diff --git a/tasks/main.yml b/tasks/main.yml index 5e3d55d..5104166 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -1,30 +1,11 @@ - name: Gather the package facts - package_facts: + ansible.builtin.package_facts: manager: auto tags: - - CCE-90843-4 - - CJIS-5.10.1.3 - - DISA-STIG-RHEL-09-651010 - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-11.5 - - PCI-DSSv4-11.5.2 - - enable_strategy - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - package_aide_installed - when: - - DISA_STIG_RHEL_09_651010 | bool - - enable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - package_aide_installed | bool + - always - name: Ensure aide is installed - package: + ansible.builtin.package: name: aide state: present when: @@ -50,31 +31,6 @@ - no_reboot_needed - package_aide_installed -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83438-2 - - CJIS-5.10.1.3 - - DISA-STIG-RHEL-09-651010 - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-11.5 - - PCI-DSSv4-11.5.2 - - aide_build_database - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - when: - - DISA_STIG_RHEL_09_651010 | bool - - aide_build_database | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - name: Build and Test AIDE Database - Ensure AIDE Is Installed ansible.builtin.package: name: '{{ item }}' 
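Review bot: The now-unconditional fact gather at the top of the hunk carries the `always` tag with no comment saying why, and nothing in the role explains that the `when:` guards on the package and service tasks that follow (`'"kernel" in ansible_facts.packages'`, `'"gdm" in ansible_facts.packages'`, …) dereference `ansible_facts.packages` and would presumably fail as undefined if this task were filtered out by `--tags`/`--skip-tags`. I would add above the task: `# Tagged 'always' so ansible_facts.packages is populated even when the role is run with --tags or --skip-tags; the when: guards on the package/service tasks below depend on it.` Note that the same patch adds a second `always`-tagged `Gather the package facts` task further down (just before the systemd-journald block), so the facts are collected twice per run; if that is not intentional, this task should remain the only gatherer. The `when:` list of the `Ensure aide is installed` task continues outside the hunk.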
@@ -104,6 +60,1470 @@ - no_reboot_needed - restrict_strategy +- name: Ensure aide is installed + ansible.builtin.package: + name: '{{ item }}' + state: present + with_items: + - aide + when: + - DISA_STIG_RHEL_09_651025 | bool + - aide_check_audit_tools | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"kernel" in ansible_facts.packages' + tags: + - CCE-87757-1 + - DISA-STIG-RHEL-09-651025 + - NIST-800-53-AU-9(3) + - NIST-800-53-AU-9(3).1 + - aide_check_audit_tools + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Ensure AIDE is installed + ansible.builtin.package: + name: aide + state: present + when: + - DISA_STIG_RHEL_09_651015 | bool + - aide_periodic_cron_checking | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"kernel" in ansible_facts.packages' + tags: + - CCE-83437-4 + - CJIS-5.10.1.3 + - DISA-STIG-RHEL-09-651015 + - NIST-800-53-CM-6(a) + - NIST-800-53-SI-7 + - NIST-800-53-SI-7(1) + - PCI-DSS-Req-11.5 + - PCI-DSSv4-11.5.2 + - aide_periodic_cron_checking + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Install cron + ansible.builtin.package: + name: cronie + state: present + when: + - DISA_STIG_RHEL_09_651015 | bool + - aide_periodic_cron_checking | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"kernel" in ansible_facts.packages' + tags: + - CCE-83437-4 + - CJIS-5.10.1.3 + - DISA-STIG-RHEL-09-651015 + - NIST-800-53-CM-6(a) + - NIST-800-53-SI-7 + - NIST-800-53-SI-7(1) + - PCI-DSS-Req-11.5 + - PCI-DSSv4-11.5.2 + - aide_periodic_cron_checking + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- 
name: 'Remove the GDM Package Group: Ensure gdm is removed' + ansible.builtin.package: + name: gdm + state: absent + when: + - disable_strategy | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - package_gdm_removed | bool + - '"gdm" in ansible_facts.packages' + tags: + - CCE-83549-6 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - disable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - package_gdm_removed + +- name: Ensure sudo is installed + ansible.builtin.package: + name: sudo + state: present + when: + - DISA_STIG_RHEL_09_432010 | bool + - enable_strategy | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - package_sudo_installed | bool + - '"kernel" in ansible_facts.packages' + tags: + - CCE-83523-1 + - DISA-STIG-RHEL-09-432010 + - NIST-800-53-CM-6(a) + - PCI-DSSv4-2.2 + - PCI-DSSv4-2.2.6 + - enable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - package_sudo_installed + +- name: Ensure libpwquality is installed + ansible.builtin.package: + name: libpwquality + state: present + when: + - enable_strategy | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - package_pam_pwquality_installed | bool + - '"pam" in ansible_facts.packages' + tags: + - CCE-86226-8 + - enable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - package_pam_pwquality_installed + +- name: Ensure systemd-journal-remote is installed + ansible.builtin.package: + name: systemd-journal-remote + state: present + when: + - enable_strategy | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - package_systemd_journal_remote_installed | bool + - '"kernel" in ansible_facts.packages' + tags: + 
- CCE-86760-6 + - enable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - package_systemd-journal-remote_installed + +- name: Ensure firewalld is installed + ansible.builtin.package: + name: firewalld + state: present + when: + - DISA_STIG_RHEL_09_251010 | bool + - enable_strategy | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - package_firewalld_installed | bool + - '"kernel" in ansible_facts.packages' + tags: + - CCE-84021-5 + - DISA-STIG-RHEL-09-251010 + - NIST-800-53-CM-6(a) + - PCI-DSSv4-1.2 + - PCI-DSSv4-1.2.1 + - enable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - package_firewalld_installed + +- name: Configure Firewalld to Restrict Loopback Traffic - Ensure firewalld Package is Installed + ansible.builtin.package: + name: '{{ item }}' + state: present + with_items: + - firewalld + when: + - configure_strategy | bool + - firewalld_loopback_traffic_restricted | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - '"kernel" in ansible_facts.packages' + tags: + - CCE-86137-7 + - PCI-DSSv4-1.4 + - PCI-DSSv4-1.4.1 + - configure_strategy + - firewalld_loopback_traffic_restricted + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Configure Firewalld to Trust Loopback Traffic - Ensure firewalld Package is Installed + ansible.builtin.package: + name: '{{ item }}' + state: present + with_items: + - firewalld + when: + - configure_strategy | bool + - firewalld_loopback_traffic_trusted | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - '"kernel" in ansible_facts.packages' + tags: + - CCE-86116-1 + - PCI-DSSv4-1.4 + - PCI-DSSv4-1.4.1 + - configure_strategy + - firewalld_loopback_traffic_trusted + - low_complexity + - low_disruption + - 
medium_severity + - no_reboot_needed + +- name: Ensure nftables is installed + ansible.builtin.package: + name: nftables + state: present + when: + - enable_strategy | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - package_nftables_installed | bool + - ( "kernel" in ansible_facts.packages ) + tags: + - CCE-86378-7 + - PCI-DSSv4-1.2 + - PCI-DSSv4-1.2.1 + - enable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - package_nftables_installed + +- name: Ensure NetworkManager is installed + ansible.builtin.package: + name: '{{ item }}' + state: present + with_items: + - NetworkManager + when: + - DISA_STIG_RHEL_09_291040 | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - unknown_strategy | bool + - wireless_disable_interfaces | bool + - ( not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] ) ) + tags: + - CCE-84066-0 + - DISA-STIG-RHEL-09-291040 + - NIST-800-171-3.1.16 + - NIST-800-53-AC-18(3) + - NIST-800-53-AC-18(a) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - PCI-DSS-Req-1.3.3 + - PCI-DSSv4-1.3 + - PCI-DSSv4-1.3.3 + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + - wireless_disable_interfaces + +- name: Ensure libselinux is installed + ansible.builtin.package: + name: libselinux + state: present + when: + - enable_strategy | bool + - high_severity | bool + - low_complexity | bool + - low_disruption | bool + - no_reboot_needed | bool + - package_libselinux_installed | bool + - '"kernel" in ansible_facts.packages' + tags: + - CCE-84069-4 + - PCI-DSSv4-1.2 + - PCI-DSSv4-1.2.6 + - enable_strategy + - high_severity + - low_complexity + - low_disruption + - no_reboot_needed + - package_libselinux_installed + +- name: 'Uninstall mcstrans Package: Ensure 
mcstrans is removed' + ansible.builtin.package: + name: mcstrans + state: absent + when: + - disable_strategy | bool + - low_complexity | bool + - low_disruption | bool + - low_severity | bool + - no_reboot_needed | bool + - package_mcstrans_removed | bool + - '"kernel" in ansible_facts.packages' + tags: + - CCE-84072-8 + - disable_strategy + - low_complexity + - low_disruption + - low_severity + - no_reboot_needed + - package_mcstrans_removed + +- name: 'Uninstall setroubleshoot Package: Ensure setroubleshoot is removed' + ansible.builtin.package: + name: setroubleshoot + state: absent + when: + - disable_strategy | bool + - low_complexity | bool + - low_disruption | bool + - low_severity | bool + - no_reboot_needed | bool + - package_setroubleshoot_removed | bool + - '"kernel" in ansible_facts.packages' + tags: + - CCE-84073-6 + - disable_strategy + - low_complexity + - low_disruption + - low_severity + - no_reboot_needed + - package_setroubleshoot_removed + +- name: Ensure cronie is installed + ansible.builtin.package: + name: cronie + state: present + when: + - DISA_STIG_RHEL_09_232040 | bool + - enable_strategy | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - package_cron_installed | bool + - '"kernel" in ansible_facts.packages' + tags: + - CCE-86170-8 + - DISA-STIG-RHEL-09-232040 + - NIST-800-53-CM-6(a) + - PCI-DSSv4-2.2 + - PCI-DSSv4-2.2.6 + - enable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - package_cron_installed + +- name: 'Uninstall DHCP Server Package: Ensure dhcp-server is removed' + ansible.builtin.package: + name: dhcp-server + state: absent + tags: + - CCE-84240-1 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - PCI-DSSv4-2.2 + - PCI-DSSv4-2.2.4 + - disable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - package_dhcp_removed + when: + - disable_strategy | bool + - 
low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - package_dhcp_removed | bool + +- name: 'Uninstall dnsmasq Package: Ensure dnsmasq is removed' + ansible.builtin.package: + name: dnsmasq + state: absent + tags: + - CCE-86063-5 + - disable_strategy + - low_complexity + - low_disruption + - low_severity + - no_reboot_needed + - package_dnsmasq_removed + when: + - disable_strategy | bool + - low_complexity | bool + - low_disruption | bool + - low_severity | bool + - no_reboot_needed | bool + - package_dnsmasq_removed | bool + +- name: 'Uninstall bind Package: Ensure bind is removed' + ansible.builtin.package: + name: bind + state: absent + tags: + - CCE-86505-5 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - disable_strategy + - low_complexity + - low_disruption + - low_severity + - no_reboot_needed + - package_bind_removed + when: + - disable_strategy | bool + - low_complexity | bool + - low_disruption | bool + - low_severity | bool + - no_reboot_needed | bool + - package_bind_removed | bool + +- name: 'Uninstall bind Package: Ensure bind9.18 is removed' + ansible.builtin.package: + name: bind9.18 + state: absent + tags: + - CCE-86505-5 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - disable_strategy + - low_complexity + - low_disruption + - low_severity + - no_reboot_needed + - package_bind_removed + when: + - disable_strategy | bool + - low_complexity | bool + - low_disruption | bool + - low_severity | bool + - no_reboot_needed | bool + - package_bind_removed | bool + +- name: 'Remove ftp Package: Ensure ftp is removed' + ansible.builtin.package: + name: ftp + state: absent + tags: + - CCE-86075-9 + - PCI-DSSv4-2.2 + - PCI-DSSv4-2.2.4 + - disable_strategy + - low_complexity + - low_disruption + - low_severity + - no_reboot_needed + - package_ftp_removed + when: + - disable_strategy | bool + - low_complexity | bool + - low_disruption | bool + - 
low_severity | bool + - no_reboot_needed | bool + - package_ftp_removed | bool + +- name: 'Uninstall vsftpd Package: Ensure vsftpd is removed' + ansible.builtin.package: + name: vsftpd + state: absent + tags: + - CCE-84159-3 + - DISA-STIG-RHEL-09-215015 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7 + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-CM-7.1(ii) + - NIST-800-53-IA-5(1)(c) + - NIST-800-53-IA-5(1).1(v) + - disable_strategy + - high_severity + - low_complexity + - low_disruption + - no_reboot_needed + - package_vsftpd_removed + when: + - DISA_STIG_RHEL_09_215015 | bool + - disable_strategy | bool + - high_severity | bool + - low_complexity | bool + - low_disruption | bool + - no_reboot_needed | bool + - package_vsftpd_removed | bool + +- name: 'Uninstall httpd Package: Ensure httpd is removed' + ansible.builtin.package: + name: httpd + state: absent + tags: + - CCE-85974-4 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - disable_strategy + - low_complexity + - low_disruption + - no_reboot_needed + - package_httpd_removed + - unknown_severity + when: + - disable_strategy | bool + - low_complexity | bool + - low_disruption | bool + - no_reboot_needed | bool + - package_httpd_removed | bool + - unknown_severity | bool + +- name: 'Uninstall nginx Package: Ensure nginx is removed' + ansible.builtin.package: + name: nginx + state: absent + tags: + - CCE-88035-1 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - disable_strategy + - low_complexity + - low_disruption + - no_reboot_needed + - package_nginx_removed + - unknown_severity + when: + - disable_strategy | bool + - low_complexity | bool + - low_disruption | bool + - no_reboot_needed | bool + - package_nginx_removed | bool + - unknown_severity | bool + +- name: 'Uninstall cyrus-imapd Package: Ensure cyrus-imapd is removed' + ansible.builtin.package: + name: cyrus-imapd + state: absent + tags: + - CCE-88120-1 + - disable_strategy + - 
low_complexity + - low_disruption + - no_reboot_needed + - package_cyrus-imapd_removed + - unknown_severity + when: + - disable_strategy | bool + - low_complexity | bool + - low_disruption | bool + - no_reboot_needed | bool + - package_cyrus_imapd_removed | bool + - unknown_severity | bool + +- name: 'Uninstall dovecot Package: Ensure dovecot is removed' + ansible.builtin.package: + name: dovecot + state: absent + tags: + - CCE-85977-7 + - disable_strategy + - low_complexity + - low_disruption + - no_reboot_needed + - package_dovecot_removed + - unknown_severity + when: + - disable_strategy | bool + - low_complexity | bool + - low_disruption | bool + - no_reboot_needed | bool + - package_dovecot_removed | bool + - unknown_severity | bool + +- name: 'Ensure LDAP client is not installed: Ensure openldap-clients is removed' + ansible.builtin.package: + name: openldap-clients + state: absent + tags: + - CCE-90831-9 + - disable_strategy + - low_complexity + - low_disruption + - low_severity + - no_reboot_needed + - package_openldap-clients_removed + when: + - disable_strategy | bool + - low_complexity | bool + - low_disruption | bool + - low_severity | bool + - no_reboot_needed | bool + - package_openldap_clients_removed | bool + +- name: Ensure chrony is installed + ansible.builtin.package: + name: chrony + state: present + when: + - DISA_STIG_RHEL_09_252010 | bool + - enable_strategy | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - package_chrony_installed | bool + - '"kernel" in ansible_facts.packages' + tags: + - CCE-84215-3 + - DISA-STIG-RHEL-09-252010 + - PCI-DSS-Req-10.4 + - PCI-DSSv4-10.6 + - PCI-DSSv4-10.6.1 + - enable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - package_chrony_installed + +- name: 'Uninstall rsync Package: Ensure rsync-daemon is removed' + ansible.builtin.package: + name: rsync-daemon + state: absent + tags: + - CCE-86336-5 + - 
disable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - package_rsync_removed + when: + - disable_strategy | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - package_rsync_removed | bool + +- name: 'Uninstall telnet-server Package: Ensure telnet-server is removed' + ansible.builtin.package: + name: telnet-server + state: absent + tags: + - CCE-84149-4 + - DISA-STIG-RHEL-09-215040 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - PCI-DSS-Req-2.2.2 + - PCI-DSSv4-2.2 + - PCI-DSSv4-2.2.4 + - disable_strategy + - high_severity + - low_complexity + - low_disruption + - no_reboot_needed + - package_telnet-server_removed + when: + - DISA_STIG_RHEL_09_215040 | bool + - disable_strategy | bool + - high_severity | bool + - low_complexity | bool + - low_disruption | bool + - no_reboot_needed | bool + - package_telnet_server_removed | bool + +- name: 'Remove telnet Clients: Ensure telnet is removed' + ansible.builtin.package: + name: telnet + state: absent + tags: + - CCE-84146-0 + - NIST-800-171-3.1.13 + - PCI-DSSv4-2.2 + - PCI-DSSv4-2.2.4 + - disable_strategy + - low_complexity + - low_disruption + - low_severity + - no_reboot_needed + - package_telnet_removed + when: + - disable_strategy | bool + - low_complexity | bool + - low_disruption | bool + - low_severity | bool + - no_reboot_needed | bool + - package_telnet_removed | bool + +- name: 'Uninstall tftp-server Package: Ensure tftp-server is removed' + ansible.builtin.package: + name: tftp-server + state: absent + tags: + - CCE-84154-4 + - DISA-STIG-RHEL-09-215060 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - PCI-DSSv4-2.2 + - PCI-DSSv4-2.2.4 + - disable_strategy + - high_severity + - low_complexity + - low_disruption + - no_reboot_needed + - package_tftp-server_removed + when: + - DISA_STIG_RHEL_09_215060 | bool + - disable_strategy | bool + - high_severity 
| bool + - low_complexity | bool + - low_disruption | bool + - no_reboot_needed | bool + - package_tftp_server_removed | bool + +- name: 'Remove tftp Daemon: Ensure tftp is removed' + ansible.builtin.package: + name: tftp + state: absent + tags: + - CCE-84153-6 + - PCI-DSSv4-2.2 + - PCI-DSSv4-2.2.4 + - disable_strategy + - low_complexity + - low_disruption + - low_severity + - no_reboot_needed + - package_tftp_removed + when: + - disable_strategy | bool + - low_complexity | bool + - low_disruption | bool + - low_severity | bool + - no_reboot_needed | bool + - package_tftp_removed | bool + +- name: 'Uninstall squid Package: Ensure squid is removed' + ansible.builtin.package: + name: squid + state: absent + tags: + - CCE-84238-5 + - disable_strategy + - low_complexity + - low_disruption + - no_reboot_needed + - package_squid_removed + - unknown_severity + when: + - disable_strategy | bool + - low_complexity | bool + - low_disruption | bool + - no_reboot_needed | bool + - package_squid_removed | bool + - unknown_severity | bool + +- name: 'Uninstall Samba Package: Ensure samba is removed' + ansible.builtin.package: + name: samba + state: absent + tags: + - CCE-85979-3 + - disable_strategy + - low_complexity + - low_disruption + - no_reboot_needed + - package_samba_removed + - unknown_severity + when: + - disable_strategy | bool + - low_complexity | bool + - low_disruption | bool + - no_reboot_needed | bool + - package_samba_removed | bool + - unknown_severity | bool + +- name: 'Uninstall net-snmp Package: Ensure net-snmp is removed' + ansible.builtin.package: + name: net-snmp + state: absent + tags: + - CCE-85981-9 + - PCI-DSSv4-2.2 + - PCI-DSSv4-2.2.4 + - disable_strategy + - low_complexity + - low_disruption + - no_reboot_needed + - package_net-snmp_removed + - unknown_severity + when: + - disable_strategy | bool + - low_complexity | bool + - low_disruption | bool + - no_reboot_needed | bool + - package_net_snmp_removed | bool + - unknown_severity | bool + +- name: 
'Remove the X Windows Package Group: Ensure xorg-x11-server-common is removed' + ansible.builtin.package: + name: xorg-x11-server-common + state: absent + tags: + - CCE-84104-9 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - disable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - package_xorg-x11-server-common_removed + when: + - disable_strategy | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - package_xorg_x11_server_common_removed | bool + +- name: Ensure audit-libs is installed + ansible.builtin.package: + name: audit-libs + state: present + when: + - enable_strategy | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - package_audit_libs_installed | bool + - '"kernel" in ansible_facts.packages' + tags: + - CCE-86772-1 + - NIST-800-53-AC-7(a) + - NIST-800-53-AU-12(2) + - NIST-800-53-AU-14 + - NIST-800-53-AU-2(a) + - NIST-800-53-AU-7(1) + - NIST-800-53-AU-7(2) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1 + - enable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - package_audit-libs_installed + +- name: Ensure audit is installed + ansible.builtin.package: + name: audit + state: present + when: + - DISA_STIG_RHEL_09_653010 | bool + - enable_strategy | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - package_audit_installed | bool + - '"kernel" in ansible_facts.packages' + tags: + - CCE-83649-4 + - DISA-STIG-RHEL-09-653010 + - NIST-800-53-AC-7(a) + - NIST-800-53-AU-12(2) + - NIST-800-53-AU-14 + - NIST-800-53-AU-2(a) + - NIST-800-53-AU-7(1) + - NIST-800-53-AU-7(2) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.1 + - PCI-DSSv4-10.2 + - PCI-DSSv4-10.2.1 + - enable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - 
package_audit_installed + +- name: Gather the package facts + ansible.builtin.package_facts: + manager: auto + tags: + - always + +- name: Enable systemd-journald Service - Enable service systemd-journald + block: + - name: Enable systemd-journald Service - Enable Service systemd-journald + ansible.builtin.systemd: + name: systemd-journald + enabled: true + state: started + masked: false + when: + - '"systemd" in ansible_facts.packages' + tags: + - CCE-85941-3 + - DISA-STIG-RHEL-09-211040 + - NIST-800-53-SC-24 + - enable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - service_systemd-journald_enabled + - special_service_block + when: + - DISA_STIG_RHEL_09_211040 | bool + - enable_strategy | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - service_systemd_journald_enabled | bool + - special_service_block | bool + - '"kernel" in ansible_facts.packages' + +- name: Verify firewalld Enabled - Enable service firewalld + block: + - name: Verify firewalld Enabled - Enable Service firewalld + ansible.builtin.systemd: + name: firewalld + enabled: true + state: started + masked: false + when: + - '"firewalld" in ansible_facts.packages' + tags: + - CCE-90833-5 + - DISA-STIG-RHEL-09-251015 + - NIST-800-171-3.1.3 + - NIST-800-171-3.4.7 + - NIST-800-53-AC-4 + - NIST-800-53-CA-3(5) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-SC-7(21) + - PCI-DSSv4-1.2 + - PCI-DSSv4-1.2.1 + - enable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - service_firewalld_enabled + - special_service_block + when: + - DISA_STIG_RHEL_09_251015 | bool + - enable_strategy | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - service_firewalld_enabled | bool + - special_service_block | bool + - '"kernel" in ansible_facts.packages' + - '"firewalld" in ansible_facts.packages' + 
+- name: Verify nftables Service is Disabled - Disable service nftables + block: + - name: Verify nftables Service is Disabled - Collect systemd Services Present in the System + ansible.builtin.command: systemctl -q list-unit-files --type service + register: service_exists + changed_when: false + failed_when: service_exists.rc not in [0, 1] + check_mode: false + - name: Verify nftables Service is Disabled - Ensure nftables.service is Masked + ansible.builtin.systemd: + name: nftables.service + state: stopped + enabled: false + masked: true + when: service_exists.stdout_lines is search("nftables.service", multiline=True) + - name: Unit Socket Exists - nftables.socket + ansible.builtin.command: systemctl -q list-unit-files nftables.socket + register: socket_file_exists + changed_when: false + failed_when: socket_file_exists.rc not in [0, 1] + check_mode: false + - name: Verify nftables Service is Disabled - Disable Socket nftables + ansible.builtin.systemd: + name: nftables.socket + enabled: false + state: stopped + masked: true + when: socket_file_exists.stdout_lines is search("nftables.socket", multiline=True) + tags: + - CCE-88429-6 + - PCI-DSSv4-1.2 + - PCI-DSSv4-1.2.1 + - disable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - service_nftables_disabled + - special_service_block + when: + - disable_strategy | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - service_nftables_disabled | bool + - special_service_block | bool + - ( "firewalld" in ansible_facts.packages and "nftables" in ansible_facts.packages and "kernel" in ansible_facts.packages + ) + +- name: Disable Bluetooth Service - Disable service bluetooth + block: + - name: Disable Bluetooth Service - Collect systemd Services Present in the System + ansible.builtin.command: systemctl -q list-unit-files --type service + register: service_exists + changed_when: false + failed_when: service_exists.rc 
not in [0, 1] + check_mode: false + - name: Disable Bluetooth Service - Ensure bluetooth.service is Masked + ansible.builtin.systemd: + name: bluetooth.service + state: stopped + enabled: false + masked: true + when: service_exists.stdout_lines is search("bluetooth.service", multiline=True) + - name: Unit Socket Exists - bluetooth.socket + ansible.builtin.command: systemctl -q list-unit-files bluetooth.socket + register: socket_file_exists + changed_when: false + failed_when: socket_file_exists.rc not in [0, 1] + check_mode: false + - name: Disable Bluetooth Service - Disable Socket bluetooth + ansible.builtin.systemd: + name: bluetooth.socket + enabled: false + state: stopped + masked: true + when: socket_file_exists.stdout_lines is search("bluetooth.socket", multiline=True) + tags: + - CCE-86761-4 + - NIST-800-171-3.1.16 + - NIST-800-53-AC-18(3) + - NIST-800-53-AC-18(a) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - disable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - service_bluetooth_disabled + - special_service_block + when: + - disable_strategy | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - service_bluetooth_disabled | bool + - special_service_block | bool + - '"kernel" in ansible_facts.packages' + +- name: Disable the Automounter - Disable service autofs + block: + - name: Disable the Automounter - Collect systemd Services Present in the System + ansible.builtin.command: systemctl -q list-unit-files --type service + register: service_exists + changed_when: false + failed_when: service_exists.rc not in [0, 1] + check_mode: false + - name: Disable the Automounter - Ensure autofs.service is Masked + ansible.builtin.systemd: + name: autofs.service + state: stopped + enabled: false + masked: true + when: service_exists.stdout_lines is search("autofs.service", multiline=True) + - name: Unit Socket 
Exists - autofs.socket + ansible.builtin.command: systemctl -q list-unit-files autofs.socket + register: socket_file_exists + changed_when: false + failed_when: socket_file_exists.rc not in [0, 1] + check_mode: false + - name: Disable the Automounter - Disable Socket autofs + ansible.builtin.systemd: + name: autofs.socket + enabled: false + state: stopped + masked: true + when: socket_file_exists.stdout_lines is search("autofs.socket", multiline=True) + tags: + - CCE-83850-8 + - DISA-STIG-RHEL-09-231040 + - NIST-800-171-3.4.6 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - disable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - service_autofs_disabled + - special_service_block + when: + - DISA_STIG_RHEL_09_231040 | bool + - disable_strategy | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - service_autofs_disabled | bool + - special_service_block | bool + - ( "autofs" in ansible_facts.packages and "kernel" in ansible_facts.packages ) + +- name: Disable Avahi Server Software - Disable service avahi-daemon + block: + - name: Disable Avahi Server Software - Collect systemd Services Present in the System + ansible.builtin.command: systemctl -q list-unit-files --type service + register: service_exists + changed_when: false + failed_when: service_exists.rc not in [0, 1] + check_mode: false + - name: Disable Avahi Server Software - Ensure avahi-daemon.service is Masked + ansible.builtin.systemd: + name: avahi-daemon.service + state: stopped + enabled: false + masked: true + when: service_exists.stdout_lines is search("avahi-daemon.service", multiline=True) + - name: Unit Socket Exists - avahi-daemon.socket + ansible.builtin.command: systemctl -q list-unit-files avahi-daemon.socket + register: socket_file_exists + changed_when: false + failed_when: socket_file_exists.rc not in [0, 1] + check_mode: false + - name: 
Disable Avahi Server Software - Disable Socket avahi-daemon + ansible.builtin.systemd: + name: avahi-daemon.socket + enabled: false + state: stopped + masked: true + when: socket_file_exists.stdout_lines is search("avahi-daemon.socket", multiline=True) + tags: + - CCE-90824-4 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - PCI-DSSv4-2.2 + - PCI-DSSv4-2.2.4 + - disable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - service_avahi-daemon_disabled + - special_service_block + when: + - disable_strategy | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - service_avahi_daemon_disabled | bool + - special_service_block | bool + - ( "avahi" in ansible_facts.packages and "kernel" in ansible_facts.packages ) + +- name: Enable cron Service - Enable service crond + block: + - name: Enable cron Service - Enable Service crond + ansible.builtin.systemd: + name: crond + enabled: true + state: started + masked: false + when: + - '"cronie" in ansible_facts.packages' + tags: + - CCE-84163-5 + - NIST-800-53-CM-6(a) + - enable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - service_crond_enabled + - special_service_block + when: + - enable_strategy | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - service_crond_enabled | bool + - special_service_block | bool + - '"kernel" in ansible_facts.packages' + +- name: Disable rpcbind Service - Disable service rpcbind + block: + - name: Disable rpcbind Service - Collect systemd Services Present in the System + ansible.builtin.command: systemctl -q list-unit-files --type service + register: service_exists + changed_when: false + failed_when: service_exists.rc not in [0, 1] + check_mode: false + - name: Disable rpcbind Service - Ensure rpcbind.service is Masked + ansible.builtin.systemd: + name: 
rpcbind.service + state: stopped + enabled: false + masked: true + when: service_exists.stdout_lines is search("rpcbind.service", multiline=True) + - name: Unit Socket Exists - rpcbind.socket + ansible.builtin.command: systemctl -q list-unit-files rpcbind.socket + register: socket_file_exists + changed_when: false + failed_when: socket_file_exists.rc not in [0, 1] + check_mode: false + - name: Disable rpcbind Service - Disable Socket rpcbind + ansible.builtin.systemd: + name: rpcbind.socket + enabled: false + state: stopped + masked: true + when: socket_file_exists.stdout_lines is search("rpcbind.socket", multiline=True) + tags: + - CCE-84245-0 + - PCI-DSSv4-2.2 + - PCI-DSSv4-2.2.4 + - disable_strategy + - low_complexity + - low_disruption + - low_severity + - no_reboot_needed + - service_rpcbind_disabled + - special_service_block + when: + - disable_strategy | bool + - low_complexity | bool + - low_disruption | bool + - low_severity | bool + - no_reboot_needed | bool + - service_rpcbind_disabled | bool + - special_service_block | bool + - '"kernel" in ansible_facts.packages' + +- name: Disable Network File System (nfs) - Disable service nfs-server + block: + - name: Disable Network File System (nfs) - Collect systemd Services Present in the System + ansible.builtin.command: systemctl -q list-unit-files --type service + register: service_exists + changed_when: false + failed_when: service_exists.rc not in [0, 1] + check_mode: false + - name: Disable Network File System (nfs) - Ensure nfs-server.service is Masked + ansible.builtin.systemd: + name: nfs-server.service + state: stopped + enabled: false + masked: true + when: service_exists.stdout_lines is search("nfs-server.service", multiline=True) + - name: Unit Socket Exists - nfs-server.socket + ansible.builtin.command: systemctl -q list-unit-files nfs-server.socket + register: socket_file_exists + changed_when: false + failed_when: socket_file_exists.rc not in [0, 1] + check_mode: false + - name: Disable Network 
File System (nfs) - Disable Socket nfs-server + ansible.builtin.systemd: + name: nfs-server.socket + enabled: false + state: stopped + masked: true + when: socket_file_exists.stdout_lines is search("nfs-server.socket", multiline=True) + tags: + - CCE-90850-9 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - disable_strategy + - low_complexity + - low_disruption + - no_reboot_needed + - service_nfs_disabled + - special_service_block + - unknown_severity + when: + - disable_strategy | bool + - low_complexity | bool + - low_disruption | bool + - no_reboot_needed | bool + - service_nfs_disabled | bool + - special_service_block | bool + - unknown_severity | bool + - '"kernel" in ansible_facts.packages' + +- name: Disable the CUPS Service - Disable service cups + block: + - name: Disable the CUPS Service - Collect systemd Services Present in the System + ansible.builtin.command: systemctl -q list-unit-files --type service + register: service_exists + changed_when: false + failed_when: service_exists.rc not in [0, 1] + check_mode: false + - name: Disable the CUPS Service - Ensure cups.service is Masked + ansible.builtin.systemd: + name: cups.service + state: stopped + enabled: false + masked: true + when: service_exists.stdout_lines is search("cups.service", multiline=True) + - name: Unit Socket Exists - cups.socket + ansible.builtin.command: systemctl -q list-unit-files cups.socket + register: socket_file_exists + changed_when: false + failed_when: socket_file_exists.rc not in [0, 1] + check_mode: false + - name: Disable the CUPS Service - Disable Socket cups + ansible.builtin.systemd: + name: cups.socket + enabled: false + state: stopped + masked: true + when: socket_file_exists.stdout_lines is search("cups.socket", multiline=True) + tags: + - CCE-90795-6 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - disable_strategy + - low_complexity + - low_disruption + - no_reboot_needed + - service_cups_disabled + - 
special_service_block + - unknown_severity + when: + - disable_strategy | bool + - low_complexity | bool + - low_disruption | bool + - no_reboot_needed | bool + - service_cups_disabled | bool + - special_service_block | bool + - unknown_severity | bool + - '"kernel" in ansible_facts.packages' + +- name: Enable auditd Service - Enable service auditd + block: + - name: Enable auditd Service - Enable Service auditd + ansible.builtin.systemd: + name: auditd + enabled: true + state: started + masked: false + when: + - '"audit" in ansible_facts.packages' + tags: + - CCE-90829-3 + - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-653015 + - NIST-800-171-3.3.1 + - NIST-800-171-3.3.2 + - NIST-800-171-3.3.6 + - NIST-800-53-AC-2(g) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-10 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-14(1) + - NIST-800-53-AU-2(d) + - NIST-800-53-AU-3 + - NIST-800-53-CM-6(a) + - NIST-800-53-SI-4(23) + - PCI-DSS-Req-10.1 + - PCI-DSSv4-10.2 + - PCI-DSSv4-10.2.1 + - enable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - service_auditd_enabled + - special_service_block + when: + - DISA_STIG_RHEL_09_653015 | bool + - enable_strategy | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - service_auditd_enabled | bool + - special_service_block | bool + - '"kernel" in ansible_facts.packages' + - '"audit" in ansible_facts.packages' + +- name: Gather the service facts + ansible.builtin.service_facts: null + tags: + - always + - name: Build and Test AIDE Database - Build and Test AIDE Database ansible.builtin.command: /usr/sbin/aide --init changed_when: true 
@@ -187,83 +1607,8 @@ - no_reboot_needed - restrict_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-87757-1 - - DISA-STIG-RHEL-09-651025 - - NIST-800-53-AU-9(3) - - NIST-800-53-AU-9(3).1 - - aide_check_audit_tools - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - when: - - DISA_STIG_RHEL_09_651025 | bool - - aide_check_audit_tools | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - -- name: Configure AIDE to Verify the Audit Tools - Gather List of Packages - tags: - - CCE-87757-1 - - DISA-STIG-RHEL-09-651025 - - NIST-800-53-AU-9(3) - - NIST-800-53-AU-9(3).1 - - aide_check_audit_tools - - aide_check_audit_tools - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - ansible.builtin.package_facts: - manager: auto - when: - - DISA_STIG_RHEL_09_651025 | bool - - aide_check_audit_tools | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - '"kernel" in ansible_facts.packages' - -- name: Ensure aide is installed - package: - name: '{{ item }}' - state: present - with_items: - - aide - when: - - DISA_STIG_RHEL_09_651025 | bool - - aide_check_audit_tools | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - '"kernel" in ansible_facts.packages' - tags: - - CCE-87757-1 - - DISA-STIG-RHEL-09-651025 - - NIST-800-53-AU-9(3) - - NIST-800-53-AU-9(3).1 - - aide_check_audit_tools - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - - name: Set audit_tools fact - set_fact: + ansible.builtin.set_fact: audit_tools: - /usr/sbin/auditctl - /usr/sbin/auditd 
@@ -294,10 +1639,11 @@
- restrict_strategy
- name: Ensure existing AIDE configuration for audit tools are correct
- lineinfile:
+ ansible.builtin.lineinfile:
path: /etc/aide.conf
regexp: ^{{ item }}\s
line: '{{ item }} p+i+n+u+g+s+b+acl+xattrs+sha512'
+ create: true
with_items: '{{ audit_tools }}'
when:
- DISA_STIG_RHEL_09_651025 | bool
@@ -308,6 +1654,7 @@
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel" in ansible_facts.packages'
+ - '"aide" in ansible_facts.packages'
tags:
- CCE-87757-1
- DISA-STIG-RHEL-09-651025
@@ -321,9 +1668,10 @@
- restrict_strategy
- name: Configure AIDE to properly protect audit tools
- lineinfile:
+ ansible.builtin.lineinfile:
path: /etc/aide.conf
line: '{{ item }} p+i+n+u+g+s+b+acl+xattrs+sha512'
+ create: true
with_items: '{{ audit_tools }}'
when:
- DISA_STIG_RHEL_09_651025 | bool
@@ -334,6 +1682,7 @@
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel" in ansible_facts.packages'
+ - '"aide" in ansible_facts.packages'
tags:
- CCE-87757-1
- DISA-STIG-RHEL-09-651025
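Review bot: `create: true` on the two `/etc/aide.conf` lineinfile tasks (hunks `@@ -294,10 +1639,11 @@` and `@@ -321,9 +1668,10 @@`) lets a missing config file be created with owner, group and mode left to the remote umask and holding only the audit-tool lines, so it should be paired with explicit `owner: root`, `group: root` and a `mode:` matching what the aide package ships for that file. Since the same commit gates both tasks on `'"aide" in ansible_facts.packages'`, the package-shipped config should normally exist and `create: true` is only a fallback; if that fallback is intended, consider whether a file without the package's default ruleset is a usable input for the later `aide --init`, or whether the task should rather fail loudly. The `regexp: ^{{ item }}\s` is built from unescaped paths; `^{{ item | regex_escape }}\s` keeps a `.` in a future `audit_tools` entry from matching any character. Both enclosing tasks extend beyond the hunks.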
@@ -346,153 +1695,8 @@ - no_reboot_needed - restrict_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83437-4 - - CJIS-5.10.1.3 - - DISA-STIG-RHEL-09-651015 - - NIST-800-53-CM-6(a) - - NIST-800-53-SI-7 - - NIST-800-53-SI-7(1) - - PCI-DSS-Req-11.5 - - PCI-DSSv4-11.5.2 - - aide_periodic_cron_checking - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - when: - - DISA_STIG_RHEL_09_651015 | bool - - aide_periodic_cron_checking | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - -- name: Ensure AIDE is installed - package: - name: '{{ item }}' - state: present - with_items: - - aide - when: - - DISA_STIG_RHEL_09_651015 | bool - - aide_periodic_cron_checking | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - '"kernel" in ansible_facts.packages' - tags: - - CCE-83437-4 - - CJIS-5.10.1.3 - - DISA-STIG-RHEL-09-651015 - - NIST-800-53-CM-6(a) - - NIST-800-53-SI-7 - - NIST-800-53-SI-7(1) - - PCI-DSS-Req-11.5 - - PCI-DSSv4-11.5.2 - - aide_periodic_cron_checking - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - -- name: Set cron package name - RedHat - set_fact: - cron_pkg_name: cronie - when: - - DISA_STIG_RHEL_09_651015 | bool - - aide_periodic_cron_checking | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - '"kernel" in ansible_facts.packages' - - ansible_os_family == "RedHat" or ansible_os_family == "Suse" - tags: - - CCE-83437-4 - - CJIS-5.10.1.3 - - DISA-STIG-RHEL-09-651015 - - NIST-800-53-CM-6(a) - - NIST-800-53-SI-7 - - NIST-800-53-SI-7(1) - - PCI-DSS-Req-11.5 - - PCI-DSSv4-11.5.2 - - aide_periodic_cron_checking - - low_complexity - - 
low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - -- name: Set cron package name - Debian - set_fact: - cron_pkg_name: cron - when: - - DISA_STIG_RHEL_09_651015 | bool - - aide_periodic_cron_checking | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - '"kernel" in ansible_facts.packages' - - ansible_os_family == "Debian" - tags: - - CCE-83437-4 - - CJIS-5.10.1.3 - - DISA-STIG-RHEL-09-651015 - - NIST-800-53-CM-6(a) - - NIST-800-53-SI-7 - - NIST-800-53-SI-7(1) - - PCI-DSS-Req-11.5 - - PCI-DSSv4-11.5.2 - - aide_periodic_cron_checking - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - -- name: Install cron - package: - name: '{{ cron_pkg_name }}' - state: present - when: - - DISA_STIG_RHEL_09_651015 | bool - - aide_periodic_cron_checking | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - '"kernel" in ansible_facts.packages' - tags: - - CCE-83437-4 - - CJIS-5.10.1.3 - - DISA-STIG-RHEL-09-651015 - - NIST-800-53-CM-6(a) - - NIST-800-53-SI-7 - - NIST-800-53-SI-7(1) - - PCI-DSS-Req-11.5 - - PCI-DSSv4-11.5.2 - - aide_periodic_cron_checking - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - - name: Configure Periodic Execution of AIDE - cron: + ansible.builtin.cron: name: run AIDE check minute: 5 hour: 4 @@ -525,7 +1729,7 @@ - restrict_strategy - name: Configure System Cryptography Policy - lineinfile: + ansible.builtin.lineinfile: path: /etc/crypto-policies/config regexp: ^(?!#)(\S+)$ line: '{{ var_system_crypto_policy }}' @@ -533,7 +1737,6 @@ tags: - CCE-83450-7 - DISA-STIG-RHEL-09-215105 - - DISA-STIG-RHEL-09-671010 - DISA-STIG-RHEL-09-672030 - NIST-800-53-AC-17(2) - NIST-800-53-AC-17(a) 
@@ -552,7 +1755,6 @@
- restrict_strategy
when:
- DISA_STIG_RHEL_09_215105 | bool
- - DISA_STIG_RHEL_09_671010 | bool
- DISA_STIG_RHEL_09_672030 | bool
- configure_crypto_policy | bool
- high_severity | bool
@@ -562,11 +1764,10 @@
- restrict_strategy | bool
- name: Verify that Crypto Policy is Set (runtime)
- command: /usr/bin/update-crypto-policies --set {{ var_system_crypto_policy }}
+ ansible.builtin.command: /usr/bin/update-crypto-policies --set {{ var_system_crypto_policy }}
tags:
- CCE-83450-7
- DISA-STIG-RHEL-09-215105
- - DISA-STIG-RHEL-09-671010
- DISA-STIG-RHEL-09-672030
- NIST-800-53-AC-17(2)
- NIST-800-53-AC-17(a)
@@ -585,7 +1786,6 @@
- restrict_strategy
when:
- DISA_STIG_RHEL_09_215105 | bool
- - DISA_STIG_RHEL_09_671010 | bool
- DISA_STIG_RHEL_09_672030 | bool
- configure_crypto_policy | bool
- high_severity | bool
@@ -595,7 +1795,7 @@
- restrict_strategy | bool
- name: Configure SSH to use System Crypto Policy
- lineinfile:
+ ansible.builtin.lineinfile:
dest: /etc/sysconfig/sshd
state: absent
regexp: (?i)^\s*CRYPTO_POLICY.*$
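Review bot: The `Verify that Crypto Policy is Set (runtime)` task in hunk `@@ -562,11 +1764,10 @@` shows no `changed_when` within the hunk, so if the full task has none, `update-crypto-policies --set` is re-run and reported as changed on every play even when `/etc/crypto-policies/config` already held the value; the preceding `Configure System Cryptography Policy` lineinfile (earlier hunk `@@ -525,7 +1729,7 @@`) could `register: crypto_policy_config` and this task gain `when: crypto_policy_config is changed` alongside its existing conditions. `var_system_crypto_policy` is interpolated unquoted into the command line, so a typo or an unexpected value reaches the runtime policy directly; an `ansible.builtin.assert` that it is one of the expected policy names, placed before the lineinfile task, would catch that before anything is written. Both tasks extend beyond their hunks.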
@@ -623,76 +1823,6 @@ - medium_severity | bool - reboot_required | bool -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83549-6 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - disable_strategy - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - package_gdm_removed - when: - - disable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - package_gdm_removed | bool - -- name: 'Remove the GDM Package Group: Ensure gdm is removed' - ansible.builtin.package: - name: gdm - state: absent - when: - - disable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - package_gdm_removed | bool - - '"gdm" in ansible_facts.packages' - tags: - - CCE-83549-6 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - disable_strategy - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - package_gdm_removed - -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-87295-2 - - DISA-STIG-RHEL-09-271090 - - PCI-DSS-Req-6.2 - - PCI-DSSv4-8.2 - - PCI-DSSv4-8.2.8 - - dconf_db_up_to_date - - high_severity - - low_complexity - - medium_disruption - - no_reboot_needed - - unknown_strategy - when: - - DISA_STIG_RHEL_09_271090 | bool - - dconf_db_up_to_date | bool - - high_severity | bool - - low_complexity | bool - - medium_disruption | bool - - no_reboot_needed | bool - - unknown_strategy | bool - - name: Run dconf update ansible.builtin.command: cmd: dconf update 
@@ -719,31 +1849,8 @@ - no_reboot_needed - unknown_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-88285-2 - - DISA-STIG-RHEL-09-271115 - - NIST-800-53-AC-23 - - NIST-800-53-CM-6(a) - - dconf_gnome_disable_user_list - - low_complexity - - medium_disruption - - medium_severity - - no_reboot_needed - - unknown_strategy - when: - - DISA_STIG_RHEL_09_271115 | bool - - dconf_gnome_disable_user_list | bool - - low_complexity | bool - - medium_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - unknown_strategy | bool - - name: Disable the GNOME3 Login User List - ini_file: + community.general.ini_file: dest: /etc/dconf/db/distro.d/00-security-settings section: org/gnome/login-screen option: disable-user-list @@ -772,7 +1879,7 @@ - unknown_strategy - name: Prevent user modification of GNOME3 disablement of Login User List - lineinfile: + ansible.builtin.lineinfile: path: /etc/dconf/db/distro.d/locks/00-security-settings-lock regexp: ^/org/gnome/login-screen/disable-user-list$ line: /org/gnome/login-screen/disable-user-list @@ -799,7 +1906,7 @@ - unknown_strategy - name: Dconf Update - command: dconf update + ansible.builtin.command: dconf update when: - DISA_STIG_RHEL_09_271115 | bool - dconf_gnome_disable_user_list | bool @@ -821,27 +1928,8 @@ - no_reboot_needed - unknown_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-86033-8 - - gnome_gdm_disable_xdmcp - - high_severity - - low_complexity - - medium_disruption - - no_reboot_needed - - unknown_strategy - when: - - gnome_gdm_disable_xdmcp | bool - - high_severity | bool - - low_complexity | bool - - medium_disruption | bool - - no_reboot_needed | bool - - unknown_strategy | bool - - name: Disable XDMCP in GDM - ini_file: + community.general.ini_file: path: /etc/gdm/custom.conf section: xdmcp option: Enable 
@@ -865,31 +1953,6 @@ - no_reboot_needed - unknown_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-87734-0 - - NIST-800-171-3.1.7 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - PCI-DSSv4-3.4 - - PCI-DSSv4-3.4.2 - - dconf_gnome_disable_automount - - low_complexity - - medium_disruption - - medium_severity - - no_reboot_needed - - unknown_strategy - when: - - dconf_gnome_disable_automount | bool - - low_complexity | bool - - medium_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - unknown_strategy | bool - - name: Disable GNOME3 Automounting - automount community.general.ini_file: dest: /etc/dconf/db/local.d/00-security-settings @@ -922,7 +1985,7 @@ - unknown_strategy - name: Prevent user modification of GNOME3 Automounting - automount - lineinfile: + ansible.builtin.lineinfile: path: /etc/dconf/db/local.d/locks/00-security-settings-lock regexp: ^/org/gnome/desktop/media-handling/automount$ line: /org/gnome/desktop/media-handling/automount @@ -951,7 +2014,7 @@ - unknown_strategy - name: Dconf Update - command: dconf update + ansible.builtin.command: dconf update when: - dconf_gnome_disable_automount | bool - low_complexity | bool 
@@ -975,37 +2038,8 @@ - no_reboot_needed - unknown_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-90128-0 - - DISA-STIG-RHEL-09-271020 - - DISA-STIG-RHEL-09-271025 - - NIST-800-171-3.1.7 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - PCI-DSSv4-3.4 - - PCI-DSSv4-3.4.2 - - dconf_gnome_disable_automount_open - - low_complexity - - medium_disruption - - medium_severity - - no_reboot_needed - - unknown_strategy - when: - - DISA_STIG_RHEL_09_271020 | bool - - DISA_STIG_RHEL_09_271025 | bool - - dconf_gnome_disable_automount_open | bool - - low_complexity | bool - - medium_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - unknown_strategy | bool - - name: Disable GNOME3 Automounting - automount-open - ini_file: + community.general.ini_file: dest: /etc/dconf/db/local.d/00-security-settings section: org/gnome/desktop/media-handling option: automount-open @@ -1040,7 +2074,7 @@ - unknown_strategy - name: Prevent user modification of GNOME3 Automounting - automount-open - lineinfile: + ansible.builtin.lineinfile: path: /etc/dconf/db/local.d/locks/00-security-settings-lock regexp: ^/org/gnome/desktop/media-handling/automount-open$ line: /org/gnome/desktop/media-handling/automount-open @@ -1073,7 +2107,7 @@ - unknown_strategy - name: Dconf Update - command: dconf update + ansible.builtin.command: dconf update when: - DISA_STIG_RHEL_09_271020 | bool - DISA_STIG_RHEL_09_271025 | bool 
@@ -1101,33 +2135,6 @@ - no_reboot_needed - unknown_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-90257-7 - - DISA-STIG-RHEL-09-271030 - - DISA-STIG-RHEL-09-271035 - - NIST-800-171-3.1.7 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - dconf_gnome_disable_autorun - - low_complexity - - low_severity - - medium_disruption - - no_reboot_needed - - unknown_strategy - when: - - DISA_STIG_RHEL_09_271030 | bool - - DISA_STIG_RHEL_09_271035 | bool - - dconf_gnome_disable_autorun | bool - - low_complexity | bool - - low_severity | bool - - medium_disruption | bool - - no_reboot_needed | bool - - unknown_strategy | bool - - name: Disable GNOME3 Automounting - autorun-never community.general.ini_file: dest: /etc/dconf/db/local.d/00-security-settings @@ -1162,7 +2169,7 @@ - unknown_strategy - name: Prevent user modification of GNOME3 Automounting - autorun-never - lineinfile: + ansible.builtin.lineinfile: path: /etc/dconf/db/local.d/locks/00-security-settings-lock regexp: ^/org/gnome/desktop/media-handling/autorun-never$ line: /org/gnome/desktop/media-handling/autorun-never @@ -1193,7 +2200,7 @@ - unknown_strategy - name: Dconf Update - command: dconf update + ansible.builtin.command: dconf update when: - DISA_STIG_RHEL_09_271030 | bool - DISA_STIG_RHEL_09_271035 | bool 
@@ -1219,34 +2226,6 @@ - no_reboot_needed - unknown_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-86510-5 - - CJIS-5.5.5 - - DISA-STIG-RHEL-09-271065 - - NIST-800-171-3.1.10 - - NIST-800-53-AC-11(a) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-8.1.8 - - PCI-DSSv4-8.2 - - PCI-DSSv4-8.2.8 - - dconf_gnome_screensaver_idle_delay - - low_complexity - - medium_disruption - - medium_severity - - no_reboot_needed - - unknown_strategy - when: - - DISA_STIG_RHEL_09_271065 | bool - - dconf_gnome_screensaver_idle_delay | bool - - low_complexity | bool - - medium_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - unknown_strategy | bool - - name: Set GNOME3 Screensaver Inactivity Timeout community.general.ini_file: dest: /etc/dconf/db/local.d/00-security-settings @@ -1282,7 +2261,7 @@ - unknown_strategy - name: Dconf Update - command: dconf update + ansible.builtin.command: dconf update when: - DISA_STIG_RHEL_09_271065 | bool - dconf_gnome_screensaver_idle_delay | bool @@ -1309,33 +2288,6 @@ - no_reboot_needed - unknown_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-86954-5 - - DISA-STIG-RHEL-09-271075 - - NIST-800-171-3.1.10 - - NIST-800-53-AC-11(a) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-8.1.8 - - PCI-DSSv4-8.2 - - PCI-DSSv4-8.2.8 - - dconf_gnome_screensaver_lock_delay - - low_complexity - - medium_disruption - - medium_severity - - no_reboot_needed - - unknown_strategy - when: - - DISA_STIG_RHEL_09_271075 | bool - - dconf_gnome_screensaver_lock_delay | bool - - low_complexity | bool - - medium_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - unknown_strategy | bool - - name: Set GNOME3 Screensaver Lock Delay After Activation Period community.general.ini_file: dest: /etc/dconf/db/local.d/00-security-settings 
@@ -1370,7 +2322,7 @@ - unknown_strategy - name: Dconf Update - command: dconf update + ansible.builtin.command: dconf update when: - DISA_STIG_RHEL_09_271075 | bool - dconf_gnome_screensaver_lock_delay | bool @@ -1396,31 +2348,8 @@ - no_reboot_needed - unknown_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-87491-7 - - DISA-STIG-RHEL-09-271080 - - NIST-800-171-3.1.10 - - NIST-800-53-CM-6(a) - - dconf_gnome_screensaver_user_locks - - low_complexity - - medium_disruption - - medium_severity - - no_reboot_needed - - unknown_strategy - when: - - DISA_STIG_RHEL_09_271080 | bool - - dconf_gnome_screensaver_user_locks | bool - - low_complexity | bool - - medium_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - unknown_strategy | bool - - name: Prevent user modification of GNOME lock-delay - lineinfile: + ansible.builtin.lineinfile: path: /etc/dconf/db/local.d/locks/00-security-settings-lock regexp: ^/org/gnome/desktop/screensaver/lock-delay$ line: /org/gnome/desktop/screensaver/lock-delay @@ -1447,7 +2376,7 @@ - unknown_strategy - name: Dconf Update - command: dconf update + ansible.builtin.command: dconf update when: - DISA_STIG_RHEL_09_271080 | bool - dconf_gnome_screensaver_user_locks | bool 
@@ -1469,34 +2398,8 @@ - no_reboot_needed - unknown_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-85971-0 - - DISA-STIG-RHEL-09-271070 - - NIST-800-171-3.1.10 - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-8.1.8 - - PCI-DSSv4-8.2 - - PCI-DSSv4-8.2.8 - - dconf_gnome_session_idle_user_locks - - low_complexity - - medium_disruption - - medium_severity - - no_reboot_needed - - unknown_strategy - when: - - DISA_STIG_RHEL_09_271070 | bool - - dconf_gnome_session_idle_user_locks | bool - - low_complexity | bool - - medium_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - unknown_strategy | bool - - name: Prevent user modification of GNOME Session idle-delay - lineinfile: + ansible.builtin.lineinfile: path: /etc/dconf/db/local.d/locks/00-security-settings-lock regexp: ^/org/gnome/desktop/session/idle-delay$ line: /org/gnome/desktop/session/idle-delay @@ -1526,7 +2429,7 @@ - unknown_strategy - name: Dconf Update - command: dconf update + ansible.builtin.command: dconf update when: - DISA_STIG_RHEL_09_271070 | bool - dconf_gnome_session_idle_user_locks | bool 
@@ -1551,80 +2454,8 @@ - no_reboot_needed - unknown_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83523-1 - - DISA-STIG-RHEL-09-432010 - - NIST-800-53-CM-6(a) - - PCI-DSSv4-2.2 - - PCI-DSSv4-2.2.6 - - enable_strategy - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - package_sudo_installed - when: - - DISA_STIG_RHEL_09_432010 | bool - - enable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - package_sudo_installed | bool - -- name: Ensure sudo is installed - package: - name: sudo - state: present - when: - - DISA_STIG_RHEL_09_432010 | bool - - enable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - package_sudo_installed | bool - - '"kernel" in ansible_facts.packages' - tags: - - CCE-83523-1 - - DISA-STIG-RHEL-09-432010 - - NIST-800-53-CM-6(a) - - PCI-DSSv4-2.2 - - PCI-DSSv4-2.2.6 - - enable_strategy - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - package_sudo_installed - -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83538-9 - - PCI-DSS-Req-10.2.5 - - PCI-DSSv4-2.2 - - PCI-DSSv4-2.2.6 - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - - sudo_add_use_pty - when: - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - sudo_add_use_pty | bool - - name: Ensure use_pty is enabled in /etc/sudoers - lineinfile: + ansible.builtin.lineinfile: path: /etc/sudoers regexp: ^[\s]*Defaults.*\buse_pty\b.*$ line: Defaults use_pty @@ -1636,6 +2467,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - sudo_add_use_pty | bool + - '"kernel" in ansible_facts.packages' - '"sudo" in ansible_facts.packages' tags: - CCE-83538-9 
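Review bot: The `/etc/sudoers` lineinfile in hunk `@@ -1551,80 +2454,8 @@` (`Ensure use_pty is enabled in /etc/sudoers`) shows `path`, `regexp` and `line` but no `validate:` within the hunk; if the full task lacks one, add `validate: /usr/sbin/visudo -cf %s` as the `Enable logfile option with appropriate value in /etc/sudoers` task later in this diff already does, because a write that leaves sudoers unparsable disables sudo for every user until it is repaired by hand. The same check applies to `Ensure logfile is enabled with the appropriate value in /etc/sudoers` in the later hunk `@@ -1649,30 +2481,8 @@`, whose `line: Defaults \1logfile={{ var_sudo_logfile }}\2` only substitutes the groups when `backrefs: true` is set, which is likewise not visible in that hunk. Both tasks extend beyond their hunks.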
@@ -1649,30 +2481,8 @@ - restrict_strategy - sudo_add_use_pty -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83527-2 - - PCI-DSS-Req-10.2.5 - - PCI-DSSv4-2.2 - - PCI-DSSv4-2.2.6 - - low_complexity - - low_disruption - - low_severity - - no_reboot_needed - - restrict_strategy - - sudo_custom_logfile - when: - - low_complexity | bool - - low_disruption | bool - - low_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - sudo_custom_logfile | bool - - name: Ensure logfile is enabled with the appropriate value in /etc/sudoers - lineinfile: + ansible.builtin.lineinfile: path: /etc/sudoers regexp: ^[\s]*Defaults\s(.*)\blogfile=[-]?.+\b(.*)$ line: Defaults \1logfile={{ var_sudo_logfile }}\2 @@ -1686,6 +2496,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - sudo_custom_logfile | bool + - '"kernel" in ansible_facts.packages' - '"sudo" in ansible_facts.packages' tags: - CCE-83527-2 @@ -1700,7 +2511,7 @@ - sudo_custom_logfile - name: Enable logfile option with appropriate value in /etc/sudoers - lineinfile: + ansible.builtin.lineinfile: path: /etc/sudoers line: Defaults logfile={{ var_sudo_logfile }} validate: /usr/sbin/visudo -cf %s @@ -1711,6 +2522,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - sudo_custom_logfile | bool + - '"kernel" in ansible_facts.packages' - '"sudo" in ansible_facts.packages' - edit_sudoers_logfile_option is defined and not edit_sudoers_logfile_option.changed tags: @@ -1730,6 +2542,14 @@ paths: - /etc/sudoers.d/ register: sudoers + when: + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - sudo_require_authentication | bool + - '"kernel" in ansible_facts.packages' tags: - CCE-83543-9 - NIST-800-53-CM-6(a) 
@@ -1742,13 +2562,6 @@
- no_reboot_needed
- restrict_strategy
- sudo_require_authentication
- when:
- - low_complexity | bool
- - low_disruption | bool
- - medium_severity | bool
- - no_reboot_needed | bool
- - restrict_strategy | bool
- - sudo_require_authentication | bool
- name: Remove lines containing NOPASSWD from sudoers files
ansible.builtin.replace:
@@ -1759,6 +2572,14 @@
with_items:
- path: /etc/sudoers
- '{{ sudoers.files }}'
+ when:
+ - low_complexity | bool
+ - low_disruption | bool
+ - medium_severity | bool
+ - no_reboot_needed | bool
+ - restrict_strategy | bool
+ - sudo_require_authentication | bool
+ - '"kernel" in ansible_facts.packages'
tags:
- CCE-83543-9
- NIST-800-53-CM-6(a)
@@ -1771,19 +2592,20 @@
- no_reboot_needed
- restrict_strategy
- sudo_require_authentication
- when:
- - low_complexity | bool
- - low_disruption | bool
- - medium_severity | bool
- - no_reboot_needed | bool
- - restrict_strategy | bool
- - sudo_require_authentication | bool
- name: Find /etc/sudoers.d/ files
ansible.builtin.find:
paths:
- /etc/sudoers.d/
register: sudoers
+ when:
+ - low_complexity | bool
+ - low_disruption | bool
+ - medium_severity | bool
+ - no_reboot_needed | bool
+ - restrict_strategy | bool
+ - sudo_require_authentication | bool
+ - '"kernel" in ansible_facts.packages'
tags:
- CCE-83543-9
- NIST-800-53-CM-6(a)
@@ -1796,13 +2618,6 @@
- no_reboot_needed
- restrict_strategy
- sudo_require_authentication
- when:
- - low_complexity | bool
- - low_disruption | bool
- - medium_severity | bool
- - no_reboot_needed | bool
- - restrict_strategy | bool
- - sudo_require_authentication | bool
- name: Remove lines containing !authenticate from sudoers files
ansible.builtin.replace:
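Review bot: In hunk `@@ -1759,6 +2572,14 @@` the `when:` moved onto `Remove lines containing NOPASSWD from sudoers files` does not protect the task when the `Find /etc/sudoers.d/ files` task before it is skipped, because Ansible renders `with_items` before it evaluates `when`, and a skipped registered result carries no `files` attribute, so `'{{ sudoers.files }}'` fails the play instead of skipping the task. Defaulting the loop source, `- '{{ sudoers.files | default([]) }}'`, keeps the skip path clean while leaving the normal path unchanged. The same applies to the `!authenticate` task in the later hunk `@@ -1813,6 +2628,14 @@`. Both replace tasks begin outside their hunks.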
@@ -1813,6 +2628,14 @@ with_items: - path: /etc/sudoers - '{{ sudoers.files }}' + when: + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - sudo_require_authentication | bool + - '"kernel" in ansible_facts.packages' tags: - CCE-83543-9 - NIST-800-53-CM-6(a) @@ -1825,37 +2648,6 @@ - no_reboot_needed - restrict_strategy - sudo_require_authentication - when: - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - sudo_require_authentication | bool - -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-90029-0 - - DISA-STIG-RHEL-09-432015 - - NIST-800-53-IA-11 - - PCI-DSSv4-2.2 - - PCI-DSSv4-2.2.6 - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - - sudo_require_reauthentication - when: - - DISA_STIG_RHEL_09_432015 | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - sudo_require_reauthentication | bool - name: Require Re-Authentication When Using the sudo Command - Find /etc/sudoers.d/* files containing 'Defaults timestamp_timeout' ansible.builtin.find: @@ -1871,6 +2663,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - sudo_require_reauthentication | bool + - '"kernel" in ansible_facts.packages' - '"sudo" in ansible_facts.packages' tags: - CCE-90029-0 @@ -1900,6 +2693,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - sudo_require_reauthentication | bool + - '"kernel" in ansible_facts.packages' - '"sudo" in ansible_facts.packages' tags: - CCE-90029-0 @@ -1930,6 +2724,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - sudo_require_reauthentication | bool + - '"kernel" in ansible_facts.packages' - '"sudo" in ansible_facts.packages' tags: - CCE-90029-0 
@@ -1957,6 +2752,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - sudo_require_reauthentication | bool + - '"kernel" in ansible_facts.packages' - '"sudo" in ansible_facts.packages' - 'edit_sudoers_timestamp_timeout_option is defined and not edit_sudoers_timestamp_timeout_option.changed @@ -1988,6 +2784,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - sudo_require_reauthentication | bool + - '"kernel" in ansible_facts.packages' - '"sudo" in ansible_facts.packages' tags: - CCE-90029-0 @@ -2002,41 +2799,6 @@ - restrict_strategy - sudo_require_reauthentication -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83457-2 - - CJIS-5.10.4.1 - - DISA-STIG-RHEL-09-214015 - - NIST-800-171-3.4.8 - - NIST-800-53-CM-11(a) - - NIST-800-53-CM-11(b) - - NIST-800-53-CM-5(3) - - NIST-800-53-CM-6(a) - - NIST-800-53-SA-12 - - NIST-800-53-SA-12(10) - - NIST-800-53-SC-12 - - NIST-800-53-SC-12(3) - - NIST-800-53-SI-7 - - PCI-DSS-Req-6.2 - - PCI-DSSv4-6.3 - - PCI-DSSv4-6.3.3 - - configure_strategy - - ensure_gpgcheck_globally_activated - - high_severity - - low_complexity - - medium_disruption - - no_reboot_needed - when: - - DISA_STIG_RHEL_09_214015 | bool - - configure_strategy | bool - - ensure_gpgcheck_globally_activated | bool - - high_severity | bool - - low_complexity | bool - - medium_disruption | bool - - no_reboot_needed | bool - - name: Ensure GPG check is globally activated community.general.ini_file: dest: /etc/dnf/dnf.conf 
@@ -2078,6 +2840,89 @@ - medium_disruption - no_reboot_needed +- name: Grep for dnf repo section names + ansible.builtin.shell: 'set -o pipefail + + grep -HEr ''^\[.+\]'' -r /etc/yum.repos.d/ + + ' + register: repo_grep_results + failed_when: repo_grep_results.rc not in [0, 1] + changed_when: false + tags: + - CCE-83464-8 + - CJIS-5.10.4.1 + - DISA-STIG-RHEL-09-214025 + - NIST-800-171-3.4.8 + - NIST-800-53-CM-11(a) + - NIST-800-53-CM-11(b) + - NIST-800-53-CM-5(3) + - NIST-800-53-CM-6(a) + - NIST-800-53-SA-12 + - NIST-800-53-SA-12(10) + - NIST-800-53-SC-12 + - NIST-800-53-SC-12(3) + - NIST-800-53-SI-7 + - PCI-DSS-Req-6.2 + - PCI-DSSv4-6.3 + - PCI-DSSv4-6.3.3 + - enable_strategy + - ensure_gpgcheck_never_disabled + - high_severity + - low_complexity + - medium_disruption + - no_reboot_needed + when: + - DISA_STIG_RHEL_09_214025 | bool + - enable_strategy | bool + - ensure_gpgcheck_never_disabled | bool + - high_severity | bool + - low_complexity | bool + - medium_disruption | bool + - no_reboot_needed | bool + +- name: Set gpgcheck=1 for each dnf repo + community.general.ini_file: + path: '{{ item[0] }}' + section: '{{ item[1] }}' + option: gpgcheck + value: '1' + no_extra_spaces: true + loop: '{{ repo_grep_results.stdout |regex_findall( ''(.+\.repo):\[(.+)\]\n?'' ) if repo_grep_results is not skipped else + [] }}' + when: + - DISA_STIG_RHEL_09_214025 | bool + - enable_strategy | bool + - ensure_gpgcheck_never_disabled | bool + - high_severity | bool + - low_complexity | bool + - medium_disruption | bool + - no_reboot_needed | bool + - repo_grep_results is not skipped + tags: + - CCE-83464-8 + - CJIS-5.10.4.1 + - DISA-STIG-RHEL-09-214025 + - NIST-800-171-3.4.8 + - NIST-800-53-CM-11(a) + - NIST-800-53-CM-11(b) + - NIST-800-53-CM-5(3) + - NIST-800-53-CM-6(a) + - NIST-800-53-SA-12 + - NIST-800-53-SA-12(10) + - NIST-800-53-SC-12 + - NIST-800-53-SC-12(3) + - NIST-800-53-SI-7 + - PCI-DSS-Req-6.2 + - PCI-DSSv4-6.3 + - PCI-DSSv4-6.3.3 + - enable_strategy + - 
ensure_gpgcheck_never_disabled + - high_severity + - low_complexity + - medium_disruption + - no_reboot_needed + - name: Enable authselect - Check Current authselect Profile ansible.builtin.command: cmd: authselect current @@ -2217,25 +3062,6 @@ - medium_severity - no_reboot_needed -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-86142-7 - - banner_etc_issue_cis - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - when: - - banner_etc_issue_cis | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - name: Ensure Local Login Warning Banner Is Configured Properly - Copy using inline content ansible.builtin.copy: content: '{{ cis_banner_text }}' @@ -2257,25 +3083,6 @@ - no_reboot_needed - restrict_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-86143-5 - - banner_etc_issue_net_cis - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - when: - - banner_etc_issue_net_cis | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - name: Ensure Remote Login Warning Banner Is Configured Properly - Copy using inline content ansible.builtin.copy: content: '{{ cis_banner_text }}' 
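Review bot: The new `Grep for dnf repo section names` task sets `changed_when: false` but not `check_mode: false`, so under `--check` the shell step is skipped, `repo_grep_results is skipped` becomes true, the loop collapses to `[]`, and a dry run reports every repository as compliant even where a real run would write `gpgcheck=1` — the opposite of what an audit pass wants. Adding `check_mode: false` beside `changed_when: false`, as this commit does for the read-only `authselect` commands further down, makes the dry run list the repos that would change. Two smaller things in the same task: `set -o pipefail` guards a pipeline that is not there, and `-r` is passed twice; neither hurts, both read as leftovers. A comment on the ini_file task that a repo with `gpgcheck=1` and no `gpgkey=` fails closed on the next install would save an operator a surprise, since that is the intended outcome rather than a bug.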
@@ -2297,25 +3104,6 @@ - no_reboot_needed - restrict_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-86141-9 - - banner_etc_motd_cis - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - when: - - banner_etc_motd_cis | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - name: Ensure Message Of The Day Is Configured Properly - Copy using inline content ansible.builtin.copy: content: '{{ cis_banner_text }}' @@ -2338,7 +3126,7 @@ - restrict_strategy - name: Set the file_groupowner_etc_issue_newgroup variable if represented by gid - set_fact: + ansible.builtin.set_fact: file_groupowner_etc_issue_newgroup: '0' tags: - CCE-86699-6 @@ -2357,7 +3145,7 @@ - no_reboot_needed | bool - name: Test for existence /etc/issue - stat: + ansible.builtin.stat: path: /etc/issue register: file_exists tags: @@ -2377,8 +3165,9 @@ - no_reboot_needed | bool - name: Ensure group owner on /etc/issue - file: + ansible.builtin.file: path: /etc/issue + follow: false group: '{{ file_groupowner_etc_issue_newgroup }}' when: - configure_strategy | bool @@ -2398,7 +3187,7 @@ - no_reboot_needed - name: Set the file_groupowner_etc_issue_net_newgroup variable if represented by gid - set_fact: + ansible.builtin.set_fact: file_groupowner_etc_issue_net_newgroup: '0' tags: - CCE-86052-8 @@ -2419,7 +3208,7 @@ - no_reboot_needed | bool - name: Test for existence /etc/issue.net - stat: + ansible.builtin.stat: path: /etc/issue.net register: file_exists tags: @@ -2441,8 +3230,9 @@ - no_reboot_needed | bool - name: Ensure group owner on /etc/issue.net - file: + ansible.builtin.file: path: /etc/issue.net + follow: false group: '{{ file_groupowner_etc_issue_net_newgroup }}' when: - configure_strategy | bool 
@@ -2464,7 +3254,7 @@ - no_reboot_needed - name: Set the file_groupowner_etc_motd_newgroup variable if represented by gid - set_fact: + ansible.builtin.set_fact: file_groupowner_etc_motd_newgroup: '0' tags: - CCE-86697-0 @@ -2483,7 +3273,7 @@ - no_reboot_needed | bool - name: Test for existence /etc/motd - stat: + ansible.builtin.stat: path: /etc/motd register: file_exists tags: @@ -2503,8 +3293,9 @@ - no_reboot_needed | bool - name: Ensure group owner on /etc/motd - file: + ansible.builtin.file: path: /etc/motd + follow: false group: '{{ file_groupowner_etc_motd_newgroup }}' when: - configure_strategy | bool @@ -2524,7 +3315,7 @@ - no_reboot_needed - name: Set the file_owner_etc_issue_newown variable if represented by uid - set_fact: + ansible.builtin.set_fact: file_owner_etc_issue_newown: '0' tags: - CCE-86700-2 @@ -2543,7 +3334,7 @@ - no_reboot_needed | bool - name: Test for existence /etc/issue - stat: + ansible.builtin.stat: path: /etc/issue register: file_exists tags: @@ -2563,8 +3354,9 @@ - no_reboot_needed | bool - name: Ensure owner on /etc/issue - file: + ansible.builtin.file: path: /etc/issue + follow: false owner: '{{ file_owner_etc_issue_newown }}' when: - configure_strategy | bool @@ -2584,7 +3376,7 @@ - no_reboot_needed - name: Set the file_owner_etc_issue_net_newown variable if represented by uid - set_fact: + ansible.builtin.set_fact: file_owner_etc_issue_net_newown: '0' tags: - CCE-86057-7 @@ -2605,7 +3397,7 @@ - no_reboot_needed | bool - name: Test for existence /etc/issue.net - stat: + ansible.builtin.stat: path: /etc/issue.net register: file_exists tags: @@ -2627,8 +3419,9 @@ - no_reboot_needed | bool - name: Ensure owner on /etc/issue.net - file: + ansible.builtin.file: path: /etc/issue.net + follow: false owner: '{{ file_owner_etc_issue_net_newown }}' when: - configure_strategy | bool 
@@ -2650,7 +3443,7 @@ - no_reboot_needed - name: Set the file_owner_etc_motd_newown variable if represented by uid - set_fact: + ansible.builtin.set_fact: file_owner_etc_motd_newown: '0' tags: - CCE-86698-8 @@ -2669,7 +3462,7 @@ - no_reboot_needed | bool - name: Test for existence /etc/motd - stat: + ansible.builtin.stat: path: /etc/motd register: file_exists tags: @@ -2689,8 +3482,9 @@ - no_reboot_needed | bool - name: Ensure owner on /etc/motd - file: + ansible.builtin.file: path: /etc/motd + follow: false owner: '{{ file_owner_etc_motd_newown }}' when: - configure_strategy | bool @@ -2710,7 +3504,7 @@ - no_reboot_needed - name: Test for existence /etc/issue - stat: + ansible.builtin.stat: path: /etc/issue register: file_exists tags: @@ -2730,7 +3524,7 @@ - no_reboot_needed | bool - name: Ensure permission u-xs,g-xws,o-xwt on /etc/issue - file: + ansible.builtin.file: path: /etc/issue mode: u-xs,g-xws,o-xwt when: @@ -2751,7 +3545,7 @@ - no_reboot_needed - name: Test for existence /etc/issue.net - stat: + ansible.builtin.stat: path: /etc/issue.net register: file_exists tags: @@ -2773,7 +3567,7 @@ - no_reboot_needed | bool - name: Ensure permission u-xs,g-xws,o-xwt on /etc/issue.net - file: + ansible.builtin.file: path: /etc/issue.net mode: u-xs,g-xws,o-xwt when: @@ -2796,7 +3590,7 @@ - no_reboot_needed - name: Test for existence /etc/motd - stat: + ansible.builtin.stat: path: /etc/motd register: file_exists tags: @@ -2816,7 +3610,7 @@ - no_reboot_needed | bool - name: Ensure permission u-xs,g-xws,o-xwt on /etc/motd - file: + ansible.builtin.file: path: /etc/motd mode: u-xs,g-xws,o-xwt when: 
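Review bot: The three `Ensure permission u-xs,g-xws,o-xwt` tasks (hunks at -2730, -2773, -2816) only get the FQCN rename, while the owner and group tasks for the same files gain `follow: false` in this commit. If any of `/etc/issue`, `/etc/issue.net` or `/etc/motd` is a symlink, the ownership tasks now act on the link itself while the mode tasks still follow it to the target, so the rule's tasks no longer touch the same inode, and the target's ownership is left as it was; whether a scanner that follows the link then still flags the file is worth confirming against the corresponding check. Either add `follow: false` to the mode tasks for consistency (noting that Linux cannot set a mode on a symlink, so the task becomes a no-op there), or leave a comment on the ownership tasks saying why the link rather than the target is what is meant to be hardened.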
@@ -2836,33 +3630,6 @@ - medium_severity - no_reboot_needed -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-87599-7 - - DISA-STIG-RHEL-09-271010 - - DISA-STIG-RHEL-09-271015 - - NIST-800-171-3.1.9 - - NIST-800-53-AC-8(a) - - NIST-800-53-AC-8(b) - - NIST-800-53-AC-8(c) - - dconf_gnome_banner_enabled - - low_complexity - - medium_disruption - - medium_severity - - no_reboot_needed - - unknown_strategy - when: - - DISA_STIG_RHEL_09_271010 | bool - - DISA_STIG_RHEL_09_271015 | bool - - dconf_gnome_banner_enabled | bool - - low_complexity | bool - - medium_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - unknown_strategy | bool - - name: Enable GNOME3 Login Warning Banner community.general.ini_file: dest: /etc/dconf/db/distro.d/00-security-settings @@ -2897,7 +3664,7 @@ - unknown_strategy - name: Prevent user modification of GNOME banner-message-enabled - lineinfile: + ansible.builtin.lineinfile: path: /etc/dconf/db/distro.d/locks/00-security-settings-lock regexp: ^/org/gnome/login-screen/banner-message-enable$ line: /org/gnome/login-screen/banner-message-enable @@ -2928,7 +3695,7 @@ - unknown_strategy - name: Dconf Update - command: dconf update + ansible.builtin.command: dconf update when: - DISA_STIG_RHEL_09_271010 | bool - DISA_STIG_RHEL_09_271015 | bool 
@@ -2954,32 +3721,8 @@ - no_reboot_needed - unknown_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-86529-5 - - DISA-STIG-RHEL-09-171011 - - NIST-800-171-3.1.9 - - NIST-800-53-AC-8(a) - - NIST-800-53-AC-8(c) - - dconf_gnome_login_banner_text - - low_complexity - - medium_disruption - - medium_severity - - no_reboot_needed - - unknown_strategy - when: - - DISA_STIG_RHEL_09_171011 | bool - - dconf_gnome_login_banner_text | bool - - low_complexity | bool - - medium_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - unknown_strategy | bool - - name: Set the GNOME3 Login Warning Banner Text - file: + ansible.builtin.file: path: /etc/dconf/db/{{ item }} owner: root group: root @@ -3011,7 +3754,7 @@ - unknown_strategy - name: Set the GNOME3 Login Warning Banner Text - file: + ansible.builtin.file: path: /etc/dconf/db/distro.d/{{ item }} owner: root group: root @@ -3075,7 +3818,7 @@ - unknown_strategy - name: Prevent user modification of the GNOME3 Login Warning Banner Text - lineinfile: + ansible.builtin.lineinfile: path: /etc/dconf/db/distro.d/locks/00-security-settings-lock regexp: ^/org/gnome/login-screen/banner-message-text$ line: /org/gnome/login-screen/banner-message-text @@ -3104,7 +3847,7 @@ - unknown_strategy - name: Dconf Update - command: dconf update + ansible.builtin.command: dconf update when: - DISA_STIG_RHEL_09_171011 | bool - dconf_gnome_login_banner_text | bool 
@@ -3127,46 +3870,6 @@ - no_reboot_needed - unknown_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-86226-8 - - enable_strategy - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - package_pam_pwquality_installed - when: - - enable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - package_pam_pwquality_installed | bool - -- name: Ensure libpwquality is installed - package: - name: libpwquality - state: present - when: - - enable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - package_pam_pwquality_installed | bool - - '"pam" in ansible_facts.packages' - tags: - - CCE-86226-8 - - enable_strategy - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - package_pam_pwquality_installed - - name: Configure the Use of the pam_faillock.so Module in the /etc/pam.d/password-auth File. - Check if system relies on authselect tool ansible.builtin.stat: @@ -3200,12 +3903,13 @@ cmd: authselect check register: result_authselect_check_cmd changed_when: false + check_mode: false failed_when: false - name: Configure the Use of the pam_faillock.so Module in the /etc/pam.d/password-auth File. - Informative message based on the authselect integrity check result ansible.builtin.assert: that: - - result_authselect_check_cmd.rc == 0 + - ansible_check_mode or result_authselect_check_cmd.rc == 0 fail_msg: - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is not 
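Review bot: With `check_mode: false` now on the `authselect check` command, `result_authselect_check_cmd.rc` is populated in dry runs as well, so the `ansible_check_mode or` prefix added to the assert is not needed to avoid an undefined value; what it does instead is let a failing integrity check pass silently under `--check`, so the dry run proceeds into the `with-faillock` steps while a real run would abort with the fail_msg. If the intent is that check mode cannot see a profile an earlier, skipped task would have selected, say so on that line (`# check mode: earlier profile-selecting tasks have not run, so a failing rc may be stale`) and surface the condition rather than hide it, for instance a debug task printing the same fail_msg `when: ansible_check_mode and result_authselect_check_cmd.rc != 0` placed just before the assert. The same edit recurs for every authselect-based rule later in this diff and looks template-generated, so the fix belongs in the template. The assert task's fail_msg continues outside the hunk.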
@@ -3219,6 +3923,7 @@ cmd: authselect current | tail -n+3 | awk '{ print $2 }' register: result_authselect_features changed_when: false + check_mode: false when: - result_authselect_check_cmd is success - name: Configure the Use of the pam_faillock.so Module in the /etc/pam.d/password-auth File. - Ensure "with-faillock" feature @@ -3357,12 +4062,13 @@ cmd: authselect check register: result_authselect_check_cmd changed_when: false + check_mode: false failed_when: false - name: Configure the Use of the pam_faillock.so Module in the /etc/pam.d/system-auth File. - Informative message based on the authselect integrity check result ansible.builtin.assert: that: - - result_authselect_check_cmd.rc == 0 + - ansible_check_mode or result_authselect_check_cmd.rc == 0 fail_msg: - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is not @@ -3376,6 +4082,7 @@ cmd: authselect current | tail -n+3 | awk '{ print $2 }' register: result_authselect_features changed_when: false + check_mode: false when: - result_authselect_check_cmd is success - name: Configure the Use of the pam_faillock.so Module in the /etc/pam.d/system-auth File. - Ensure "with-faillock" feature 
@@ -3481,32 +4188,6 @@ - medium_severity - no_reboot_needed -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-86354-8 - - CJIS-5.6.2.1.1 - - NIST-800-171-3.5.8 - - NIST-800-53-IA-5(1)(e) - - NIST-800-53-IA-5(f) - - PCI-DSS-Req-8.2.5 - - PCI-DSSv4-8.3 - - PCI-DSSv4-8.3.7 - - accounts_password_pam_pwhistory_remember_password_auth - - configure_strategy - - low_complexity - - medium_disruption - - medium_severity - - no_reboot_needed - when: - - accounts_password_pam_pwhistory_remember_password_auth | bool - - configure_strategy | bool - - low_complexity | bool - - medium_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - name: 'Limit Password Reuse: password-auth - Check if system relies on authselect tool' ansible.builtin.stat: path: /usr/bin/authselect @@ -3540,6 +4221,7 @@ cmd: authselect list-features sssd register: result_authselect_available_features changed_when: false + check_mode: false when: - accounts_password_pam_pwhistory_remember_password_auth | bool - configure_strategy | bool @@ -3572,11 +4254,12 @@ cmd: authselect check register: result_authselect_check_cmd changed_when: false + check_mode: false failed_when: false - name: 'Limit Password Reuse: password-auth - Informative message based on the authselect integrity check result' ansible.builtin.assert: that: - - result_authselect_check_cmd.rc == 0 + - ansible_check_mode or result_authselect_check_cmd.rc == 0 fail_msg: - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is not @@ -3590,6 +4273,7 @@ cmd: authselect current | tail -n+3 | awk '{ print $2 }' register: result_authselect_features changed_when: false + check_mode: false when: - result_authselect_check_cmd is success - name: 'Limit Password Reuse: password-auth - Ensure "with-pwhistory" feature is enabled using authselect tool' 
@@ -3647,11 +4331,12 @@ cmd: authselect check register: result_authselect_check_cmd changed_when: false + check_mode: false failed_when: false - name: 'Limit Password Reuse: password-auth - Informative message based on the authselect integrity check result' ansible.builtin.assert: that: - - result_authselect_check_cmd.rc == 0 + - ansible_check_mode or result_authselect_check_cmd.rc == 0 fail_msg: - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is @@ -3686,6 +4371,7 @@ cmd: authselect current | tail -n+3 | awk '{ print $2 }' register: result_authselect_features changed_when: false + check_mode: false when: - result_authselect_profile is not skipped - authselect_current_profile is not match("custom/") @@ -3695,11 +4381,13 @@ register: result_authselect_custom_profile_present changed_when: false when: + - result_authselect_profile is not skipped - authselect_current_profile is not match("custom/") - name: 'Limit Password Reuse: password-auth - Create an authselect custom profile based on the current profile' ansible.builtin.command: cmd: authselect create-profile hardening -b {{ authselect_current_profile }} when: + - result_authselect_profile is not skipped - result_authselect_check_cmd is success - authselect_current_profile is not match("^(custom/|local)") - not result_authselect_custom_profile_present.stat.exists @@ -3707,6 +4395,7 @@ ansible.builtin.command: cmd: authselect create-profile hardening -b sssd when: + - result_authselect_profile is not skipped - result_authselect_check_cmd is success - authselect_current_profile is match("local") - not result_authselect_custom_profile_present.stat.exists 
@@ -3746,6 +4435,8 @@ - name: 'Limit Password Reuse: password-auth - Change the PAM file to be edited according to the custom authselect profile' ansible.builtin.set_fact: pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path | basename }} + when: + - authselect_custom_profile is defined when: - result_authselect_present.stat.exists - name: 'Limit Password Reuse: password-auth - Define a fact for control already filtered in case filters are used' @@ -3885,11 +4576,12 @@ cmd: authselect check register: result_authselect_check_cmd changed_when: false + check_mode: false failed_when: false - name: 'Limit Password Reuse: password-auth - Informative message based on the authselect integrity check result' ansible.builtin.assert: that: - - result_authselect_check_cmd.rc == 0 + - ansible_check_mode or result_authselect_check_cmd.rc == 0 fail_msg: - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile @@ -3925,6 +4617,7 @@ cmd: authselect current | tail -n+3 | awk '{ print $2 }' register: result_authselect_features changed_when: false + check_mode: false when: - result_authselect_profile is not skipped - authselect_current_profile is not match("custom/") @@ -3934,11 +4627,13 @@ register: result_authselect_custom_profile_present changed_when: false when: + - result_authselect_profile is not skipped - authselect_current_profile is not match("custom/") - name: 'Limit Password Reuse: password-auth - Create an authselect custom profile based on the current profile' ansible.builtin.command: cmd: authselect create-profile hardening -b {{ authselect_current_profile }} when: + - result_authselect_profile is not skipped - result_authselect_check_cmd is success - authselect_current_profile is not match("^(custom/|local)") - not result_authselect_custom_profile_present.stat.exists 
@@ -3946,6 +4641,7 @@ ansible.builtin.command: cmd: authselect create-profile hardening -b sssd when: + - result_authselect_profile is not skipped - result_authselect_check_cmd is success - authselect_current_profile is match("local") - not result_authselect_custom_profile_present.stat.exists @@ -3986,11 +4682,17 @@ profile' ansible.builtin.set_fact: pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path | basename }} + when: + - authselect_custom_profile is defined when: - result_authselect_present.stat.exists - name: 'Limit Password Reuse: password-auth - Define a fact for control already filtered in case filters are used' ansible.builtin.set_fact: pam_module_control: '' + - name: 'Limit Password Reuse: password-auth - Check if {{ pam_file_path }} file is present' + ansible.builtin.stat: + path: '{{ pam_file_path }}' + register: result_pam_file_present - name: 'Limit Password Reuse: password-auth - Ensure the "remember" option from "pam_pwhistory.so" is not present in {{ pam_file_path }}' ansible.builtin.replace: @@ -3998,6 +4700,7 @@ regexp: (.*password.*pam_pwhistory.so.*)\bremember\b=?[0-9a-zA-Z]*(.*) replace: \1\2 register: result_pam_option_removal + when: result_pam_file_present.stat.exists - name: 'Limit Password Reuse: password-auth - Ensure authselect changes are applied' ansible.builtin.command: cmd: authselect apply-changes -b @@ -4047,11 +4750,12 @@ cmd: authselect check register: result_authselect_check_cmd changed_when: false + check_mode: false failed_when: false - name: 'Limit Password Reuse: password-auth - Informative message based on the authselect integrity check result' ansible.builtin.assert: that: - - result_authselect_check_cmd.rc == 0 + - ansible_check_mode or result_authselect_check_cmd.rc == 0 fail_msg: - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is 
@@ -4086,6 +4790,7 @@ cmd: authselect current | tail -n+3 | awk '{ print $2 }' register: result_authselect_features changed_when: false + check_mode: false when: - result_authselect_profile is not skipped - authselect_current_profile is not match("custom/") @@ -4095,11 +4800,13 @@ register: result_authselect_custom_profile_present changed_when: false when: + - result_authselect_profile is not skipped - authselect_current_profile is not match("custom/") - name: 'Limit Password Reuse: password-auth - Create an authselect custom profile based on the current profile' ansible.builtin.command: cmd: authselect create-profile hardening -b {{ authselect_current_profile }} when: + - result_authselect_profile is not skipped - result_authselect_check_cmd is success - authselect_current_profile is not match("^(custom/|local)") - not result_authselect_custom_profile_present.stat.exists @@ -4107,6 +4814,7 @@ ansible.builtin.command: cmd: authselect create-profile hardening -b sssd when: + - result_authselect_profile is not skipped - result_authselect_check_cmd is success - authselect_current_profile is match("local") - not result_authselect_custom_profile_present.stat.exists @@ -4146,6 +4854,8 @@ - name: 'Limit Password Reuse: password-auth - Change the PAM file to be edited according to the custom authselect profile' ansible.builtin.set_fact: pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path | basename }} + when: + - authselect_custom_profile is defined when: - result_authselect_present.stat.exists - name: 'Limit Password Reuse: password-auth - Define a fact for control already filtered in case filters are used' 
@@ -4218,6 +4928,7 @@ state: present register: result_pam_accounts_password_pam_pwhistory_remember_password_auth_add when: + - result_pam_module_accounts_password_pam_pwhistory_remember_password_auth_option_present.found is defined - result_pam_module_accounts_password_pam_pwhistory_remember_password_auth_option_present.found == 0 - name: 'Limit Password Reuse: password-auth - Ensure the required value for "remember" PAM option from "pam_pwhistory.so" in {{ pam_file_path }}' @@ -4261,32 +4972,6 @@ - medium_severity - no_reboot_needed -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-89176-2 - - CJIS-5.6.2.1.1 - - NIST-800-171-3.5.8 - - NIST-800-53-IA-5(1)(e) - - NIST-800-53-IA-5(f) - - PCI-DSS-Req-8.2.5 - - PCI-DSSv4-8.3 - - PCI-DSSv4-8.3.7 - - accounts_password_pam_pwhistory_remember_system_auth - - configure_strategy - - low_complexity - - medium_disruption - - medium_severity - - no_reboot_needed - when: - - accounts_password_pam_pwhistory_remember_system_auth | bool - - configure_strategy | bool - - low_complexity | bool - - medium_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - name: 'Limit Password Reuse: system-auth - Check if system relies on authselect tool' ansible.builtin.stat: path: /usr/bin/authselect @@ -4320,6 +5005,7 @@ cmd: authselect list-features sssd register: result_authselect_available_features changed_when: false + check_mode: false when: - accounts_password_pam_pwhistory_remember_system_auth | bool - configure_strategy | bool 
@@ -4352,11 +5038,12 @@ cmd: authselect check register: result_authselect_check_cmd changed_when: false + check_mode: false failed_when: false - name: 'Limit Password Reuse: system-auth - Informative message based on the authselect integrity check result' ansible.builtin.assert: that: - - result_authselect_check_cmd.rc == 0 + - ansible_check_mode or result_authselect_check_cmd.rc == 0 fail_msg: - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is not @@ -4370,6 +5057,7 @@ cmd: authselect current | tail -n+3 | awk '{ print $2 }' register: result_authselect_features changed_when: false + check_mode: false when: - result_authselect_check_cmd is success - name: 'Limit Password Reuse: system-auth - Ensure "with-pwhistory" feature is enabled using authselect tool' @@ -4427,11 +5115,12 @@ cmd: authselect check register: result_authselect_check_cmd changed_when: false + check_mode: false failed_when: false - name: 'Limit Password Reuse: system-auth - Informative message based on the authselect integrity check result' ansible.builtin.assert: that: - - result_authselect_check_cmd.rc == 0 + - ansible_check_mode or result_authselect_check_cmd.rc == 0 fail_msg: - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is @@ -4466,6 +5155,7 @@ cmd: authselect current | tail -n+3 | awk '{ print $2 }' register: result_authselect_features changed_when: false + check_mode: false when: - result_authselect_profile is not skipped - authselect_current_profile is not match("custom/") 
@@ -4475,11 +5165,13 @@ register: result_authselect_custom_profile_present changed_when: false when: + - result_authselect_profile is not skipped - authselect_current_profile is not match("custom/") - name: 'Limit Password Reuse: system-auth - Create an authselect custom profile based on the current profile' ansible.builtin.command: cmd: authselect create-profile hardening -b {{ authselect_current_profile }} when: + - result_authselect_profile is not skipped - result_authselect_check_cmd is success - authselect_current_profile is not match("^(custom/|local)") - not result_authselect_custom_profile_present.stat.exists @@ -4487,6 +5179,7 @@ ansible.builtin.command: cmd: authselect create-profile hardening -b sssd when: + - result_authselect_profile is not skipped - result_authselect_check_cmd is success - authselect_current_profile is match("local") - not result_authselect_custom_profile_present.stat.exists @@ -4526,6 +5219,8 @@ - name: 'Limit Password Reuse: system-auth - Change the PAM file to be edited according to the custom authselect profile' ansible.builtin.set_fact: pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path | basename }} + when: + - authselect_custom_profile is defined when: - result_authselect_present.stat.exists - name: 'Limit Password Reuse: system-auth - Define a fact for control already filtered in case filters are used' @@ -4664,11 +5359,12 @@ cmd: authselect check register: result_authselect_check_cmd changed_when: false + check_mode: false failed_when: false - name: 'Limit Password Reuse: system-auth - Informative message based on the authselect integrity check result' ansible.builtin.assert: that: - - result_authselect_check_cmd.rc == 0 + - ansible_check_mode or result_authselect_check_cmd.rc == 0 fail_msg: - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile 
@@ -4704,6 +5400,7 @@ cmd: authselect current | tail -n+3 | awk '{ print $2 }' register: result_authselect_features changed_when: false + check_mode: false when: - result_authselect_profile is not skipped - authselect_current_profile is not match("custom/") @@ -4713,11 +5410,13 @@ register: result_authselect_custom_profile_present changed_when: false when: + - result_authselect_profile is not skipped - authselect_current_profile is not match("custom/") - name: 'Limit Password Reuse: system-auth - Create an authselect custom profile based on the current profile' ansible.builtin.command: cmd: authselect create-profile hardening -b {{ authselect_current_profile }} when: + - result_authselect_profile is not skipped - result_authselect_check_cmd is success - authselect_current_profile is not match("^(custom/|local)") - not result_authselect_custom_profile_present.stat.exists @@ -4725,6 +5424,7 @@ ansible.builtin.command: cmd: authselect create-profile hardening -b sssd when: + - result_authselect_profile is not skipped - result_authselect_check_cmd is success - authselect_current_profile is match("local") - not result_authselect_custom_profile_present.stat.exists 
@@ -4764,11 +5464,17 @@ - name: 'Limit Password Reuse: system-auth - Change the PAM file to be edited according to the custom authselect profile' ansible.builtin.set_fact: pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path | basename }} + when: + - authselect_custom_profile is defined when: - result_authselect_present.stat.exists - name: 'Limit Password Reuse: system-auth - Define a fact for control already filtered in case filters are used' ansible.builtin.set_fact: pam_module_control: '' + - name: 'Limit Password Reuse: system-auth - Check if {{ pam_file_path }} file is present' + ansible.builtin.stat: + path: '{{ pam_file_path }}' + register: result_pam_file_present - name: 'Limit Password Reuse: system-auth - Ensure the "remember" option from "pam_pwhistory.so" is not present in {{ pam_file_path }}' ansible.builtin.replace: @@ -4776,6 +5482,7 @@ regexp: (.*password.*pam_pwhistory.so.*)\bremember\b=?[0-9a-zA-Z]*(.*) replace: \1\2 register: result_pam_option_removal + when: result_pam_file_present.stat.exists - name: 'Limit Password Reuse: system-auth - Ensure authselect changes are applied' ansible.builtin.command: cmd: authselect apply-changes -b @@ -4825,11 +5532,12 @@ cmd: authselect check register: result_authselect_check_cmd changed_when: false + check_mode: false failed_when: false - name: 'Limit Password Reuse: system-auth - Informative message based on the authselect integrity check result' ansible.builtin.assert: that: - - result_authselect_check_cmd.rc == 0 + - ansible_check_mode or result_authselect_check_cmd.rc == 0 fail_msg: - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is 
@@ -4864,6 +5572,7 @@ cmd: authselect current | tail -n+3 | awk '{ print $2 }' register: result_authselect_features changed_when: false + check_mode: false when: - result_authselect_profile is not skipped - authselect_current_profile is not match("custom/") @@ -4873,11 +5582,13 @@ register: result_authselect_custom_profile_present changed_when: false when: + - result_authselect_profile is not skipped - authselect_current_profile is not match("custom/") - name: 'Limit Password Reuse: system-auth - Create an authselect custom profile based on the current profile' ansible.builtin.command: cmd: authselect create-profile hardening -b {{ authselect_current_profile }} when: + - result_authselect_profile is not skipped - result_authselect_check_cmd is success - authselect_current_profile is not match("^(custom/|local)") - not result_authselect_custom_profile_present.stat.exists @@ -4885,6 +5596,7 @@ ansible.builtin.command: cmd: authselect create-profile hardening -b sssd when: + - result_authselect_profile is not skipped - result_authselect_check_cmd is success - authselect_current_profile is match("local") - not result_authselect_custom_profile_present.stat.exists @@ -4924,6 +5636,8 @@ - name: 'Limit Password Reuse: system-auth - Change the PAM file to be edited according to the custom authselect profile' ansible.builtin.set_fact: pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path | basename }} + when: + - authselect_custom_profile is defined when: - result_authselect_present.stat.exists - name: 'Limit Password Reuse: system-auth - Define a fact for control already filtered in case filters are used' 
@@ -4996,6 +5710,7 @@ state: present register: result_pam_accounts_password_pam_pwhistory_remember_system_auth_add when: + - result_pam_module_accounts_password_pam_pwhistory_remember_system_auth_option_present.found is defined - result_pam_module_accounts_password_pam_pwhistory_remember_system_auth_option_present.found == 0 - name: 'Limit Password Reuse: system-auth - Ensure the required value for "remember" PAM option from "pam_pwhistory.so" in {{ pam_file_path }}' @@ -5039,34 +5754,6 @@ - medium_severity - no_reboot_needed -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83587-6 - - CJIS-5.5.3 - - DISA-STIG-RHEL-09-411075 - - NIST-800-171-3.1.8 - - NIST-800-53-AC-7(a) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-8.1.6 - - PCI-DSSv4-8.3 - - PCI-DSSv4-8.3.4 - - accounts_passwords_pam_faillock_deny - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - when: - - DISA_STIG_RHEL_09_411075 | bool - - accounts_passwords_pam_faillock_deny | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - name: Lock Accounts After Failed Password Attempts - Check if system relies on authselect tool ansible.builtin.stat: path: /usr/bin/authselect @@ -5104,11 +5791,12 @@ cmd: authselect check register: result_authselect_check_cmd changed_when: false + check_mode: false failed_when: false - name: Lock Accounts After Failed Password Attempts - Informative message based on the authselect integrity check result ansible.builtin.assert: that: - - result_authselect_check_cmd.rc == 0 + - ansible_check_mode or result_authselect_check_cmd.rc == 0 fail_msg: - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is not 
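Review bot: the new `result_pam_module_accounts_password_pam_pwhistory_remember_system_auth_option_present.found is defined` guard turns an undefined-result error into a silent skip of the task that adds the required `remember` option, so any run in which the preceding search task was skipped ends with the control unenforced and nothing reported. If the only intended case is "the PAM file is absent", gating on the fact that expresses that, `- result_pam_file_present.stat.exists` (registered by the `Check if {{ pam_file_path }} file is present` stat task added earlier in this section), documents the reason and still fails loudly on an unexpected skip; this is inferred from the task names visible here, so confirm that stat task precedes this one at the same level. The same `is defined` guard is added in hunk @@ -7998 for the password-auth hashing-algorithm section. The enclosing task starts outside this hunk.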
@@ -5122,6 +5810,7 @@ cmd: authselect current | tail -n+3 | awk '{ print $2 }' register: result_authselect_features changed_when: false + check_mode: false when: - result_authselect_check_cmd is success - name: Lock Accounts After Failed Password Attempts - Ensure "with-faillock" feature is enabled using authselect tool @@ -5319,11 +6008,12 @@ cmd: authselect check register: result_authselect_check_cmd changed_when: false + check_mode: false failed_when: false - name: Lock Accounts After Failed Password Attempts - Informative message based on the authselect integrity check result ansible.builtin.assert: that: - - result_authselect_check_cmd.rc == 0 + - ansible_check_mode or result_authselect_check_cmd.rc == 0 fail_msg: - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is @@ -5360,6 +6050,7 @@ cmd: authselect current | tail -n+3 | awk '{ print $2 }' register: result_authselect_features changed_when: false + check_mode: false when: - result_authselect_profile is not skipped - authselect_current_profile is not match("custom/") @@ -5369,11 +6060,13 @@ register: result_authselect_custom_profile_present changed_when: false when: + - result_authselect_profile is not skipped - authselect_current_profile is not match("custom/") - name: Lock Accounts After Failed Password Attempts - Create an authselect custom profile based on the current profile ansible.builtin.command: cmd: authselect create-profile hardening -b {{ authselect_current_profile }} when: + - result_authselect_profile is not skipped - result_authselect_check_cmd is success - authselect_current_profile is not match("^(custom/|local)") - not result_authselect_custom_profile_present.stat.exists 
@@ -5381,6 +6074,7 @@ ansible.builtin.command: cmd: authselect create-profile hardening -b sssd when: + - result_authselect_profile is not skipped - result_authselect_check_cmd is success - authselect_current_profile is match("local") - not result_authselect_custom_profile_present.stat.exists @@ -5421,12 +6115,18 @@ profile ansible.builtin.set_fact: pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path | basename }} + when: + - authselect_custom_profile is defined when: - result_authselect_present.stat.exists - name: Lock Accounts After Failed Password Attempts - Define a fact for control already filtered in case filters are used ansible.builtin.set_fact: pam_module_control: '' + - name: Lock Accounts After Failed Password Attempts - Check if {{ pam_file_path }} file is present + ansible.builtin.stat: + path: '{{ pam_file_path }}' + register: result_pam_file_present - name: Lock Accounts After Failed Password Attempts - Ensure the "deny" option from "pam_faillock.so" is not present in {{ pam_file_path }} ansible.builtin.replace: @@ -5434,6 +6134,7 @@ regexp: (.*auth.*pam_faillock.so.*)\bdeny\b=?[0-9a-zA-Z]*(.*) replace: \1\2 register: result_pam_option_removal + when: result_pam_file_present.stat.exists - name: Lock Accounts After Failed Password Attempts - Ensure authselect changes are applied ansible.builtin.command: cmd: authselect apply-changes -b @@ -5462,11 +6163,12 @@ cmd: authselect check register: result_authselect_check_cmd changed_when: false + check_mode: false failed_when: false - name: Lock Accounts After Failed Password Attempts - Informative message based on the authselect integrity check result ansible.builtin.assert: that: - - result_authselect_check_cmd.rc == 0 + - ansible_check_mode or result_authselect_check_cmd.rc == 0 fail_msg: - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is 
@@ -5503,6 +6205,7 @@ cmd: authselect current | tail -n+3 | awk '{ print $2 }' register: result_authselect_features changed_when: false + check_mode: false when: - result_authselect_profile is not skipped - authselect_current_profile is not match("custom/") @@ -5512,11 +6215,13 @@ register: result_authselect_custom_profile_present changed_when: false when: + - result_authselect_profile is not skipped - authselect_current_profile is not match("custom/") - name: Lock Accounts After Failed Password Attempts - Create an authselect custom profile based on the current profile ansible.builtin.command: cmd: authselect create-profile hardening -b {{ authselect_current_profile }} when: + - result_authselect_profile is not skipped - result_authselect_check_cmd is success - authselect_current_profile is not match("^(custom/|local)") - not result_authselect_custom_profile_present.stat.exists @@ -5524,6 +6229,7 @@ ansible.builtin.command: cmd: authselect create-profile hardening -b sssd when: + - result_authselect_profile is not skipped - result_authselect_check_cmd is success - authselect_current_profile is match("local") - not result_authselect_custom_profile_present.stat.exists @@ -5564,12 +6270,18 @@ profile ansible.builtin.set_fact: pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path | basename }} + when: + - authselect_custom_profile is defined when: - result_authselect_present.stat.exists - name: Lock Accounts After Failed Password Attempts - Define a fact for control already filtered in case filters are used ansible.builtin.set_fact: pam_module_control: '' + - name: Lock Accounts After Failed Password Attempts - Check if {{ pam_file_path }} file is present + ansible.builtin.stat: + path: '{{ pam_file_path }}' + register: result_pam_file_present - name: Lock Accounts After Failed Password Attempts - Ensure the "deny" option from "pam_faillock.so" is not present in {{ pam_file_path }} ansible.builtin.replace: 
@@ -5577,6 +6289,7 @@ regexp: (.*auth.*pam_faillock.so.*)\bdeny\b=?[0-9a-zA-Z]*(.*) replace: \1\2 register: result_pam_option_removal + when: result_pam_file_present.stat.exists - name: Lock Accounts After Failed Password Attempts - Ensure authselect changes are applied ansible.builtin.command: cmd: authselect apply-changes -b @@ -5702,30 +6415,6 @@ - no_reboot_needed - restrict_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83589-2 - - DISA-STIG-RHEL-09-411080 - - NIST-800-53-AC-7(b) - - NIST-800-53-CM-6(a) - - NIST-800-53-IA-5(c) - - accounts_passwords_pam_faillock_deny_root - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - when: - - DISA_STIG_RHEL_09_411080 | bool - - accounts_passwords_pam_faillock_deny_root | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - name: Configure the root Account for Failed Password Attempts - Check if system relies on authselect tool ansible.builtin.stat: path: /usr/bin/authselect @@ -5759,12 +6448,13 @@ cmd: authselect check register: result_authselect_check_cmd changed_when: false + check_mode: false failed_when: false - name: Configure the root Account for Failed Password Attempts - Informative message based on the authselect integrity check result ansible.builtin.assert: that: - - result_authselect_check_cmd.rc == 0 + - ansible_check_mode or result_authselect_check_cmd.rc == 0 fail_msg: - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is not 
@@ -5778,6 +6468,7 @@ cmd: authselect current | tail -n+3 | awk '{ print $2 }' register: result_authselect_features changed_when: false + check_mode: false when: - result_authselect_check_cmd is success - name: Configure the root Account for Failed Password Attempts - Ensure "with-faillock" feature is enabled using authselect @@ -5962,12 +6653,13 @@ cmd: authselect check register: result_authselect_check_cmd changed_when: false + check_mode: false failed_when: false - name: Configure the root Account for Failed Password Attempts - Informative message based on the authselect integrity check result ansible.builtin.assert: that: - - result_authselect_check_cmd.rc == 0 + - ansible_check_mode or result_authselect_check_cmd.rc == 0 fail_msg: - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is @@ -6005,6 +6697,7 @@ cmd: authselect current | tail -n+3 | awk '{ print $2 }' register: result_authselect_features changed_when: false + check_mode: false when: - result_authselect_profile is not skipped - authselect_current_profile is not match("custom/") @@ -6015,12 +6708,14 @@ register: result_authselect_custom_profile_present changed_when: false when: + - result_authselect_profile is not skipped - authselect_current_profile is not match("custom/") - name: Configure the root Account for Failed Password Attempts - Create an authselect custom profile based on the current profile ansible.builtin.command: cmd: authselect create-profile hardening -b {{ authselect_current_profile }} when: + - result_authselect_profile is not skipped - result_authselect_check_cmd is success - authselect_current_profile is not match("^(custom/|local)") - not result_authselect_custom_profile_present.stat.exists 
@@ -6029,6 +6724,7 @@ ansible.builtin.command: cmd: authselect create-profile hardening -b sssd when: + - result_authselect_profile is not skipped - result_authselect_check_cmd is success - authselect_current_profile is match("local") - not result_authselect_custom_profile_present.stat.exists @@ -6069,12 +6765,18 @@ custom authselect profile ansible.builtin.set_fact: pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path | basename }} + when: + - authselect_custom_profile is defined when: - result_authselect_present.stat.exists - name: Configure the root Account for Failed Password Attempts - Define a fact for control already filtered in case filters are used ansible.builtin.set_fact: pam_module_control: '' + - name: Configure the root Account for Failed Password Attempts - Check if {{ pam_file_path }} file is present + ansible.builtin.stat: + path: '{{ pam_file_path }}' + register: result_pam_file_present - name: Configure the root Account for Failed Password Attempts - Ensure the "even_deny_root" option from "pam_faillock.so" is not present in {{ pam_file_path }} ansible.builtin.replace: @@ -6082,6 +6784,7 @@ regexp: (.*auth.*pam_faillock.so.*)\beven_deny_root\b=?[0-9a-zA-Z]*(.*) replace: \1\2 register: result_pam_option_removal + when: result_pam_file_present.stat.exists - name: Configure the root Account for Failed Password Attempts - Ensure authselect changes are applied ansible.builtin.command: cmd: authselect apply-changes -b 
@@ -6111,12 +6814,13 @@ cmd: authselect check register: result_authselect_check_cmd changed_when: false + check_mode: false failed_when: false - name: Configure the root Account for Failed Password Attempts - Informative message based on the authselect integrity check result ansible.builtin.assert: that: - - result_authselect_check_cmd.rc == 0 + - ansible_check_mode or result_authselect_check_cmd.rc == 0 fail_msg: - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is @@ -6154,6 +6858,7 @@ cmd: authselect current | tail -n+3 | awk '{ print $2 }' register: result_authselect_features changed_when: false + check_mode: false when: - result_authselect_profile is not skipped - authselect_current_profile is not match("custom/") @@ -6164,12 +6869,14 @@ register: result_authselect_custom_profile_present changed_when: false when: + - result_authselect_profile is not skipped - authselect_current_profile is not match("custom/") - name: Configure the root Account for Failed Password Attempts - Create an authselect custom profile based on the current profile ansible.builtin.command: cmd: authselect create-profile hardening -b {{ authselect_current_profile }} when: + - result_authselect_profile is not skipped - result_authselect_check_cmd is success - authselect_current_profile is not match("^(custom/|local)") - not result_authselect_custom_profile_present.stat.exists @@ -6178,6 +6885,7 @@ ansible.builtin.command: cmd: authselect create-profile hardening -b sssd when: + - result_authselect_profile is not skipped - result_authselect_check_cmd is success - authselect_current_profile is match("local") - not result_authselect_custom_profile_present.stat.exists 
@@ -6218,12 +6926,18 @@ custom authselect profile ansible.builtin.set_fact: pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path | basename }} + when: + - authselect_custom_profile is defined when: - result_authselect_present.stat.exists - name: Configure the root Account for Failed Password Attempts - Define a fact for control already filtered in case filters are used ansible.builtin.set_fact: pam_module_control: '' + - name: Configure the root Account for Failed Password Attempts - Check if {{ pam_file_path }} file is present + ansible.builtin.stat: + path: '{{ pam_file_path }}' + register: result_pam_file_present - name: Configure the root Account for Failed Password Attempts - Ensure the "even_deny_root" option from "pam_faillock.so" is not present in {{ pam_file_path }} ansible.builtin.replace: @@ -6231,6 +6945,7 @@ regexp: (.*auth.*pam_faillock.so.*)\beven_deny_root\b=?[0-9a-zA-Z]*(.*) replace: \1\2 register: result_pam_option_removal + when: result_pam_file_present.stat.exists - name: Configure the root Account for Failed Password Attempts - Ensure authselect changes are applied ansible.builtin.command: cmd: authselect apply-changes -b 
@@ -6323,34 +7038,6 @@ - no_reboot_needed - restrict_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83588-4 - - CJIS-5.5.3 - - DISA-STIG-RHEL-09-411090 - - NIST-800-171-3.1.8 - - NIST-800-53-AC-7(b) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-8.1.7 - - PCI-DSSv4-8.3 - - PCI-DSSv4-8.3.4 - - accounts_passwords_pam_faillock_unlock_time - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - when: - - DISA_STIG_RHEL_09_411090 | bool - - accounts_passwords_pam_faillock_unlock_time | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - name: Set Lockout Time for Failed Password Attempts - Check if system relies on authselect tool ansible.builtin.stat: path: /usr/bin/authselect @@ -6388,11 +7075,12 @@ cmd: authselect check register: result_authselect_check_cmd changed_when: false + check_mode: false failed_when: false - name: Set Lockout Time for Failed Password Attempts - Informative message based on the authselect integrity check result ansible.builtin.assert: that: - - result_authselect_check_cmd.rc == 0 + - ansible_check_mode or result_authselect_check_cmd.rc == 0 fail_msg: - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is not @@ -6406,6 +7094,7 @@ cmd: authselect current | tail -n+3 | awk '{ print $2 }' register: result_authselect_features changed_when: false + check_mode: false when: - result_authselect_check_cmd is success - name: Set Lockout Time for Failed Password Attempts - Ensure "with-faillock" feature is enabled using authselect tool 
@@ -6603,12 +7292,13 @@ cmd: authselect check register: result_authselect_check_cmd changed_when: false + check_mode: false failed_when: false - name: Set Lockout Time for Failed Password Attempts - Informative message based on the authselect integrity check result ansible.builtin.assert: that: - - result_authselect_check_cmd.rc == 0 + - ansible_check_mode or result_authselect_check_cmd.rc == 0 fail_msg: - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is @@ -6645,6 +7335,7 @@ cmd: authselect current | tail -n+3 | awk '{ print $2 }' register: result_authselect_features changed_when: false + check_mode: false when: - result_authselect_profile is not skipped - authselect_current_profile is not match("custom/") @@ -6654,11 +7345,13 @@ register: result_authselect_custom_profile_present changed_when: false when: + - result_authselect_profile is not skipped - authselect_current_profile is not match("custom/") - name: Set Lockout Time for Failed Password Attempts - Create an authselect custom profile based on the current profile ansible.builtin.command: cmd: authselect create-profile hardening -b {{ authselect_current_profile }} when: + - result_authselect_profile is not skipped - result_authselect_check_cmd is success - authselect_current_profile is not match("^(custom/|local)") - not result_authselect_custom_profile_present.stat.exists @@ -6666,6 +7359,7 @@ ansible.builtin.command: cmd: authselect create-profile hardening -b sssd when: + - result_authselect_profile is not skipped - result_authselect_check_cmd is success - authselect_current_profile is match("local") - not result_authselect_custom_profile_present.stat.exists 
@@ -6706,12 +7400,18 @@ profile ansible.builtin.set_fact: pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path | basename }} + when: + - authselect_custom_profile is defined when: - result_authselect_present.stat.exists - name: Set Lockout Time for Failed Password Attempts - Define a fact for control already filtered in case filters are used ansible.builtin.set_fact: pam_module_control: '' + - name: Set Lockout Time for Failed Password Attempts - Check if {{ pam_file_path }} file is present + ansible.builtin.stat: + path: '{{ pam_file_path }}' + register: result_pam_file_present - name: Set Lockout Time for Failed Password Attempts - Ensure the "unlock_time" option from "pam_faillock.so" is not present in {{ pam_file_path }} ansible.builtin.replace: @@ -6719,6 +7419,7 @@ regexp: (.*auth.*pam_faillock.so.*)\bunlock_time\b=?[0-9a-zA-Z]*(.*) replace: \1\2 register: result_pam_option_removal + when: result_pam_file_present.stat.exists - name: Set Lockout Time for Failed Password Attempts - Ensure authselect changes are applied ansible.builtin.command: cmd: authselect apply-changes -b @@ -6747,12 +7448,13 @@ cmd: authselect check register: result_authselect_check_cmd changed_when: false + check_mode: false failed_when: false - name: Set Lockout Time for Failed Password Attempts - Informative message based on the authselect integrity check result ansible.builtin.assert: that: - - result_authselect_check_cmd.rc == 0 + - ansible_check_mode or result_authselect_check_cmd.rc == 0 fail_msg: - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is @@ -6789,6 +7491,7 @@ cmd: authselect current | tail -n+3 | awk '{ print $2 }' register: result_authselect_features changed_when: false + check_mode: false when: - result_authselect_profile is not skipped - authselect_current_profile is not match("custom/") 
@@ -6798,11 +7501,13 @@ register: result_authselect_custom_profile_present changed_when: false when: + - result_authselect_profile is not skipped - authselect_current_profile is not match("custom/") - name: Set Lockout Time for Failed Password Attempts - Create an authselect custom profile based on the current profile ansible.builtin.command: cmd: authselect create-profile hardening -b {{ authselect_current_profile }} when: + - result_authselect_profile is not skipped - result_authselect_check_cmd is success - authselect_current_profile is not match("^(custom/|local)") - not result_authselect_custom_profile_present.stat.exists @@ -6810,6 +7515,7 @@ ansible.builtin.command: cmd: authselect create-profile hardening -b sssd when: + - result_authselect_profile is not skipped - result_authselect_check_cmd is success - authselect_current_profile is match("local") - not result_authselect_custom_profile_present.stat.exists @@ -6850,12 +7556,18 @@ profile ansible.builtin.set_fact: pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path | basename }} + when: + - authselect_custom_profile is defined when: - result_authselect_present.stat.exists - name: Set Lockout Time for Failed Password Attempts - Define a fact for control already filtered in case filters are used ansible.builtin.set_fact: pam_module_control: '' + - name: Set Lockout Time for Failed Password Attempts - Check if {{ pam_file_path }} file is present + ansible.builtin.stat: + path: '{{ pam_file_path }}' + register: result_pam_file_present - name: Set Lockout Time for Failed Password Attempts - Ensure the "unlock_time" option from "pam_faillock.so" is not present in {{ pam_file_path }} ansible.builtin.replace: 
@@ -6863,6 +7575,7 @@ regexp: (.*auth.*pam_faillock.so.*)\bunlock_time\b=?[0-9a-zA-Z]*(.*) replace: \1\2 register: result_pam_option_removal + when: result_pam_file_present.stat.exists - name: Set Lockout Time for Failed Password Attempts - Ensure authselect changes are applied ansible.builtin.command: cmd: authselect apply-changes -b @@ -6988,31 +7701,6 @@ - no_reboot_needed - restrict_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-88413-0 - - DISA-STIG-RHEL-09-611105 - - NIST-800-53-CM-6(a) - - NIST-800-53-IA-5(1)(a) - - NIST-800-53-IA-5(4) - - NIST-800-53-IA-5(c) - - accounts_password_pam_dictcheck - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - when: - - DISA_STIG_RHEL_09_611105 | bool - - accounts_password_pam_dictcheck | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - name: Ensure PAM Enforces Password Requirements - Prevent the Use of Dictionary Words - Find pwquality.conf.d files ansible.builtin.find: paths: /etc/security/pwquality.conf.d/ @@ -7100,32 +7788,6 @@ - no_reboot_needed - restrict_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83564-5 - - CJIS-5.6.2.1.1 - - DISA-STIG-RHEL-09-611115 - - NIST-800-53-CM-6(a) - - NIST-800-53-IA-5(1)(b) - - NIST-800-53-IA-5(4) - - NIST-800-53-IA-5(c) - - accounts_password_pam_difok - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - when: - - DISA_STIG_RHEL_09_611115 | bool - - accounts_password_pam_difok | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - name: Ensure PAM Enforces Password Requirements - Minimum Different Characters - Find pwquality.conf.d files ansible.builtin.find: paths: /etc/security/pwquality.conf.d/ 
@@ -7215,33 +7877,8 @@ - no_reboot_needed - restrict_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-86356-3 - - DISA-STIG-RHEL-09-611060 - - NIST-800-53-CM-6(a) - - NIST-800-53-IA-5(1)(a) - - NIST-800-53-IA-5(4) - - NIST-800-53-IA-5(c) - - accounts_password_pam_enforce_root - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - when: - - DISA_STIG_RHEL_09_611060 | bool - - accounts_password_pam_enforce_root | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - name: Ensure PAM Enforces Password Requirements - Enforce for root User - lineinfile: + ansible.builtin.lineinfile: path: /etc/security/pwquality.conf create: true regexp: '' @@ -7270,30 +7907,6 @@ - no_reboot_needed - restrict_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83567-8 - - DISA-STIG-RHEL-09-611125 - - NIST-800-53-CM-6(a) - - NIST-800-53-IA-5(4) - - NIST-800-53-IA-5(c) - - accounts_password_pam_maxrepeat - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - when: - - DISA_STIG_RHEL_09_611125 | bool - - accounts_password_pam_maxrepeat | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - name: Set Password Maximum Consecutive Repeating Characters - Find pwquality.conf.d files ansible.builtin.find: paths: /etc/security/pwquality.conf.d/ 
@@ -7377,31 +7990,6 @@ - no_reboot_needed - restrict_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83563-7 - - DISA-STIG-RHEL-09-611130 - - NIST-800-53-CM-6(a) - - NIST-800-53-IA-5(1)(a) - - NIST-800-53-IA-5(4) - - NIST-800-53-IA-5(c) - - accounts_password_pam_minclass - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - when: - - DISA_STIG_RHEL_09_611130 | bool - - accounts_password_pam_minclass | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - name: Ensure PAM Enforces Password Requirements - Minimum Different Categories - Find pwquality.conf.d files ansible.builtin.find: paths: /etc/security/pwquality.conf.d/ @@ -7488,35 +8076,6 @@ - no_reboot_needed - restrict_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83579-3 - - CJIS-5.6.2.1.1 - - DISA-STIG-RHEL-09-611090 - - NIST-800-53-CM-6(a) - - NIST-800-53-IA-5(1)(a) - - NIST-800-53-IA-5(4) - - NIST-800-53-IA-5(c) - - PCI-DSS-Req-8.2.3 - - PCI-DSSv4-8.3 - - PCI-DSSv4-8.3.6 - - accounts_password_pam_minlen - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - when: - - DISA_STIG_RHEL_09_611090 | bool - - accounts_password_pam_minlen | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - name: Ensure PAM Enforces Password Requirements - Minimum Length - Find pwquality.conf.d files ansible.builtin.find: paths: /etc/security/pwquality.conf.d/ 
@@ -7615,35 +8174,6 @@ - no_reboot_needed - restrict_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-88865-1 - - CJIS-5.6.2.2 - - DISA-STIG-RHEL-09-611135 - - NIST-800-171-3.13.11 - - NIST-800-53-CM-6(a) - - NIST-800-53-IA-5(1)(c) - - NIST-800-53-IA-5(c) - - PCI-DSS-Req-8.2.1 - - PCI-DSSv4-8.3 - - PCI-DSSv4-8.3.2 - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - - set_password_hashing_algorithm_libuserconf - when: - - DISA_STIG_RHEL_09_611135 | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - set_password_hashing_algorithm_libuserconf | bool - - name: Set Password Hashing Algorithm in /etc/libuser.conf - Set Password Hashing Algorithm in /etc/libuser.conf ansible.builtin.lineinfile: dest: /etc/libuser.conf @@ -7679,37 +8209,8 @@ - restrict_strategy - set_password_hashing_algorithm_libuserconf -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-90590-1 - - CJIS-5.6.2.2 - - DISA-STIG-RHEL-09-611140 - - NIST-800-171-3.13.11 - - NIST-800-53-CM-6(a) - - NIST-800-53-IA-5(1)(c) - - NIST-800-53-IA-5(c) - - PCI-DSS-Req-8.2.1 - - PCI-DSSv4-8.3 - - PCI-DSSv4-8.3.2 - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - - set_password_hashing_algorithm_logindefs - when: - - DISA_STIG_RHEL_09_611140 | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - set_password_hashing_algorithm_logindefs | bool - - name: Set Password Hashing Algorithm in /etc/login.defs - lineinfile: + ansible.builtin.lineinfile: dest: /etc/login.defs regexp: ^#?ENCRYPT_METHOD line: ENCRYPT_METHOD {{ var_password_hashing_algorithm.split('|')[0] }} 
@@ -7742,33 +8243,6 @@ - restrict_strategy - set_password_hashing_algorithm_logindefs -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-85946-2 - - CJIS-5.6.2.2 - - DISA-STIG-RHEL-09-671025 - - NIST-800-171-3.13.11 - - NIST-800-53-CM-6(a) - - NIST-800-53-IA-5(1)(c) - - NIST-800-53-IA-5(c) - - PCI-DSS-Req-8.2.1 - - configure_strategy - - low_complexity - - medium_disruption - - medium_severity - - no_reboot_needed - - set_password_hashing_algorithm_passwordauth - when: - - DISA_STIG_RHEL_09_671025 | bool - - configure_strategy | bool - - low_complexity | bool - - medium_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - set_password_hashing_algorithm_passwordauth | bool - - name: Set PAM's Password Hashing Algorithm - password-auth - Check if /etc/pam.d/password-auth file is present ansible.builtin.stat: path: /etc/pam.d/password-auth @@ -7815,12 +8289,13 @@ cmd: authselect check register: result_authselect_check_cmd changed_when: false + check_mode: false failed_when: false - name: Set PAM's Password Hashing Algorithm - password-auth - Informative message based on the authselect integrity check result ansible.builtin.assert: that: - - result_authselect_check_cmd.rc == 0 + - ansible_check_mode or result_authselect_check_cmd.rc == 0 fail_msg: - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is @@ -7856,6 +8331,7 @@ cmd: authselect current | tail -n+3 | awk '{ print $2 }' register: result_authselect_features changed_when: false + check_mode: false when: - result_authselect_profile is not skipped - authselect_current_profile is not match("custom/") 
@@ -7866,12 +8342,14 @@ register: result_authselect_custom_profile_present changed_when: false when: + - result_authselect_profile is not skipped - authselect_current_profile is not match("custom/") - name: Set PAM's Password Hashing Algorithm - password-auth - Create an authselect custom profile based on the current profile ansible.builtin.command: cmd: authselect create-profile hardening -b {{ authselect_current_profile }} when: + - result_authselect_profile is not skipped - result_authselect_check_cmd is success - authselect_current_profile is not match("^(custom/|local)") - not result_authselect_custom_profile_present.stat.exists @@ -7879,6 +8357,7 @@ ansible.builtin.command: cmd: authselect create-profile hardening -b sssd when: + - result_authselect_profile is not skipped - result_authselect_check_cmd is success - authselect_current_profile is match("local") - not result_authselect_custom_profile_present.stat.exists @@ -7919,6 +8398,8 @@ authselect profile ansible.builtin.set_fact: pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path | basename }} + when: + - authselect_custom_profile is defined when: - result_authselect_present.stat.exists - name: Set PAM's Password Hashing Algorithm - password-auth - Define a fact for control already filtered in case filters @@ -7998,6 +8479,7 @@ state: present register: result_pam_set_password_hashing_algorithm_passwordauth_add when: + - result_pam_module_set_password_hashing_algorithm_passwordauth_option_present.found is defined - result_pam_module_set_password_hashing_algorithm_passwordauth_option_present.found == 0 - name: Set PAM's Password Hashing Algorithm - password-auth - Ensure authselect changes are applied ansible.builtin.command: 
@@ -8078,12 +8560,13 @@ cmd: authselect check register: result_authselect_check_cmd changed_when: false + check_mode: false failed_when: false - name: Set PAM's Password Hashing Algorithm - password-auth - Informative message based on the authselect integrity check result ansible.builtin.assert: that: - - result_authselect_check_cmd.rc == 0 + - ansible_check_mode or result_authselect_check_cmd.rc == 0 fail_msg: - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is @@ -8119,6 +8602,7 @@ cmd: authselect current | tail -n+3 | awk '{ print $2 }' register: result_authselect_features changed_when: false + check_mode: false when: - result_authselect_profile is not skipped - authselect_current_profile is not match("custom/") @@ -8129,12 +8613,14 @@ register: result_authselect_custom_profile_present changed_when: false when: + - result_authselect_profile is not skipped - authselect_current_profile is not match("custom/") - name: Set PAM's Password Hashing Algorithm - password-auth - Create an authselect custom profile based on the current profile ansible.builtin.command: cmd: authselect create-profile hardening -b {{ authselect_current_profile }} when: + - result_authselect_profile is not skipped - result_authselect_check_cmd is success - authselect_current_profile is not match("^(custom/|local)") - not result_authselect_custom_profile_present.stat.exists @@ -8142,6 +8628,7 @@ ansible.builtin.command: cmd: authselect create-profile hardening -b sssd when: + - result_authselect_profile is not skipped - result_authselect_check_cmd is success - authselect_current_profile is match("local") - not result_authselect_custom_profile_present.stat.exists 
@@ -8182,15 +8669,23 @@ authselect profile ansible.builtin.set_fact: pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path | basename }} + when: + - authselect_custom_profile is defined when: - result_authselect_present.stat.exists + - name: Set PAM's Password Hashing Algorithm - password-auth - Check if "{{ pam_file_path }}" File is Present + ansible.builtin.stat: + path: '{{ pam_file_path }}' + register: pam_file_path_present - name: Set PAM's Password Hashing Algorithm - password-auth - Ensure That Only the Correct Hashing Algorithm Option For - pam_unix.so Is Used in /etc/pam.d/password-auth + pam_unix.so Is Used in {{ pam_file_path }} ansible.builtin.replace: dest: '{{ pam_file_path }}' regexp: (^\s*password.*pam_unix\.so.*)\b{{ item }}\b\s*(.*) replace: \1\2 - when: item != var_password_hashing_algorithm_pam + when: + - item != var_password_hashing_algorithm_pam + - pam_file_path_present.stat.exists loop: - sha512 - yescrypt @@ -8232,33 +8727,6 @@ - no_reboot_needed - set_password_hashing_algorithm_passwordauth -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83581-9 - - CJIS-5.6.2.2 - - NIST-800-171-3.13.11 - - NIST-800-53-CM-6(a) - - NIST-800-53-IA-5(1)(c) - - NIST-800-53-IA-5(c) - - PCI-DSS-Req-8.2.1 - - PCI-DSSv4-8.3 - - PCI-DSSv4-8.3.2 - - configure_strategy - - low_complexity - - medium_disruption - - medium_severity - - no_reboot_needed - - set_password_hashing_algorithm_systemauth - when: - - configure_strategy | bool - - low_complexity | bool - - medium_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - set_password_hashing_algorithm_systemauth | bool - - name: Set PAM's Password Hashing Algorithm - Check if /etc/pam.d/system-auth file is present ansible.builtin.stat: path: /etc/pam.d/system-auth 
@@ -8304,11 +8772,12 @@ cmd: authselect check register: result_authselect_check_cmd changed_when: false + check_mode: false failed_when: false - name: Set PAM's Password Hashing Algorithm - Informative message based on the authselect integrity check result ansible.builtin.assert: that: - - result_authselect_check_cmd.rc == 0 + - ansible_check_mode or result_authselect_check_cmd.rc == 0 fail_msg: - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is @@ -8343,6 +8812,7 @@ cmd: authselect current | tail -n+3 | awk '{ print $2 }' register: result_authselect_features changed_when: false + check_mode: false when: - result_authselect_profile is not skipped - authselect_current_profile is not match("custom/") @@ -8352,11 +8822,13 @@ register: result_authselect_custom_profile_present changed_when: false when: + - result_authselect_profile is not skipped - authselect_current_profile is not match("custom/") - name: Set PAM's Password Hashing Algorithm - Create an authselect custom profile based on the current profile ansible.builtin.command: cmd: authselect create-profile hardening -b {{ authselect_current_profile }} when: + - result_authselect_profile is not skipped - result_authselect_check_cmd is success - authselect_current_profile is not match("^(custom/|local)") - not result_authselect_custom_profile_present.stat.exists @@ -8364,6 +8836,7 @@ ansible.builtin.command: cmd: authselect create-profile hardening -b sssd when: + - result_authselect_profile is not skipped - result_authselect_check_cmd is success - authselect_current_profile is match("local") - not result_authselect_custom_profile_present.stat.exists 
@@ -8403,6 +8876,8 @@ - name: Set PAM's Password Hashing Algorithm - Change the PAM file to be edited according to the custom authselect profile ansible.builtin.set_fact: pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path | basename }} + when: + - authselect_custom_profile is defined when: - result_authselect_present.stat.exists - name: Set PAM's Password Hashing Algorithm - Define a fact for control already filtered in case filters are used @@ -8476,6 +8951,7 @@ state: present register: result_pam_set_password_hashing_algorithm_systemauth_add when: + - result_pam_module_set_password_hashing_algorithm_systemauth_option_present.found is defined - result_pam_module_set_password_hashing_algorithm_systemauth_option_present.found == 0 - name: Set PAM's Password Hashing Algorithm - Ensure authselect changes are applied ansible.builtin.command: @@ -8555,11 +9031,12 @@ cmd: authselect check register: result_authselect_check_cmd changed_when: false + check_mode: false failed_when: false - name: Set PAM's Password Hashing Algorithm - Informative message based on the authselect integrity check result ansible.builtin.assert: that: - - result_authselect_check_cmd.rc == 0 + - ansible_check_mode or result_authselect_check_cmd.rc == 0 fail_msg: - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is @@ -8594,6 +9071,7 @@ cmd: authselect current | tail -n+3 | awk '{ print $2 }' register: result_authselect_features changed_when: false + check_mode: false when: - result_authselect_profile is not skipped - authselect_current_profile is not match("custom/") 
@@ -8603,11 +9081,13 @@ register: result_authselect_custom_profile_present changed_when: false when: + - result_authselect_profile is not skipped - authselect_current_profile is not match("custom/") - name: Set PAM's Password Hashing Algorithm - Create an authselect custom profile based on the current profile ansible.builtin.command: cmd: authselect create-profile hardening -b {{ authselect_current_profile }} when: + - result_authselect_profile is not skipped - result_authselect_check_cmd is success - authselect_current_profile is not match("^(custom/|local)") - not result_authselect_custom_profile_present.stat.exists @@ -8615,6 +9095,7 @@ ansible.builtin.command: cmd: authselect create-profile hardening -b sssd when: + - result_authselect_profile is not skipped - result_authselect_check_cmd is success - authselect_current_profile is match("local") - not result_authselect_custom_profile_present.stat.exists @@ -8654,15 +9135,23 @@ - name: Set PAM's Password Hashing Algorithm - Change the PAM file to be edited according to the custom authselect profile ansible.builtin.set_fact: pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path | basename }} + when: + - authselect_custom_profile is defined when: - result_authselect_present.stat.exists + - name: Set PAM's Password Hashing Algorithm - Check if "{{ pam_file_path }}" File is Present + ansible.builtin.stat: + path: '{{ pam_file_path }}' + register: pam_file_path_present - name: Set PAM's Password Hashing Algorithm - Ensure That Only the Correct Hashing Algorithm Option For pam_unix.so Is - Used in /etc/pam.d/system-auth + Used in {{ pam_file_path }} ansible.builtin.replace: dest: '{{ pam_file_path }}' regexp: (^\s*password.*pam_unix\.so.*)\b{{ item }}\b\s*(.*) replace: \1\2 - when: item != var_password_hashing_algorithm_pam + when: + - item != var_password_hashing_algorithm_pam + - pam_file_path_present.stat.exists loop: - sha512 - yescrypt 
@@ -8704,37 +9193,8 @@ - no_reboot_needed - set_password_hashing_algorithm_systemauth -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83627-0 - - CJIS-5.6.2.1.1 - - DISA-STIG-RHEL-09-411050 - - NIST-800-171-3.5.6 - - NIST-800-53-AC-2(3) - - NIST-800-53-CM-6(a) - - NIST-800-53-IA-4(e) - - PCI-DSS-Req-8.1.4 - - PCI-DSSv4-8.2 - - PCI-DSSv4-8.2.6 - - account_disable_post_pw_expiration - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - when: - - DISA_STIG_RHEL_09_411050 | bool - - account_disable_post_pw_expiration | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - name: Set Account Expiration Following Inactivity - lineinfile: + ansible.builtin.lineinfile: create: true dest: /etc/default/useradd regexp: ^INACTIVE @@ -8766,37 +9226,8 @@ - no_reboot_needed - restrict_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83606-4 - - CJIS-5.6.2.1 - - DISA-STIG-RHEL-09-411010 - - NIST-800-171-3.5.6 - - NIST-800-53-CM-6(a) - - NIST-800-53-IA-5(1)(d) - - NIST-800-53-IA-5(f) - - PCI-DSS-Req-8.2.4 - - PCI-DSSv4-8.3 - - PCI-DSSv4-8.3.9 - - accounts_maximum_age_login_defs - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - when: - - DISA_STIG_RHEL_09_411010 | bool - - accounts_maximum_age_login_defs | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - name: Set Password Maximum Age - lineinfile: + ansible.builtin.lineinfile: create: true dest: /etc/login.defs regexp: ^#?PASS_MAX_DAYS 
@@ -8828,34 +9259,8 @@ - no_reboot_needed - restrict_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83610-6 - - CJIS-5.6.2.1.1 - - DISA-STIG-RHEL-09-611075 - - NIST-800-171-3.5.8 - - NIST-800-53-CM-6(a) - - NIST-800-53-IA-5(1)(d) - - NIST-800-53-IA-5(f) - - accounts_minimum_age_login_defs - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - when: - - DISA_STIG_RHEL_09_611075 | bool - - accounts_minimum_age_login_defs | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - name: Set Password Minimum Age - lineinfile: + ansible.builtin.lineinfile: create: true dest: /etc/login.defs regexp: ^#?PASS_MIN_DAYS @@ -8941,7 +9346,8 @@ - restrict_strategy - name: Collect users with not correct minimum time period between password changes - command: 'awk -F'':'' ''(/^[^:]+:[^!*]/ && ($4 < {{ var_accounts_minimum_age_login_defs }} || $4 == "")) {print $1}'' /etc/shadow + ansible.builtin.command: 'awk -F'':'' ''(/^[^:]+:[^!*]/ && ($4 < {{ var_accounts_minimum_age_login_defs }} || $4 == "")) + {print $1}'' /etc/shadow ' register: user_names @@ -8967,7 +9373,7 @@ - restrict_strategy | bool - name: Change the minimum time period between password changes - command: 'chage -m {{ var_accounts_minimum_age_login_defs }} {{ item }} + ansible.builtin.command: 'chage -m {{ var_accounts_minimum_age_login_defs }} {{ item }} ' with_items: '{{ user_names.stdout_lines }}' 
@@ -9045,34 +9451,8 @@ - medium_severity - no_reboot_needed -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83609-8 - - NIST-800-171-3.5.8 - - NIST-800-53-CM-6(a) - - NIST-800-53-IA-5(1)(d) - - NIST-800-53-IA-5(f) - - PCI-DSS-Req-8.2.4 - - PCI-DSSv4-8.3 - - PCI-DSSv4-8.3.9 - - accounts_password_warn_age_login_defs - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - when: - - accounts_password_warn_age_login_defs | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - name: Set Password Warning Age - lineinfile: + ansible.builtin.lineinfile: dest: /etc/login.defs regexp: ^PASS_WARN_AGE *[0-9]* state: present @@ -9158,36 +9538,6 @@ - no_reboot_needed - restrict_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83611-4 - - CJIS-5.5.2 - - DISA-STIG-RHEL-09-611025 - - NIST-800-171-3.1.1 - - NIST-800-171-3.1.5 - - NIST-800-53-CM-6(a) - - NIST-800-53-IA-5(1)(a) - - NIST-800-53-IA-5(c) - - PCI-DSS-Req-8.2.3 - - PCI-DSSv4-8.3 - - PCI-DSSv4-8.3.1 - - configure_strategy - - high_severity - - low_complexity - - medium_disruption - - no_empty_passwords - - no_reboot_needed - when: - - DISA_STIG_RHEL_09_611025 | bool - - configure_strategy | bool - - high_severity | bool - - low_complexity | bool - - medium_disruption | bool - - no_empty_passwords | bool - - no_reboot_needed | bool - - name: Prevent Login to Accounts With Empty Password - Check if system relies on authselect ansible.builtin.stat: path: /usr/bin/authselect 
@@ -9227,11 +9577,12 @@ cmd: authselect check register: result_authselect_check_cmd changed_when: false + check_mode: false failed_when: false - name: Prevent Login to Accounts With Empty Password - Informative message based on the authselect integrity check result ansible.builtin.assert: that: - - result_authselect_check_cmd.rc == 0 + - ansible_check_mode or result_authselect_check_cmd.rc == 0 fail_msg: - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is not @@ -9245,6 +9596,7 @@ cmd: authselect current | tail -n+3 | awk '{ print $2 }' register: result_authselect_features changed_when: false + check_mode: false when: - result_authselect_check_cmd is success - name: Prevent Login to Accounts With Empty Password - Ensure "without-nullok" feature is enabled using authselect tool @@ -9325,33 +9677,8 @@ - no_empty_passwords - no_reboot_needed -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-85972-8 - - DISA-STIG-RHEL-09-611155 - - NIST-800-53-CM-6(b) - - NIST-800-53-CM-6.1(iv) - - PCI-DSSv4-2.2 - - PCI-DSSv4-2.2.2 - - high_severity - - low_complexity - - low_disruption - - no_empty_passwords_etc_shadow - - no_reboot_needed - - restrict_strategy - when: - - DISA_STIG_RHEL_09_611155 | bool - - high_severity | bool - - low_complexity | bool - - low_disruption | bool - - no_empty_passwords_etc_shadow | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - name: Collect users with no password - command: 'awk -F: ''!$2 {print $1}'' /etc/shadow + ansible.builtin.command: 'awk -F: ''!$2 {print $1}'' /etc/shadow ' register: users_nopasswd @@ -9380,7 +9707,7 @@ - restrict_strategy - name: Lock users with no password - command: 'passwd -l {{ item }} + ansible.builtin.command: 'passwd -l {{ item }} ' with_items: '{{ users_nopasswd.stdout_lines }}' 
@@ -9409,7 +9736,7 @@ - restrict_strategy - name: Get all /etc/passwd file entries - getent: + ansible.builtin.getent: database: passwd split: ':' tags: @@ -9439,7 +9766,7 @@ - restrict_strategy | bool - name: Lock the password of the user accounts other than root with uid 0 - command: passwd -l {{ item.key }} + ansible.builtin.command: passwd -l {{ item.key }} loop: '{{ getent_passwd | dict2items | rejectattr(''key'', ''search'', ''root'') | list }}' when: - DISA_STIG_RHEL_09_411100 | bool @@ -9468,27 +9795,6 @@ - no_reboot_needed - restrict_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-86072-6 - - PCI-DSSv4-2.2 - - PCI-DSSv4-2.2.6 - - ensure_pam_wheel_group_empty - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - when: - - ensure_pam_wheel_group_empty | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - name: Ensure the Group Used by pam_wheel.so Module Exists on System and is Empty - Ensure {{ var_pam_wheel_group_for_su }} Group Exists ansible.builtin.group: @@ -9700,27 +10006,6 @@ - no_shelllogin_for_systemaccounts - restrict_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-86065-0 - - PCI-DSSv4-2.2 - - PCI-DSSv4-2.2.6 - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - - use_pam_wheel_group_for_su - when: - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - use_pam_wheel_group_for_su | bool - - name: Enforce Usage of pam_wheel with Group Parameter for su Authentication - Add the group to the /etc/pam.d/su file ansible.builtin.lineinfile: path: /etc/pam.d/su 
@@ -9746,36 +10031,8 @@ - restrict_strategy - use_pam_wheel_group_for_su -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83633-8 - - DISA-STIG-RHEL-09-412035 - - NIST-800-171-3.1.11 - - NIST-800-53-AC-12 - - NIST-800-53-AC-2(5) - - NIST-800-53-CM-6(a) - - NIST-800-53-SC-10 - - PCI-DSSv4-8.6 - - PCI-DSSv4-8.6.1 - - accounts_tmout - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - when: - - DISA_STIG_RHEL_09_412035 | bool - - accounts_tmout | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - name: Correct any occurrence of TMOUT in /etc/profile - replace: + ansible.builtin.replace: path: /etc/profile regexp: ^[^#].*TMOUT=.* replace: typeset -xr TMOUT={{ var_accounts_tmout }} @@ -9807,7 +10064,7 @@ - restrict_strategy - name: Set Interactive Session Timeout - lineinfile: + ansible.builtin.lineinfile: path: /etc/profile.d/tmout.sh create: true regexp: TMOUT= @@ -9841,8 +10098,10 @@ - name: Ensure interactive local users are the group-owners of their respective initialization files ansible.builtin.shell: - cmd: 'awk -F: ''{if ($4 >= 1000 && $4 != 65534) print $4":"$6}'' /etc/passwd | while IFS=: read -r gid home; do find -P - "$home" -maxdepth 1 -type f -name "\.[^.]*" -exec chgrp -f --no-dereference -- $gid "{}" \;; done' + cmd: ' + + awk -F: ''{if ($4 >= 1000 && $4 != 65534) print $4":"$6}'' /etc/passwd | while IFS=: read -r gid home; do find -P "$home" + -maxdepth 1 -type f -name "\.[^.]*" -exec chgrp -f --no-dereference -- $gid "{}" \;; done' tags: - CCE-87037-8 - accounts_user_dot_group_ownership @@ -9860,7 +10119,7 @@ - restrict_strategy | bool - name: User Initialization Files Must Not Run World-Writable Programs - Initialize variables - set_fact: + ansible.builtin.set_fact: home_user_dirs: [] world_writable_files: [] tags: 
@@ -9904,7 +10163,7 @@ - restrict_strategy | bool - name: User Initialization Files Must Not Run World-Writable Programs - Fill home_user_dirs - set_fact: + ansible.builtin.set_fact: home_user_dirs: '{{ home_user_dirs + [item.data[4]] }}' when: - DISA_STIG_RHEL_09_411115 | bool @@ -10076,8 +10335,8 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - item.value[2]|int >= 1000 - - item.value[2]|int != 65534 + - item.value[1]|int >= 1000 + - item.value[1]|int != 65534 tags: - CCE-83639-5 - DISA-STIG-RHEL-09-411065 @@ -10251,7 +10510,7 @@ - restrict_strategy - name: Get root paths which are not symbolic links - stat: + ansible.builtin.stat: path: '{{ item }}' changed_when: false failed_when: false @@ -10276,7 +10535,7 @@ - restrict_strategy | bool - name: Disable writability to root directories - file: + ansible.builtin.file: path: '{{ item.item }}' mode: g-w,o-w with_items: '{{ root_paths.results }}' @@ -10301,29 +10560,6 @@ - no_reboot_needed - restrict_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83644-5 - - DISA-STIG-RHEL-09-412055 - - NIST-800-53-AC-6(1) - - NIST-800-53-CM-6(a) - - accounts_umask_etc_bashrc - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - when: - - DISA_STIG_RHEL_09_412055 | bool - - accounts_umask_etc_bashrc | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - name: Check if umask in /etc/bashrc is already set ansible.builtin.lineinfile: path: /etc/bashrc 
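Review bot: The switch from `item.value[2]` to `item.value[1]` changes which passwd field is treated as the uid and nothing in the hunk explains it; with `ansible.builtin.getent` splitting on `:` the registered value list is `[password, uid, gid, gecos, home, shell]`, so `[1]` is the uid and the old `[2]` was the gid, which is presumably the bug being fixed. A one-line comment above the two conditions would keep the next reader from reverting it, e.g. `# getent_passwd values are [pw, uid, gid, gecos, home, shell]; [1] is the uid`. The loop that supplies `item` and the rest of the `when:` list are outside the hunk, so the dict-iteration shape is inferred.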
@@ -10407,29 +10643,6 @@ - no_reboot_needed - restrict_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83647-8 - - DISA-STIG-RHEL-09-412065 - - NIST-800-53-AC-6(1) - - NIST-800-53-CM-6(a) - - accounts_umask_etc_login_defs - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - when: - - DISA_STIG_RHEL_09_412065 | bool - - accounts_umask_etc_login_defs | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - name: Check if UMASK is already set ansible.builtin.lineinfile: path: /etc/login.defs @@ -10625,36 +10838,8 @@ - no_reboot_needed | bool - restrict_strategy | bool -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83848-2 - - CJIS-5.5.2.2 - - DISA-STIG-RHEL-09-212025 - - NIST-800-171-3.4.5 - - NIST-800-53-AC-6(1) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-7.1 - - PCI-DSSv4-2.2 - - PCI-DSSv4-2.2.6 - - configure_strategy - - file_groupowner_grub2_cfg - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - when: - - DISA_STIG_RHEL_09_212025 | bool - - configure_strategy | bool - - file_groupowner_grub2_cfg | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - name: Set the file_groupowner_grub2_cfg_newgroup variable if represented by gid - set_fact: + ansible.builtin.set_fact: file_groupowner_grub2_cfg_newgroup: '0' when: - DISA_STIG_RHEL_09_212025 | bool 
@@ -10664,10 +10849,8 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"/boot/efi" not in ansible_mounts | map(attribute="mount") | list' - ( "grub2-common" in ansible_facts.packages and "kernel" in ansible_facts.packages ) - - not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages - and not "openshift-kubelet" in ansible_facts.packages ) + - not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] ) tags: - CCE-83848-2 - CJIS-5.5.2.2 @@ -10686,7 +10869,7 @@ - no_reboot_needed - name: Test for existence /boot/grub2/grub.cfg - stat: + ansible.builtin.stat: path: /boot/grub2/grub.cfg register: file_exists when: @@ -10697,10 +10880,8 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"/boot/efi" not in ansible_mounts | map(attribute="mount") | list' - ( "grub2-common" in ansible_facts.packages and "kernel" in ansible_facts.packages ) - - not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages - and not "openshift-kubelet" in ansible_facts.packages ) + - not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] ) tags: - CCE-83848-2 - CJIS-5.5.2.2 @@ -10719,8 +10900,9 @@ - no_reboot_needed - name: Ensure group owner on /boot/grub2/grub.cfg - file: + ansible.builtin.file: path: /boot/grub2/grub.cfg + follow: false group: '{{ file_groupowner_grub2_cfg_newgroup }}' when: - DISA_STIG_RHEL_09_212025 | bool 
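Review bot: `follow: false` on the `ansible.builtin.file` task changes what gets chowned when `/boot/grub2/grub.cfg` is a symbolic link: the group is applied to the link itself and the file it points to is left as is, while the `"/boot/efi" not in ansible_mounts` exclusion removed in the same hunk previously kept such UEFI layouts out of this task. If the symlink-into-ESP case is why the exclusion was dropped (an ESP on vfat cannot take ownership changes), the task should say so rather than report a remediation that silently does not touch the real config, e.g. `# follow: false so a grub.cfg symlink into /boot/efi does not fail on vfat; only the link's group is set`; otherwise keep the module default and restore the exclusion. The same `follow: false` addition appears in the hunks at -10840, -10965 and -11086. The task's `when:` list continues outside the hunk.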
@@ -10730,10 +10912,8 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"/boot/efi" not in ansible_mounts | map(attribute="mount") | list' - ( "grub2-common" in ansible_facts.packages and "kernel" in ansible_facts.packages ) - - not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages - and not "openshift-kubelet" in ansible_facts.packages ) + - not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] ) - file_exists.stat is defined and file_exists.stat.exists tags: - CCE-83848-2 @@ -10752,34 +10932,8 @@ - medium_severity - no_reboot_needed -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-86010-6 - - CJIS-5.5.2.2 - - NIST-800-171-3.4.5 - - NIST-800-53-AC-6(1) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-7.1 - - PCI-DSSv4-2.2 - - PCI-DSSv4-2.2.6 - - configure_strategy - - file_groupowner_user_cfg - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - when: - - configure_strategy | bool - - file_groupowner_user_cfg | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - name: Set the file_groupowner_user_cfg_newgroup variable if represented by gid - set_fact: + ansible.builtin.set_fact: file_groupowner_user_cfg_newgroup: '0' when: - configure_strategy | bool @@ -10788,10 +10942,8 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"/boot/efi" not in ansible_mounts | map(attribute="mount") | list' - ( "grub2-common" in ansible_facts.packages and "kernel" in ansible_facts.packages ) - - not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages - and not "openshift-kubelet" in ansible_facts.packages ) + - not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] ) tags: - CCE-86010-6 - CJIS-5.5.2.2 
@@ -10809,7 +10961,7 @@ - no_reboot_needed - name: Test for existence /boot/grub2/user.cfg - stat: + ansible.builtin.stat: path: /boot/grub2/user.cfg register: file_exists when: @@ -10819,10 +10971,8 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"/boot/efi" not in ansible_mounts | map(attribute="mount") | list' - ( "grub2-common" in ansible_facts.packages and "kernel" in ansible_facts.packages ) - - not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages - and not "openshift-kubelet" in ansible_facts.packages ) + - not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] ) tags: - CCE-86010-6 - CJIS-5.5.2.2 @@ -10840,8 +10990,9 @@ - no_reboot_needed - name: Ensure group owner on /boot/grub2/user.cfg - file: + ansible.builtin.file: path: /boot/grub2/user.cfg + follow: false group: '{{ file_groupowner_user_cfg_newgroup }}' when: - configure_strategy | bool @@ -10850,10 +11001,8 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"/boot/efi" not in ansible_mounts | map(attribute="mount") | list' - ( "grub2-common" in ansible_facts.packages and "kernel" in ansible_facts.packages ) - - not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages - and not "openshift-kubelet" in ansible_facts.packages ) + - not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] ) - file_exists.stat is defined and file_exists.stat.exists tags: - CCE-86010-6 
@@ -10871,36 +11020,8 @@ - medium_severity - no_reboot_needed -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83845-8 - - CJIS-5.5.2.2 - - DISA-STIG-RHEL-09-212030 - - NIST-800-171-3.4.5 - - NIST-800-53-AC-6(1) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-7.1 - - PCI-DSSv4-2.2 - - PCI-DSSv4-2.2.6 - - configure_strategy - - file_owner_grub2_cfg - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - when: - - DISA_STIG_RHEL_09_212030 | bool - - configure_strategy | bool - - file_owner_grub2_cfg | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - name: Set the file_owner_grub2_cfg_newown variable if represented by uid - set_fact: + ansible.builtin.set_fact: file_owner_grub2_cfg_newown: '0' when: - DISA_STIG_RHEL_09_212030 | bool @@ -10910,10 +11031,8 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"/boot/efi" not in ansible_mounts | map(attribute="mount") | list' - ( "grub2-common" in ansible_facts.packages and "kernel" in ansible_facts.packages ) - - not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages - and not "openshift-kubelet" in ansible_facts.packages ) + - not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] ) tags: - CCE-83845-8 - CJIS-5.5.2.2 @@ -10932,7 +11051,7 @@ - no_reboot_needed - name: Test for existence /boot/grub2/grub.cfg - stat: + ansible.builtin.stat: path: /boot/grub2/grub.cfg register: file_exists when: 
@@ -10943,10 +11062,8 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"/boot/efi" not in ansible_mounts | map(attribute="mount") | list' - ( "grub2-common" in ansible_facts.packages and "kernel" in ansible_facts.packages ) - - not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages - and not "openshift-kubelet" in ansible_facts.packages ) + - not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] ) tags: - CCE-83845-8 - CJIS-5.5.2.2 @@ -10965,8 +11082,9 @@ - no_reboot_needed - name: Ensure owner on /boot/grub2/grub.cfg - file: + ansible.builtin.file: path: /boot/grub2/grub.cfg + follow: false owner: '{{ file_owner_grub2_cfg_newown }}' when: - DISA_STIG_RHEL_09_212030 | bool @@ -10976,10 +11094,8 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"/boot/efi" not in ansible_mounts | map(attribute="mount") | list' - ( "grub2-common" in ansible_facts.packages and "kernel" in ansible_facts.packages ) - - not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages - and not "openshift-kubelet" in ansible_facts.packages ) + - not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] ) - file_exists.stat is defined and file_exists.stat.exists tags: - CCE-83845-8 
@@ -10998,34 +11114,8 @@ - medium_severity - no_reboot_needed -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-86016-3 - - CJIS-5.5.2.2 - - NIST-800-171-3.4.5 - - NIST-800-53-AC-6(1) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-7.1 - - PCI-DSSv4-2.2 - - PCI-DSSv4-2.2.6 - - configure_strategy - - file_owner_user_cfg - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - when: - - configure_strategy | bool - - file_owner_user_cfg | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - name: Set the file_owner_user_cfg_newown variable if represented by uid - set_fact: + ansible.builtin.set_fact: file_owner_user_cfg_newown: '0' when: - configure_strategy | bool @@ -11034,10 +11124,8 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"/boot/efi" not in ansible_mounts | map(attribute="mount") | list' - ( "grub2-common" in ansible_facts.packages and "kernel" in ansible_facts.packages ) - - not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages - and not "openshift-kubelet" in ansible_facts.packages ) + - not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] ) tags: - CCE-86016-3 - CJIS-5.5.2.2 @@ -11055,7 +11143,7 @@ - no_reboot_needed - name: Test for existence /boot/grub2/user.cfg - stat: + ansible.builtin.stat: path: /boot/grub2/user.cfg register: file_exists when: 
@@ -11065,10 +11153,8 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"/boot/efi" not in ansible_mounts | map(attribute="mount") | list' - ( "grub2-common" in ansible_facts.packages and "kernel" in ansible_facts.packages ) - - not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages - and not "openshift-kubelet" in ansible_facts.packages ) + - not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] ) tags: - CCE-86016-3 - CJIS-5.5.2.2 @@ -11086,8 +11172,9 @@ - no_reboot_needed - name: Ensure owner on /boot/grub2/user.cfg - file: + ansible.builtin.file: path: /boot/grub2/user.cfg + follow: false owner: '{{ file_owner_user_cfg_newown }}' when: - configure_strategy | bool @@ -11096,10 +11183,8 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"/boot/efi" not in ansible_mounts | map(attribute="mount") | list' - ( "grub2-common" in ansible_facts.packages and "kernel" in ansible_facts.packages ) - - not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages - and not "openshift-kubelet" in ansible_facts.packages ) + - not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] ) - file_exists.stat is defined and file_exists.stat.exists tags: - CCE-86016-3 
@@ -11117,32 +11202,8 @@ - medium_severity - no_reboot_needed -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83846-6 - - NIST-800-171-3.4.5 - - NIST-800-53-AC-6(1) - - NIST-800-53-CM-6(a) - - PCI-DSSv4-2.2 - - PCI-DSSv4-2.2.6 - - configure_strategy - - file_permissions_grub2_cfg - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - when: - - configure_strategy | bool - - file_permissions_grub2_cfg | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - name: Test for existence /boot/grub2/grub.cfg - stat: + ansible.builtin.stat: path: /boot/grub2/grub.cfg register: file_exists when: @@ -11152,10 +11213,8 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"/boot/efi" not in ansible_mounts | map(attribute="mount") | list' - ( "grub2-common" in ansible_facts.packages and "kernel" in ansible_facts.packages ) - - not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages - and not "openshift-kubelet" in ansible_facts.packages ) + - not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] ) tags: - CCE-83846-6 - NIST-800-171-3.4.5 @@ -11171,7 +11230,7 @@ - no_reboot_needed - name: Ensure permission u-xs,g-xwrs,o-xwrt on /boot/grub2/grub.cfg - file: + ansible.builtin.file: path: /boot/grub2/grub.cfg mode: u-xs,g-xwrs,o-xwrt when: 
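Review bot: The mode task `Ensure permission u-xs,g-xwrs,o-xwrt on /boot/grub2/grub.cfg` (hunk @@ -11171) is still `ansible.builtin.file` without `follow: false`, while the owner task for the same path in this commit sets it; `file` follows symlinks by default, so on a host where /boot/grub2/grub.cfg is a symlink the owner task acts on the link and the mode task on the target, and if that target sits on the vfat ESP the chmod would fail the play. Add `follow: false` under `path: /boot/grub2/grub.cfg` so both tasks treat the path the same way. With the `/boot/efi` mount guard removed from this rule in the surrounding hunks, UEFI hosts now reach this task, which is why the distinction matters.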
@@ -11181,10 +11240,8 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"/boot/efi" not in ansible_mounts | map(attribute="mount") | list' - ( "grub2-common" in ansible_facts.packages and "kernel" in ansible_facts.packages ) - - not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages - and not "openshift-kubelet" in ansible_facts.packages ) + - not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] ) - file_exists.stat is defined and file_exists.stat.exists tags: - CCE-83846-6 @@ -11200,32 +11257,8 @@ - medium_severity - no_reboot_needed -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-86025-4 - - NIST-800-171-3.4.5 - - NIST-800-53-AC-6(1) - - NIST-800-53-CM-6(a) - - PCI-DSSv4-2.2 - - PCI-DSSv4-2.2.6 - - configure_strategy - - file_permissions_user_cfg - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - when: - - configure_strategy | bool - - file_permissions_user_cfg | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - name: Test for existence /boot/grub2/user.cfg - stat: + ansible.builtin.stat: path: /boot/grub2/user.cfg register: file_exists when: @@ -11235,10 +11268,8 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"/boot/efi" not in ansible_mounts | map(attribute="mount") | list' - ( "grub2-common" in ansible_facts.packages and "kernel" in ansible_facts.packages ) - - not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages - and not "openshift-kubelet" in ansible_facts.packages ) + - not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] ) tags: - CCE-86025-4 - NIST-800-171-3.4.5 
@@ -11254,7 +11285,7 @@ - no_reboot_needed - name: Ensure permission u-xs,g-xwrs,o-xwrt on /boot/grub2/user.cfg - file: + ansible.builtin.file: path: /boot/grub2/user.cfg mode: u-xs,g-xwrs,o-xwrt when: @@ -11264,10 +11295,8 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"/boot/efi" not in ansible_mounts | map(attribute="mount") | list' - ( "grub2-common" in ansible_facts.packages and "kernel" in ansible_facts.packages ) - - not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages - and not "openshift-kubelet" in ansible_facts.packages ) + - not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] ) - file_exists.stat is defined and file_exists.stat.exists tags: - CCE-86025-4 @@ -11283,31 +11312,6 @@ - medium_severity - no_reboot_needed -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83834-2 - - NIST-800-53-AC-6(1) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.1 - - PCI-DSS-Req-10.5.2 - - PCI-DSSv4-10.3 - - PCI-DSSv4-10.3.2 - - configure_strategy - - low_complexity - - medium_disruption - - medium_severity - - no_reboot_needed - - rsyslog_files_groupownership - when: - - configure_strategy | bool - - low_complexity | bool - - medium_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - rsyslog_files_groupownership | bool - - name: Ensure Log Files Are Owned By Appropriate Group - Set rsyslog logfile configuration facts ansible.builtin.set_fact: rsyslog_etc_config: /etc/rsyslog.conf 
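Review bot: Same asymmetry as grub.cfg: the mode task on /boot/grub2/user.cfg (hunk @@ -11254) has no `follow: false` while the owner task for this path does, so a symlinked user.cfg would have its link chowned but its target chmodded. Add `follow: false` after `path: /boot/grub2/user.cfg`. user.cfg is typically where grub2-setpassword stores the GRUB superuser password hash, so a mode applied to the wrong inode leaves that hash readable; whether user.cfg is ever a symlink on these hosts is not visible from the diff, but the two tasks should at least agree.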
@@ -11600,31 +11604,6 @@ - no_reboot_needed - rsyslog_files_groupownership -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83946-4 - - NIST-800-53-AC-6(1) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.1 - - PCI-DSS-Req-10.5.2 - - PCI-DSSv4-10.3 - - PCI-DSSv4-10.3.2 - - configure_strategy - - low_complexity - - medium_disruption - - medium_severity - - no_reboot_needed - - rsyslog_files_ownership - when: - - configure_strategy | bool - - low_complexity | bool - - medium_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - rsyslog_files_ownership | bool - - name: Ensure Log Files Are Owned By Appropriate User - Set rsyslog logfile configuration facts ansible.builtin.set_fact: rsyslog_etc_config: /etc/rsyslog.conf @@ -11917,31 +11896,6 @@ - no_reboot_needed - rsyslog_files_ownership -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83689-0 - - NIST-800-53-AC-6(1) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.1 - - PCI-DSS-Req-10.5.2 - - PCI-DSSv4-10.3 - - PCI-DSSv4-10.3.1 - - configure_strategy - - low_complexity - - medium_disruption - - medium_severity - - no_reboot_needed - - rsyslog_files_permissions - when: - - configure_strategy | bool - - low_complexity | bool - - medium_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - rsyslog_files_permissions | bool - - name: Ensure System Log Files Have Correct Permissions - Set rsyslog logfile configuration facts ansible.builtin.set_fact: rsyslog_etc_config: /etc/rsyslog.conf 
@@ -12234,120 +12188,6 @@ - no_reboot_needed - rsyslog_files_permissions -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-86760-6 - - enable_strategy - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - package_systemd-journal-remote_installed - when: - - enable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - package_systemd_journal_remote_installed | bool - -- name: Ensure systemd-journal-remote is installed - package: - name: systemd-journal-remote - state: present - when: - - enable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - package_systemd_journal_remote_installed | bool - - '"kernel" in ansible_facts.packages' - tags: - - CCE-86760-6 - - enable_strategy - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - package_systemd-journal-remote_installed - -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-85941-3 - - DISA-STIG-RHEL-09-211040 - - NIST-800-53-SC-24 - - enable_strategy - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - service_systemd-journald_enabled - when: - - DISA_STIG_RHEL_09_211040 | bool - - enable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - service_systemd_journald_enabled | bool - -- name: Enable systemd-journald Service - Enable service systemd-journald - block: - - name: Gather the package facts - package_facts: - manager: auto - - name: Enable systemd-journald Service - Enable Service systemd-journald - ansible.builtin.systemd: - name: systemd-journald - enabled: true - state: started - masked: false - when: - - '"systemd" in ansible_facts.packages' - when: - - DISA_STIG_RHEL_09_211040 | bool - - enable_strategy | bool - - low_complexity | bool - 
- low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - service_systemd_journald_enabled | bool - - '"kernel" in ansible_facts.packages' - tags: - - CCE-85941-3 - - DISA-STIG-RHEL-09-211040 - - NIST-800-53-SC-24 - - enable_strategy - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - service_systemd-journald_enabled - -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-85931-4 - - journald_compress - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - when: - - journald_compress | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - name: Ensure journald is configured to compress large log files - Search for a section in files ansible.builtin.find: paths: '{{item.path}}' @@ -12454,25 +12294,6 @@ - no_reboot_needed - restrict_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-86046-0 - - journald_storage - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - when: - - journald_storage | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - name: Ensure journald is configured to write log files to persistent disk - Search for a section in files ansible.builtin.find: paths: '{{item.path}}' 
@@ -12580,24 +12401,6 @@ - no_reboot_needed - restrict_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-87606-0 - - disable_strategy - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - socket_systemd-journal-remote_disabled - when: - - disable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - name: Disable systemd-journal-remote Socket - Collect systemd Socket Units Present in the System ansible.builtin.command: cmd: systemctl -q list-unit-files --type socket 
@@ -12642,196 +12445,6 @@ - no_reboot_needed - socket_systemd-journal-remote_disabled -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-84021-5 - - DISA-STIG-RHEL-09-251010 - - NIST-800-53-CM-6(a) - - PCI-DSSv4-1.2 - - PCI-DSSv4-1.2.1 - - enable_strategy - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - package_firewalld_installed - when: - - DISA_STIG_RHEL_09_251010 | bool - - enable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - package_firewalld_installed | bool - -- name: Ensure firewalld is installed - package: - name: firewalld - state: present - when: - - DISA_STIG_RHEL_09_251010 | bool - - enable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - package_firewalld_installed | bool - - '"kernel" in ansible_facts.packages' - tags: - - CCE-84021-5 - - DISA-STIG-RHEL-09-251010 - - NIST-800-53-CM-6(a) - - PCI-DSSv4-1.2 - - PCI-DSSv4-1.2.1 - - enable_strategy - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - package_firewalld_installed - -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-90833-5 - - DISA-STIG-RHEL-09-251015 - - NIST-800-171-3.1.3 - - NIST-800-171-3.4.7 - - NIST-800-53-AC-4 - - NIST-800-53-CA-3(5) - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(b) - - NIST-800-53-SC-7(21) - - PCI-DSSv4-1.2 - - PCI-DSSv4-1.2.1 - - enable_strategy - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - service_firewalld_enabled - when: - - DISA_STIG_RHEL_09_251015 | bool - - enable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - service_firewalld_enabled | bool - -- name: Verify firewalld Enabled - Enable service firewalld - block: - - name: Gather the package facts - package_facts: 
- manager: auto - - name: Verify firewalld Enabled - Enable Service firewalld - ansible.builtin.systemd: - name: firewalld - enabled: true - state: started - masked: false - when: - - '"firewalld" in ansible_facts.packages' - when: - - DISA_STIG_RHEL_09_251015 | bool - - enable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - service_firewalld_enabled | bool - - '"kernel" in ansible_facts.packages' - - '"firewalld" in ansible_facts.packages' - tags: - - CCE-90833-5 - - DISA-STIG-RHEL-09-251015 - - NIST-800-171-3.1.3 - - NIST-800-171-3.4.7 - - NIST-800-53-AC-4 - - NIST-800-53-CA-3(5) - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(b) - - NIST-800-53-SC-7(21) - - PCI-DSSv4-1.2 - - PCI-DSSv4-1.2.1 - - enable_strategy - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - service_firewalld_enabled - -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-86137-7 - - PCI-DSSv4-1.4 - - PCI-DSSv4-1.4.1 - - configure_strategy - - firewalld_loopback_traffic_restricted - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - when: - - configure_strategy | bool - - firewalld_loopback_traffic_restricted | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - -- name: Configure Firewalld to Restrict Loopback Traffic - Ensure firewalld Package is Installed - ansible.builtin.package: - name: '{{ item }}' - state: present - with_items: - - firewalld - when: - - configure_strategy | bool - - firewalld_loopback_traffic_restricted | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' - tags: - - CCE-86137-7 - - PCI-DSSv4-1.4 - - PCI-DSSv4-1.4.1 - - configure_strategy - - firewalld_loopback_traffic_restricted - - low_complexity - - low_disruption - - medium_severity - - 
no_reboot_needed - -- name: Configure Firewalld to Restrict Loopback Traffic - Collect Facts About System Services - ansible.builtin.service_facts: null - register: result_services_states - when: - - configure_strategy | bool - - firewalld_loopback_traffic_restricted | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' - tags: - - CCE-86137-7 - - PCI-DSSv4-1.4 - - PCI-DSSv4-1.4.1 - - configure_strategy - - firewalld_loopback_traffic_restricted - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - name: Configure Firewalld to Restrict Loopback Traffic - Remediation is Applicable if firewalld Service is Running block: - name: Configure Firewalld to Restrict Loopback Traffic - Ensure firewalld trusted Zone Restricts IPv4 Loopback Traffic @@ -12877,7 +12490,7 @@ - name: Configure Firewalld to Restrict Loopback Traffic - Informative Message Based on Service State ansible.builtin.assert: that: - - ansible_facts.services['firewalld.service'].state == 'running' + - ansible_check_mode or ansible_facts.services['firewalld.service'].state == 'running' fail_msg: - firewalld service is not active. Remediation aborted! - This remediation could not be applied because it depends on firewalld service running. 
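Review bot: The assert in hunk @@ -12877 now short-circuits on `ansible_check_mode`, so a `--check` run reports the loopback restriction as applicable even when firewalld is not running and the "Remediation aborted" message is never shown in the mode people use to preview a hardening run; if the intent is only to keep check mode from failing, a warning path that still prints the message would preserve the signal. The expression also still indexes `ansible_facts.services['firewalld.service']` directly, and the preceding hunk removes both this rule's firewalld install task and its `service_facts` collection, so unless services facts are gathered earlier in the role (not visible here) the lookup raises an undefined-variable error instead of printing `fail_msg` on a host without firewalld. A defensive form is `- ansible_check_mode or (ansible_facts.services['firewalld.service'] is defined and ansible_facts.services['firewalld.service'].state == 'running')`.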
@@ -12903,74 +12516,6 @@ - medium_severity - no_reboot_needed -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-86116-1 - - PCI-DSSv4-1.4 - - PCI-DSSv4-1.4.1 - - configure_strategy - - firewalld_loopback_traffic_trusted - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - when: - - configure_strategy | bool - - firewalld_loopback_traffic_trusted | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - -- name: Configure Firewalld to Trust Loopback Traffic - Ensure firewalld Package is Installed - ansible.builtin.package: - name: '{{ item }}' - state: present - with_items: - - firewalld - when: - - configure_strategy | bool - - firewalld_loopback_traffic_trusted | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' - tags: - - CCE-86116-1 - - PCI-DSSv4-1.4 - - PCI-DSSv4-1.4.1 - - configure_strategy - - firewalld_loopback_traffic_trusted - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - -- name: Configure Firewalld to Trust Loopback Traffic - Collect Facts About System Services - ansible.builtin.service_facts: null - register: result_services_states - when: - - configure_strategy | bool - - firewalld_loopback_traffic_trusted | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' - tags: - - CCE-86116-1 - - PCI-DSSv4-1.4 - - PCI-DSSv4-1.4.1 - - configure_strategy - - firewalld_loopback_traffic_trusted - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - name: Configure Firewalld to Trust Loopback Traffic - Remediation is Applicable if firewalld Service is Running block: - name: Configure Firewalld to Trust Loopback Traffic - Ensure firewalld trusted Zone Includes lo Interface 
@@ -13008,7 +12553,7 @@ - name: Configure Firewalld to Trust Loopback Traffic - Informative Message Based on Service State ansible.builtin.assert: that: - - ansible_facts.services['firewalld.service'].state == 'running' + - ansible_check_mode or ansible_facts.services['firewalld.service'].state == 'running' fail_msg: - firewalld service is not active. Remediation aborted! - This remediation could not be applied because it depends on firewalld service running. @@ -13034,33 +12579,8 @@ - medium_severity - no_reboot_needed -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-84120-5 - - DISA-STIG-RHEL-09-254010 - - NIST-800-171-3.1.20 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - disable_strategy - - low_complexity - - medium_disruption - - medium_severity - - reboot_required - - sysctl_net_ipv6_conf_all_accept_ra - when: - - DISA_STIG_RHEL_09_254010 | bool - - disable_strategy | bool - - low_complexity | bool - - medium_disruption | bool - - medium_severity | bool - - reboot_required | bool - - sysctl_net_ipv6_conf_all_accept_ra | bool - - name: List /etc/sysctl.d/*.conf files - find: + ansible.builtin.find: paths: - /etc/sysctl.d/ - /run/sysctl.d/ @@ -13093,7 +12613,7 @@ - sysctl_net_ipv6_conf_all_accept_ra - name: Comment out any occurrences of net.ipv6.conf.all.accept_ra from config files - replace: + ansible.builtin.replace: path: '{{ item.path }}' regexp: ^[\s]*net.ipv6.conf.all.accept_ra replace: '#net.ipv6.conf.all.accept_ra' @@ -13122,7 +12642,7 @@ - sysctl_net_ipv6_conf_all_accept_ra - name: Ensure sysctl net.ipv6.conf.all.accept_ra is set - sysctl: + ansible.posix.sysctl: name: net.ipv6.conf.all.accept_ra value: '{{ sysctl_net_ipv6_conf_all_accept_ra_value }}' sysctl_file: /etc/sysctl.conf 
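Review bot: The trust-loopback assert in hunk @@ -13008 has the same shape as the restrict-loopback one: `ansible_check_mode or` hides a stopped firewalld in check mode, and the direct index into `ansible_facts.services['firewalld.service']` errors rather than printing `fail_msg` when firewalld is absent, now that this rule's own install and `service_facts` tasks were removed in the hunk before it. Guard it the same way: `- ansible_check_mode or (ansible_facts.services['firewalld.service'] is defined and ansible_facts.services['firewalld.service'].state == 'running')`.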
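Review bot: The `regexp: ^[\s]*net.ipv6.conf.all.accept_ra` in hunk @@ -13093 is a bare prefix match, so the replace task also comments out the sibling keys `net.ipv6.conf.all.accept_ra_defrtr`, `accept_ra_pinfo`, `accept_ra_rtr_pref` and `accept_ra_mtu` in any sysctl.d file it visits, silently undoing hardening that is not this rule's concern; the unescaped dots are a smaller version of the same looseness. Anchor the key on its terminator and escape the dots: `regexp: ^[\s]*net\.ipv6\.conf\.all\.accept_ra(?=\s*=)`. The matched line is unchanged by this commit, but the FQCN rename is the moment to fix it since the task is being touched.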
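Review bot: The rename to `ansible.posix.sysctl` in hunk @@ -13122 makes the role's dependency on the ansible.posix collection explicit; the short name `sysctl` already resolved to the same module through ansible-core's collection redirect, so behaviour is unchanged, but the collection should now be declared and version-pinned in the role's meta or requirements file (not visible in this diff) so that the pin covers it. Nothing else in the task changed.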
@@ -13151,35 +12671,8 @@ - reboot_required - sysctl_net_ipv6_conf_all_accept_ra -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-84125-4 - - DISA-STIG-RHEL-09-254015 - - NIST-800-171-3.1.20 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-6(b) - - NIST-800-53-CM-6.1(iv) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - disable_strategy - - low_complexity - - medium_disruption - - medium_severity - - reboot_required - - sysctl_net_ipv6_conf_all_accept_redirects - when: - - DISA_STIG_RHEL_09_254015 | bool - - disable_strategy | bool - - low_complexity | bool - - medium_disruption | bool - - medium_severity | bool - - reboot_required | bool - - sysctl_net_ipv6_conf_all_accept_redirects | bool - - name: List /etc/sysctl.d/*.conf files - find: + ansible.builtin.find: paths: - /etc/sysctl.d/ - /run/sysctl.d/ @@ -13214,7 +12707,7 @@ - sysctl_net_ipv6_conf_all_accept_redirects - name: Comment out any occurrences of net.ipv6.conf.all.accept_redirects from config files - replace: + ansible.builtin.replace: path: '{{ item.path }}' regexp: ^[\s]*net.ipv6.conf.all.accept_redirects replace: '#net.ipv6.conf.all.accept_redirects' @@ -13245,7 +12738,7 @@ - sysctl_net_ipv6_conf_all_accept_redirects - name: Ensure sysctl net.ipv6.conf.all.accept_redirects is set - sysctl: + ansible.posix.sysctl: name: net.ipv6.conf.all.accept_redirects value: '{{ sysctl_net_ipv6_conf_all_accept_redirects_value }}' sysctl_file: /etc/sysctl.conf 
@@ -13276,33 +12769,8 @@ - reboot_required - sysctl_net_ipv6_conf_all_accept_redirects -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-84131-2 - - DISA-STIG-RHEL-09-254020 - - NIST-800-171-3.1.20 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - disable_strategy - - low_complexity - - medium_disruption - - medium_severity - - reboot_required - - sysctl_net_ipv6_conf_all_accept_source_route - when: - - DISA_STIG_RHEL_09_254020 | bool - - disable_strategy | bool - - low_complexity | bool - - medium_disruption | bool - - medium_severity | bool - - reboot_required | bool - - sysctl_net_ipv6_conf_all_accept_source_route | bool - - name: List /etc/sysctl.d/*.conf files - find: + ansible.builtin.find: paths: - /etc/sysctl.d/ - /run/sysctl.d/ @@ -13335,7 +12803,7 @@ - sysctl_net_ipv6_conf_all_accept_source_route - name: Comment out any occurrences of net.ipv6.conf.all.accept_source_route from config files - replace: + ansible.builtin.replace: path: '{{ item.path }}' regexp: ^[\s]*net.ipv6.conf.all.accept_source_route replace: '#net.ipv6.conf.all.accept_source_route' @@ -13364,7 +12832,7 @@ - sysctl_net_ipv6_conf_all_accept_source_route - name: Ensure sysctl net.ipv6.conf.all.accept_source_route is set - sysctl: + ansible.posix.sysctl: name: net.ipv6.conf.all.accept_source_route value: '{{ sysctl_net_ipv6_conf_all_accept_source_route_value }}' sysctl_file: /etc/sysctl.conf 
@@ -13393,34 +12861,8 @@ - reboot_required - sysctl_net_ipv6_conf_all_accept_source_route -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-84114-8 - - DISA-STIG-RHEL-09-254025 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-6(b) - - NIST-800-53-CM-6.1(iv) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - disable_strategy - - low_complexity - - medium_disruption - - medium_severity - - reboot_required - - sysctl_net_ipv6_conf_all_forwarding - when: - - DISA_STIG_RHEL_09_254025 | bool - - disable_strategy | bool - - low_complexity | bool - - medium_disruption | bool - - medium_severity | bool - - reboot_required | bool - - sysctl_net_ipv6_conf_all_forwarding | bool - - name: List /etc/sysctl.d/*.conf files - find: + ansible.builtin.find: paths: - /etc/sysctl.d/ - /run/sysctl.d/ @@ -13454,7 +12896,7 @@ - sysctl_net_ipv6_conf_all_forwarding - name: Comment out any occurrences of net.ipv6.conf.all.forwarding from config files - replace: + ansible.builtin.replace: path: '{{ item.path }}' regexp: ^[\s]*net.ipv6.conf.all.forwarding replace: '#net.ipv6.conf.all.forwarding' @@ -13484,7 +12926,7 @@ - sysctl_net_ipv6_conf_all_forwarding - name: Ensure sysctl net.ipv6.conf.all.forwarding is set - sysctl: + ansible.posix.sysctl: name: net.ipv6.conf.all.forwarding value: '{{ sysctl_net_ipv6_conf_all_forwarding_value }}' sysctl_file: /etc/sysctl.conf 
@@ -13514,33 +12956,8 @@ - reboot_required - sysctl_net_ipv6_conf_all_forwarding -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-84124-7 - - DISA-STIG-RHEL-09-254030 - - NIST-800-171-3.1.20 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - disable_strategy - - low_complexity - - medium_disruption - - medium_severity - - reboot_required - - sysctl_net_ipv6_conf_default_accept_ra - when: - - DISA_STIG_RHEL_09_254030 | bool - - disable_strategy | bool - - low_complexity | bool - - medium_disruption | bool - - medium_severity | bool - - reboot_required | bool - - sysctl_net_ipv6_conf_default_accept_ra | bool - - name: List /etc/sysctl.d/*.conf files - find: + ansible.builtin.find: paths: - /etc/sysctl.d/ - /run/sysctl.d/ @@ -13573,7 +12990,7 @@ - sysctl_net_ipv6_conf_default_accept_ra - name: Comment out any occurrences of net.ipv6.conf.default.accept_ra from config files - replace: + ansible.builtin.replace: path: '{{ item.path }}' regexp: ^[\s]*net.ipv6.conf.default.accept_ra replace: '#net.ipv6.conf.default.accept_ra' @@ -13602,7 +13019,7 @@ - sysctl_net_ipv6_conf_default_accept_ra - name: Ensure sysctl net.ipv6.conf.default.accept_ra is set - sysctl: + ansible.posix.sysctl: name: net.ipv6.conf.default.accept_ra value: '{{ sysctl_net_ipv6_conf_default_accept_ra_value }}' sysctl_file: /etc/sysctl.conf 
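Review bot: Same prefix-match issue as the `all.accept_ra` rule: `regexp: ^[\s]*net.ipv6.conf.default.accept_ra` in hunk @@ -13573 also comments out `net.ipv6.conf.default.accept_ra_defrtr`, `accept_ra_pinfo`, `accept_ra_rtr_pref` and `accept_ra_mtu`. Use `regexp: ^[\s]*net\.ipv6\.conf\.default\.accept_ra(?=\s*=)` so only the exact key is touched.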
@@ -13631,33 +13048,8 @@ - reboot_required - sysctl_net_ipv6_conf_default_accept_ra -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-84113-0 - - DISA-STIG-RHEL-09-254035 - - NIST-800-171-3.1.20 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - disable_strategy - - low_complexity - - medium_disruption - - medium_severity - - reboot_required - - sysctl_net_ipv6_conf_default_accept_redirects - when: - - DISA_STIG_RHEL_09_254035 | bool - - disable_strategy | bool - - low_complexity | bool - - medium_disruption | bool - - medium_severity | bool - - reboot_required | bool - - sysctl_net_ipv6_conf_default_accept_redirects | bool - - name: List /etc/sysctl.d/*.conf files - find: + ansible.builtin.find: paths: - /etc/sysctl.d/ - /run/sysctl.d/ @@ -13690,7 +13082,7 @@ - sysctl_net_ipv6_conf_default_accept_redirects - name: Comment out any occurrences of net.ipv6.conf.default.accept_redirects from config files - replace: + ansible.builtin.replace: path: '{{ item.path }}' regexp: ^[\s]*net.ipv6.conf.default.accept_redirects replace: '#net.ipv6.conf.default.accept_redirects' @@ -13719,7 +13111,7 @@ - sysctl_net_ipv6_conf_default_accept_redirects - name: Ensure sysctl net.ipv6.conf.default.accept_redirects is set - sysctl: + ansible.posix.sysctl: name: net.ipv6.conf.default.accept_redirects value: '{{ sysctl_net_ipv6_conf_default_accept_redirects_value }}' sysctl_file: /etc/sysctl.conf 
@@ -13748,38 +13140,8 @@ - reboot_required - sysctl_net_ipv6_conf_default_accept_redirects -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-84130-4 - - DISA-STIG-RHEL-09-254040 - - NIST-800-171-3.1.20 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-6(b) - - NIST-800-53-CM-6.1(iv) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - PCI-DSS-Req-1.4.3 - - PCI-DSSv4-1.4 - - PCI-DSSv4-1.4.2 - - disable_strategy - - low_complexity - - medium_disruption - - medium_severity - - reboot_required - - sysctl_net_ipv6_conf_default_accept_source_route - when: - - DISA_STIG_RHEL_09_254040 | bool - - disable_strategy | bool - - low_complexity | bool - - medium_disruption | bool - - medium_severity | bool - - reboot_required | bool - - sysctl_net_ipv6_conf_default_accept_source_route | bool - - name: List /etc/sysctl.d/*.conf files - find: + ansible.builtin.find: paths: - /etc/sysctl.d/ - /run/sysctl.d/ @@ -13817,7 +13179,7 @@ - sysctl_net_ipv6_conf_default_accept_source_route - name: Comment out any occurrences of net.ipv6.conf.default.accept_source_route from config files - replace: + ansible.builtin.replace: path: '{{ item.path }}' regexp: ^[\s]*net.ipv6.conf.default.accept_source_route replace: '#net.ipv6.conf.default.accept_source_route' @@ -13851,7 +13213,7 @@ - sysctl_net_ipv6_conf_default_accept_source_route - name: Ensure sysctl net.ipv6.conf.default.accept_source_route is set - sysctl: + ansible.posix.sysctl: name: net.ipv6.conf.default.accept_source_route value: '{{ sysctl_net_ipv6_conf_default_accept_source_route_value }}' sysctl_file: /etc/sysctl.conf 
@@ -13885,35 +13247,8 @@ - reboot_required - sysctl_net_ipv6_conf_default_accept_source_route -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-84011-6 - - CJIS-5.10.1.1 - - DISA-STIG-RHEL-09-253015 - - NIST-800-171-3.1.20 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - NIST-800-53-SC-7(a) - - disable_strategy - - low_complexity - - medium_disruption - - medium_severity - - reboot_required - - sysctl_net_ipv4_conf_all_accept_redirects - when: - - DISA_STIG_RHEL_09_253015 | bool - - disable_strategy | bool - - low_complexity | bool - - medium_disruption | bool - - medium_severity | bool - - reboot_required | bool - - sysctl_net_ipv4_conf_all_accept_redirects | bool - - name: List /etc/sysctl.d/*.conf files - find: + ansible.builtin.find: paths: - /etc/sysctl.d/ - /run/sysctl.d/ @@ -13948,7 +13283,7 @@ - sysctl_net_ipv4_conf_all_accept_redirects - name: Comment out any occurrences of net.ipv4.conf.all.accept_redirects from config files - replace: + ansible.builtin.replace: path: '{{ item.path }}' regexp: ^[\s]*net.ipv4.conf.all.accept_redirects replace: '#net.ipv4.conf.all.accept_redirects' @@ -13979,7 +13314,7 @@ - sysctl_net_ipv4_conf_all_accept_redirects - name: Ensure sysctl net.ipv4.conf.all.accept_redirects is set - sysctl: + ansible.posix.sysctl: name: net.ipv4.conf.all.accept_redirects value: '{{ sysctl_net_ipv4_conf_all_accept_redirects_value }}' sysctl_file: /etc/sysctl.conf 
@@ -14010,35 +13345,8 @@ - reboot_required - sysctl_net_ipv4_conf_all_accept_redirects -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-84001-7 - - DISA-STIG-RHEL-09-253020 - - NIST-800-171-3.1.20 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - NIST-800-53-SC-5 - - NIST-800-53-SC-7(a) - - disable_strategy - - low_complexity - - medium_disruption - - medium_severity - - reboot_required - - sysctl_net_ipv4_conf_all_accept_source_route - when: - - DISA_STIG_RHEL_09_253020 | bool - - disable_strategy | bool - - low_complexity | bool - - medium_disruption | bool - - medium_severity | bool - - reboot_required | bool - - sysctl_net_ipv4_conf_all_accept_source_route | bool - - name: List /etc/sysctl.d/*.conf files - find: + ansible.builtin.find: paths: - /etc/sysctl.d/ - /run/sysctl.d/ @@ -14073,7 +13381,7 @@ - sysctl_net_ipv4_conf_all_accept_source_route - name: Comment out any occurrences of net.ipv4.conf.all.accept_source_route from config files - replace: + ansible.builtin.replace: path: '{{ item.path }}' regexp: ^[\s]*net.ipv4.conf.all.accept_source_route replace: '#net.ipv4.conf.all.accept_source_route' @@ -14104,7 +13412,7 @@ - sysctl_net_ipv4_conf_all_accept_source_route - name: Ensure sysctl net.ipv4.conf.all.accept_source_route is set - sysctl: + ansible.posix.sysctl: name: net.ipv4.conf.all.accept_source_route value: '{{ sysctl_net_ipv4_conf_all_accept_source_route_value }}' sysctl_file: /etc/sysctl.conf 
@@ -14135,33 +13443,8 @@ - reboot_required - sysctl_net_ipv4_conf_all_accept_source_route -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-84000-9 - - DISA-STIG-RHEL-09-253025 - - NIST-800-171-3.1.20 - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - NIST-800-53-SC-5(3)(a) - - disable_strategy - - low_complexity - - medium_disruption - - reboot_required - - sysctl_net_ipv4_conf_all_log_martians - - unknown_severity - when: - - DISA_STIG_RHEL_09_253025 | bool - - disable_strategy | bool - - low_complexity | bool - - medium_disruption | bool - - reboot_required | bool - - sysctl_net_ipv4_conf_all_log_martians | bool - - unknown_severity | bool - - name: List /etc/sysctl.d/*.conf files - find: + ansible.builtin.find: paths: - /etc/sysctl.d/ - /run/sysctl.d/ @@ -14194,7 +13477,7 @@ - unknown_severity - name: Comment out any occurrences of net.ipv4.conf.all.log_martians from config files - replace: + ansible.builtin.replace: path: '{{ item.path }}' regexp: ^[\s]*net.ipv4.conf.all.log_martians replace: '#net.ipv4.conf.all.log_martians' @@ -14223,7 +13506,7 @@ - unknown_severity - name: Ensure sysctl net.ipv4.conf.all.log_martians is set - sysctl: + ansible.posix.sysctl: name: net.ipv4.conf.all.log_martians value: '{{ sysctl_net_ipv4_conf_all_log_martians_value }}' sysctl_file: /etc/sysctl.conf 
@@ -14252,37 +13535,8 @@ - sysctl_net_ipv4_conf_all_log_martians - unknown_severity -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-84008-2 - - DISA-STIG-RHEL-09-253035 - - NIST-800-171-3.1.20 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - NIST-800-53-SC-7(a) - - PCI-DSS-Req-1.4.3 - - PCI-DSSv4-1.4 - - PCI-DSSv4-1.4.3 - - disable_strategy - - low_complexity - - medium_disruption - - medium_severity - - reboot_required - - sysctl_net_ipv4_conf_all_rp_filter - when: - - DISA_STIG_RHEL_09_253035 | bool - - disable_strategy | bool - - low_complexity | bool - - medium_disruption | bool - - medium_severity | bool - - reboot_required | bool - - sysctl_net_ipv4_conf_all_rp_filter | bool - - name: List /etc/sysctl.d/*.conf files - find: + ansible.builtin.find: paths: - /etc/sysctl.d/ - /run/sysctl.d/ @@ -14319,7 +13573,7 @@ - sysctl_net_ipv4_conf_all_rp_filter - name: Comment out any occurrences of net.ipv4.conf.all.rp_filter from config files - replace: + ansible.builtin.replace: path: '{{ item.path }}' regexp: ^[\s]*net.ipv4.conf.all.rp_filter replace: '#net.ipv4.conf.all.rp_filter' @@ -14352,7 +13606,7 @@ - sysctl_net_ipv4_conf_all_rp_filter - name: Ensure sysctl net.ipv4.conf.all.rp_filter is set - sysctl: + ansible.posix.sysctl: name: net.ipv4.conf.all.rp_filter value: '{{ sysctl_net_ipv4_conf_all_rp_filter_value }}' sysctl_file: /etc/sysctl.conf 
@@ -14385,35 +13639,8 @@ - reboot_required - sysctl_net_ipv4_conf_all_rp_filter -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-84016-5 - - NIST-800-171-3.1.20 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - NIST-800-53-SC-7(a) - - PCI-DSS-Req-1.4.3 - - PCI-DSSv4-1.4 - - PCI-DSSv4-1.4.3 - - disable_strategy - - low_complexity - - medium_disruption - - medium_severity - - reboot_required - - sysctl_net_ipv4_conf_all_secure_redirects - when: - - disable_strategy | bool - - low_complexity | bool - - medium_disruption | bool - - medium_severity | bool - - reboot_required | bool - - sysctl_net_ipv4_conf_all_secure_redirects | bool - - name: List /etc/sysctl.d/*.conf files - find: + ansible.builtin.find: paths: - /etc/sysctl.d/ - /run/sysctl.d/ @@ -14448,7 +13675,7 @@ - sysctl_net_ipv4_conf_all_secure_redirects - name: Comment out any occurrences of net.ipv4.conf.all.secure_redirects from config files - replace: + ansible.builtin.replace: path: '{{ item.path }}' regexp: ^[\s]*net.ipv4.conf.all.secure_redirects replace: '#net.ipv4.conf.all.secure_redirects' @@ -14479,7 +13706,7 @@ - sysctl_net_ipv4_conf_all_secure_redirects - name: Ensure sysctl net.ipv4.conf.all.secure_redirects is set - sysctl: + ansible.posix.sysctl: name: net.ipv4.conf.all.secure_redirects value: '{{ sysctl_net_ipv4_conf_all_secure_redirects_value }}' sysctl_file: /etc/sysctl.conf 
@@ -14510,38 +13737,8 @@ - reboot_required - sysctl_net_ipv4_conf_all_secure_redirects -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-84003-3 - - CJIS-5.10.1.1 - - DISA-STIG-RHEL-09-253040 - - NIST-800-171-3.1.20 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - NIST-800-53-SC-7(a) - - PCI-DSS-Req-1.4.3 - - PCI-DSSv4-1.4 - - PCI-DSSv4-1.4.3 - - disable_strategy - - low_complexity - - medium_disruption - - medium_severity - - reboot_required - - sysctl_net_ipv4_conf_default_accept_redirects - when: - - DISA_STIG_RHEL_09_253040 | bool - - disable_strategy | bool - - low_complexity | bool - - medium_disruption | bool - - medium_severity | bool - - reboot_required | bool - - sysctl_net_ipv4_conf_default_accept_redirects | bool - - name: List /etc/sysctl.d/*.conf files - find: + ansible.builtin.find: paths: - /etc/sysctl.d/ - /run/sysctl.d/ @@ -14579,7 +13776,7 @@ - sysctl_net_ipv4_conf_default_accept_redirects - name: Comment out any occurrences of net.ipv4.conf.default.accept_redirects from config files - replace: + ansible.builtin.replace: path: '{{ item.path }}' regexp: ^[\s]*net.ipv4.conf.default.accept_redirects replace: '#net.ipv4.conf.default.accept_redirects' @@ -14613,7 +13810,7 @@ - sysctl_net_ipv4_conf_default_accept_redirects - name: Ensure sysctl net.ipv4.conf.default.accept_redirects is set - sysctl: + ansible.posix.sysctl: name: net.ipv4.conf.default.accept_redirects value: '{{ sysctl_net_ipv4_conf_default_accept_redirects_value }}' sysctl_file: /etc/sysctl.conf 
@@ -14647,35 +13844,8 @@ - reboot_required - sysctl_net_ipv4_conf_default_accept_redirects -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-84007-4 - - CJIS-5.10.1.1 - - DISA-STIG-RHEL-09-253045 - - NIST-800-171-3.1.20 - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - NIST-800-53-SC-5 - - NIST-800-53-SC-7(a) - - disable_strategy - - low_complexity - - medium_disruption - - medium_severity - - reboot_required - - sysctl_net_ipv4_conf_default_accept_source_route - when: - - DISA_STIG_RHEL_09_253045 | bool - - disable_strategy | bool - - low_complexity | bool - - medium_disruption | bool - - medium_severity | bool - - reboot_required | bool - - sysctl_net_ipv4_conf_default_accept_source_route | bool - - name: List /etc/sysctl.d/*.conf files - find: + ansible.builtin.find: paths: - /etc/sysctl.d/ - /run/sysctl.d/ @@ -14710,7 +13880,7 @@ - sysctl_net_ipv4_conf_default_accept_source_route - name: Comment out any occurrences of net.ipv4.conf.default.accept_source_route from config files - replace: + ansible.builtin.replace: path: '{{ item.path }}' regexp: ^[\s]*net.ipv4.conf.default.accept_source_route replace: '#net.ipv4.conf.default.accept_source_route' @@ -14741,7 +13911,7 @@ - sysctl_net_ipv4_conf_default_accept_source_route - name: Ensure sysctl net.ipv4.conf.default.accept_source_route is set - sysctl: + ansible.posix.sysctl: name: net.ipv4.conf.default.accept_source_route value: '{{ sysctl_net_ipv4_conf_default_accept_source_route_value }}' sysctl_file: /etc/sysctl.conf 
@@ -14772,33 +13942,8 @@ - reboot_required - sysctl_net_ipv4_conf_default_accept_source_route -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-84014-0 - - DISA-STIG-RHEL-09-253030 - - NIST-800-171-3.1.20 - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - NIST-800-53-SC-5(3)(a) - - disable_strategy - - low_complexity - - medium_disruption - - reboot_required - - sysctl_net_ipv4_conf_default_log_martians - - unknown_severity - when: - - DISA_STIG_RHEL_09_253030 | bool - - disable_strategy | bool - - low_complexity | bool - - medium_disruption | bool - - reboot_required | bool - - sysctl_net_ipv4_conf_default_log_martians | bool - - unknown_severity | bool - - name: List /etc/sysctl.d/*.conf files - find: + ansible.builtin.find: paths: - /etc/sysctl.d/ - /run/sysctl.d/ @@ -14831,7 +13976,7 @@ - unknown_severity - name: Comment out any occurrences of net.ipv4.conf.default.log_martians from config files - replace: + ansible.builtin.replace: path: '{{ item.path }}' regexp: ^[\s]*net.ipv4.conf.default.log_martians replace: '#net.ipv4.conf.default.log_martians' @@ -14860,7 +14005,7 @@ - unknown_severity - name: Ensure sysctl net.ipv4.conf.default.log_martians is set - sysctl: + ansible.posix.sysctl: name: net.ipv4.conf.default.log_martians value: '{{ sysctl_net_ipv4_conf_default_log_martians_value }}' sysctl_file: /etc/sysctl.conf 
@@ -14889,34 +14034,8 @@ - sysctl_net_ipv4_conf_default_log_martians - unknown_severity -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-84009-0 - - DISA-STIG-RHEL-09-253050 - - NIST-800-171-3.1.20 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - NIST-800-53-SC-7(a) - - disable_strategy - - low_complexity - - medium_disruption - - medium_severity - - reboot_required - - sysctl_net_ipv4_conf_default_rp_filter - when: - - DISA_STIG_RHEL_09_253050 | bool - - disable_strategy | bool - - low_complexity | bool - - medium_disruption | bool - - medium_severity | bool - - reboot_required | bool - - sysctl_net_ipv4_conf_default_rp_filter | bool - - name: List /etc/sysctl.d/*.conf files - find: + ansible.builtin.find: paths: - /etc/sysctl.d/ - /run/sysctl.d/ @@ -14950,7 +14069,7 @@ - sysctl_net_ipv4_conf_default_rp_filter - name: Comment out any occurrences of net.ipv4.conf.default.rp_filter from config files - replace: + ansible.builtin.replace: path: '{{ item.path }}' regexp: ^[\s]*net.ipv4.conf.default.rp_filter replace: '#net.ipv4.conf.default.rp_filter' @@ -14980,7 +14099,7 @@ - sysctl_net_ipv4_conf_default_rp_filter - name: Ensure sysctl net.ipv4.conf.default.rp_filter is set - sysctl: + ansible.posix.sysctl: name: net.ipv4.conf.default.rp_filter value: '{{ sysctl_net_ipv4_conf_default_rp_filter_value }}' sysctl_file: /etc/sysctl.conf 
@@ -15010,32 +14129,8 @@ - reboot_required - sysctl_net_ipv4_conf_default_rp_filter -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-84019-9 - - NIST-800-171-3.1.20 - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - NIST-800-53-SC-5 - - NIST-800-53-SC-7(a) - - disable_strategy - - low_complexity - - medium_disruption - - medium_severity - - reboot_required - - sysctl_net_ipv4_conf_default_secure_redirects - when: - - disable_strategy | bool - - low_complexity | bool - - medium_disruption | bool - - medium_severity | bool - - reboot_required | bool - - sysctl_net_ipv4_conf_default_secure_redirects | bool - - name: List /etc/sysctl.d/*.conf files - find: + ansible.builtin.find: paths: - /etc/sysctl.d/ - /run/sysctl.d/ @@ -15067,7 +14162,7 @@ - sysctl_net_ipv4_conf_default_secure_redirects - name: Comment out any occurrences of net.ipv4.conf.default.secure_redirects from config files - replace: + ansible.builtin.replace: path: '{{ item.path }}' regexp: ^[\s]*net.ipv4.conf.default.secure_redirects replace: '#net.ipv4.conf.default.secure_redirects' @@ -15095,7 +14190,7 @@ - sysctl_net_ipv4_conf_default_secure_redirects - name: Ensure sysctl net.ipv4.conf.default.secure_redirects is set - sysctl: + ansible.posix.sysctl: name: net.ipv4.conf.default.secure_redirects value: '{{ sysctl_net_ipv4_conf_default_secure_redirects_value }}' sysctl_file: /etc/sysctl.conf 
@@ -15123,37 +14218,8 @@ - reboot_required - sysctl_net_ipv4_conf_default_secure_redirects -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-84004-1 - - CJIS-5.10.1.1 - - DISA-STIG-RHEL-09-253055 - - NIST-800-171-3.1.20 - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - NIST-800-53-SC-5 - - PCI-DSS-Req-1.4.3 - - PCI-DSSv4-1.4 - - PCI-DSSv4-1.4.2 - - disable_strategy - - low_complexity - - medium_disruption - - medium_severity - - reboot_required - - sysctl_net_ipv4_icmp_echo_ignore_broadcasts - when: - - DISA_STIG_RHEL_09_253055 | bool - - disable_strategy | bool - - low_complexity | bool - - medium_disruption | bool - - medium_severity | bool - - reboot_required | bool - - sysctl_net_ipv4_icmp_echo_ignore_broadcasts | bool - - name: List /etc/sysctl.d/*.conf files - find: + ansible.builtin.find: paths: - /etc/sysctl.d/ - /run/sysctl.d/ @@ -15190,7 +14256,7 @@ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts - name: Comment out any occurrences of net.ipv4.icmp_echo_ignore_broadcasts from config files - replace: + ansible.builtin.replace: path: '{{ item.path }}' regexp: ^[\s]*net.ipv4.icmp_echo_ignore_broadcasts replace: '#net.ipv4.icmp_echo_ignore_broadcasts' @@ -15223,7 +14289,7 @@ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts - name: Ensure sysctl net.ipv4.icmp_echo_ignore_broadcasts is set - sysctl: + ansible.posix.sysctl: name: net.ipv4.icmp_echo_ignore_broadcasts value: '{{ sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value }}' sysctl_file: /etc/sysctl.conf 
@@ -15256,36 +14322,8 @@ - reboot_required - sysctl_net_ipv4_icmp_echo_ignore_broadcasts -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-84015-7 - - DISA-STIG-RHEL-09-253060 - - NIST-800-171-3.1.20 - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - NIST-800-53-SC-5 - - PCI-DSS-Req-1.4.3 - - PCI-DSSv4-1.4 - - PCI-DSSv4-1.4.2 - - disable_strategy - - low_complexity - - medium_disruption - - reboot_required - - sysctl_net_ipv4_icmp_ignore_bogus_error_responses - - unknown_severity - when: - - DISA_STIG_RHEL_09_253060 | bool - - disable_strategy | bool - - low_complexity | bool - - medium_disruption | bool - - reboot_required | bool - - sysctl_net_ipv4_icmp_ignore_bogus_error_responses | bool - - unknown_severity | bool - - name: List /etc/sysctl.d/*.conf files - find: + ansible.builtin.find: paths: - /etc/sysctl.d/ - /run/sysctl.d/ @@ -15321,7 +14359,7 @@ - unknown_severity - name: Comment out any occurrences of net.ipv4.icmp_ignore_bogus_error_responses from config files - replace: + ansible.builtin.replace: path: '{{ item.path }}' regexp: ^[\s]*net.ipv4.icmp_ignore_bogus_error_responses replace: '#net.ipv4.icmp_ignore_bogus_error_responses' @@ -15353,7 +14391,7 @@ - unknown_severity - name: Ensure sysctl net.ipv4.icmp_ignore_bogus_error_responses is set - sysctl: + ansible.posix.sysctl: name: net.ipv4.icmp_ignore_bogus_error_responses value: '{{ sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value }}' sysctl_file: /etc/sysctl.conf 
@@ -15385,40 +14423,8 @@ - sysctl_net_ipv4_icmp_ignore_bogus_error_responses - unknown_severity -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-84006-6 - - CJIS-5.10.1.1 - - DISA-STIG-RHEL-09-253010 - - NIST-800-171-3.1.20 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - NIST-800-53-SC-5(1) - - NIST-800-53-SC-5(2) - - NIST-800-53-SC-5(3)(a) - - PCI-DSS-Req-1.4.1 - - PCI-DSSv4-1.4 - - PCI-DSSv4-1.4.3 - - disable_strategy - - low_complexity - - medium_disruption - - medium_severity - - reboot_required - - sysctl_net_ipv4_tcp_syncookies - when: - - DISA_STIG_RHEL_09_253010 | bool - - disable_strategy | bool - - low_complexity | bool - - medium_disruption | bool - - medium_severity | bool - - reboot_required | bool - - sysctl_net_ipv4_tcp_syncookies | bool - - name: List /etc/sysctl.d/*.conf files - find: + ansible.builtin.find: paths: - /etc/sysctl.d/ - /run/sysctl.d/ @@ -15458,7 +14464,7 @@ - sysctl_net_ipv4_tcp_syncookies - name: Comment out any occurrences of net.ipv4.tcp_syncookies from config files - replace: + ansible.builtin.replace: path: '{{ item.path }}' regexp: ^[\s]*net.ipv4.tcp_syncookies replace: '#net.ipv4.tcp_syncookies' @@ -15494,7 +14500,7 @@ - sysctl_net_ipv4_tcp_syncookies - name: Ensure sysctl net.ipv4.tcp_syncookies is set - sysctl: + ansible.posix.sysctl: name: net.ipv4.tcp_syncookies value: '{{ sysctl_net_ipv4_tcp_syncookies_value }}' sysctl_file: /etc/sysctl.conf 
@@ -15530,38 +14536,8 @@ - reboot_required - sysctl_net_ipv4_tcp_syncookies -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83997-7 - - CJIS-5.10.1.1 - - DISA-STIG-RHEL-09-253065 - - NIST-800-171-3.1.20 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - NIST-800-53-SC-5 - - NIST-800-53-SC-7(a) - - PCI-DSSv4-1.4 - - PCI-DSSv4-1.4.5 - - disable_strategy - - low_complexity - - medium_disruption - - medium_severity - - reboot_required - - sysctl_net_ipv4_conf_all_send_redirects - when: - - DISA_STIG_RHEL_09_253065 | bool - - disable_strategy | bool - - low_complexity | bool - - medium_disruption | bool - - medium_severity | bool - - reboot_required | bool - - sysctl_net_ipv4_conf_all_send_redirects | bool - - name: List /etc/sysctl.d/*.conf files - find: + ansible.builtin.find: paths: - /etc/sysctl.d/ - /run/sysctl.d/ @@ -15599,7 +14575,7 @@ - sysctl_net_ipv4_conf_all_send_redirects - name: Comment out any occurrences of net.ipv4.conf.all.send_redirects from config files - replace: + ansible.builtin.replace: path: '{{ item.path }}' regexp: ^[\s]*net.ipv4.conf.all.send_redirects replace: '#net.ipv4.conf.all.send_redirects' @@ -15633,7 +14609,7 @@ - sysctl_net_ipv4_conf_all_send_redirects - name: Ensure sysctl net.ipv4.conf.all.send_redirects is set to 0 - sysctl: + ansible.posix.sysctl: name: net.ipv4.conf.all.send_redirects value: '0' sysctl_file: /etc/sysctl.conf 
@@ -15667,38 +14643,8 @@ - reboot_required - sysctl_net_ipv4_conf_all_send_redirects -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83999-3 - - CJIS-5.10.1.1 - - DISA-STIG-RHEL-09-253070 - - NIST-800-171-3.1.20 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - NIST-800-53-SC-5 - - NIST-800-53-SC-7(a) - - PCI-DSSv4-1.4 - - PCI-DSSv4-1.4.5 - - disable_strategy - - low_complexity - - medium_disruption - - medium_severity - - reboot_required - - sysctl_net_ipv4_conf_default_send_redirects - when: - - DISA_STIG_RHEL_09_253070 | bool - - disable_strategy | bool - - low_complexity | bool - - medium_disruption | bool - - medium_severity | bool - - reboot_required | bool - - sysctl_net_ipv4_conf_default_send_redirects | bool - - name: List /etc/sysctl.d/*.conf files - find: + ansible.builtin.find: paths: - /etc/sysctl.d/ - /run/sysctl.d/ @@ -15736,7 +14682,7 @@ - sysctl_net_ipv4_conf_default_send_redirects - name: Comment out any occurrences of net.ipv4.conf.default.send_redirects from config files - replace: + ansible.builtin.replace: path: '{{ item.path }}' regexp: ^[\s]*net.ipv4.conf.default.send_redirects replace: '#net.ipv4.conf.default.send_redirects' @@ -15770,7 +14716,7 @@ - sysctl_net_ipv4_conf_default_send_redirects - name: Ensure sysctl net.ipv4.conf.default.send_redirects is set to 0 - sysctl: + ansible.posix.sysctl: name: net.ipv4.conf.default.send_redirects value: '0' sysctl_file: /etc/sysctl.conf 
@@ -15804,37 +14750,8 @@ - reboot_required - sysctl_net_ipv4_conf_default_send_redirects -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83998-5 - - NIST-800-171-3.1.20 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - NIST-800-53-SC-5 - - NIST-800-53-SC-7(a) - - PCI-DSS-Req-1.3.1 - - PCI-DSS-Req-1.3.2 - - PCI-DSSv4-1.4 - - PCI-DSSv4-1.4.3 - - disable_strategy - - low_complexity - - medium_disruption - - medium_severity - - reboot_required - - sysctl_net_ipv4_ip_forward - when: - - disable_strategy | bool - - low_complexity | bool - - medium_disruption | bool - - medium_severity | bool - - reboot_required | bool - - sysctl_net_ipv4_ip_forward | bool - - name: List /etc/sysctl.d/*.conf files - find: + ansible.builtin.find: paths: - /etc/sysctl.d/ - /run/sysctl.d/ @@ -15871,7 +14788,7 @@ - sysctl_net_ipv4_ip_forward - name: Comment out any occurrences of net.ipv4.ip_forward from config files - replace: + ansible.builtin.replace: path: '{{ item.path }}' regexp: ^[\s]*net.ipv4.ip_forward replace: '#net.ipv4.ip_forward' @@ -15904,7 +14821,7 @@ - sysctl_net_ipv4_ip_forward - name: Ensure sysctl net.ipv4.ip_forward is set to 0 - sysctl: + ansible.posix.sysctl: name: net.ipv4.ip_forward value: '0' sysctl_file: /etc/sysctl.conf 
@@ -15937,206 +14854,8 @@ - reboot_required - sysctl_net_ipv4_ip_forward -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-86378-7 - - PCI-DSSv4-1.2 - - PCI-DSSv4-1.2.1 - - enable_strategy - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - package_nftables_installed - when: - - enable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - package_nftables_installed | bool - -- name: Ensure nftables is installed - package: - name: nftables - state: present - when: - - enable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - package_nftables_installed | bool - - ( "kernel" in ansible_facts.packages ) - tags: - - CCE-86378-7 - - PCI-DSSv4-1.2 - - PCI-DSSv4-1.2.1 - - enable_strategy - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - package_nftables_installed - -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-88429-6 - - PCI-DSSv4-1.2 - - PCI-DSSv4-1.2.1 - - disable_strategy - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - service_nftables_disabled - when: - - disable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - service_nftables_disabled | bool - -- name: Verify nftables Service is Disabled - Collect systemd Services Present in the System - ansible.builtin.command: systemctl -q list-unit-files --type service - register: service_exists - changed_when: false - failed_when: service_exists.rc not in [0, 1] - check_mode: false - when: - - disable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - service_nftables_disabled | bool - - ( "firewalld" in ansible_facts.packages and "nftables" in 
ansible_facts.packages and "kernel" in ansible_facts.packages - ) - tags: - - CCE-88429-6 - - PCI-DSSv4-1.2 - - PCI-DSSv4-1.2.1 - - disable_strategy - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - service_nftables_disabled - -- name: Verify nftables Service is Disabled - Ensure nftables.service is Masked - ansible.builtin.systemd: - name: nftables.service - state: stopped - enabled: false - masked: true - when: - - disable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - service_nftables_disabled | bool - - ( "firewalld" in ansible_facts.packages and "nftables" in ansible_facts.packages and "kernel" in ansible_facts.packages - ) - - service_exists.stdout_lines is search("nftables.service", multiline=True) - tags: - - CCE-88429-6 - - PCI-DSSv4-1.2 - - PCI-DSSv4-1.2.1 - - disable_strategy - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - service_nftables_disabled - -- name: Unit Socket Exists - nftables.socket - ansible.builtin.command: systemctl -q list-unit-files nftables.socket - register: socket_file_exists - changed_when: false - failed_when: socket_file_exists.rc not in [0, 1] - check_mode: false - when: - - disable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - service_nftables_disabled | bool - - ( "firewalld" in ansible_facts.packages and "nftables" in ansible_facts.packages and "kernel" in ansible_facts.packages - ) - tags: - - CCE-88429-6 - - PCI-DSSv4-1.2 - - PCI-DSSv4-1.2.1 - - disable_strategy - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - service_nftables_disabled - -- name: Verify nftables Service is Disabled - Disable Socket nftables - ansible.builtin.systemd: - name: nftables.socket - enabled: false - state: stopped - masked: true - when: - - disable_strategy | bool - - low_complexity | bool 
- - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - service_nftables_disabled | bool - - ( "firewalld" in ansible_facts.packages and "nftables" in ansible_facts.packages and "kernel" in ansible_facts.packages - ) - - socket_file_exists.stdout_lines is search("nftables.socket", multiline=True) - tags: - - CCE-88429-6 - - PCI-DSSv4-1.2 - - PCI-DSSv4-1.2.1 - - disable_strategy - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - service_nftables_disabled - -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-84136-1 - - CJIS-5.10.1 - - NIST-800-171-3.4.6 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - PCI-DSS-Req-1.4.2 - - PCI-DSSv4-1.4 - - PCI-DSSv4-1.4.2 - - disable_strategy - - kernel_module_dccp_disabled - - low_complexity - - medium_disruption - - medium_severity - - reboot_required - when: - - disable_strategy | bool - - kernel_module_dccp_disabled | bool - - low_complexity | bool - - medium_disruption | bool - - medium_severity | bool - - reboot_required | bool - - name: Ensure kernel module 'dccp' is disabled - lineinfile: + ansible.builtin.lineinfile: create: true dest: /etc/modprobe.d/dccp.conf regexp: install\s+dccp @@ -16167,7 +14886,7 @@ - reboot_required - name: Ensure kernel module 'dccp' is blacklisted - lineinfile: + ansible.builtin.lineinfile: create: true dest: /etc/modprobe.d/dccp.conf regexp: ^blacklist dccp$ 
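Review bot: This hunk deletes the nftables remediation tasks outright — "Ensure nftables is installed" (CCE-86378-7) and the four "Verify nftables Service is Disabled" tasks for nftables.service and nftables.socket (CCE-88429-6) — whereas every neighbouring hunk only drops the per-rule "Gather the package facts" task and qualifies module names, so this quietly narrows what the role enforces instead of refactoring it. If those rules are now handled elsewhere, that should be stated in the commit description; otherwise the tasks should be kept, with `package:` changed to `ansible.builtin.package:` like the other package tasks in this commit (the command and systemd tasks already used their FQCN). The hunk that starts at the bluetooth rule removes the equivalent "Disable Bluetooth Service" task set (CCE-86761-4) in the same way and needs the same check; that hunk runs past the end of this chunk, so its tail is not visible here.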
@@ -16197,30 +14916,8 @@ - medium_severity - reboot_required -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-84064-5 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - disable_strategy - - kernel_module_rds_disabled - - low_complexity - - low_severity - - medium_disruption - - reboot_required - when: - - disable_strategy | bool - - kernel_module_rds_disabled | bool - - low_complexity | bool - - low_severity | bool - - medium_disruption | bool - - reboot_required | bool - - name: Ensure kernel module 'rds' is disabled - lineinfile: + ansible.builtin.lineinfile: create: true dest: /etc/modprobe.d/rds.conf regexp: install\s+rds @@ -16246,7 +14943,7 @@ - reboot_required - name: Ensure kernel module 'rds' is blacklisted - lineinfile: + ansible.builtin.lineinfile: create: true dest: /etc/modprobe.d/rds.conf regexp: ^blacklist rds$ @@ -16271,37 +14968,8 @@ - medium_disruption - reboot_required -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-84139-5 - - CJIS-5.10.1 - - DISA-STIG-RHEL-09-213060 - - NIST-800-171-3.4.6 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - PCI-DSS-Req-1.4.2 - - PCI-DSSv4-1.4 - - PCI-DSSv4-1.4.2 - - disable_strategy - - kernel_module_sctp_disabled - - low_complexity - - medium_disruption - - medium_severity - - reboot_required - when: - - DISA_STIG_RHEL_09_213060 | bool - - disable_strategy | bool - - kernel_module_sctp_disabled | bool - - low_complexity | bool - - medium_disruption | bool - - medium_severity | bool - - reboot_required | bool - - name: Ensure kernel module 'sctp' is disabled - lineinfile: + ansible.builtin.lineinfile: create: true dest: /etc/modprobe.d/sctp.conf regexp: install\s+sctp @@ -16334,7 +15002,7 @@ - reboot_required - name: Ensure kernel module 'sctp' is blacklisted - lineinfile: + ansible.builtin.lineinfile: create: true dest: /etc/modprobe.d/sctp.conf regexp: ^blacklist sctp$ 
@@ -16366,32 +15034,8 @@ - medium_severity - reboot_required -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-84065-2 - - DISA-STIG-RHEL-09-213065 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - disable_strategy - - kernel_module_tipc_disabled - - low_complexity - - low_severity - - medium_disruption - - reboot_required - when: - - DISA_STIG_RHEL_09_213065 | bool - - disable_strategy | bool - - kernel_module_tipc_disabled | bool - - low_complexity | bool - - low_severity | bool - - medium_disruption | bool - - reboot_required | bool - - name: Ensure kernel module 'tipc' is disabled - lineinfile: + ansible.builtin.lineinfile: create: true dest: /etc/modprobe.d/tipc.conf regexp: install\s+tipc @@ -16419,7 +15063,7 @@ - reboot_required - name: Ensure kernel module 'tipc' is blacklisted - lineinfile: + ansible.builtin.lineinfile: create: true dest: /etc/modprobe.d/tipc.conf regexp: ^blacklist tipc$ 
@@ -16446,253 +15090,8 @@ - medium_disruption - reboot_required -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-86761-4 - - NIST-800-171-3.1.16 - - NIST-800-53-AC-18(3) - - NIST-800-53-AC-18(a) - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - NIST-800-53-MP-7 - - disable_strategy - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - service_bluetooth_disabled - when: - - disable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - service_bluetooth_disabled | bool - -- name: Disable Bluetooth Service - Collect systemd Services Present in the System - ansible.builtin.command: systemctl -q list-unit-files --type service - register: service_exists - changed_when: false - failed_when: service_exists.rc not in [0, 1] - check_mode: false - when: - - disable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - service_bluetooth_disabled | bool - - '"kernel" in ansible_facts.packages' - tags: - - CCE-86761-4 - - NIST-800-171-3.1.16 - - NIST-800-53-AC-18(3) - - NIST-800-53-AC-18(a) - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - NIST-800-53-MP-7 - - disable_strategy - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - service_bluetooth_disabled - -- name: Disable Bluetooth Service - Ensure bluetooth.service is Masked - ansible.builtin.systemd: - name: bluetooth.service - state: stopped - enabled: false - masked: true - when: - - disable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - service_bluetooth_disabled | bool - - '"kernel" in ansible_facts.packages' - - service_exists.stdout_lines is search("bluetooth.service", multiline=True) - tags: - - CCE-86761-4 - - NIST-800-171-3.1.16 - - 
NIST-800-53-AC-18(3) - - NIST-800-53-AC-18(a) - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - NIST-800-53-MP-7 - - disable_strategy - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - service_bluetooth_disabled - -- name: Unit Socket Exists - bluetooth.socket - ansible.builtin.command: systemctl -q list-unit-files bluetooth.socket - register: socket_file_exists - changed_when: false - failed_when: socket_file_exists.rc not in [0, 1] - check_mode: false - when: - - disable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - service_bluetooth_disabled | bool - - '"kernel" in ansible_facts.packages' - tags: - - CCE-86761-4 - - NIST-800-171-3.1.16 - - NIST-800-53-AC-18(3) - - NIST-800-53-AC-18(a) - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - NIST-800-53-MP-7 - - disable_strategy - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - service_bluetooth_disabled - -- name: Disable Bluetooth Service - Disable Socket bluetooth - ansible.builtin.systemd: - name: bluetooth.socket - enabled: false - state: stopped - masked: true - when: - - disable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - service_bluetooth_disabled | bool - - '"kernel" in ansible_facts.packages' - - socket_file_exists.stdout_lines is search("bluetooth.socket", multiline=True) - tags: - - CCE-86761-4 - - NIST-800-171-3.1.16 - - NIST-800-53-AC-18(3) - - NIST-800-53-AC-18(a) - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - NIST-800-53-MP-7 - - disable_strategy - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - service_bluetooth_disabled - -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-84066-0 - - DISA-STIG-RHEL-09-291040 - - NIST-800-171-3.1.16 - 
- NIST-800-53-AC-18(3) - - NIST-800-53-AC-18(a) - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - NIST-800-53-MP-7 - - PCI-DSS-Req-1.3.3 - - PCI-DSSv4-1.3 - - PCI-DSSv4-1.3.3 - - low_complexity - - medium_disruption - - medium_severity - - no_reboot_needed - - unknown_strategy - - wireless_disable_interfaces - when: - - DISA_STIG_RHEL_09_291040 | bool - - low_complexity | bool - - medium_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - unknown_strategy | bool - - wireless_disable_interfaces | bool - -- name: Service facts - ansible.builtin.service_facts: null - when: - - DISA_STIG_RHEL_09_291040 | bool - - low_complexity | bool - - medium_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - unknown_strategy | bool - - wireless_disable_interfaces | bool - - ( not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] ) ) - tags: - - CCE-84066-0 - - DISA-STIG-RHEL-09-291040 - - NIST-800-171-3.1.16 - - NIST-800-53-AC-18(3) - - NIST-800-53-AC-18(a) - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - NIST-800-53-MP-7 - - PCI-DSS-Req-1.3.3 - - PCI-DSSv4-1.3 - - PCI-DSSv4-1.3.3 - - low_complexity - - medium_disruption - - medium_severity - - no_reboot_needed - - unknown_strategy - - wireless_disable_interfaces - -- name: Ensure NetworkManager is installed - ansible.builtin.package: - name: '{{ item }}' - state: present - with_items: - - NetworkManager - when: - - DISA_STIG_RHEL_09_291040 | bool - - low_complexity | bool - - medium_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - unknown_strategy | bool - - wireless_disable_interfaces | bool - - ( not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] ) ) - tags: - - CCE-84066-0 - - DISA-STIG-RHEL-09-291040 - - NIST-800-171-3.1.16 - - NIST-800-53-AC-18(3) - - NIST-800-53-AC-18(a) - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - 
NIST-800-53-CM-7(b) - - NIST-800-53-MP-7 - - PCI-DSS-Req-1.3.3 - - PCI-DSSv4-1.3 - - PCI-DSSv4-1.3.3 - - low_complexity - - medium_disruption - - medium_severity - - no_reboot_needed - - unknown_strategy - - wireless_disable_interfaces - - name: NetworkManager Deactivate Wireless Network Interfaces - command: nmcli radio wifi off + ansible.builtin.command: nmcli radio wifi off when: - DISA_STIG_RHEL_09_291040 | bool - low_complexity | bool @@ -17000,7 +15399,7 @@ - restrict_strategy | bool - name: Set the file_groupowner_backup_etc_group_newgroup variable if represented by gid - set_fact: + ansible.builtin.set_fact: file_groupowner_backup_etc_group_newgroup: '0' tags: - CCE-83928-2 @@ -17025,7 +15424,7 @@ - no_reboot_needed | bool - name: Test for existence /etc/group- - stat: + ansible.builtin.stat: path: /etc/group- register: file_exists tags: @@ -17051,8 +15450,9 @@ - no_reboot_needed | bool - name: Ensure group owner on /etc/group- - file: + ansible.builtin.file: path: /etc/group- + follow: false group: '{{ file_groupowner_backup_etc_group_newgroup }}' when: - DISA_STIG_RHEL_09_232105 | bool @@ -17078,7 +15478,7 @@ - no_reboot_needed - name: Set the file_groupowner_backup_etc_gshadow_newgroup variable if represented by gid - set_fact: + ansible.builtin.set_fact: file_groupowner_backup_etc_gshadow_newgroup: '0' tags: - CCE-83951-4 @@ -17101,7 +15501,7 @@ - no_reboot_needed | bool - name: Test for existence /etc/gshadow- - stat: + ansible.builtin.stat: path: /etc/gshadow- register: file_exists tags: @@ -17125,8 +15525,9 @@ - no_reboot_needed | bool - name: Ensure group owner on /etc/gshadow- - file: + ansible.builtin.file: path: /etc/gshadow- + follow: false group: '{{ file_groupowner_backup_etc_gshadow_newgroup }}' when: - DISA_STIG_RHEL_09_232125 | bool 
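Review bot: The `ansible.builtin.command: nmcli radio wifi off` task at the end of this hunk keeps its `DISA_STIG_RHEL_09_291040` guards but loses the two tasks that used to precede it, `Service facts` and `Ensure NetworkManager is installed`, so the command now runs with no check that NetworkManager is present; the same hunk also drops the whole `service_bluetooth_disabled` remediation (the four command/systemd tasks tagged CCE-86761-4) rather than only its duplicated `Gather the package facts` task as the surrounding hunks do. If these tasks were relocated into the large block inserted near the top of the file this is fine, but nothing in the hunk shows that, so either restore them here or state in the commit message where they went. The `when:` list of the `nmcli` task continues past the end of the hunk.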
@@ -17150,7 +15551,7 @@ - no_reboot_needed - name: Set the file_groupowner_backup_etc_passwd_newgroup variable if represented by gid - set_fact: + ansible.builtin.set_fact: file_groupowner_backup_etc_passwd_newgroup: '0' tags: - CCE-83933-2 @@ -17175,7 +15576,7 @@ - no_reboot_needed | bool - name: Test for existence /etc/passwd- - stat: + ansible.builtin.stat: path: /etc/passwd- register: file_exists tags: @@ -17201,8 +15602,9 @@ - no_reboot_needed | bool - name: Ensure group owner on /etc/passwd- - file: + ansible.builtin.file: path: /etc/passwd- + follow: false group: '{{ file_groupowner_backup_etc_passwd_newgroup }}' when: - DISA_STIG_RHEL_09_232145 | bool @@ -17228,7 +15630,7 @@ - no_reboot_needed - name: Set the file_groupowner_backup_etc_shadow_newgroup variable if represented by gid - set_fact: + ansible.builtin.set_fact: file_groupowner_backup_etc_shadow_newgroup: '0' tags: - CCE-83938-1 @@ -17252,7 +15654,7 @@ - no_reboot_needed | bool - name: Test for existence /etc/shadow- - stat: + ansible.builtin.stat: path: /etc/shadow- register: file_exists tags: @@ -17277,8 +15679,9 @@ - no_reboot_needed | bool - name: Ensure group owner on /etc/shadow- - file: + ansible.builtin.file: path: /etc/shadow- + follow: false group: '{{ file_groupowner_backup_etc_shadow_newgroup }}' when: - DISA_STIG_RHEL_09_232165 | bool @@ -17303,7 +15706,7 @@ - no_reboot_needed - name: Set the file_groupowner_etc_group_newgroup variable if represented by gid - set_fact: + ansible.builtin.set_fact: file_groupowner_etc_group_newgroup: '0' tags: - CCE-83945-6 @@ -17330,7 +15733,7 @@ - no_reboot_needed | bool - name: Test for existence /etc/group - stat: + ansible.builtin.stat: path: /etc/group register: file_exists tags: @@ -17358,8 +15761,9 @@ - no_reboot_needed | bool - name: Ensure group owner on /etc/group - file: + ansible.builtin.file: path: /etc/group + follow: false group: '{{ file_groupowner_etc_group_newgroup }}' when: - DISA_STIG_RHEL_09_232095 | bool 
@@ -17387,7 +15791,7 @@ - no_reboot_needed - name: Set the file_groupowner_etc_gshadow_newgroup variable if represented by gid - set_fact: + ansible.builtin.set_fact: file_groupowner_etc_gshadow_newgroup: '0' tags: - CCE-83948-0 @@ -17410,7 +15814,7 @@ - no_reboot_needed | bool - name: Test for existence /etc/gshadow - stat: + ansible.builtin.stat: path: /etc/gshadow register: file_exists tags: @@ -17434,8 +15838,9 @@ - no_reboot_needed | bool - name: Ensure group owner on /etc/gshadow - file: + ansible.builtin.file: path: /etc/gshadow + follow: false group: '{{ file_groupowner_etc_gshadow_newgroup }}' when: - DISA_STIG_RHEL_09_232115 | bool @@ -17459,7 +15864,7 @@ - no_reboot_needed - name: Set the file_groupowner_etc_passwd_newgroup variable if represented by gid - set_fact: + ansible.builtin.set_fact: file_groupowner_etc_passwd_newgroup: '0' tags: - CCE-83950-6 @@ -17486,7 +15891,7 @@ - no_reboot_needed | bool - name: Test for existence /etc/passwd - stat: + ansible.builtin.stat: path: /etc/passwd register: file_exists tags: @@ -17514,8 +15919,9 @@ - no_reboot_needed | bool - name: Ensure group owner on /etc/passwd - file: + ansible.builtin.file: path: /etc/passwd + follow: false group: '{{ file_groupowner_etc_passwd_newgroup }}' when: - DISA_STIG_RHEL_09_232135 | bool @@ -17543,7 +15949,7 @@ - no_reboot_needed - name: Set the file_groupowner_etc_shadow_newgroup variable if represented by gid - set_fact: + ansible.builtin.set_fact: file_groupowner_etc_shadow_newgroup: '0' tags: - CCE-83930-8 @@ -17570,7 +15976,7 @@ - no_reboot_needed | bool - name: Test for existence /etc/shadow - stat: + ansible.builtin.stat: path: /etc/shadow register: file_exists tags: @@ -17598,8 +16004,9 @@ - no_reboot_needed | bool - name: Ensure group owner on /etc/shadow - file: + ansible.builtin.file: path: /etc/shadow + follow: false group: '{{ file_groupowner_etc_shadow_newgroup }}' when: - DISA_STIG_RHEL_09_232155 | bool 
@@ -17627,7 +16034,7 @@ - no_reboot_needed - name: Set the file_groupowner_etc_shells_newgroup variable if represented by gid - set_fact: + ansible.builtin.set_fact: file_groupowner_etc_shells_newgroup: '0' tags: - CCE-90434-2 @@ -17648,7 +16055,7 @@ - no_reboot_needed | bool - name: Test for existence /etc/shells - stat: + ansible.builtin.stat: path: /etc/shells register: file_exists tags: @@ -17670,8 +16077,9 @@ - no_reboot_needed | bool - name: Ensure group owner on /etc/shells - file: + ansible.builtin.file: path: /etc/shells + follow: false group: '{{ file_groupowner_etc_shells_newgroup }}' when: - configure_strategy | bool @@ -17693,7 +16101,7 @@ - no_reboot_needed - name: Set the file_owner_backup_etc_group_newown variable if represented by uid - set_fact: + ansible.builtin.set_fact: file_owner_backup_etc_group_newown: '0' tags: - CCE-83944-9 @@ -17718,7 +16126,7 @@ - no_reboot_needed | bool - name: Test for existence /etc/group- - stat: + ansible.builtin.stat: path: /etc/group- register: file_exists tags: @@ -17744,8 +16152,9 @@ - no_reboot_needed | bool - name: Ensure owner on /etc/group- - file: + ansible.builtin.file: path: /etc/group- + follow: false owner: '{{ file_owner_backup_etc_group_newown }}' when: - DISA_STIG_RHEL_09_232100 | bool @@ -17771,7 +16180,7 @@ - no_reboot_needed - name: Set the file_owner_backup_etc_gshadow_newown variable if represented by uid - set_fact: + ansible.builtin.set_fact: file_owner_backup_etc_gshadow_newown: '0' tags: - CCE-83929-0 @@ -17794,7 +16203,7 @@ - no_reboot_needed | bool - name: Test for existence /etc/gshadow- - stat: + ansible.builtin.stat: path: /etc/gshadow- register: file_exists tags: @@ -17818,8 +16227,9 @@ - no_reboot_needed | bool - name: Ensure owner on /etc/gshadow- - file: + ansible.builtin.file: path: /etc/gshadow- + follow: false owner: '{{ file_owner_backup_etc_gshadow_newown }}' when: - DISA_STIG_RHEL_09_232120 | bool 
@@ -17843,7 +16253,7 @@ - no_reboot_needed - name: Set the file_owner_backup_etc_passwd_newown variable if represented by uid - set_fact: + ansible.builtin.set_fact: file_owner_backup_etc_passwd_newown: '0' tags: - CCE-83947-2 @@ -17868,7 +16278,7 @@ - no_reboot_needed | bool - name: Test for existence /etc/passwd- - stat: + ansible.builtin.stat: path: /etc/passwd- register: file_exists tags: @@ -17894,8 +16304,9 @@ - no_reboot_needed | bool - name: Ensure owner on /etc/passwd- - file: + ansible.builtin.file: path: /etc/passwd- + follow: false owner: '{{ file_owner_backup_etc_passwd_newown }}' when: - DISA_STIG_RHEL_09_232140 | bool @@ -17921,7 +16332,7 @@ - no_reboot_needed - name: Set the file_owner_backup_etc_shadow_newown variable if represented by uid - set_fact: + ansible.builtin.set_fact: file_owner_backup_etc_shadow_newown: '0' tags: - CCE-83949-8 @@ -17946,7 +16357,7 @@ - no_reboot_needed | bool - name: Test for existence /etc/shadow- - stat: + ansible.builtin.stat: path: /etc/shadow- register: file_exists tags: @@ -17972,8 +16383,9 @@ - no_reboot_needed | bool - name: Ensure owner on /etc/shadow- - file: + ansible.builtin.file: path: /etc/shadow- + follow: false owner: '{{ file_owner_backup_etc_shadow_newown }}' when: - DISA_STIG_RHEL_09_232160 | bool @@ -17999,7 +16411,7 @@ - no_reboot_needed - name: Set the file_owner_etc_group_newown variable if represented by uid - set_fact: + ansible.builtin.set_fact: file_owner_etc_group_newown: '0' tags: - CCE-83925-8 @@ -18026,7 +16438,7 @@ - no_reboot_needed | bool - name: Test for existence /etc/group - stat: + ansible.builtin.stat: path: /etc/group register: file_exists tags: @@ -18054,8 +16466,9 @@ - no_reboot_needed | bool - name: Ensure owner on /etc/group - file: + ansible.builtin.file: path: /etc/group + follow: false owner: '{{ file_owner_etc_group_newown }}' when: - DISA_STIG_RHEL_09_232090 | bool 
@@ -18083,7 +16496,7 @@ - no_reboot_needed - name: Set the file_owner_etc_gshadow_newown variable if represented by uid - set_fact: + ansible.builtin.set_fact: file_owner_etc_gshadow_newown: '0' tags: - CCE-83924-1 @@ -18106,7 +16519,7 @@ - no_reboot_needed | bool - name: Test for existence /etc/gshadow - stat: + ansible.builtin.stat: path: /etc/gshadow register: file_exists tags: @@ -18130,8 +16543,9 @@ - no_reboot_needed | bool - name: Ensure owner on /etc/gshadow - file: + ansible.builtin.file: path: /etc/gshadow + follow: false owner: '{{ file_owner_etc_gshadow_newown }}' when: - DISA_STIG_RHEL_09_232110 | bool @@ -18155,7 +16569,7 @@ - no_reboot_needed - name: Set the file_owner_etc_passwd_newown variable if represented by uid - set_fact: + ansible.builtin.set_fact: file_owner_etc_passwd_newown: '0' tags: - CCE-83943-1 @@ -18182,7 +16596,7 @@ - no_reboot_needed | bool - name: Test for existence /etc/passwd - stat: + ansible.builtin.stat: path: /etc/passwd register: file_exists tags: @@ -18210,8 +16624,9 @@ - no_reboot_needed | bool - name: Ensure owner on /etc/passwd - file: + ansible.builtin.file: path: /etc/passwd + follow: false owner: '{{ file_owner_etc_passwd_newown }}' when: - DISA_STIG_RHEL_09_232130 | bool @@ -18239,7 +16654,7 @@ - no_reboot_needed - name: Set the file_owner_etc_shadow_newown variable if represented by uid - set_fact: + ansible.builtin.set_fact: file_owner_etc_shadow_newown: '0' tags: - CCE-83926-6 @@ -18266,7 +16681,7 @@ - no_reboot_needed | bool - name: Test for existence /etc/shadow - stat: + ansible.builtin.stat: path: /etc/shadow register: file_exists tags: @@ -18294,8 +16709,9 @@ - no_reboot_needed | bool - name: Ensure owner on /etc/shadow - file: + ansible.builtin.file: path: /etc/shadow + follow: false owner: '{{ file_owner_etc_shadow_newown }}' when: - DISA_STIG_RHEL_09_232150 | bool 
@@ -18323,7 +16739,7 @@ - no_reboot_needed - name: Set the file_owner_etc_shells_newown variable if represented by uid - set_fact: + ansible.builtin.set_fact: file_owner_etc_shells_newown: '0' tags: - CCE-90435-9 @@ -18344,7 +16760,7 @@ - no_reboot_needed | bool - name: Test for existence /etc/shells - stat: + ansible.builtin.stat: path: /etc/shells register: file_exists tags: @@ -18366,8 +16782,9 @@ - no_reboot_needed | bool - name: Ensure owner on /etc/shells - file: + ansible.builtin.file: path: /etc/shells + follow: false owner: '{{ file_owner_etc_shells_newown }}' when: - configure_strategy | bool @@ -18389,7 +16806,7 @@ - no_reboot_needed - name: Test for existence /etc/group- - stat: + ansible.builtin.stat: path: /etc/group- register: file_exists tags: @@ -18415,7 +16832,7 @@ - no_reboot_needed | bool - name: Ensure permission u-xs,g-xws,o-xwt on /etc/group- - file: + ansible.builtin.file: path: /etc/group- mode: u-xs,g-xws,o-xwt when: @@ -18442,7 +16859,7 @@ - no_reboot_needed - name: Test for existence /etc/gshadow- - stat: + ansible.builtin.stat: path: /etc/gshadow- register: file_exists tags: @@ -18465,7 +16882,7 @@ - no_reboot_needed | bool - name: Ensure permission u-xwrs,g-xwrs,o-xwrt on /etc/gshadow- - file: + ansible.builtin.file: path: /etc/gshadow- mode: u-xwrs,g-xwrs,o-xwrt when: @@ -18489,7 +16906,7 @@ - no_reboot_needed - name: Test for existence /etc/passwd- - stat: + ansible.builtin.stat: path: /etc/passwd- register: file_exists tags: @@ -18515,7 +16932,7 @@ - no_reboot_needed | bool - name: Ensure permission u-xs,g-xws,o-xwt on /etc/passwd- - file: + ansible.builtin.file: path: /etc/passwd- mode: u-xs,g-xws,o-xwt when: @@ -18542,7 +16959,7 @@ - no_reboot_needed - name: Test for existence /etc/shadow- - stat: + ansible.builtin.stat: path: /etc/shadow- register: file_exists tags: 
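Review bot: `follow: false` is added to every owner/group `ansible.builtin.file` task in the preceding hunks (for example `Ensure group owner on /etc/group-`), but the permission tasks in this line and the next (`Ensure permission u-xs,g-xws,o-xwt on /etc/group-`, the `/etc/gshadow-`, `/etc/passwd-`, `/etc/shadow-` tasks, and the `/etc/group`, `/etc/gshadow`, `/etc/passwd`, `/etc/shadow`, `/etc/shells` tasks that follow) keep the module default, which follows symlinks. With the default, if one of these paths were replaced by a symlink the mode would be applied to the link target rather than the file the rule names, which is the case the owner/group change is guarding against. Add `follow: false` directly under `path:` in each mode task so all of the file-attribute tasks behave the same way. Each task's `when:` list continues past the end of its hunk.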
@@ -18568,7 +16985,7 @@ - no_reboot_needed | bool - name: Ensure permission u-xwrs,g-xwrs,o-xwrt on /etc/shadow- - file: + ansible.builtin.file: path: /etc/shadow- mode: u-xwrs,g-xwrs,o-xwrt when: @@ -18595,7 +17012,7 @@ - no_reboot_needed - name: Test for existence /etc/group - stat: + ansible.builtin.stat: path: /etc/group register: file_exists tags: @@ -18623,7 +17040,7 @@ - no_reboot_needed | bool - name: Ensure permission u-xs,g-xws,o-xwt on /etc/group - file: + ansible.builtin.file: path: /etc/group mode: u-xs,g-xws,o-xwt when: @@ -18652,7 +17069,7 @@ - no_reboot_needed - name: Test for existence /etc/gshadow - stat: + ansible.builtin.stat: path: /etc/gshadow register: file_exists tags: @@ -18676,7 +17093,7 @@ - no_reboot_needed | bool - name: Ensure permission u-xwrs,g-xwrs,o-xwrt on /etc/gshadow - file: + ansible.builtin.file: path: /etc/gshadow mode: u-xwrs,g-xwrs,o-xwrt when: @@ -18701,7 +17118,7 @@ - no_reboot_needed - name: Test for existence /etc/passwd - stat: + ansible.builtin.stat: path: /etc/passwd register: file_exists tags: @@ -18729,7 +17146,7 @@ - no_reboot_needed | bool - name: Ensure permission u-xs,g-xws,o-xwt on /etc/passwd - file: + ansible.builtin.file: path: /etc/passwd mode: u-xs,g-xws,o-xwt when: @@ -18758,7 +17175,7 @@ - no_reboot_needed - name: Test for existence /etc/shadow - stat: + ansible.builtin.stat: path: /etc/shadow register: file_exists tags: @@ -18786,7 +17203,7 @@ - no_reboot_needed | bool - name: Ensure permission u-xwrs,g-xwrs,o-xwrt on /etc/shadow - file: + ansible.builtin.file: path: /etc/shadow mode: u-xwrs,g-xwrs,o-xwrt when: @@ -18815,7 +17232,7 @@ - no_reboot_needed - name: Test for existence /etc/shells - stat: + ansible.builtin.stat: path: /etc/shells register: file_exists tags: @@ -18837,7 +17254,7 @@ - no_reboot_needed | bool - name: Ensure permission u-xs,g-xws,o-xwt on /etc/shells - file: + ansible.builtin.file: path: /etc/shells mode: u-xs,g-xws,o-xwt when: 
@@ -18859,181 +17276,8 @@ - medium_severity - no_reboot_needed -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83850-8 - - DISA-STIG-RHEL-09-231040 - - NIST-800-171-3.4.6 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - NIST-800-53-MP-7 - - disable_strategy - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - service_autofs_disabled - when: - - DISA_STIG_RHEL_09_231040 | bool - - disable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - service_autofs_disabled | bool - -- name: Disable the Automounter - Collect systemd Services Present in the System - ansible.builtin.command: systemctl -q list-unit-files --type service - register: service_exists - changed_when: false - failed_when: service_exists.rc not in [0, 1] - check_mode: false - when: - - DISA_STIG_RHEL_09_231040 | bool - - disable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - service_autofs_disabled | bool - - ( "autofs" in ansible_facts.packages and "kernel" in ansible_facts.packages ) - tags: - - CCE-83850-8 - - DISA-STIG-RHEL-09-231040 - - NIST-800-171-3.4.6 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - NIST-800-53-MP-7 - - disable_strategy - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - service_autofs_disabled - -- name: Disable the Automounter - Ensure autofs.service is Masked - ansible.builtin.systemd: - name: autofs.service - state: stopped - enabled: false - masked: true - when: - - DISA_STIG_RHEL_09_231040 | bool - - disable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - service_autofs_disabled | bool - - ( "autofs" in ansible_facts.packages and "kernel" in ansible_facts.packages ) - - 
service_exists.stdout_lines is search("autofs.service", multiline=True) - tags: - - CCE-83850-8 - - DISA-STIG-RHEL-09-231040 - - NIST-800-171-3.4.6 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - NIST-800-53-MP-7 - - disable_strategy - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - service_autofs_disabled - -- name: Unit Socket Exists - autofs.socket - ansible.builtin.command: systemctl -q list-unit-files autofs.socket - register: socket_file_exists - changed_when: false - failed_when: socket_file_exists.rc not in [0, 1] - check_mode: false - when: - - DISA_STIG_RHEL_09_231040 | bool - - disable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - service_autofs_disabled | bool - - ( "autofs" in ansible_facts.packages and "kernel" in ansible_facts.packages ) - tags: - - CCE-83850-8 - - DISA-STIG-RHEL-09-231040 - - NIST-800-171-3.4.6 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - NIST-800-53-MP-7 - - disable_strategy - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - service_autofs_disabled - -- name: Disable the Automounter - Disable Socket autofs - ansible.builtin.systemd: - name: autofs.socket - enabled: false - state: stopped - masked: true - when: - - DISA_STIG_RHEL_09_231040 | bool - - disable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - service_autofs_disabled | bool - - ( "autofs" in ansible_facts.packages and "kernel" in ansible_facts.packages ) - - socket_file_exists.stdout_lines is search("autofs.socket", multiline=True) - tags: - - CCE-83850-8 - - DISA-STIG-RHEL-09-231040 - - NIST-800-171-3.4.6 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - NIST-800-53-MP-7 - - disable_strategy - - low_complexity - - low_disruption - - medium_severity - - 
no_reboot_needed - - service_autofs_disabled - -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83853-2 - - DISA-STIG-RHEL-09-231195 - - NIST-800-171-3.4.6 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - disable_strategy - - kernel_module_cramfs_disabled - - low_complexity - - low_severity - - medium_disruption - - reboot_required - when: - - DISA_STIG_RHEL_09_231195 | bool - - disable_strategy | bool - - kernel_module_cramfs_disabled | bool - - low_complexity | bool - - low_severity | bool - - medium_disruption | bool - - reboot_required | bool - - name: Ensure kernel module 'cramfs' is disabled - lineinfile: + ansible.builtin.lineinfile: create: true dest: /etc/modprobe.d/cramfs.conf regexp: install\s+cramfs @@ -19062,7 +17306,7 @@ - reboot_required - name: Ensure kernel module 'cramfs' is blacklisted - lineinfile: + ansible.builtin.lineinfile: create: true dest: /etc/modprobe.d/cramfs.conf regexp: ^blacklist cramfs$ @@ -19090,31 +17334,8 @@ - medium_disruption - reboot_required -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-86763-0 - - NIST-800-171-3.4.6 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - disable_strategy - - kernel_module_freevxfs_disabled - - low_complexity - - low_severity - - medium_disruption - - reboot_required - when: - - disable_strategy | bool - - kernel_module_freevxfs_disabled | bool - - low_complexity | bool - - low_severity | bool - - medium_disruption | bool - - reboot_required | bool - - name: Ensure kernel module 'freevxfs' is disabled - lineinfile: + ansible.builtin.lineinfile: create: true dest: /etc/modprobe.d/freevxfs.conf regexp: install\s+freevxfs @@ -19141,7 +17362,7 @@ - reboot_required - name: Ensure kernel module 'freevxfs' is blacklisted - lineinfile: + ansible.builtin.lineinfile: create: true dest: /etc/modprobe.d/freevxfs.conf regexp: ^blacklist freevxfs$ 
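Review bot: Besides the FQCN change to the cramfs `lineinfile` tasks, this hunk (starting at @@ -18859 two lines up) removes the entire `service_autofs_disabled` remediation — the four `Disable the Automounter` command/systemd tasks tagged CCE-83850-8 and DISA-STIG-RHEL-09-231040 — not only its duplicated `Gather the package facts` task, which is all the other kernel-module hunks remove. Unless these tasks were moved into the block added earlier in the file, the role silently stops masking `autofs.service` and `autofs.socket`; restore them or record in the commit message where they now live. The bluetooth and NetworkManager tasks removed in the hunk at @@ -16446 raise the same question.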
@@ -19167,31 +17388,8 @@ - medium_disruption - reboot_required -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-86764-8 - - NIST-800-171-3.4.6 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - disable_strategy - - kernel_module_hfs_disabled - - low_complexity - - low_severity - - medium_disruption - - reboot_required - when: - - disable_strategy | bool - - kernel_module_hfs_disabled | bool - - low_complexity | bool - - low_severity | bool - - medium_disruption | bool - - reboot_required | bool - - name: Ensure kernel module 'hfs' is disabled - lineinfile: + ansible.builtin.lineinfile: create: true dest: /etc/modprobe.d/hfs.conf regexp: install\s+hfs @@ -19218,7 +17416,7 @@ - reboot_required - name: Ensure kernel module 'hfs' is blacklisted - lineinfile: + ansible.builtin.lineinfile: create: true dest: /etc/modprobe.d/hfs.conf regexp: ^blacklist hfs$ @@ -19244,31 +17442,8 @@ - medium_disruption - reboot_required -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-86765-5 - - NIST-800-171-3.4.6 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - disable_strategy - - kernel_module_hfsplus_disabled - - low_complexity - - low_severity - - medium_disruption - - reboot_required - when: - - disable_strategy | bool - - kernel_module_hfsplus_disabled | bool - - low_complexity | bool - - low_severity | bool - - medium_disruption | bool - - reboot_required | bool - - name: Ensure kernel module 'hfsplus' is disabled - lineinfile: + ansible.builtin.lineinfile: create: true dest: /etc/modprobe.d/hfsplus.conf regexp: install\s+hfsplus @@ -19295,7 +17470,7 @@ - reboot_required - name: Ensure kernel module 'hfsplus' is blacklisted - lineinfile: + ansible.builtin.lineinfile: create: true dest: /etc/modprobe.d/hfsplus.conf regexp: ^blacklist hfsplus$ 
@@ -19321,31 +17496,8 @@ - medium_disruption - reboot_required -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-86766-3 - - NIST-800-171-3.4.6 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - disable_strategy - - kernel_module_jffs2_disabled - - low_complexity - - low_severity - - medium_disruption - - reboot_required - when: - - disable_strategy | bool - - kernel_module_jffs2_disabled | bool - - low_complexity | bool - - low_severity | bool - - medium_disruption | bool - - reboot_required | bool - - name: Ensure kernel module 'jffs2' is disabled - lineinfile: + ansible.builtin.lineinfile: create: true dest: /etc/modprobe.d/jffs2.conf regexp: install\s+jffs2 @@ -19372,7 +17524,7 @@ - reboot_required - name: Ensure kernel module 'jffs2' is blacklisted - lineinfile: + ansible.builtin.lineinfile: create: true dest: /etc/modprobe.d/jffs2.conf regexp: ^blacklist jffs2$ @@ -19398,31 +17550,8 @@ - medium_disruption - reboot_required -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83855-7 - - NIST-800-171-3.4.6 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - disable_strategy - - kernel_module_squashfs_disabled - - low_complexity - - low_severity - - medium_disruption - - reboot_required - when: - - disable_strategy | bool - - kernel_module_squashfs_disabled | bool - - low_complexity | bool - - low_severity | bool - - medium_disruption | bool - - reboot_required | bool - - name: Ensure kernel module 'squashfs' is disabled - lineinfile: + ansible.builtin.lineinfile: create: true dest: /etc/modprobe.d/squashfs.conf regexp: install\s+squashfs @@ -19449,7 +17578,7 @@ - reboot_required - name: Ensure kernel module 'squashfs' is blacklisted - lineinfile: + ansible.builtin.lineinfile: create: true dest: /etc/modprobe.d/squashfs.conf regexp: ^blacklist squashfs$ 
@@ -19475,31 +17604,8 @@ - medium_disruption - reboot_required -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83852-4 - - NIST-800-171-3.4.6 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - disable_strategy - - kernel_module_udf_disabled - - low_complexity - - low_severity - - medium_disruption - - reboot_required - when: - - disable_strategy | bool - - kernel_module_udf_disabled | bool - - low_complexity | bool - - low_severity | bool - - medium_disruption | bool - - reboot_required | bool - - name: Ensure kernel module 'udf' is disabled - lineinfile: + ansible.builtin.lineinfile: create: true dest: /etc/modprobe.d/udf.conf regexp: install\s+udf @@ -19526,7 +17632,7 @@ - reboot_required - name: Ensure kernel module 'udf' is blacklisted - lineinfile: + ansible.builtin.lineinfile: create: true dest: /etc/modprobe.d/udf.conf regexp: ^blacklist udf$ @@ -19552,35 +17658,8 @@ - medium_disruption - reboot_required -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83851-6 - - DISA-STIG-RHEL-09-291010 - - NIST-800-171-3.1.21 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - NIST-800-53-MP-7 - - PCI-DSSv4-3.4 - - PCI-DSSv4-3.4.2 - - disable_strategy - - kernel_module_usb-storage_disabled - - low_complexity - - medium_disruption - - medium_severity - - reboot_required - when: - - DISA_STIG_RHEL_09_291010 | bool - - disable_strategy | bool - - low_complexity | bool - - medium_disruption | bool - - medium_severity | bool - - reboot_required | bool - - name: Ensure kernel module 'usb-storage' is disabled - lineinfile: + ansible.builtin.lineinfile: create: true dest: /etc/modprobe.d/usb-storage.conf regexp: install\s+usb-storage @@ -19611,7 +17690,7 @@ - reboot_required - name: Ensure kernel module 'usb-storage' is blacklisted - lineinfile: + ansible.builtin.lineinfile: create: true dest: /etc/modprobe.d/usb-storage.conf regexp: ^blacklist usb-storage$ 
@@ -19641,33 +17720,6 @@ - medium_severity - reboot_required -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83881-3 - - DISA-STIG-RHEL-09-231110 - - NIST-800-53-AC-6 - - NIST-800-53-AC-6(1) - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - NIST-800-53-MP-7 - - configure_strategy - - high_disruption - - low_complexity - - medium_severity - - mount_option_dev_shm_nodev - - no_reboot_needed - when: - - DISA_STIG_RHEL_09_231110 | bool - - configure_strategy | bool - - high_disruption | bool - - low_complexity | bool - - medium_severity | bool - - mount_option_dev_shm_nodev | bool - - no_reboot_needed | bool - - name: 'Add nodev Option to /dev/shm: Check information associated to mountpoint' command: findmnt '/dev/shm' register: device_name @@ -19844,33 +17896,6 @@ - mount_option_dev_shm_nodev - no_reboot_needed -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83857-3 - - DISA-STIG-RHEL-09-231115 - - NIST-800-53-AC-6 - - NIST-800-53-AC-6(1) - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - NIST-800-53-MP-7 - - configure_strategy - - high_disruption - - low_complexity - - medium_severity - - mount_option_dev_shm_noexec - - no_reboot_needed - when: - - DISA_STIG_RHEL_09_231115 | bool - - configure_strategy | bool - - high_disruption | bool - - low_complexity | bool - - medium_severity | bool - - mount_option_dev_shm_noexec | bool - - no_reboot_needed | bool - - name: 'Add noexec Option to /dev/shm: Check information associated to mountpoint' command: findmnt '/dev/shm' register: device_name 
@@ -20047,33 +18072,6 @@ - mount_option_dev_shm_noexec - no_reboot_needed -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83891-2 - - DISA-STIG-RHEL-09-231120 - - NIST-800-53-AC-6 - - NIST-800-53-AC-6(1) - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - NIST-800-53-MP-7 - - configure_strategy - - high_disruption - - low_complexity - - medium_severity - - mount_option_dev_shm_nosuid - - no_reboot_needed - when: - - DISA_STIG_RHEL_09_231120 | bool - - configure_strategy | bool - - high_disruption | bool - - low_complexity | bool - - medium_severity | bool - - mount_option_dev_shm_nosuid | bool - - no_reboot_needed | bool - - name: 'Add nosuid Option to /dev/shm: Check information associated to mountpoint' command: findmnt '/dev/shm' register: device_name @@ -20250,27 +18248,6 @@ - mount_option_dev_shm_nosuid - no_reboot_needed -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83871-4 - - DISA-STIG-RHEL-09-231045 - - configure_strategy - - high_disruption - - low_complexity - - mount_option_home_nodev - - no_reboot_needed - - unknown_severity - when: - - DISA_STIG_RHEL_09_231045 | bool - - configure_strategy | bool - - high_disruption | bool - - low_complexity | bool - - mount_option_home_nodev | bool - - no_reboot_needed | bool - - unknown_severity | bool - - name: 'Add nodev Option to /home: Check information associated to mountpoint' command: findmnt --fstab '/home' register: device_name 
@@ -20422,33 +18399,6 @@ - no_reboot_needed - unknown_severity -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83894-6 - - DISA-STIG-RHEL-09-231050 - - NIST-800-53-AC-6 - - NIST-800-53-AC-6(1) - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - NIST-800-53-MP-7 - - configure_strategy - - high_disruption - - low_complexity - - medium_severity - - mount_option_home_nosuid - - no_reboot_needed - when: - - DISA_STIG_RHEL_09_231050 | bool - - configure_strategy | bool - - high_disruption | bool - - low_complexity | bool - - medium_severity | bool - - mount_option_home_nosuid | bool - - no_reboot_needed | bool - - name: 'Add nosuid Option to /home: Check information associated to mountpoint' command: findmnt --fstab '/home' register: device_name @@ -20630,33 +18580,6 @@ - mount_option_home_nosuid - no_reboot_needed -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83869-8 - - DISA-STIG-RHEL-09-231125 - - NIST-800-53-AC-6 - - NIST-800-53-AC-6(1) - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - NIST-800-53-MP-7 - - configure_strategy - - high_disruption - - low_complexity - - medium_severity - - mount_option_tmp_nodev - - no_reboot_needed - when: - - DISA_STIG_RHEL_09_231125 | bool - - configure_strategy | bool - - high_disruption | bool - - low_complexity | bool - - medium_severity | bool - - mount_option_tmp_nodev | bool - - no_reboot_needed | bool - - name: 'Add nodev Option to /tmp: Check information associated to mountpoint' command: findmnt --fstab '/tmp' register: device_name 
@@ -20838,33 +18761,6 @@ - mount_option_tmp_nodev - no_reboot_needed -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83885-4 - - DISA-STIG-RHEL-09-231130 - - NIST-800-53-AC-6 - - NIST-800-53-AC-6(1) - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - NIST-800-53-MP-7 - - configure_strategy - - high_disruption - - low_complexity - - medium_severity - - mount_option_tmp_noexec - - no_reboot_needed - when: - - DISA_STIG_RHEL_09_231130 | bool - - configure_strategy | bool - - high_disruption | bool - - low_complexity | bool - - medium_severity | bool - - mount_option_tmp_noexec | bool - - no_reboot_needed | bool - - name: 'Add noexec Option to /tmp: Check information associated to mountpoint' command: findmnt --fstab '/tmp' register: device_name @@ -21046,33 +18942,6 @@ - mount_option_tmp_noexec - no_reboot_needed -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83872-2 - - DISA-STIG-RHEL-09-231135 - - NIST-800-53-AC-6 - - NIST-800-53-AC-6(1) - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - NIST-800-53-MP-7 - - configure_strategy - - high_disruption - - low_complexity - - medium_severity - - mount_option_tmp_nosuid - - no_reboot_needed - when: - - DISA_STIG_RHEL_09_231135 | bool - - configure_strategy | bool - - high_disruption | bool - - low_complexity | bool - - medium_severity | bool - - mount_option_tmp_nosuid | bool - - no_reboot_needed | bool - - name: 'Add nosuid Option to /tmp: Check information associated to mountpoint' command: findmnt --fstab '/tmp' register: device_name 
@@ -21254,33 +19123,6 @@ - mount_option_tmp_nosuid - no_reboot_needed -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83882-1 - - DISA-STIG-RHEL-09-231160 - - NIST-800-53-AC-6 - - NIST-800-53-AC-6(1) - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - NIST-800-53-MP-7 - - configure_strategy - - high_disruption - - low_complexity - - medium_severity - - mount_option_var_log_audit_nodev - - no_reboot_needed - when: - - DISA_STIG_RHEL_09_231160 | bool - - configure_strategy | bool - - high_disruption | bool - - low_complexity | bool - - medium_severity | bool - - mount_option_var_log_audit_nodev | bool - - no_reboot_needed | bool - - name: 'Add nodev Option to /var/log/audit: Check information associated to mountpoint' command: findmnt --fstab '/var/log/audit' register: device_name @@ -21462,33 +19304,6 @@ - mount_option_var_log_audit_nodev - no_reboot_needed -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83878-9 - - DISA-STIG-RHEL-09-231165 - - NIST-800-53-AC-6 - - NIST-800-53-AC-6(1) - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - NIST-800-53-MP-7 - - configure_strategy - - high_disruption - - low_complexity - - medium_severity - - mount_option_var_log_audit_noexec - - no_reboot_needed - when: - - DISA_STIG_RHEL_09_231165 | bool - - configure_strategy | bool - - high_disruption | bool - - low_complexity | bool - - medium_severity | bool - - mount_option_var_log_audit_noexec | bool - - no_reboot_needed | bool - - name: 'Add noexec Option to /var/log/audit: Check information associated to mountpoint' command: findmnt --fstab '/var/log/audit' register: device_name 
@@ -21670,33 +19485,6 @@ - mount_option_var_log_audit_noexec - no_reboot_needed -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83893-8 - - DISA-STIG-RHEL-09-231170 - - NIST-800-53-AC-6 - - NIST-800-53-AC-6(1) - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - NIST-800-53-MP-7 - - configure_strategy - - high_disruption - - low_complexity - - medium_severity - - mount_option_var_log_audit_nosuid - - no_reboot_needed - when: - - DISA_STIG_RHEL_09_231170 | bool - - configure_strategy | bool - - high_disruption | bool - - low_complexity | bool - - medium_severity | bool - - mount_option_var_log_audit_nosuid | bool - - no_reboot_needed | bool - - name: 'Add nosuid Option to /var/log/audit: Check information associated to mountpoint' command: findmnt --fstab '/var/log/audit' register: device_name @@ -21878,33 +19666,6 @@ - mount_option_var_log_audit_nosuid - no_reboot_needed -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83886-2 - - DISA-STIG-RHEL-09-231145 - - NIST-800-53-AC-6 - - NIST-800-53-AC-6(1) - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - NIST-800-53-MP-7 - - configure_strategy - - high_disruption - - low_complexity - - medium_severity - - mount_option_var_log_nodev - - no_reboot_needed - when: - - DISA_STIG_RHEL_09_231145 | bool - - configure_strategy | bool - - high_disruption | bool - - low_complexity | bool - - medium_severity | bool - - mount_option_var_log_nodev | bool - - no_reboot_needed | bool - - name: 'Add nodev Option to /var/log: Check information associated to mountpoint' command: findmnt --fstab '/var/log' register: device_name 
@@ -22086,33 +19847,6 @@ - mount_option_var_log_nodev - no_reboot_needed -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83887-0 - - DISA-STIG-RHEL-09-231150 - - NIST-800-53-AC-6 - - NIST-800-53-AC-6(1) - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - NIST-800-53-MP-7 - - configure_strategy - - high_disruption - - low_complexity - - medium_severity - - mount_option_var_log_noexec - - no_reboot_needed - when: - - DISA_STIG_RHEL_09_231150 | bool - - configure_strategy | bool - - high_disruption | bool - - low_complexity | bool - - medium_severity | bool - - mount_option_var_log_noexec | bool - - no_reboot_needed | bool - - name: 'Add noexec Option to /var/log: Check information associated to mountpoint' command: findmnt --fstab '/var/log' register: device_name @@ -22294,33 +20028,6 @@ - mount_option_var_log_noexec - no_reboot_needed -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83870-6 - - DISA-STIG-RHEL-09-231155 - - NIST-800-53-AC-6 - - NIST-800-53-AC-6(1) - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - NIST-800-53-MP-7 - - configure_strategy - - high_disruption - - low_complexity - - medium_severity - - mount_option_var_log_nosuid - - no_reboot_needed - when: - - DISA_STIG_RHEL_09_231155 | bool - - configure_strategy | bool - - high_disruption | bool - - low_complexity | bool - - medium_severity | bool - - mount_option_var_log_nosuid | bool - - no_reboot_needed | bool - - name: 'Add nosuid Option to /var/log: Check information associated to mountpoint' command: findmnt --fstab '/var/log' register: device_name 
@@ -22502,33 +20209,6 @@ - mount_option_var_log_nosuid - no_reboot_needed -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83868-0 - - DISA-STIG-RHEL-09-231140 - - NIST-800-53-AC-6 - - NIST-800-53-AC-6(1) - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - NIST-800-53-MP-7 - - configure_strategy - - high_disruption - - low_complexity - - medium_severity - - mount_option_var_nodev - - no_reboot_needed - when: - - DISA_STIG_RHEL_09_231140 | bool - - configure_strategy | bool - - high_disruption | bool - - low_complexity | bool - - medium_severity | bool - - mount_option_var_nodev | bool - - no_reboot_needed | bool - - name: 'Add nodev Option to /var: Check information associated to mountpoint' command: findmnt --fstab '/var' register: device_name @@ -22710,25 +20390,6 @@ - mount_option_var_nodev - no_reboot_needed -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83867-2 - - configure_strategy - - high_disruption - - low_complexity - - medium_severity - - mount_option_var_nosuid - - no_reboot_needed - when: - - configure_strategy | bool - - high_disruption | bool - - low_complexity | bool - - medium_severity | bool - - mount_option_var_nosuid | bool - - no_reboot_needed | bool - - name: 'Add nosuid Option to /var: Check information associated to mountpoint' command: findmnt --fstab '/var' register: device_name 
@@ -22870,27 +20531,6 @@ - mount_option_var_nosuid - no_reboot_needed -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83864-9 - - DISA-STIG-RHEL-09-231175 - - configure_strategy - - high_disruption - - low_complexity - - medium_severity - - mount_option_var_tmp_nodev - - no_reboot_needed - when: - - DISA_STIG_RHEL_09_231175 | bool - - configure_strategy | bool - - high_disruption | bool - - low_complexity | bool - - medium_severity | bool - - mount_option_var_tmp_nodev | bool - - no_reboot_needed | bool - - name: 'Add nodev Option to /var/tmp: Check information associated to mountpoint' command: findmnt --fstab '/var/tmp' register: device_name @@ -23042,27 +20682,6 @@ - mount_option_var_tmp_nodev - no_reboot_needed -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83866-4 - - DISA-STIG-RHEL-09-231180 - - configure_strategy - - high_disruption - - low_complexity - - medium_severity - - mount_option_var_tmp_noexec - - no_reboot_needed - when: - - DISA_STIG_RHEL_09_231180 | bool - - configure_strategy | bool - - high_disruption | bool - - low_complexity | bool - - medium_severity | bool - - mount_option_var_tmp_noexec | bool - - no_reboot_needed | bool - - name: 'Add noexec Option to /var/tmp: Check information associated to mountpoint' command: findmnt --fstab '/var/tmp' register: device_name 
@@ -23214,27 +20833,6 @@ - mount_option_var_tmp_noexec - no_reboot_needed -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83863-1 - - DISA-STIG-RHEL-09-231185 - - configure_strategy - - high_disruption - - low_complexity - - medium_severity - - mount_option_var_tmp_nosuid - - no_reboot_needed - when: - - DISA_STIG_RHEL_09_231185 | bool - - configure_strategy | bool - - high_disruption | bool - - low_complexity | bool - - medium_severity | bool - - mount_option_var_tmp_nosuid | bool - - no_reboot_needed | bool - - name: 'Add nosuid Option to /var/tmp: Check information associated to mountpoint' command: findmnt --fstab '/var/tmp' register: device_name @@ -23386,30 +20984,8 @@ - mount_option_var_tmp_nosuid - no_reboot_needed -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83965-4 - - DISA-STIG-RHEL-09-213080 - - NIST-800-53-SC-7(10) - - disable_strategy - - low_complexity - - medium_disruption - - medium_severity - - reboot_required - - sysctl_kernel_yama_ptrace_scope - when: - - DISA_STIG_RHEL_09_213080 | bool - - disable_strategy | bool - - low_complexity | bool - - medium_disruption | bool - - medium_severity | bool - - reboot_required | bool - - sysctl_kernel_yama_ptrace_scope | bool - - name: List /etc/sysctl.d/*.conf files - find: + ansible.builtin.find: paths: - /etc/sysctl.d/ - /run/sysctl.d/ @@ -23439,7 +21015,7 @@ - sysctl_kernel_yama_ptrace_scope - name: Comment out any occurrences of kernel.yama.ptrace_scope from config files - replace: + ansible.builtin.replace: path: '{{ item.path }}' regexp: ^[\s]*kernel.yama.ptrace_scope replace: '#kernel.yama.ptrace_scope' @@ -23465,7 +21041,7 @@ - sysctl_kernel_yama_ptrace_scope - name: Ensure sysctl kernel.yama.ptrace_scope is set to 1 - sysctl: + ansible.posix.sysctl: name: kernel.yama.ptrace_scope value: '1' sysctl_file: /etc/sysctl.conf 
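Review bot: The swap to `ansible.posix.sysctl` here (and to `community.general.ini_file` in the coredump tasks later in this change) makes the role depend on two external collections, and nothing in the diff declares them; unless `meta/main.yml` or a `requirements.yml` outside this diff lists `ansible.posix` and `community.general`, the play now fails at parse time on a controller that has only `ansible-core`. For a hardening role those collections should also be version-pinned in that file rather than resolved to whatever is current at install time, since this code runs as root on every managed host. The sysctl task body continues past the end of the hunk, so I cannot see whether `reload`/`sysctl_set` are set; with the earlier tasks commenting the key out of `/etc/sysctl.d` and `/run/sysctl.d` and this one writing `/etc/sysctl.conf`, the runtime value only changes if one of those is true or the tagged reboot happens.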
@@ -23491,9 +21067,28 @@ - reboot_required - sysctl_kernel_yama_ptrace_scope -- name: Gather the package facts - package_facts: - manager: auto +- name: Disable core dump backtraces - Search for a section in files + ansible.builtin.find: + paths: '{{item.path}}' + patterns: '{{item.pattern}}' + contains: ^\s*\[Coredump\] + read_whole_file: true + use_regex: true + register: systemd_dropin_files_with_section + loop: + - path: '{{ ''/etc/systemd/coredump.conf'' | dirname }}' + pattern: '{{ ''/etc/systemd/coredump.conf'' | basename | regex_escape }}' + - path: /etc/systemd/coredump.conf.d + pattern: .*\.conf + when: + - DISA_STIG_RHEL_09_213085 | bool + - coredump_disable_backtraces | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"systemd" in ansible_facts.packages' tags: - CCE-83984-5 - DISA-STIG-RHEL-09-213085 @@ -23508,6 +21103,11 @@ - medium_severity - no_reboot_needed - restrict_strategy + +- name: Disable core dump backtraces - Count number of files which contain the correct section + ansible.builtin.set_fact: + count_of_systemd_dropin_files_with_section: '{{systemd_dropin_files_with_section.results | map(attribute=''matched'') + | list | map(''int'') | sum}}' when: - DISA_STIG_RHEL_09_213085 | bool - coredump_disable_backtraces | bool 
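Review bot: `contains: ^\s*\[Coredump\]` together with `read_whole_file: true` anchors at the start of the whole file content, not at the start of a line, because as far as I can tell `ansible.builtin.find` compiles `contains` without `re.MULTILINE`; any file whose `[Coredump]` header is preceded by a comment line (the stock `/etc/systemd/coredump.conf` begins with comments) is therefore reported as not containing the section. The count then drops to 0, the fallback drop-in is written, and an existing `coredump.conf.d/*.conf` that sets `ProcessSizeMax` and sorts after `complianceascode_hardening.conf` keeps overriding the hardened value while the play reports success. Use `contains: (?m)^\s*\[Coredump\]`, or drop `read_whole_file: true` so the module matches line by line. The `set_fact` task in the second hunk is complete, but its `when` list continues past the hunk boundary.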
@@ -23516,15 +21116,30 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool + - '"systemd" in ansible_facts.packages' + tags: + - CCE-83984-5 + - DISA-STIG-RHEL-09-213085 + - NIST-800-53-CM-6 + - PCI-DSS-Req-3.2 + - PCI-DSSv4-3.3 + - PCI-DSSv4-3.3.1 + - PCI-DSSv4-3.3.1.1 + - coredump_disable_backtraces + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy -- name: Set 'ProcessSizeMax' to '0' in the [Coredump] section of '/etc/systemd/coredump.conf' - ini_file: - path: /etc/systemd/coredump.conf +- name: Disable core dump backtraces - Add missing configuration to correct section + community.general.ini_file: + path: '{{item}}' section: Coredump option: ProcessSizeMax value: '0' - create: true - mode: 420 + state: present + no_extra_spaces: true when: - DISA_STIG_RHEL_09_213085 | bool - coredump_disable_backtraces | bool @@ -23534,6 +21149,9 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"systemd" in ansible_facts.packages' + - count_of_systemd_dropin_files_with_section | int > 0 + loop: '{{systemd_dropin_files_with_section.results | sum(attribute=''files'', start=[]) | map(attribute=''path'') | list + }}' tags: - CCE-83984-5 - DISA-STIG-RHEL-09-213085 
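Review bot: The `loop` over `systemd_dropin_files_with_section.results` feeds `/etc/systemd/coredump.conf` itself into `community.general.ini_file` whenever that file carries a `[Coredump]` header, and that file belongs to the systemd package, so the remediation now produces an `rpm -V systemd` difference and can be clobbered (or left next to a `.rpmnew`) by a package update — the kind of silent drift a hardening role exists to prevent. Since drop-ins under `coredump.conf.d/` override the main file, the safer shape is to edit only matching `coredump.conf.d/*.conf` files in place and always assert the value in the role's own drop-in, rather than only when no section is found. Dropping the old `mode: 420` looks harmless for this in-place path, because ini_file rewrites through an atomic move that keeps the existing file's mode as far as I know, but confirm against the collection version you pin.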
@@ -23549,40 +21167,53 @@ - no_reboot_needed - restrict_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83979-5 - - DISA-STIG-RHEL-09-213090 - - NIST-800-53-CM-6 - - PCI-DSS-Req-3.2 - - PCI-DSSv4-3.3 - - PCI-DSSv4-3.3.1 - - PCI-DSSv4-3.3.1.1 - - coredump_disable_storage - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy +- name: Disable core dump backtraces - Add configuration to new remediation file + community.general.ini_file: + path: /etc/systemd/coredump.conf.d/complianceascode_hardening.conf + section: Coredump + option: ProcessSizeMax + value: '0' + state: present + no_extra_spaces: true + create: true when: - - DISA_STIG_RHEL_09_213090 | bool - - coredump_disable_storage | bool + - DISA_STIG_RHEL_09_213085 | bool + - coredump_disable_backtraces | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool + - '"systemd" in ansible_facts.packages' + - count_of_systemd_dropin_files_with_section | int == 0 + tags: + - CCE-83984-5 + - DISA-STIG-RHEL-09-213085 + - NIST-800-53-CM-6 + - PCI-DSS-Req-3.2 + - PCI-DSSv4-3.3 + - PCI-DSSv4-3.3.1 + - PCI-DSSv4-3.3.1.1 + - coredump_disable_backtraces + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy -- name: Set 'Storage' to 'none' in the [Coredump] section of '/etc/systemd/coredump.conf' - ini_file: - path: /etc/systemd/coredump.conf - section: Coredump - option: Storage - value: none - create: true - mode: 420 +- name: Disable storing core dump - Search for a section in files + ansible.builtin.find: + paths: '{{item.path}}' + patterns: '{{item.pattern}}' + contains: ^\s*\[Coredump\] + read_whole_file: true + use_regex: true + register: systemd_dropin_files_with_section + loop: + - path: '{{ ''/etc/systemd/coredump.conf'' | dirname }}' + pattern: '{{ ''/etc/systemd/coredump.conf'' | basename | regex_escape 
}}' + - path: /etc/systemd/coredump.conf.d + pattern: .*\.conf when: - DISA_STIG_RHEL_09_213090 | bool - coredump_disable_storage | bool 
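Review bot: The task that creates `/etc/systemd/coredump.conf.d/complianceascode_hardening.conf` passes `create: true` but no `mode`, `owner` or `group` (the replaced task at least had `mode: 420`, the decimal form of 0644), so the new file's permissions follow the remote umask of whatever account runs the play and could come out group-writable under a 002 umask — a writable systemd config is an integrity concern. Add `mode: '0644'`, `owner: root` and `group: root`; keep the mode quoted, since the old `420` shows what an unquoted octal turns into. The storage rule's find task at the end of this hunk uses the same `^\s*\[Coredump\]` anchor with `read_whole_file: true` as the backtraces rule and has the same leading-comment blind spot, so fix both together.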
@@ -23607,37 +21238,105 @@ - no_reboot_needed - restrict_strategy -- name: Gather the package facts - package_facts: - manager: auto +- name: Disable storing core dump - Count number of files which contain the correct section + ansible.builtin.set_fact: + count_of_systemd_dropin_files_with_section: '{{systemd_dropin_files_with_section.results | map(attribute=''matched'') + | list | map(''int'') | sum}}' + when: + - DISA_STIG_RHEL_09_213090 | bool + - coredump_disable_storage | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"systemd" in ansible_facts.packages' tags: - - CCE-83971-2 - - DISA-STIG-RHEL-09-213070 - - NIST-800-171-3.1.7 - - NIST-800-53-CM-6(a) - - NIST-800-53-SC-30 - - NIST-800-53-SC-30(2) - - PCI-DSS-Req-2.2.1 + - CCE-83979-5 + - DISA-STIG-RHEL-09-213090 + - NIST-800-53-CM-6 + - PCI-DSS-Req-3.2 - PCI-DSSv4-3.3 - PCI-DSSv4-3.3.1 - PCI-DSSv4-3.3.1.1 - - disable_strategy + - coredump_disable_storage - low_complexity - - medium_disruption + - low_disruption - medium_severity - - reboot_required - - sysctl_kernel_randomize_va_space + - no_reboot_needed + - restrict_strategy + +- name: Disable storing core dump - Add missing configuration to correct section + community.general.ini_file: + path: '{{item}}' + section: Coredump + option: Storage + value: none + state: present + no_extra_spaces: true when: - - DISA_STIG_RHEL_09_213070 | bool - - disable_strategy | bool + - DISA_STIG_RHEL_09_213090 | bool + - coredump_disable_storage | bool - low_complexity | bool - - medium_disruption | bool + - low_disruption | bool - medium_severity | bool - - reboot_required | bool - - sysctl_kernel_randomize_va_space | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"systemd" in ansible_facts.packages' + - count_of_systemd_dropin_files_with_section | int > 0 + loop: '{{systemd_dropin_files_with_section.results | sum(attribute=''files'', start=[]) | 
map(attribute=''path'') | list + }}' + tags: + - CCE-83979-5 + - DISA-STIG-RHEL-09-213090 + - NIST-800-53-CM-6 + - PCI-DSS-Req-3.2 + - PCI-DSSv4-3.3 + - PCI-DSSv4-3.3.1 + - PCI-DSSv4-3.3.1.1 + - coredump_disable_storage + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Disable storing core dump - Add configuration to new remediation file + community.general.ini_file: + path: /etc/systemd/coredump.conf.d/complianceascode_hardening.conf + section: Coredump + option: Storage + value: none + state: present + no_extra_spaces: true + create: true + when: + - DISA_STIG_RHEL_09_213090 | bool + - coredump_disable_storage | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"systemd" in ansible_facts.packages' + - count_of_systemd_dropin_files_with_section | int == 0 + tags: + - CCE-83979-5 + - DISA-STIG-RHEL-09-213090 + - NIST-800-53-CM-6 + - PCI-DSS-Req-3.2 + - PCI-DSSv4-3.3 + - PCI-DSSv4-3.3.1 + - PCI-DSSv4-3.3.1.1 + - coredump_disable_storage + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy - name: List /etc/sysctl.d/*.conf files - find: + ansible.builtin.find: paths: - /etc/sysctl.d/ - /run/sysctl.d/ @@ -23674,7 +21373,7 @@ - sysctl_kernel_randomize_va_space - name: Comment out any occurrences of kernel.randomize_va_space from config files - replace: + ansible.builtin.replace: path: '{{ item.path }}' regexp: ^[\s]*kernel.randomize_va_space replace: '#kernel.randomize_va_space' @@ -23707,7 +21406,7 @@ - sysctl_kernel_randomize_va_space - name: Ensure sysctl kernel.randomize_va_space is set to 2 - sysctl: + ansible.posix.sysctl: name: kernel.randomize_va_space value: '2' sysctl_file: /etc/sysctl.conf 
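Review bot: `Storage=none` only suppresses core dumps if systemd-coredump is actually the kernel's core handler, and the only gate on these tasks is `'"systemd" in ansible_facts.packages'`; on a host where `kernel.core_pattern` has been redirected, or where a plain core-file pattern plus a permissive `ulimit -c` is in effect, the play reports this rule remediated while cores are still written to disk. Consider a pre-flight check that `kernel.core_pattern` pipes into `systemd-coredump` before claiming compliance, or pair this rule with the sysctl/limits coredump rules in the same profile. Separately, the `register`/`set_fact` names `systemd_dropin_files_with_section` and `count_of_systemd_dropin_files_with_section` are shared with the backtraces rule above; that is safe only while both rules' `when` lists stay identical, so rule-specific names such as `coredump_storage_files_with_section` would remove a stale-fact footgun at no cost.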
@@ -23740,155 +21439,6 @@ - reboot_required - sysctl_kernel_randomize_va_space -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-84069-4 - - PCI-DSSv4-1.2 - - PCI-DSSv4-1.2.6 - - enable_strategy - - high_severity - - low_complexity - - low_disruption - - no_reboot_needed - - package_libselinux_installed - when: - - enable_strategy | bool - - high_severity | bool - - low_complexity | bool - - low_disruption | bool - - no_reboot_needed | bool - - package_libselinux_installed | bool - -- name: Ensure libselinux is installed - package: - name: libselinux - state: present - when: - - enable_strategy | bool - - high_severity | bool - - low_complexity | bool - - low_disruption | bool - - no_reboot_needed | bool - - package_libselinux_installed | bool - - '"kernel" in ansible_facts.packages' - tags: - - CCE-84069-4 - - PCI-DSSv4-1.2 - - PCI-DSSv4-1.2.6 - - enable_strategy - - high_severity - - low_complexity - - low_disruption - - no_reboot_needed - - package_libselinux_installed - -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-84072-8 - - disable_strategy - - low_complexity - - low_disruption - - low_severity - - no_reboot_needed - - package_mcstrans_removed - when: - - disable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - low_severity | bool - - no_reboot_needed | bool - - package_mcstrans_removed | bool - -- name: 'Uninstall mcstrans Package: Ensure mcstrans is removed' - ansible.builtin.package: - name: mcstrans - state: absent - when: - - disable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - low_severity | bool - - no_reboot_needed | bool - - package_mcstrans_removed | bool - - '"kernel" in ansible_facts.packages' - tags: - - CCE-84072-8 - - disable_strategy - - low_complexity - - low_disruption - - low_severity - - no_reboot_needed - - package_mcstrans_removed - -- name: Gather the package facts - package_facts: - manager: auto - tags: - - 
CCE-84073-6 - - disable_strategy - - low_complexity - - low_disruption - - low_severity - - no_reboot_needed - - package_setroubleshoot_removed - when: - - disable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - low_severity | bool - - no_reboot_needed | bool - - package_setroubleshoot_removed | bool - -- name: 'Uninstall setroubleshoot Package: Ensure setroubleshoot is removed' - ansible.builtin.package: - name: setroubleshoot - state: absent - when: - - disable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - low_severity | bool - - no_reboot_needed | bool - - package_setroubleshoot_removed | bool - - '"kernel" in ansible_facts.packages' - tags: - - CCE-84073-6 - - disable_strategy - - low_complexity - - low_disruption - - low_severity - - no_reboot_needed - - package_setroubleshoot_removed - -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-84078-5 - - NIST-800-171-3.1.2 - - NIST-800-171-3.7.2 - - NIST-800-53-AC-3 - - NIST-800-53-AC-3(3)(a) - - PCI-DSSv4-1.2 - - PCI-DSSv4-1.2.6 - - grub2_enable_selinux - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - when: - - grub2_enable_selinux | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - name: Ensure SELinux Not Disabled in /etc/default/grub - Find /etc/grub.d/ files ansible.builtin.find: paths: 
@@ -24063,29 +21613,10 @@ - no_reboot_needed - restrict_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-86152-6 - - high_severity - - low_complexity - - low_disruption - - reboot_required - - restrict_strategy - - selinux_not_disabled - when: - - high_severity | bool - - low_complexity | bool - - low_disruption | bool - - reboot_required | bool - - restrict_strategy | bool - - selinux_not_disabled | bool - - name: Ensure SELinux is Not Disabled block: - name: Check for duplicate values - lineinfile: + ansible.builtin.lineinfile: path: /etc/selinux/config create: true regexp: (?i)^SELINUX= @@ -24094,14 +21625,14 @@ changed_when: false register: dupes - name: Deduplicate values from /etc/selinux/config - lineinfile: + ansible.builtin.lineinfile: path: /etc/selinux/config create: true regexp: (?i)^SELINUX= state: absent when: dupes.found is defined and dupes.found > 1 - name: Insert correct line to /etc/selinux/config - lineinfile: + ansible.builtin.lineinfile: path: /etc/selinux/config create: true regexp: (?i)^SELINUX= 
@@ -24124,39 +21655,31 @@ - restrict_strategy - selinux_not_disabled -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-84074-4 - - DISA-STIG-RHEL-09-431015 - - NIST-800-171-3.1.2 - - NIST-800-171-3.7.2 - - NIST-800-53-AC-3 - - NIST-800-53-AC-3(3)(a) - - NIST-800-53-AU-9 - - NIST-800-53-SC-7(21) - - PCI-DSSv4-1.2 - - PCI-DSSv4-1.2.6 - - configure_strategy - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - selinux_policytype +- name: ' - Mark system to relabel SELinux on next boot' + ansible.builtin.file: + path: /.autorelabel + state: touch when: - - DISA_STIG_RHEL_09_431015 | bool - - configure_strategy | bool + - high_severity | bool - low_complexity | bool - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - selinux_policytype | bool + - reboot_required | bool + - restrict_strategy | bool + - selinux_not_disabled | bool + - '"kernel" in ansible_facts.packages' + tags: + - CCE-86152-6 + - high_severity + - low_complexity + - low_disruption + - reboot_required + - restrict_strategy + - selinux_not_disabled - name: Configure SELinux Policy block: - name: Check for duplicate values - lineinfile: + ansible.builtin.lineinfile: path: /etc/selinux/config create: true regexp: (?i)^SELINUXTYPE= @@ -24165,14 +21688,14 @@ changed_when: false register: dupes - name: Deduplicate values from /etc/selinux/config - lineinfile: + ansible.builtin.lineinfile: path: /etc/selinux/config create: true regexp: (?i)^SELINUXTYPE= state: absent when: dupes.found is defined and dupes.found > 1 - name: Insert correct line to /etc/selinux/config - lineinfile: + ansible.builtin.lineinfile: path: /etc/selinux/config create: true regexp: (?i)^SELINUXTYPE= 
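Review bot: The new `ansible.builtin.file` task touches `/.autorelabel` unconditionally whenever the `selinux_not_disabled` rule is selected, so every run of the play schedules a full filesystem relabel on the next boot even when `/etc/selinux/config` was already correct; a relabel is a long, self-rebooting operation, reports `changed` on every run, and contradicts the `low_disruption` tag carried by the task. Gate it on the preceding `Ensure SELinux is Not Disabled` block actually changing the file (add `register: selinux_config_result` to that block's `Insert correct line to /etc/selinux/config` task, which sits above this hunk) and make the touch idempotent with the `preserve` timestamp options. The task name `' - Mark system to relabel SELinux on next boot'` has a dangling leading ` - `, which looks like an empty rule-title placeholder in the generator; the same task shape is repeated for the `selinux_state` rule later in this diff, there tagged `no_reboot_needed`, and should get the same treatment.
```yaml
- name: Ensure SELinux is Not Disabled - Mark system to relabel SELinux on next boot
  ansible.builtin.file:
    path: /.autorelabel
    state: touch
    modification_time: preserve
    access_time: preserve
  when:
    # … unchanged: profile/rule gates and the packages check …
    - selinux_config_result is changed
  # … unchanged: tags …
```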
@@ -24205,39 +21728,10 @@ - no_reboot_needed - selinux_policytype -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-84079-3 - - DISA-STIG-RHEL-09-431010 - - NIST-800-171-3.1.2 - - NIST-800-171-3.7.2 - - NIST-800-53-AC-3 - - NIST-800-53-AC-3(3)(a) - - NIST-800-53-AU-9 - - NIST-800-53-SC-7(21) - - PCI-DSSv4-1.2 - - PCI-DSSv4-1.2.6 - - high_severity - - low_complexity - - low_disruption - - no_reboot_needed - - restrict_strategy - - selinux_state - when: - - DISA_STIG_RHEL_09_431010 | bool - - high_severity | bool - - low_complexity | bool - - low_disruption | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - selinux_state | bool - - name: Ensure SELinux State is Enforcing block: - name: Check for duplicate values - lineinfile: + ansible.builtin.lineinfile: path: /etc/selinux/config create: true regexp: (?i)^SELINUX= @@ -24246,14 +21740,14 @@ changed_when: false register: dupes - name: Deduplicate values from /etc/selinux/config - lineinfile: + ansible.builtin.lineinfile: path: /etc/selinux/config create: true regexp: (?i)^SELINUX= state: absent when: dupes.found is defined and dupes.found > 1 - name: Insert correct line to /etc/selinux/config - lineinfile: + ansible.builtin.lineinfile: path: /etc/selinux/config create: true regexp: (?i)^SELINUX= 
@@ -24286,272 +21780,39 @@ - restrict_strategy - selinux_state -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-90824-4 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - PCI-DSSv4-2.2 - - PCI-DSSv4-2.2.4 - - disable_strategy - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - service_avahi-daemon_disabled +- name: ' - Mark system to relabel SELinux on next boot' + ansible.builtin.file: + path: /.autorelabel + state: touch when: - - disable_strategy | bool + - DISA_STIG_RHEL_09_431010 | bool + - high_severity | bool - low_complexity | bool - low_disruption | bool - - medium_severity | bool - no_reboot_needed | bool - - service_avahi_daemon_disabled | bool - -- name: Disable Avahi Server Software - Collect systemd Services Present in the System - ansible.builtin.command: systemctl -q list-unit-files --type service - register: service_exists - changed_when: false - failed_when: service_exists.rc not in [0, 1] - check_mode: false - when: - - disable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - service_avahi_daemon_disabled | bool - - ( "avahi" in ansible_facts.packages and "kernel" in ansible_facts.packages ) - tags: - - CCE-90824-4 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - PCI-DSSv4-2.2 - - PCI-DSSv4-2.2.4 - - disable_strategy - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - service_avahi-daemon_disabled - -- name: Disable Avahi Server Software - Ensure avahi-daemon.service is Masked - ansible.builtin.systemd: - name: avahi-daemon.service - state: stopped - enabled: false - masked: true - when: - - disable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - service_avahi_daemon_disabled | bool - - ( "avahi" in ansible_facts.packages and "kernel" in 
ansible_facts.packages ) - - service_exists.stdout_lines is search("avahi-daemon.service", multiline=True) - tags: - - CCE-90824-4 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - PCI-DSSv4-2.2 - - PCI-DSSv4-2.2.4 - - disable_strategy - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - service_avahi-daemon_disabled - -- name: Unit Socket Exists - avahi-daemon.socket - ansible.builtin.command: systemctl -q list-unit-files avahi-daemon.socket - register: socket_file_exists - changed_when: false - failed_when: socket_file_exists.rc not in [0, 1] - check_mode: false - when: - - disable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - service_avahi_daemon_disabled | bool - - ( "avahi" in ansible_facts.packages and "kernel" in ansible_facts.packages ) - tags: - - CCE-90824-4 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - PCI-DSSv4-2.2 - - PCI-DSSv4-2.2.4 - - disable_strategy - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - service_avahi-daemon_disabled - -- name: Disable Avahi Server Software - Disable Socket avahi-daemon - ansible.builtin.systemd: - name: avahi-daemon.socket - enabled: false - state: stopped - masked: true - when: - - disable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - service_avahi_daemon_disabled | bool - - ( "avahi" in ansible_facts.packages and "kernel" in ansible_facts.packages ) - - socket_file_exists.stdout_lines is search("avahi-daemon.socket", multiline=True) - tags: - - CCE-90824-4 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - PCI-DSSv4-2.2 - - PCI-DSSv4-2.2.4 - - disable_strategy - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - service_avahi-daemon_disabled - -- name: Gather the package facts - 
package_facts: - manager: auto - tags: - - CCE-86170-8 - - DISA-STIG-RHEL-09-232040 - - NIST-800-53-CM-6(a) - - PCI-DSSv4-2.2 - - PCI-DSSv4-2.2.6 - - enable_strategy - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - package_cron_installed - when: - - DISA_STIG_RHEL_09_232040 | bool - - enable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - package_cron_installed | bool - -- name: Ensure cronie is installed - package: - name: cronie - state: present - when: - - DISA_STIG_RHEL_09_232040 | bool - - enable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - package_cron_installed | bool + - restrict_strategy | bool + - selinux_state | bool - '"kernel" in ansible_facts.packages' tags: - - CCE-86170-8 - - DISA-STIG-RHEL-09-232040 - - NIST-800-53-CM-6(a) - - PCI-DSSv4-2.2 - - PCI-DSSv4-2.2.6 - - enable_strategy + - CCE-84079-3 + - DISA-STIG-RHEL-09-431010 + - NIST-800-171-3.1.2 + - NIST-800-171-3.7.2 + - NIST-800-53-AC-3 + - NIST-800-53-AC-3(3)(a) + - NIST-800-53-AU-9 + - NIST-800-53-SC-7(21) + - PCI-DSSv4-1.2 + - PCI-DSSv4-1.2.6 + - high_severity - low_complexity - low_disruption - - medium_severity - no_reboot_needed - - package_cron_installed - -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-84163-5 - - NIST-800-53-CM-6(a) - - enable_strategy - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - service_crond_enabled - when: - - enable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - service_crond_enabled | bool - -- name: Enable cron Service - Enable service crond - block: - - name: Gather the package facts - package_facts: - manager: auto - - name: Enable cron Service - Enable Service crond - ansible.builtin.systemd: - name: crond - enabled: 
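Review bot: The `Mark system to relabel SELinux on next boot` task added here for `selinux_state` is gated on and tagged `no_reboot_needed`, yet touching `/.autorelabel` only takes effect at the next boot and triggers a full filesystem relabel; the otherwise identical task in the `@@ -24124` hunk carries `reboot_required`, so one of the two is mislabelled and a run filtered on `no_reboot_needed` would silently queue a reboot-dependent change. Since the file appears generated, the reboot metadata of the underlying rule is probably where this needs correcting. Separately, this hunk deletes the avahi-daemon masking, `Ensure cronie is installed` and `Enable cron Service` tasks outright rather than refactoring them; unless they are re-added elsewhere in the file, the cron ownership/permission tasks that follow now run with nothing guaranteeing cronie is installed, and `state: directory` on `/etc/cron.d/` may create the directory rather than fix an existing one.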
true - state: started - masked: false - when: - - '"cronie" in ansible_facts.packages' - when: - - enable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - service_crond_enabled | bool - - '"kernel" in ansible_facts.packages' - tags: - - CCE-84163-5 - - NIST-800-53-CM-6(a) - - enable_strategy - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - service_crond_enabled - -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-84177-5 - - DISA-STIG-RHEL-09-232235 - - NIST-800-53-AC-6(1) - - NIST-800-53-CM-6(a) - - PCI-DSSv4-2.2 - - PCI-DSSv4-2.2.6 - - configure_strategy - - file_groupowner_cron_d - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - when: - - DISA_STIG_RHEL_09_232235 | bool - - configure_strategy | bool - - file_groupowner_cron_d | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool + - restrict_strategy + - selinux_state - name: Set the file_groupowner_cron_d_newgroup variable if represented by gid - set_fact: + ansible.builtin.set_fact: file_groupowner_cron_d_newgroup: '0' when: - DISA_STIG_RHEL_09_232235 | bool @@ -24577,8 +21838,9 @@ - no_reboot_needed - name: Ensure group owner on /etc/cron.d/ - file: + ansible.builtin.file: path: /etc/cron.d/ + follow: false state: directory group: '{{ file_groupowner_cron_d_newgroup }}' when: 
@@ -24604,33 +21866,8 @@ - medium_severity - no_reboot_needed -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-84170-0 - - DISA-STIG-RHEL-09-232235 - - NIST-800-53-AC-6(1) - - NIST-800-53-CM-6(a) - - PCI-DSSv4-2.2 - - PCI-DSSv4-2.2.6 - - configure_strategy - - file_groupowner_cron_daily - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - when: - - DISA_STIG_RHEL_09_232235 | bool - - configure_strategy | bool - - file_groupowner_cron_daily | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - name: Set the file_groupowner_cron_daily_newgroup variable if represented by gid - set_fact: + ansible.builtin.set_fact: file_groupowner_cron_daily_newgroup: '0' when: - DISA_STIG_RHEL_09_232235 | bool @@ -24656,8 +21893,9 @@ - no_reboot_needed - name: Ensure group owner on /etc/cron.daily/ - file: + ansible.builtin.file: path: /etc/cron.daily/ + follow: false state: directory group: '{{ file_groupowner_cron_daily_newgroup }}' when: @@ -24683,33 +21921,8 @@ - medium_severity - no_reboot_needed -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-84186-6 - - DISA-STIG-RHEL-09-232235 - - NIST-800-53-AC-6(1) - - NIST-800-53-CM-6(a) - - PCI-DSSv4-2.2 - - PCI-DSSv4-2.2.6 - - configure_strategy - - file_groupowner_cron_hourly - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - when: - - DISA_STIG_RHEL_09_232235 | bool - - configure_strategy | bool - - file_groupowner_cron_hourly | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - name: Set the file_groupowner_cron_hourly_newgroup variable if represented by gid - set_fact: + ansible.builtin.set_fact: file_groupowner_cron_hourly_newgroup: '0' when: - DISA_STIG_RHEL_09_232235 | bool 
@@ -24735,8 +21948,9 @@ - no_reboot_needed - name: Ensure group owner on /etc/cron.hourly/ - file: + ansible.builtin.file: path: /etc/cron.hourly/ + follow: false state: directory group: '{{ file_groupowner_cron_hourly_newgroup }}' when: @@ -24762,33 +21976,8 @@ - medium_severity - no_reboot_needed -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-84189-0 - - DISA-STIG-RHEL-09-232235 - - NIST-800-53-AC-6(1) - - NIST-800-53-CM-6(a) - - PCI-DSSv4-2.2 - - PCI-DSSv4-2.2.6 - - configure_strategy - - file_groupowner_cron_monthly - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - when: - - DISA_STIG_RHEL_09_232235 | bool - - configure_strategy | bool - - file_groupowner_cron_monthly | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - name: Set the file_groupowner_cron_monthly_newgroup variable if represented by gid - set_fact: + ansible.builtin.set_fact: file_groupowner_cron_monthly_newgroup: '0' when: - DISA_STIG_RHEL_09_232235 | bool @@ -24814,8 +22003,9 @@ - no_reboot_needed - name: Ensure group owner on /etc/cron.monthly/ - file: + ansible.builtin.file: path: /etc/cron.monthly/ + follow: false state: directory group: '{{ file_groupowner_cron_monthly_newgroup }}' when: 
@@ -24841,33 +22031,8 @@ - medium_severity - no_reboot_needed -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-84174-2 - - DISA-STIG-RHEL-09-232235 - - NIST-800-53-AC-6(1) - - NIST-800-53-CM-6(a) - - PCI-DSSv4-2.2 - - PCI-DSSv4-2.2.6 - - configure_strategy - - file_groupowner_cron_weekly - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - when: - - DISA_STIG_RHEL_09_232235 | bool - - configure_strategy | bool - - file_groupowner_cron_weekly | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - name: Set the file_groupowner_cron_weekly_newgroup variable if represented by gid - set_fact: + ansible.builtin.set_fact: file_groupowner_cron_weekly_newgroup: '0' when: - DISA_STIG_RHEL_09_232235 | bool @@ -24893,8 +22058,9 @@ - no_reboot_needed - name: Ensure group owner on /etc/cron.weekly/ - file: + ansible.builtin.file: path: /etc/cron.weekly/ + follow: false state: directory group: '{{ file_groupowner_cron_weekly_newgroup }}' when: @@ -24920,33 +22086,8 @@ - medium_severity - no_reboot_needed -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-84171-8 - - DISA-STIG-RHEL-09-232235 - - NIST-800-53-AC-6(1) - - NIST-800-53-CM-6(a) - - PCI-DSSv4-2.2 - - PCI-DSSv4-2.2.6 - - configure_strategy - - file_groupowner_crontab - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - when: - - DISA_STIG_RHEL_09_232235 | bool - - configure_strategy | bool - - file_groupowner_crontab | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - name: Set the file_groupowner_crontab_newgroup variable if represented by gid - set_fact: + ansible.builtin.set_fact: file_groupowner_crontab_newgroup: '0' when: - DISA_STIG_RHEL_09_232235 | bool 
@@ -24972,7 +22113,7 @@ - no_reboot_needed - name: Test for existence /etc/crontab - stat: + ansible.builtin.stat: path: /etc/crontab register: file_exists when: @@ -24999,8 +22140,9 @@ - no_reboot_needed - name: Ensure group owner on /etc/crontab - file: + ansible.builtin.file: path: /etc/crontab + follow: false group: '{{ file_groupowner_crontab_newgroup }}' when: - DISA_STIG_RHEL_09_232235 | bool @@ -25026,33 +22168,8 @@ - medium_severity - no_reboot_needed -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-84169-2 - - DISA-STIG-RHEL-09-232230 - - NIST-800-53-AC-6(1) - - NIST-800-53-CM-6(a) - - PCI-DSSv4-2.2 - - PCI-DSSv4-2.2.6 - - configure_strategy - - file_owner_cron_d - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - when: - - DISA_STIG_RHEL_09_232230 | bool - - configure_strategy | bool - - file_owner_cron_d | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - name: Set the file_owner_cron_d_newown variable if represented by uid - set_fact: + ansible.builtin.set_fact: file_owner_cron_d_newown: '0' when: - DISA_STIG_RHEL_09_232230 | bool @@ -25078,8 +22195,9 @@ - no_reboot_needed - name: Ensure owner on directory /etc/cron.d/ - file: + ansible.builtin.file: path: /etc/cron.d/ + follow: false state: directory owner: '{{ file_owner_cron_d_newown }}' when: 
@@ -25105,33 +22223,8 @@ - medium_severity - no_reboot_needed -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-84188-2 - - DISA-STIG-RHEL-09-232230 - - NIST-800-53-AC-6(1) - - NIST-800-53-CM-6(a) - - PCI-DSSv4-2.2 - - PCI-DSSv4-2.2.6 - - configure_strategy - - file_owner_cron_daily - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - when: - - DISA_STIG_RHEL_09_232230 | bool - - configure_strategy | bool - - file_owner_cron_daily | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - name: Set the file_owner_cron_daily_newown variable if represented by uid - set_fact: + ansible.builtin.set_fact: file_owner_cron_daily_newown: '0' when: - DISA_STIG_RHEL_09_232230 | bool @@ -25157,8 +22250,9 @@ - no_reboot_needed - name: Ensure owner on directory /etc/cron.daily/ - file: + ansible.builtin.file: path: /etc/cron.daily/ + follow: false state: directory owner: '{{ file_owner_cron_daily_newown }}' when: @@ -25184,33 +22278,8 @@ - medium_severity - no_reboot_needed -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-84168-4 - - DISA-STIG-RHEL-09-232230 - - NIST-800-53-AC-6(1) - - NIST-800-53-CM-6(a) - - PCI-DSSv4-2.2 - - PCI-DSSv4-2.2.6 - - configure_strategy - - file_owner_cron_hourly - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - when: - - DISA_STIG_RHEL_09_232230 | bool - - configure_strategy | bool - - file_owner_cron_hourly | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - name: Set the file_owner_cron_hourly_newown variable if represented by uid - set_fact: + ansible.builtin.set_fact: file_owner_cron_hourly_newown: '0' when: - DISA_STIG_RHEL_09_232230 | bool 
@@ -25236,8 +22305,9 @@ - no_reboot_needed - name: Ensure owner on directory /etc/cron.hourly/ - file: + ansible.builtin.file: path: /etc/cron.hourly/ + follow: false state: directory owner: '{{ file_owner_cron_hourly_newown }}' when: @@ -25263,33 +22333,8 @@ - medium_severity - no_reboot_needed -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-84179-1 - - DISA-STIG-RHEL-09-232230 - - NIST-800-53-AC-6(1) - - NIST-800-53-CM-6(a) - - PCI-DSSv4-2.2 - - PCI-DSSv4-2.2.6 - - configure_strategy - - file_owner_cron_monthly - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - when: - - DISA_STIG_RHEL_09_232230 | bool - - configure_strategy | bool - - file_owner_cron_monthly | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - name: Set the file_owner_cron_monthly_newown variable if represented by uid - set_fact: + ansible.builtin.set_fact: file_owner_cron_monthly_newown: '0' when: - DISA_STIG_RHEL_09_232230 | bool @@ -25315,8 +22360,9 @@ - no_reboot_needed - name: Ensure owner on directory /etc/cron.monthly/ - file: + ansible.builtin.file: path: /etc/cron.monthly/ + follow: false state: directory owner: '{{ file_owner_cron_monthly_newown }}' when: 
@@ -25342,33 +22388,8 @@ - medium_severity - no_reboot_needed -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-84190-8 - - DISA-STIG-RHEL-09-232230 - - NIST-800-53-AC-6(1) - - NIST-800-53-CM-6(a) - - PCI-DSSv4-2.2 - - PCI-DSSv4-2.2.6 - - configure_strategy - - file_owner_cron_weekly - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - when: - - DISA_STIG_RHEL_09_232230 | bool - - configure_strategy | bool - - file_owner_cron_weekly | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - name: Set the file_owner_cron_weekly_newown variable if represented by uid - set_fact: + ansible.builtin.set_fact: file_owner_cron_weekly_newown: '0' when: - DISA_STIG_RHEL_09_232230 | bool @@ -25394,8 +22415,9 @@ - no_reboot_needed - name: Ensure owner on directory /etc/cron.weekly/ - file: + ansible.builtin.file: path: /etc/cron.weekly/ + follow: false state: directory owner: '{{ file_owner_cron_weekly_newown }}' when: @@ -25421,33 +22443,8 @@ - medium_severity - no_reboot_needed -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-84167-6 - - DISA-STIG-RHEL-09-232230 - - NIST-800-53-AC-6(1) - - NIST-800-53-CM-6(a) - - PCI-DSSv4-2.2 - - PCI-DSSv4-2.2.6 - - configure_strategy - - file_owner_crontab - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - when: - - DISA_STIG_RHEL_09_232230 | bool - - configure_strategy | bool - - file_owner_crontab | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - name: Set the file_owner_crontab_newown variable if represented by uid - set_fact: + ansible.builtin.set_fact: file_owner_crontab_newown: '0' when: - DISA_STIG_RHEL_09_232230 | bool @@ -25473,7 +22470,7 @@ - no_reboot_needed - name: Test for existence /etc/crontab - stat: + ansible.builtin.stat: path: /etc/crontab register: file_exists when: 
@@ -25500,8 +22497,9 @@ - no_reboot_needed - name: Ensure owner on /etc/crontab - file: + ansible.builtin.file: path: /etc/crontab + follow: false owner: '{{ file_owner_crontab_newown }}' when: - DISA_STIG_RHEL_09_232230 | bool @@ -25527,33 +22525,8 @@ - medium_severity - no_reboot_needed -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-84183-3 - - DISA-STIG-RHEL-09-232040 - - NIST-800-53-AC-6(1) - - NIST-800-53-CM-6(a) - - PCI-DSSv4-2.2 - - PCI-DSSv4-2.2.6 - - configure_strategy - - file_permissions_cron_d - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - when: - - DISA_STIG_RHEL_09_232040 | bool - - configure_strategy | bool - - file_permissions_cron_d | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - name: Find /etc/cron.d/ file(s) - command: 'find -L /etc/cron.d/ -maxdepth 1 -perm /u+s,g+xwrs,o+xwrt -type d ' + ansible.builtin.command: 'find -P /etc/cron.d/ -maxdepth 0 -perm /u+s,g+xwrs,o+xwrt -type d ' register: files_found changed_when: false failed_when: false @@ -25582,7 +22555,7 @@ - no_reboot_needed - name: Set permissions for /etc/cron.d/ file(s) - file: + ansible.builtin.file: path: '{{ item }}' mode: u-s,g-xwrs,o-xwrt state: directory 
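Review bot: `Set permissions for /etc/cron.d/ file(s)` receives the FQCN but not the `follow: false` this commit adds to the owner and group-owner tasks on the same directory, so `ansible.builtin.file` keeps its default of following symlinks and a symlinked `/etc/cron.d/` would have the link target's mode changed — the very outcome the switch from `find -L` to `find -P` in the preceding hunk is meant to rule out. Add `follow: false` directly under `path: '{{ item }}'`. The same omission is in the matching permission tasks for `/etc/cron.daily/`, `/etc/cron.hourly/`, `/etc/cron.monthly/`, `/etc/cron.weekly/`, `/etc/crontab`, `/etc/at.allow` and `/etc/cron.allow` (hunks `@@ -25666`, `@@ -25750`, `@@ -25834`, `@@ -25918`, `@@ -25996`, `@@ -26482`, `@@ -26550`). Note too that the trailing slash in `find -P /etc/cron.d/` most likely makes the starting point resolve through a symlink regardless of `-P`, so with `-maxdepth 0` the `-P` protects nothing on its own and the `file` task has to do it.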
@@ -25611,33 +22584,8 @@ - medium_severity - no_reboot_needed -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-84175-9 - - DISA-STIG-RHEL-09-232040 - - NIST-800-53-AC-6(1) - - NIST-800-53-CM-6(a) - - PCI-DSSv4-2.2 - - PCI-DSSv4-2.2.6 - - configure_strategy - - file_permissions_cron_daily - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - when: - - DISA_STIG_RHEL_09_232040 | bool - - configure_strategy | bool - - file_permissions_cron_daily | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - name: Find /etc/cron.daily/ file(s) - command: 'find -L /etc/cron.daily/ -maxdepth 1 -perm /u+s,g+xwrs,o+xwrt -type d ' + ansible.builtin.command: 'find -P /etc/cron.daily/ -maxdepth 0 -perm /u+s,g+xwrs,o+xwrt -type d ' register: files_found changed_when: false failed_when: false @@ -25666,7 +22614,7 @@ - no_reboot_needed - name: Set permissions for /etc/cron.daily/ file(s) - file: + ansible.builtin.file: path: '{{ item }}' mode: u-s,g-xwrs,o-xwrt state: directory 
@@ -25695,33 +22643,8 @@ - medium_severity - no_reboot_needed -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-84173-4 - - DISA-STIG-RHEL-09-232040 - - NIST-800-53-AC-6(1) - - NIST-800-53-CM-6(a) - - PCI-DSSv4-2.2 - - PCI-DSSv4-2.2.6 - - configure_strategy - - file_permissions_cron_hourly - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - when: - - DISA_STIG_RHEL_09_232040 | bool - - configure_strategy | bool - - file_permissions_cron_hourly | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - name: Find /etc/cron.hourly/ file(s) - command: 'find -L /etc/cron.hourly/ -maxdepth 1 -perm /u+s,g+xwrs,o+xwrt -type d ' + ansible.builtin.command: 'find -P /etc/cron.hourly/ -maxdepth 0 -perm /u+s,g+xwrs,o+xwrt -type d ' register: files_found changed_when: false failed_when: false @@ -25750,7 +22673,7 @@ - no_reboot_needed - name: Set permissions for /etc/cron.hourly/ file(s) - file: + ansible.builtin.file: path: '{{ item }}' mode: u-s,g-xwrs,o-xwrt state: directory 
@@ -25779,33 +22702,8 @@ - medium_severity - no_reboot_needed -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-84181-7 - - DISA-STIG-RHEL-09-232040 - - NIST-800-53-AC-6(1) - - NIST-800-53-CM-6(a) - - PCI-DSSv4-2.2 - - PCI-DSSv4-2.2.6 - - configure_strategy - - file_permissions_cron_monthly - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - when: - - DISA_STIG_RHEL_09_232040 | bool - - configure_strategy | bool - - file_permissions_cron_monthly | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - name: Find /etc/cron.monthly/ file(s) - command: 'find -L /etc/cron.monthly/ -maxdepth 1 -perm /u+s,g+xwrs,o+xwrt -type d ' + ansible.builtin.command: 'find -P /etc/cron.monthly/ -maxdepth 0 -perm /u+s,g+xwrs,o+xwrt -type d ' register: files_found changed_when: false failed_when: false @@ -25834,7 +22732,7 @@ - no_reboot_needed - name: Set permissions for /etc/cron.monthly/ file(s) - file: + ansible.builtin.file: path: '{{ item }}' mode: u-s,g-xwrs,o-xwrt state: directory 
@@ -25863,33 +22761,8 @@ - medium_severity - no_reboot_needed -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-84187-4 - - DISA-STIG-RHEL-09-232040 - - NIST-800-53-AC-6(1) - - NIST-800-53-CM-6(a) - - PCI-DSSv4-2.2 - - PCI-DSSv4-2.2.6 - - configure_strategy - - file_permissions_cron_weekly - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - when: - - DISA_STIG_RHEL_09_232040 | bool - - configure_strategy | bool - - file_permissions_cron_weekly | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - name: Find /etc/cron.weekly/ file(s) - command: 'find -L /etc/cron.weekly/ -maxdepth 1 -perm /u+s,g+xwrs,o+xwrt -type d ' + ansible.builtin.command: 'find -P /etc/cron.weekly/ -maxdepth 0 -perm /u+s,g+xwrs,o+xwrt -type d ' register: files_found changed_when: false failed_when: false @@ -25918,7 +22791,7 @@ - no_reboot_needed - name: Set permissions for /etc/cron.weekly/ file(s) - file: + ansible.builtin.file: path: '{{ item }}' mode: u-s,g-xwrs,o-xwrt state: directory @@ -25947,31 +22820,8 @@ - medium_severity - no_reboot_needed -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-84176-7 - - NIST-800-53-AC-6(1) - - NIST-800-53-CM-6(a) - - PCI-DSSv4-2.2 - - PCI-DSSv4-2.2.6 - - configure_strategy - - file_permissions_crontab - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - when: - - configure_strategy | bool - - file_permissions_crontab | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - name: Test for existence /etc/crontab - stat: + ansible.builtin.stat: path: /etc/crontab register: file_exists when: @@ -25996,7 +22846,7 @@ - no_reboot_needed - name: Ensure permission u-xs,g-xwrs,o-xwrt on /etc/crontab - file: + ansible.builtin.file: path: /etc/crontab mode: u-xs,g-xwrs,o-xwrt when: 
@@ -26021,29 +22871,8 @@ - medium_severity - no_reboot_needed -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-86946-1 - - PCI-DSSv4-2.2 - - PCI-DSSv4-2.2.6 - - disable_strategy - - file_at_deny_not_exist - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - when: - - disable_strategy | bool - - file_at_deny_not_exist | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - name: Remove /etc/at.deny - file: + ansible.builtin.file: path: /etc/at.deny state: absent when: @@ -26065,27 +22894,8 @@ - medium_severity - no_reboot_needed -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-86185-6 - - disable_strategy - - file_cron_allow_exists - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - when: - - disable_strategy | bool - - file_cron_allow_exists | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - name: Add empty /etc/cron.allow - file: + ansible.builtin.file: path: /etc/cron.allow state: touch owner: '0' @@ -26107,29 +22917,8 @@ - medium_severity - no_reboot_needed -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-86850-5 - - PCI-DSSv4-2.2 - - PCI-DSSv4-2.2.6 - - disable_strategy - - file_cron_deny_not_exist - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - when: - - disable_strategy | bool - - file_cron_deny_not_exist | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - name: Remove /etc/cron.deny - file: + ansible.builtin.file: path: /etc/cron.deny state: absent when: 
@@ -26151,29 +22940,8 @@ - medium_severity - no_reboot_needed -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-87103-8 - - PCI-DSSv4-2.2 - - PCI-DSSv4-2.2.6 - - configure_strategy - - file_groupowner_at_allow - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - when: - - configure_strategy | bool - - file_groupowner_at_allow | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - name: Set the file_groupowner_at_allow_newgroup variable if represented by gid - set_fact: + ansible.builtin.set_fact: file_groupowner_at_allow_newgroup: '0' when: - configure_strategy | bool @@ -26195,7 +22963,7 @@ - no_reboot_needed - name: Test for existence /etc/at.allow - stat: + ansible.builtin.stat: path: /etc/at.allow register: file_exists when: @@ -26218,8 +22986,9 @@ - no_reboot_needed - name: Ensure group owner on /etc/at.allow - file: + ansible.builtin.file: path: /etc/at.allow + follow: false group: '{{ file_groupowner_at_allow_newgroup }}' when: - configure_strategy | bool @@ -26241,31 +23010,8 @@ - medium_severity - no_reboot_needed -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-86830-7 - - NIST-800-53-AC-6(1) - - NIST-800-53-CM-6(a) - - PCI-DSSv4-2.2 - - PCI-DSSv4-2.2.6 - - configure_strategy - - file_groupowner_cron_allow - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - when: - - configure_strategy | bool - - file_groupowner_cron_allow | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - name: Set the file_groupowner_cron_allow_newgroup variable if represented by gid - set_fact: + ansible.builtin.set_fact: file_groupowner_cron_allow_newgroup: '0' when: - configure_strategy | bool 
@@ -26289,7 +23035,7 @@ - no_reboot_needed - name: Test for existence /etc/cron.allow - stat: + ansible.builtin.stat: path: /etc/cron.allow register: file_exists when: @@ -26314,8 +23060,9 @@ - no_reboot_needed - name: Ensure group owner on /etc/cron.allow - file: + ansible.builtin.file: path: /etc/cron.allow + follow: false group: '{{ file_groupowner_cron_allow_newgroup }}' when: - configure_strategy | bool @@ -26339,31 +23086,8 @@ - medium_severity - no_reboot_needed -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-86844-8 - - NIST-800-53-AC-6(1) - - NIST-800-53-CM-6(a) - - PCI-DSSv4-2.2 - - PCI-DSSv4-2.2.6 - - configure_strategy - - file_owner_cron_allow - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - when: - - configure_strategy | bool - - file_owner_cron_allow | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - name: Set the file_owner_cron_allow_newown variable if represented by uid - set_fact: + ansible.builtin.set_fact: file_owner_cron_allow_newown: '0' when: - configure_strategy | bool @@ -26387,7 +23111,7 @@ - no_reboot_needed - name: Test for existence /etc/cron.allow - stat: + ansible.builtin.stat: path: /etc/cron.allow register: file_exists when: @@ -26412,8 +23136,9 @@ - no_reboot_needed - name: Ensure owner on /etc/cron.allow - file: + ansible.builtin.file: path: /etc/cron.allow + follow: false owner: '{{ file_owner_cron_allow_newown }}' when: - configure_strategy | bool 
@@ -26437,29 +23162,8 @@ - medium_severity - no_reboot_needed -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-86904-0 - - PCI-DSSv4-2.2 - - PCI-DSSv4-2.2.6 - - configure_strategy - - file_permissions_at_allow - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - when: - - configure_strategy | bool - - file_permissions_at_allow | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - name: Test for existence /etc/at.allow - stat: + ansible.builtin.stat: path: /etc/at.allow register: file_exists when: @@ -26482,7 +23186,7 @@ - no_reboot_needed - name: Ensure permission u-xs,g-xwrs,o-xwrt on /etc/at.allow - file: + ansible.builtin.file: path: /etc/at.allow mode: u-xs,g-xwrs,o-xwrt when: @@ -26505,29 +23209,8 @@ - medium_severity - no_reboot_needed -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-86877-8 - - PCI-DSSv4-2.2 - - PCI-DSSv4-2.2.6 - - configure_strategy - - file_permissions_cron_allow - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - when: - - configure_strategy | bool - - file_permissions_cron_allow | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - name: Test for existence /etc/cron.allow - stat: + ansible.builtin.stat: path: /etc/cron.allow register: file_exists when: @@ -26550,7 +23233,7 @@ - no_reboot_needed - name: Ensure permission u-xs,g-xwrs,o-xwrt on /etc/cron.allow - file: + ansible.builtin.file: path: /etc/cron.allow mode: u-xs,g-xwrs,o-xwrt when: 
@@ -26573,280 +23256,8 @@ - medium_severity - no_reboot_needed -- name: 'Uninstall DHCP Server Package: Ensure dhcp-server is removed' - ansible.builtin.package: - name: dhcp-server - state: absent - tags: - - CCE-84240-1 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - PCI-DSSv4-2.2 - - PCI-DSSv4-2.2.4 - - disable_strategy - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - package_dhcp_removed - when: - - disable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - package_dhcp_removed | bool - -- name: 'Uninstall dnsmasq Package: Ensure dnsmasq is removed' - ansible.builtin.package: - name: dnsmasq - state: absent - tags: - - CCE-86063-5 - - disable_strategy - - low_complexity - - low_disruption - - low_severity - - no_reboot_needed - - package_dnsmasq_removed - when: - - disable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - low_severity | bool - - no_reboot_needed | bool - - package_dnsmasq_removed | bool - -- name: 'Uninstall bind Package: Ensure bind is removed' - ansible.builtin.package: - name: bind - state: absent - tags: - - CCE-86505-5 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - disable_strategy - - low_complexity - - low_disruption - - low_severity - - no_reboot_needed - - package_bind_removed - when: - - disable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - low_severity | bool - - no_reboot_needed | bool - - package_bind_removed | bool - -- name: 'Uninstall bind Package: Ensure bind9.18 is removed' - ansible.builtin.package: - name: bind9.18 - state: absent - tags: - - CCE-86505-5 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - disable_strategy - - low_complexity - - low_disruption - - low_severity - - no_reboot_needed - - package_bind_removed - when: - - disable_strategy | bool - - low_complexity | bool - - 
low_disruption | bool - - low_severity | bool - - no_reboot_needed | bool - - package_bind_removed | bool - -- name: 'Remove ftp Package: Ensure ftp is removed' - ansible.builtin.package: - name: ftp - state: absent - tags: - - CCE-86075-9 - - PCI-DSSv4-2.2 - - PCI-DSSv4-2.2.4 - - disable_strategy - - low_complexity - - low_disruption - - low_severity - - no_reboot_needed - - package_ftp_removed - when: - - disable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - low_severity | bool - - no_reboot_needed | bool - - package_ftp_removed | bool - -- name: 'Uninstall vsftpd Package: Ensure vsftpd is removed' - ansible.builtin.package: - name: vsftpd - state: absent - tags: - - CCE-84159-3 - - DISA-STIG-RHEL-09-215015 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7 - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - NIST-800-53-CM-7.1(ii) - - NIST-800-53-IA-5(1)(c) - - NIST-800-53-IA-5(1).1(v) - - disable_strategy - - high_severity - - low_complexity - - low_disruption - - no_reboot_needed - - package_vsftpd_removed - when: - - DISA_STIG_RHEL_09_215015 | bool - - disable_strategy | bool - - high_severity | bool - - low_complexity | bool - - low_disruption | bool - - no_reboot_needed | bool - - package_vsftpd_removed | bool - -- name: 'Uninstall httpd Package: Ensure httpd is removed' - ansible.builtin.package: - name: httpd - state: absent - tags: - - CCE-85974-4 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - disable_strategy - - low_complexity - - low_disruption - - no_reboot_needed - - package_httpd_removed - - unknown_severity - when: - - disable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - no_reboot_needed | bool - - package_httpd_removed | bool - - unknown_severity | bool - -- name: 'Uninstall nginx Package: Ensure nginx is removed' - ansible.builtin.package: - name: nginx - state: absent - tags: - - CCE-88035-1 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - 
disable_strategy - - low_complexity - - low_disruption - - no_reboot_needed - - package_nginx_removed - - unknown_severity - when: - - disable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - no_reboot_needed | bool - - package_nginx_removed | bool - - unknown_severity | bool - -- name: 'Uninstall cyrus-imapd Package: Ensure cyrus-imapd is removed' - ansible.builtin.package: - name: cyrus-imapd - state: absent - tags: - - CCE-88120-1 - - disable_strategy - - low_complexity - - low_disruption - - no_reboot_needed - - package_cyrus-imapd_removed - - unknown_severity - when: - - disable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - no_reboot_needed | bool - - package_cyrus_imapd_removed | bool - - unknown_severity | bool - -- name: 'Uninstall dovecot Package: Ensure dovecot is removed' - ansible.builtin.package: - name: dovecot - state: absent - tags: - - CCE-85977-7 - - disable_strategy - - low_complexity - - low_disruption - - no_reboot_needed - - package_dovecot_removed - - unknown_severity - when: - - disable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - no_reboot_needed | bool - - package_dovecot_removed | bool - - unknown_severity | bool - -- name: 'Ensure LDAP client is not installed: Ensure openldap-clients is removed' - ansible.builtin.package: - name: openldap-clients - state: absent - tags: - - CCE-90831-9 - - disable_strategy - - low_complexity - - low_disruption - - low_severity - - no_reboot_needed - - package_openldap-clients_removed - when: - - disable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - low_severity | bool - - no_reboot_needed | bool - - package_openldap_clients_removed | bool - -- name: Gather list of packages - package_facts: - manager: auto - tags: - - CCE-90825-1 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - PCI-DSSv4-1.4 - - PCI-DSSv4-1.4.2 - - low_complexity - - low_disruption - - medium_severity - - 
no_reboot_needed - - postfix_network_listening_disabled - - restrict_strategy - when: - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - postfix_network_listening_disabled | bool - - restrict_strategy | bool - - name: Make changes to Postfix configuration file - lineinfile: + ansible.builtin.lineinfile: path: /etc/postfix/main.cf create: false regexp: (?i)^inet_interfaces\s*=\s.* 
@@ -26877,335 +23288,8 @@ - postfix_network_listening_disabled - restrict_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-84245-0 - - PCI-DSSv4-2.2 - - PCI-DSSv4-2.2.4 - - disable_strategy - - low_complexity - - low_disruption - - low_severity - - no_reboot_needed - - service_rpcbind_disabled - when: - - disable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - low_severity | bool - - no_reboot_needed | bool - - service_rpcbind_disabled | bool - -- name: Disable rpcbind Service - Collect systemd Services Present in the System - ansible.builtin.command: systemctl -q list-unit-files --type service - register: service_exists - changed_when: false - failed_when: service_exists.rc not in [0, 1] - check_mode: false - when: - - disable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - low_severity | bool - - no_reboot_needed | bool - - service_rpcbind_disabled | bool - - '"kernel" in ansible_facts.packages' - tags: - - CCE-84245-0 - - PCI-DSSv4-2.2 - - PCI-DSSv4-2.2.4 - - disable_strategy - - low_complexity - - low_disruption - - low_severity - - no_reboot_needed - - service_rpcbind_disabled - -- name: Disable rpcbind Service - Ensure rpcbind.service is Masked - ansible.builtin.systemd: - name: rpcbind.service - state: stopped - enabled: false - masked: true - when: - - disable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - low_severity | bool - - no_reboot_needed | bool - - service_rpcbind_disabled | bool - - '"kernel" in ansible_facts.packages' - - service_exists.stdout_lines is search("rpcbind.service", multiline=True) - tags: - - CCE-84245-0 - - PCI-DSSv4-2.2 - - PCI-DSSv4-2.2.4 - - disable_strategy - - low_complexity - - low_disruption - - low_severity - - no_reboot_needed - - service_rpcbind_disabled - -- name: Unit Socket Exists - rpcbind.socket - ansible.builtin.command: systemctl -q list-unit-files rpcbind.socket - register: socket_file_exists - 
changed_when: false - failed_when: socket_file_exists.rc not in [0, 1] - check_mode: false - when: - - disable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - low_severity | bool - - no_reboot_needed | bool - - service_rpcbind_disabled | bool - - '"kernel" in ansible_facts.packages' - tags: - - CCE-84245-0 - - PCI-DSSv4-2.2 - - PCI-DSSv4-2.2.4 - - disable_strategy - - low_complexity - - low_disruption - - low_severity - - no_reboot_needed - - service_rpcbind_disabled - -- name: Disable rpcbind Service - Disable Socket rpcbind - ansible.builtin.systemd: - name: rpcbind.socket - enabled: false - state: stopped - masked: true - when: - - disable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - low_severity | bool - - no_reboot_needed | bool - - service_rpcbind_disabled | bool - - '"kernel" in ansible_facts.packages' - - socket_file_exists.stdout_lines is search("rpcbind.socket", multiline=True) - tags: - - CCE-84245-0 - - PCI-DSSv4-2.2 - - PCI-DSSv4-2.2.4 - - disable_strategy - - low_complexity - - low_disruption - - low_severity - - no_reboot_needed - - service_rpcbind_disabled - -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-90850-9 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - disable_strategy - - low_complexity - - low_disruption - - no_reboot_needed - - service_nfs_disabled - - unknown_severity - when: - - disable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - no_reboot_needed | bool - - service_nfs_disabled | bool - - unknown_severity | bool - -- name: Disable Network File System (nfs) - Collect systemd Services Present in the System - ansible.builtin.command: systemctl -q list-unit-files --type service - register: service_exists - changed_when: false - failed_when: service_exists.rc not in [0, 1] - check_mode: false - when: - - disable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - no_reboot_needed | 
bool - - service_nfs_disabled | bool - - unknown_severity | bool - - '"kernel" in ansible_facts.packages' - tags: - - CCE-90850-9 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - disable_strategy - - low_complexity - - low_disruption - - no_reboot_needed - - service_nfs_disabled - - unknown_severity - -- name: Disable Network File System (nfs) - Ensure nfs-server.service is Masked - ansible.builtin.systemd: - name: nfs-server.service - state: stopped - enabled: false - masked: true - when: - - disable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - no_reboot_needed | bool - - service_nfs_disabled | bool - - unknown_severity | bool - - '"kernel" in ansible_facts.packages' - - service_exists.stdout_lines is search("nfs-server.service", multiline=True) - tags: - - CCE-90850-9 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - disable_strategy - - low_complexity - - low_disruption - - no_reboot_needed - - service_nfs_disabled - - unknown_severity - -- name: Unit Socket Exists - nfs-server.socket - ansible.builtin.command: systemctl -q list-unit-files nfs-server.socket - register: socket_file_exists - changed_when: false - failed_when: socket_file_exists.rc not in [0, 1] - check_mode: false - when: - - disable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - no_reboot_needed | bool - - service_nfs_disabled | bool - - unknown_severity | bool - - '"kernel" in ansible_facts.packages' - tags: - - CCE-90850-9 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - disable_strategy - - low_complexity - - low_disruption - - no_reboot_needed - - service_nfs_disabled - - unknown_severity - -- name: Disable Network File System (nfs) - Disable Socket nfs-server - ansible.builtin.systemd: - name: nfs-server.socket - enabled: false - state: stopped - masked: true - when: - - disable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - 
no_reboot_needed | bool - - service_nfs_disabled | bool - - unknown_severity | bool - - '"kernel" in ansible_facts.packages' - - socket_file_exists.stdout_lines is search("nfs-server.socket", multiline=True) - tags: - - CCE-90850-9 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - disable_strategy - - low_complexity - - low_disruption - - no_reboot_needed - - service_nfs_disabled - - unknown_severity - -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-84215-3 - - DISA-STIG-RHEL-09-252010 - - PCI-DSS-Req-10.4 - - PCI-DSSv4-10.6 - - PCI-DSSv4-10.6.1 - - enable_strategy - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - package_chrony_installed - when: - - DISA_STIG_RHEL_09_252010 | bool - - enable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - package_chrony_installed | bool - -- name: Ensure chrony is installed - package: - name: chrony - state: present - when: - - DISA_STIG_RHEL_09_252010 | bool - - enable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - package_chrony_installed | bool - - '"kernel" in ansible_facts.packages' - tags: - - CCE-84215-3 - - DISA-STIG-RHEL-09-252010 - - PCI-DSS-Req-10.4 - - PCI-DSSv4-10.6 - - PCI-DSSv4-10.6.1 - - enable_strategy - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - package_chrony_installed - -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-84218-7 - - DISA-STIG-RHEL-09-252020 - - NIST-800-53-AU-8(1)(a) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.4.3 - - PCI-DSSv4-10.6 - - PCI-DSSv4-10.6.2 - - chronyd_specify_remote_server - - configure_strategy - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - when: - - DISA_STIG_RHEL_09_252020 | bool - - chronyd_specify_remote_server | bool - - 
configure_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - name: Detect if chrony is already configured with pools or servers - find: + ansible.builtin.find: path: /etc patterns: chrony.conf contains: ^[\s]*(?:server|pool)[\s]+[\w]+ @@ -27236,7 +23320,7 @@ - no_reboot_needed - name: Configure remote time servers - lineinfile: + ansible.builtin.lineinfile: path: /etc/chrony.conf line: server {{ item }} state: present @@ -27268,29 +23352,8 @@ - medium_severity - no_reboot_needed -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-84108-0 - - PCI-DSSv4-10.6 - - PCI-DSSv4-10.6.3 - - chronyd_run_as_chrony_user - - configure_strategy - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - when: - - chronyd_run_as_chrony_user | bool - - configure_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - name: Detect if file /etc/sysconfig/chronyd is not empty or missing - find: + ansible.builtin.find: path: /etc/sysconfig/ patterns: chronyd contains: ^([\s]*OPTIONS=["]?[^"]*)("?) @@ -27316,7 +23379,7 @@ - no_reboot_needed - name: Remove any previous configuration of user used to run chronyd process - replace: + ansible.builtin.replace: path: /etc/sysconfig/chronyd regexp: \s*-u\s*\w+\s* replace: ' ' 
@@ -27341,50 +23404,8 @@
- medium_severity
- no_reboot_needed
-- name: 'Uninstall rsync Package: Ensure rsync-daemon is removed'
- ansible.builtin.package:
- name: rsync-daemon
- state: absent
- tags:
- - CCE-86336-5
- - disable_strategy
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
- - package_rsync_removed
- when:
- - disable_strategy | bool
- - low_complexity | bool
- - low_disruption | bool
- - medium_severity | bool
- - no_reboot_needed | bool
- - package_rsync_removed | bool
-
-- name: Gather the package facts
- package_facts:
- manager: auto
- tags:
- - CCE-84145-2
- - NIST-800-53-CM-6(a)
- - NIST-800-53-CM-7(a)
- - NIST-800-53-CM-7(b)
- - high_severity
- - low_complexity
- - low_disruption
- - no_reboot_needed
- - no_rsh_trust_files
- - restrict_strategy
- when:
- - high_severity | bool
- - low_complexity | bool
- - low_disruption | bool
- - no_reboot_needed | bool
- - no_rsh_trust_files | bool
- - restrict_strategy | bool
-
- name: Detect .rhosts files in users home directories
- find:
+ ansible.builtin.find:
paths:
- /root
- /home
@@ -27415,7 +23436,7 @@
- restrict_strategy
- name: Remove .rhosts files
- file:
+ ansible.builtin.file:
path: '{{ item }}'
state: absent
with_items: '{{ rhosts_locations.files | map(attribute=''path'') | list }}'
@@ -27441,7 +23462,7 @@
- restrict_strategy
- name: Remove /etc/hosts.equiv file
- file:
+ ansible.builtin.file:
path: /etc/hosts.equiv
state: absent
when:
@@ -27464,322 +23485,8 @@ - no_rsh_trust_files - restrict_strategy -- name: 'Uninstall telnet-server Package: Ensure telnet-server is removed' - ansible.builtin.package: - name: telnet-server - state: absent - tags: - - CCE-84149-4 - - DISA-STIG-RHEL-09-215040 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - PCI-DSS-Req-2.2.2 - - PCI-DSSv4-2.2 - - PCI-DSSv4-2.2.4 - - disable_strategy - - high_severity - - low_complexity - - low_disruption - - no_reboot_needed - - package_telnet-server_removed - when: - - DISA_STIG_RHEL_09_215040 | bool - - disable_strategy | bool - - high_severity | bool - - low_complexity | bool - - low_disruption | bool - - no_reboot_needed | bool - - package_telnet_server_removed | bool - -- name: 'Remove telnet Clients: Ensure telnet is removed' - ansible.builtin.package: - name: telnet - state: absent - tags: - - CCE-84146-0 - - NIST-800-171-3.1.13 - - PCI-DSSv4-2.2 - - PCI-DSSv4-2.2.4 - - disable_strategy - - low_complexity - - low_disruption - - low_severity - - no_reboot_needed - - package_telnet_removed - when: - - disable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - low_severity | bool - - no_reboot_needed | bool - - package_telnet_removed | bool - -- name: 'Uninstall tftp-server Package: Ensure tftp-server is removed' - ansible.builtin.package: - name: tftp-server - state: absent - tags: - - CCE-84154-4 - - DISA-STIG-RHEL-09-215060 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - PCI-DSSv4-2.2 - - PCI-DSSv4-2.2.4 - - disable_strategy - - high_severity - - low_complexity - - low_disruption - - no_reboot_needed - - package_tftp-server_removed - when: - - DISA_STIG_RHEL_09_215060 | bool - - disable_strategy | bool - - high_severity | bool - - low_complexity | bool - - low_disruption | bool - - no_reboot_needed | bool - - package_tftp_server_removed | bool - -- name: 'Remove tftp Daemon: Ensure tftp is removed' - ansible.builtin.package: - name: tftp - state: 
absent - tags: - - CCE-84153-6 - - PCI-DSSv4-2.2 - - PCI-DSSv4-2.2.4 - - disable_strategy - - low_complexity - - low_disruption - - low_severity - - no_reboot_needed - - package_tftp_removed - when: - - disable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - low_severity | bool - - no_reboot_needed | bool - - package_tftp_removed | bool - -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-90795-6 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - disable_strategy - - low_complexity - - low_disruption - - no_reboot_needed - - service_cups_disabled - - unknown_severity - when: - - disable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - no_reboot_needed | bool - - service_cups_disabled | bool - - unknown_severity | bool - -- name: Disable the CUPS Service - Collect systemd Services Present in the System - ansible.builtin.command: systemctl -q list-unit-files --type service - register: service_exists - changed_when: false - failed_when: service_exists.rc not in [0, 1] - check_mode: false - when: - - disable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - no_reboot_needed | bool - - service_cups_disabled | bool - - unknown_severity | bool - - '"kernel" in ansible_facts.packages' - tags: - - CCE-90795-6 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - disable_strategy - - low_complexity - - low_disruption - - no_reboot_needed - - service_cups_disabled - - unknown_severity - -- name: Disable the CUPS Service - Ensure cups.service is Masked - ansible.builtin.systemd: - name: cups.service - state: stopped - enabled: false - masked: true - when: - - disable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - no_reboot_needed | bool - - service_cups_disabled | bool - - unknown_severity | bool - - '"kernel" in ansible_facts.packages' - - service_exists.stdout_lines is search("cups.service", 
multiline=True) - tags: - - CCE-90795-6 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - disable_strategy - - low_complexity - - low_disruption - - no_reboot_needed - - service_cups_disabled - - unknown_severity - -- name: Unit Socket Exists - cups.socket - ansible.builtin.command: systemctl -q list-unit-files cups.socket - register: socket_file_exists - changed_when: false - failed_when: socket_file_exists.rc not in [0, 1] - check_mode: false - when: - - disable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - no_reboot_needed | bool - - service_cups_disabled | bool - - unknown_severity | bool - - '"kernel" in ansible_facts.packages' - tags: - - CCE-90795-6 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - disable_strategy - - low_complexity - - low_disruption - - no_reboot_needed - - service_cups_disabled - - unknown_severity - -- name: Disable the CUPS Service - Disable Socket cups - ansible.builtin.systemd: - name: cups.socket - enabled: false - state: stopped - masked: true - when: - - disable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - no_reboot_needed | bool - - service_cups_disabled | bool - - unknown_severity | bool - - '"kernel" in ansible_facts.packages' - - socket_file_exists.stdout_lines is search("cups.socket", multiline=True) - tags: - - CCE-90795-6 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - disable_strategy - - low_complexity - - low_disruption - - no_reboot_needed - - service_cups_disabled - - unknown_severity - -- name: 'Uninstall squid Package: Ensure squid is removed' - ansible.builtin.package: - name: squid - state: absent - tags: - - CCE-84238-5 - - disable_strategy - - low_complexity - - low_disruption - - no_reboot_needed - - package_squid_removed - - unknown_severity - when: - - disable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - no_reboot_needed | bool - - package_squid_removed 
| bool - - unknown_severity | bool - -- name: 'Uninstall Samba Package: Ensure samba is removed' - ansible.builtin.package: - name: samba - state: absent - tags: - - CCE-85979-3 - - disable_strategy - - low_complexity - - low_disruption - - no_reboot_needed - - package_samba_removed - - unknown_severity - when: - - disable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - no_reboot_needed | bool - - package_samba_removed | bool - - unknown_severity | bool - -- name: 'Uninstall net-snmp Package: Ensure net-snmp is removed' - ansible.builtin.package: - name: net-snmp - state: absent - tags: - - CCE-85981-9 - - PCI-DSSv4-2.2 - - PCI-DSSv4-2.2.4 - - disable_strategy - - low_complexity - - low_disruption - - no_reboot_needed - - package_net-snmp_removed - - unknown_severity - when: - - disable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - no_reboot_needed | bool - - package_net_snmp_removed | bool - - unknown_severity | bool - -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-90817-8 - - DISA-STIG-RHEL-09-255105 - - NIST-800-53-AC-17(a) - - NIST-800-53-AC-6(1) - - NIST-800-53-CM-6(a) - - configure_strategy - - file_groupowner_sshd_config - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - when: - - DISA_STIG_RHEL_09_255105 | bool - - configure_strategy | bool - - file_groupowner_sshd_config | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - name: Set the file_groupowner_sshd_config_newgroup variable if represented by gid - set_fact: + ansible.builtin.set_fact: file_groupowner_sshd_config_newgroup: '0' when: - DISA_STIG_RHEL_09_255105 | bool @@ -27804,7 +23511,7 @@ - no_reboot_needed - name: Test for existence /etc/ssh/sshd_config - stat: + ansible.builtin.stat: path: /etc/ssh/sshd_config register: file_exists when: 
@@ -27830,8 +23537,9 @@
- no_reboot_needed
- name: Ensure group owner on /etc/ssh/sshd_config
- file:
+ ansible.builtin.file:
path: /etc/ssh/sshd_config
+ follow: false
group: '{{ file_groupowner_sshd_config_newgroup }}'
when:
- DISA_STIG_RHEL_09_255105 | bool
@@ -27856,27 +23564,8 @@
- medium_severity
- no_reboot_needed
-- name: Gather the package facts
- package_facts:
- manager: auto
- tags:
- - CCE-86127-8
- - configure_strategy
- - file_groupownership_sshd_private_key
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
- when:
- - configure_strategy | bool
- - file_groupownership_sshd_private_key | bool
- - low_complexity | bool
- - low_disruption | bool
- - medium_severity | bool
- - no_reboot_needed | bool
-
- name: Check that the ssh_keys group is defined
- getent:
+ ansible.builtin.getent:
database: group
key: ssh_keys
ignore_errors: true
@@ -27899,7 +23588,7 @@
- no_reboot_needed
- name: Set the file_groupownership_sshd_private_key_newgroup variable if ssh_keys found
- set_fact:
+ ansible.builtin.set_fact:
file_groupownership_sshd_private_key_newgroup: ssh_keys
when:
- configure_strategy | bool
@@ -27920,7 +23609,7 @@
- no_reboot_needed
- name: Find /etc/ssh/ file(s) matching ^.*_key$
- command: find -L /etc/ssh/ -maxdepth 1 -type f ! -group ssh_keys -regextype posix-extended -regex "^.*_key$"
+ ansible.builtin.command: find -P /etc/ssh/ -maxdepth 1 -type f ! -group ssh_keys -regextype posix-extended -regex "^.*_key$"
register: files_found
changed_when: false
failed_when: false
@@ -27943,8 +23632,9 @@
- no_reboot_needed
- name: Ensure group owner on /etc/ssh/ file(s) matching ^.*_key$
- file:
+ ansible.builtin.file:
path: '{{ item }}'
+ follow: false
group: '{{ file_groupownership_sshd_private_key_newgroup }}'
state: file
with_items:
@@ -27966,27 +23656,8 @@
- medium_severity
- no_reboot_needed
-- name: Gather the package facts
- package_facts:
- manager: auto
- tags:
- - CCE-86136-9
- - configure_strategy
- - file_groupownership_sshd_pub_key
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
- when:
- - configure_strategy | bool
- - file_groupownership_sshd_pub_key | bool
- - low_complexity | bool
- - low_disruption | bool
- - medium_severity | bool
- - no_reboot_needed | bool
-
- name: Set the file_groupownership_sshd_pub_key_newgroup variable if represented by gid
- set_fact:
+ ansible.builtin.set_fact:
file_groupownership_sshd_pub_key_newgroup: '0'
when:
- configure_strategy | bool
@@ -28006,7 +23677,7 @@
- no_reboot_needed
- name: Find /etc/ssh/ file(s) matching ^.*\.pub$
- command: find -L /etc/ssh/ -maxdepth 1 -type f ! -group 0 -regextype posix-extended -regex "^.*\.pub$"
+ ansible.builtin.command: find -P /etc/ssh/ -maxdepth 1 -type f ! -group 0 -regextype posix-extended -regex "^.*\.pub$"
register: files_found
changed_when: false
failed_when: false
@@ -28029,8 +23700,9 @@
- no_reboot_needed
- name: Ensure group owner on /etc/ssh/ file(s) matching ^.*\.pub$
- file:
+ ansible.builtin.file:
path: '{{ item }}'
+ follow: false
group: '{{ file_groupownership_sshd_pub_key_newgroup }}'
state: file
with_items:
@@ -28052,32 +23724,8 @@
- medium_severity
- no_reboot_needed
-- name: Gather the package facts
- package_facts:
- manager: auto
- tags:
- - CCE-90821-0
- - DISA-STIG-RHEL-09-255110
- - NIST-800-53-AC-17(a)
- - NIST-800-53-AC-6(1)
- - NIST-800-53-CM-6(a)
- - configure_strategy
- - file_owner_sshd_config
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
- when:
- - DISA_STIG_RHEL_09_255110 | bool
- - configure_strategy | bool
- - file_owner_sshd_config | bool
- - low_complexity | bool
- - low_disruption | bool
- - medium_severity | bool
- - no_reboot_needed | bool
-
- name: Set the file_owner_sshd_config_newown variable if represented by uid
- set_fact:
+ ansible.builtin.set_fact:
file_owner_sshd_config_newown: '0'
when:
- DISA_STIG_RHEL_09_255110 | bool
@@ -28102,7 +23750,7 @@
- no_reboot_needed
- name: Test for existence /etc/ssh/sshd_config
- stat:
+ ansible.builtin.stat:
path: /etc/ssh/sshd_config
register: file_exists
when:
@@ -28128,8 +23776,9 @@
- no_reboot_needed
- name: Ensure owner on /etc/ssh/sshd_config
- file:
+ ansible.builtin.file:
path: /etc/ssh/sshd_config
+ follow: false
owner: '{{ file_owner_sshd_config_newown }}'
when:
- DISA_STIG_RHEL_09_255110 | bool
@@ -28154,27 +23803,8 @@
- medium_severity
- no_reboot_needed
-- name: Gather the package facts
- package_facts:
- manager: auto
- tags:
- - CCE-86119-5
- - configure_strategy
- - file_ownership_sshd_private_key
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
- when:
- - configure_strategy | bool
- - file_ownership_sshd_private_key | bool
- - low_complexity | bool
- - low_disruption | bool
- - medium_severity | bool
- - no_reboot_needed | bool
-
- name: Set the file_ownership_sshd_private_key_newown variable if represented by uid
- set_fact:
+ ansible.builtin.set_fact:
file_ownership_sshd_private_key_newown: '0'
when:
- configure_strategy | bool
@@ -28194,7 +23824,7 @@
- no_reboot_needed
- name: Find /etc/ssh/ file(s) matching ^.*_key$
- command: find -L /etc/ssh/ -maxdepth 1 -type f ! -user 0 -regextype posix-extended -regex "^.*_key$"
+ ansible.builtin.command: find -P /etc/ssh/ -maxdepth 1 -type f ! -user 0 -regextype posix-extended -regex "^.*_key$"
register: files_found
changed_when: false
failed_when: false
@@ -28217,8 +23847,9 @@
- no_reboot_needed
- name: Ensure owner on /etc/ssh/ file(s) matching ^.*_key$
- file:
+ ansible.builtin.file:
path: '{{ item }}'
+ follow: false
owner: '{{ file_ownership_sshd_private_key_newown }}'
state: file
with_items:
@@ -28240,27 +23871,8 @@
- medium_severity
- no_reboot_needed
-- name: Gather the package facts
- package_facts:
- manager: auto
- tags:
- - CCE-86130-2
- - configure_strategy
- - file_ownership_sshd_pub_key
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
- when:
- - configure_strategy | bool
- - file_ownership_sshd_pub_key | bool
- - low_complexity | bool
- - low_disruption | bool
- - medium_severity | bool
- - no_reboot_needed | bool
-
- name: Set the file_ownership_sshd_pub_key_newown variable if represented by uid
- set_fact:
+ ansible.builtin.set_fact:
file_ownership_sshd_pub_key_newown: '0'
when:
- configure_strategy | bool
@@ -28280,7 +23892,7 @@
- no_reboot_needed
- name: Find /etc/ssh/ file(s) matching ^.*\.pub$
- command: find -L /etc/ssh/ -maxdepth 1 -type f ! -user 0 -regextype posix-extended -regex "^.*\.pub$"
+ ansible.builtin.command: find -P /etc/ssh/ -maxdepth 1 -type f ! -user 0 -regextype posix-extended -regex "^.*\.pub$"
register: files_found
changed_when: false
failed_when: false
@@ -28303,8 +23915,9 @@
- no_reboot_needed
- name: Ensure owner on /etc/ssh/ file(s) matching ^.*\.pub$
- file:
+ ansible.builtin.file:
path: '{{ item }}'
+ follow: false
owner: '{{ file_ownership_sshd_pub_key_newown }}'
state: file
with_items:
@@ -28326,34 +23939,8 @@ - medium_severity - no_reboot_needed -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-90818-6 - - DISA-STIG-RHEL-09-255115 - - NIST-800-53-AC-17(a) - - NIST-800-53-AC-6(1) - - NIST-800-53-CM-6(a) - - PCI-DSSv4-2.2 - - PCI-DSSv4-2.2.6 - - configure_strategy - - file_permissions_sshd_config - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - when: - - DISA_STIG_RHEL_09_255115 | bool - - configure_strategy | bool - - file_permissions_sshd_config | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - name: Test for existence /etc/ssh/sshd_config - stat: + ansible.builtin.stat: path: /etc/ssh/sshd_config register: file_exists when: @@ -28381,7 +23968,7 @@ - no_reboot_needed - name: Ensure permission u-xs,g-xwrs,o-xwrt on /etc/ssh/sshd_config - file: + ansible.builtin.file: path: /etc/ssh/sshd_config mode: u-xs,g-xwrs,o-xwrt when: @@ -28409,35 +23996,6 @@ - medium_severity - no_reboot_needed -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-90820-2 - - DISA-STIG-RHEL-09-255120 - - NIST-800-171-3.1.13 - - NIST-800-171-3.13.10 - - NIST-800-53-AC-17(a) - - NIST-800-53-AC-6(1) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-2.2.4 - - PCI-DSSv4-2.2 - - PCI-DSSv4-2.2.6 - - configure_strategy - - file_permissions_sshd_private_key - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - when: - - DISA_STIG_RHEL_09_255120 | bool - - configure_strategy | bool - - file_permissions_sshd_private_key | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - name: Find root:root-owned keys ansible.builtin.command: find -H /etc/ssh/ -maxdepth 1 -user root -regex ".*_key$" -type f -group root -perm /u+xs,g+xwrs,o+xwrt register: root_owned_keys 
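Review bot: The permission task for /etc/ssh/sshd_config (`mode: u-xs,g-xwrs,o-xwrt`) is left at the `ansible.builtin.file` default for `follow`, while the companion ownership task for the same file in this commit gained `follow: false`; a symlinked sshd_config would therefore be chowned on the link but chmod'ed on whatever the link targets, which is both inconsistent and exactly the redirection the owner change guards against. Add `follow: false` directly under `path: /etc/ssh/sshd_config` here as well so both tasks treat the path the same way, and treat `file_exists.stat.islnk` as a finding rather than a file to fix. The `when:` list of this task runs past the end of the hunk.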
@@ -28572,37 +24130,9 @@ - medium_severity - no_reboot_needed -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-90819-4 - - DISA-STIG-RHEL-09-255125 - - NIST-800-171-3.1.13 - - NIST-800-171-3.13.10 - - NIST-800-53-AC-17(a) - - NIST-800-53-AC-6(1) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-2.2.4 - - PCI-DSSv4-2.2 - - PCI-DSSv4-2.2.6 - - configure_strategy - - file_permissions_sshd_pub_key - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - when: - - DISA_STIG_RHEL_09_255125 | bool - - configure_strategy | bool - - file_permissions_sshd_pub_key | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - name: Find /etc/ssh/ file(s) - command: find -L /etc/ssh/ -maxdepth 1 -perm /u+xs,g+xws,o+xwt -type f -regextype posix-extended -regex "^.*\.pub$" + ansible.builtin.command: find -P /etc/ssh/ -maxdepth 1 -perm /u+xs,g+xws,o+xwt -type f -regextype posix-extended -regex + "^.*\.pub$" register: files_found changed_when: false failed_when: false @@ -28635,7 +24165,7 @@ - no_reboot_needed - name: Set permissions for /etc/ssh/ file(s) - file: + ansible.builtin.file: path: '{{ item }}' mode: u-xs,g-xws,o-xwt state: file 
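Review bot: The `.pub` find command has had its `-regex` argument wrapped onto a continuation line, turning the value into a multi-line plain scalar whose correctness now depends on YAML line folding (the fold yields `-regex "^.*\.pub$"`, which is fine today, but a reformatter or a differently indented edit can move or break the token and silently change what find matches). Prefer a folded block scalar — `ansible.builtin.command: >-` followed by the whole command on indented lines — or the module's `argv:` list, so the argument boundary does not depend on where the line is wrapped. Separately, as with the key-file searches, `-P` means a symlinked `.pub` file is now skipped rather than fixed, and `failed_when: false` still hides a failing find; consider `failed_when: files_found.rc != 0`.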
@@ -28668,51 +24198,20 @@ - medium_severity - no_reboot_needed -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-90805-3 - - CJIS-5.5.6 - - DISA-STIG-RHEL-09-255095 - - NIST-800-171-3.1.11 - - NIST-800-53-AC-12 - - NIST-800-53-AC-17(a) - - NIST-800-53-AC-2(5) - - NIST-800-53-CM-6(a) - - NIST-800-53-SC-10 - - PCI-DSS-Req-8.1.8 - - PCI-DSSv4-8.2 - - PCI-DSSv4-8.2.8 - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - - sshd_set_keepalive - when: - - DISA_STIG_RHEL_09_255095 | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - sshd_set_keepalive | bool - - name: Set SSH Client Alive Count Max block: - name: Deduplicate values from /etc/ssh/sshd_config - lineinfile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config create: false regexp: (?i)(?i)^\s*{{ "ClientAliveCountMax"| regex_escape }}\s+ state: absent - name: Check if /etc/ssh/sshd_config.d exists - stat: + ansible.builtin.stat: path: /etc/ssh/sshd_config.d register: _etc_ssh_sshd_config_d_exists - name: Check if the parameter ClientAliveCountMax is present in /etc/ssh/sshd_config.d - find: + ansible.builtin.find: paths: /etc/ssh/sshd_config.d recurse: 'yes' follow: 'no' @@ -28720,7 +24219,7 @@ register: _etc_ssh_sshd_config_d_has_parameter when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir - name: Remove parameter from files in /etc/ssh/sshd_config.d - lineinfile: + ansible.builtin.lineinfile: path: '{{ item.path }}' create: false regexp: (?i)(?i)^\s*{{ "ClientAliveCountMax"| regex_escape }}\s+ 
@@ -28728,7 +24227,7 @@ with_items: '{{ _etc_ssh_sshd_config_d_has_parameter.files }}' when: _etc_ssh_sshd_config_d_has_parameter.matched - name: Insert correct line to /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf - lineinfile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf create: true regexp: (?i)(?i)^\s*{{ "ClientAliveCountMax"| regex_escape }}\s+ @@ -28769,6 +24268,7 @@ ansible.builtin.file: path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf mode: '0600' + state: touch when: - DISA_STIG_RHEL_09_255095 | bool - low_complexity | bool @@ -28798,53 +24298,20 @@ - restrict_strategy - sshd_set_keepalive -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-90811-1 - - CJIS-5.5.6 - - DISA-STIG-RHEL-09-255100 - - NIST-800-171-3.1.11 - - NIST-800-53-AC-12 - - NIST-800-53-AC-17(a) - - NIST-800-53-AC-17(a) - - NIST-800-53-AC-2(5) - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-6(a) - - NIST-800-53-SC-10 - - PCI-DSS-Req-8.1.8 - - PCI-DSSv4-8.2 - - PCI-DSSv4-8.2.8 - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - - sshd_set_idle_timeout - when: - - DISA_STIG_RHEL_09_255100 | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - sshd_set_idle_timeout | bool - - name: Set SSH Client Alive Interval block: - name: Deduplicate values from /etc/ssh/sshd_config - lineinfile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config create: false regexp: (?i)(?i)^\s*{{ "ClientAliveInterval"| regex_escape }}\s+ state: absent - name: Check if /etc/ssh/sshd_config.d exists - stat: + ansible.builtin.stat: path: /etc/ssh/sshd_config.d register: _etc_ssh_sshd_config_d_exists - name: Check if the parameter ClientAliveInterval is present in /etc/ssh/sshd_config.d - find: + ansible.builtin.find: paths: /etc/ssh/sshd_config.d recurse: 'yes' follow: 'no' 
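Review bot: `state: touch` on the `mode: '0600'` task for /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf updates the file's access and modification times on every run, so this task will report `changed` each time even when nothing was modified and the role stops being idempotent; the same applies to every other `state: touch` added in this commit (ClientAliveInterval, HostbasedAuthentication, PermitEmptyPasswords, PermitRootLogin, LogLevel, MaxAuthTries and the rest). If the intent is only to make the task succeed when `lineinfile` has not created the file yet (presumably check mode), keep `state: touch` but add `modification_time: preserve` and `access_time: preserve` so creation still happens and existing timestamps are left alone. A per-run mtime change on a file under /etc/ssh may also show up as noise in the AIDE integrity checks this role installs, if that path is in AIDE's scope.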
@@ -28852,7 +24319,7 @@ register: _etc_ssh_sshd_config_d_has_parameter when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir - name: Remove parameter from files in /etc/ssh/sshd_config.d - lineinfile: + ansible.builtin.lineinfile: path: '{{ item.path }}' create: false regexp: (?i)(?i)^\s*{{ "ClientAliveInterval"| regex_escape }}\s+ @@ -28860,7 +24327,7 @@ with_items: '{{ _etc_ssh_sshd_config_d_has_parameter.files }}' when: _etc_ssh_sshd_config_d_has_parameter.matched - name: Insert correct line to /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf - lineinfile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf create: true regexp: (?i)(?i)^\s*{{ "ClientAliveInterval"| regex_escape }}\s+ @@ -28903,6 +24370,7 @@ ansible.builtin.file: path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf mode: '0600' + state: touch when: - DISA_STIG_RHEL_09_255100 | bool - low_complexity | bool 
@@ -28934,50 +24402,20 @@ - restrict_strategy - sshd_set_idle_timeout -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-90816-0 - - CJIS-5.5.6 - - DISA-STIG-RHEL-09-255080 - - NIST-800-171-3.1.12 - - NIST-800-53-AC-17(a) - - NIST-800-53-AC-3 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - PCI-DSSv4-8.3 - - PCI-DSSv4-8.3.1 - - disable_host_auth - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - when: - - DISA_STIG_RHEL_09_255080 | bool - - disable_host_auth | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - name: Disable Host-Based Authentication block: - name: Deduplicate values from /etc/ssh/sshd_config - lineinfile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config create: false regexp: (?i)(?i)^\s*{{ "HostbasedAuthentication"| regex_escape }}\s+ state: absent - name: Check if /etc/ssh/sshd_config.d exists - stat: + ansible.builtin.stat: path: /etc/ssh/sshd_config.d register: _etc_ssh_sshd_config_d_exists - name: Check if the parameter HostbasedAuthentication is present in /etc/ssh/sshd_config.d - find: + ansible.builtin.find: paths: /etc/ssh/sshd_config.d recurse: 'yes' follow: 'no' @@ -28985,7 +24423,7 @@ register: _etc_ssh_sshd_config_d_has_parameter when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir - name: Remove parameter from files in /etc/ssh/sshd_config.d - lineinfile: + ansible.builtin.lineinfile: path: '{{ item.path }}' create: false regexp: (?i)(?i)^\s*{{ "HostbasedAuthentication"| regex_escape }}\s+ 
@@ -28993,7 +24431,7 @@ with_items: '{{ _etc_ssh_sshd_config_d_has_parameter.files }}' when: _etc_ssh_sshd_config_d_has_parameter.matched - name: Insert correct line to /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf - lineinfile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf create: true regexp: (?i)(?i)^\s*{{ "HostbasedAuthentication"| regex_escape }}\s+ @@ -29033,6 +24471,7 @@ ansible.builtin.file: path: /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf mode: '0600' + state: touch when: - DISA_STIG_RHEL_09_255080 | bool - disable_host_auth | bool 
@@ -29061,51 +24500,20 @@ - no_reboot_needed - restrict_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-90799-8 - - CJIS-5.5.6 - - DISA-STIG-RHEL-09-255040 - - NIST-800-171-3.1.1 - - NIST-800-171-3.1.5 - - NIST-800-53-AC-17(a) - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - PCI-DSS-Req-2.2.4 - - PCI-DSSv4-2.2 - - PCI-DSSv4-2.2.6 - - high_severity - - low_complexity - - low_disruption - - no_reboot_needed - - restrict_strategy - - sshd_disable_empty_passwords - when: - - DISA_STIG_RHEL_09_255040 | bool - - high_severity | bool - - low_complexity | bool - - low_disruption | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - sshd_disable_empty_passwords | bool - - name: Disable SSH Access via Empty Passwords block: - name: Deduplicate values from /etc/ssh/sshd_config - lineinfile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config create: false regexp: (?i)(?i)^\s*{{ "PermitEmptyPasswords"| regex_escape }}\s+ state: absent - name: Check if /etc/ssh/sshd_config.d exists - stat: + ansible.builtin.stat: path: /etc/ssh/sshd_config.d register: _etc_ssh_sshd_config_d_exists - name: Check if the parameter PermitEmptyPasswords is present in /etc/ssh/sshd_config.d - find: + ansible.builtin.find: paths: /etc/ssh/sshd_config.d recurse: 'yes' follow: 'no' @@ -29113,7 +24521,7 @@ register: _etc_ssh_sshd_config_d_has_parameter when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir - name: Remove parameter from files in /etc/ssh/sshd_config.d - lineinfile: + ansible.builtin.lineinfile: path: '{{ item.path }}' create: false regexp: (?i)(?i)^\s*{{ "PermitEmptyPasswords"| regex_escape }}\s+ 
@@ -29121,7 +24529,7 @@ with_items: '{{ _etc_ssh_sshd_config_d_has_parameter.files }}' when: _etc_ssh_sshd_config_d_has_parameter.matched - name: Insert correct line to /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf - lineinfile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf create: true regexp: (?i)(?i)^\s*{{ "PermitEmptyPasswords"| regex_escape }}\s+ @@ -29162,6 +24570,7 @@ ansible.builtin.file: path: /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf mode: '0600' + state: touch when: - DISA_STIG_RHEL_09_255040 | bool - high_severity | bool @@ -29191,46 +24600,20 @@ - restrict_strategy - sshd_disable_empty_passwords -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-90808-7 - - DISA-STIG-RHEL-09-255135 - - NIST-800-171-3.1.12 - - NIST-800-53-AC-17(a) - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - - sshd_disable_gssapi_auth - when: - - DISA_STIG_RHEL_09_255135 | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - sshd_disable_gssapi_auth | bool - - name: Disable GSSAPI Authentication block: - name: Deduplicate values from /etc/ssh/sshd_config - lineinfile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config create: false regexp: (?i)(?i)^\s*{{ "GSSAPIAuthentication"| regex_escape }}\s+ state: absent - name: Check if /etc/ssh/sshd_config.d exists - stat: + ansible.builtin.stat: path: /etc/ssh/sshd_config.d register: _etc_ssh_sshd_config_d_exists - name: Check if the parameter GSSAPIAuthentication is present in /etc/ssh/sshd_config.d - find: + ansible.builtin.find: paths: /etc/ssh/sshd_config.d recurse: 'yes' follow: 'no' 
@@ -29238,7 +24621,7 @@ register: _etc_ssh_sshd_config_d_has_parameter when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir - name: Remove parameter from files in /etc/ssh/sshd_config.d - lineinfile: + ansible.builtin.lineinfile: path: '{{ item.path }}' create: false regexp: (?i)(?i)^\s*{{ "GSSAPIAuthentication"| regex_escape }}\s+ @@ -29246,7 +24629,7 @@ with_items: '{{ _etc_ssh_sshd_config_d_has_parameter.files }}' when: _etc_ssh_sshd_config_d_has_parameter.matched - name: Insert correct line to /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf - lineinfile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf create: true regexp: (?i)(?i)^\s*{{ "GSSAPIAuthentication"| regex_escape }}\s+ @@ -29282,6 +24665,7 @@ ansible.builtin.file: path: /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf mode: '0600' + state: touch when: - DISA_STIG_RHEL_09_255135 | bool - low_complexity | bool 
@@ -29306,49 +24690,20 @@ - restrict_strategy - sshd_disable_gssapi_auth -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-90797-2 - - CJIS-5.5.6 - - DISA-STIG-RHEL-09-255145 - - NIST-800-171-3.1.12 - - NIST-800-53-AC-17(a) - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - PCI-DSSv4-2.2 - - PCI-DSSv4-2.2.6 - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - - sshd_disable_rhosts - when: - - DISA_STIG_RHEL_09_255145 | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - sshd_disable_rhosts | bool - - name: Disable SSH Support for .rhosts Files block: - name: Deduplicate values from /etc/ssh/sshd_config - lineinfile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config create: false regexp: (?i)(?i)^\s*{{ "IgnoreRhosts"| regex_escape }}\s+ state: absent - name: Check if /etc/ssh/sshd_config.d exists - stat: + ansible.builtin.stat: path: /etc/ssh/sshd_config.d register: _etc_ssh_sshd_config_d_exists - name: Check if the parameter IgnoreRhosts is present in /etc/ssh/sshd_config.d - find: + ansible.builtin.find: paths: /etc/ssh/sshd_config.d recurse: 'yes' follow: 'no' @@ -29356,7 +24711,7 @@ register: _etc_ssh_sshd_config_d_has_parameter when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir - name: Remove parameter from files in /etc/ssh/sshd_config.d - lineinfile: + ansible.builtin.lineinfile: path: '{{ item.path }}' create: false regexp: (?i)(?i)^\s*{{ "IgnoreRhosts"| regex_escape }}\s+ 
@@ -29364,7 +24719,7 @@ with_items: '{{ _etc_ssh_sshd_config_d_has_parameter.files }}' when: _etc_ssh_sshd_config_d_has_parameter.matched - name: Insert correct line to /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf - lineinfile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf create: true regexp: (?i)(?i)^\s*{{ "IgnoreRhosts"| regex_escape }}\s+ @@ -29403,6 +24758,7 @@ ansible.builtin.file: path: /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf mode: '0600' + state: touch when: - DISA_STIG_RHEL_09_255145 | bool - low_complexity | bool 
@@ -29430,54 +24786,20 @@ - restrict_strategy - sshd_disable_rhosts -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-90800-4 - - CJIS-5.5.6 - - DISA-STIG-RHEL-09-255045 - - NIST-800-171-3.1.1 - - NIST-800-171-3.1.5 - - NIST-800-53-AC-17(a) - - NIST-800-53-AC-6(2) - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - NIST-800-53-IA-2 - - NIST-800-53-IA-2(5) - - PCI-DSS-Req-2.2.4 - - PCI-DSSv4-2.2 - - PCI-DSSv4-2.2.6 - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - - sshd_disable_root_login - when: - - DISA_STIG_RHEL_09_255045 | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - sshd_disable_root_login | bool - - name: Disable SSH Root Login block: - name: Deduplicate values from /etc/ssh/sshd_config - lineinfile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config create: false regexp: (?i)(?i)^\s*{{ "PermitRootLogin"| regex_escape }}\s+ state: absent - name: Check if /etc/ssh/sshd_config.d exists - stat: + ansible.builtin.stat: path: /etc/ssh/sshd_config.d register: _etc_ssh_sshd_config_d_exists - name: Check if the parameter PermitRootLogin is present in /etc/ssh/sshd_config.d - find: + ansible.builtin.find: paths: /etc/ssh/sshd_config.d recurse: 'yes' follow: 'no' @@ -29485,7 +24807,7 @@ register: _etc_ssh_sshd_config_d_has_parameter when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir - name: Remove parameter from files in /etc/ssh/sshd_config.d - lineinfile: + ansible.builtin.lineinfile: path: '{{ item.path }}' create: false regexp: (?i)(?i)^\s*{{ "PermitRootLogin"| regex_escape }}\s+ 
@@ -29493,7 +24815,7 @@ with_items: '{{ _etc_ssh_sshd_config_d_has_parameter.files }}' when: _etc_ssh_sshd_config_d_has_parameter.matched - name: Insert correct line to /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf - lineinfile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf create: true regexp: (?i)(?i)^\s*{{ "PermitRootLogin"| regex_escape }}\s+ @@ -29537,6 +24859,7 @@ ansible.builtin.file: path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf mode: '0600' + state: touch when: - DISA_STIG_RHEL_09_255045 | bool - low_complexity | bool @@ -29569,50 +24892,20 @@ - restrict_strategy - sshd_disable_root_login -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-90803-8 - - CJIS-5.5.6 - - DISA-STIG-RHEL-09-255085 - - NIST-800-171-3.1.12 - - NIST-800-53-AC-17(a) - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - PCI-DSS-Req-2.2.4 - - PCI-DSSv4-2.2 - - PCI-DSSv4-2.2.6 - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - - sshd_do_not_permit_user_env - when: - - DISA_STIG_RHEL_09_255085 | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - sshd_do_not_permit_user_env | bool - - name: Do Not Allow SSH Environment Options block: - name: Deduplicate values from /etc/ssh/sshd_config - lineinfile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config create: false regexp: (?i)(?i)^\s*{{ "PermitUserEnvironment"| regex_escape }}\s+ state: absent - name: Check if /etc/ssh/sshd_config.d exists - stat: + ansible.builtin.stat: path: /etc/ssh/sshd_config.d register: _etc_ssh_sshd_config_d_exists - name: Check if the parameter PermitUserEnvironment is present in /etc/ssh/sshd_config.d - find: + ansible.builtin.find: paths: /etc/ssh/sshd_config.d recurse: 'yes' follow: 'no' 
@@ -29620,7 +24913,7 @@ register: _etc_ssh_sshd_config_d_has_parameter when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir - name: Remove parameter from files in /etc/ssh/sshd_config.d - lineinfile: + ansible.builtin.lineinfile: path: '{{ item.path }}' create: false regexp: (?i)(?i)^\s*{{ "PermitUserEnvironment"| regex_escape }}\s+ @@ -29628,7 +24921,7 @@ with_items: '{{ _etc_ssh_sshd_config_d_has_parameter.files }}' when: _etc_ssh_sshd_config_d_has_parameter.matched - name: Insert correct line to /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf - lineinfile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf create: true regexp: (?i)(?i)^\s*{{ "PermitUserEnvironment"| regex_escape }}\s+ @@ -29668,6 +24961,7 @@ ansible.builtin.file: path: /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf mode: '0600' + state: touch when: - DISA_STIG_RHEL_09_255085 | bool - low_complexity | bool 
@@ -29696,43 +24990,20 @@ - restrict_strategy - sshd_do_not_permit_user_env -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-86722-6 - - DISA-STIG-RHEL-09-255050 - - PCI-DSSv4-2.2 - - PCI-DSSv4-2.2.6 - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - - sshd_enable_pam - when: - - DISA_STIG_RHEL_09_255050 | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - sshd_enable_pam | bool - - name: Enable PAM block: - name: Deduplicate values from /etc/ssh/sshd_config - lineinfile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config create: false regexp: (?i)(?i)^\s*{{ "UsePAM"| regex_escape }}\s+ state: absent - name: Check if /etc/ssh/sshd_config.d exists - stat: + ansible.builtin.stat: path: /etc/ssh/sshd_config.d register: _etc_ssh_sshd_config_d_exists - name: Check if the parameter UsePAM is present in /etc/ssh/sshd_config.d - find: + ansible.builtin.find: paths: /etc/ssh/sshd_config.d recurse: 'yes' follow: 'no' @@ -29740,7 +25011,7 @@ register: _etc_ssh_sshd_config_d_has_parameter when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir - name: Remove parameter from files in /etc/ssh/sshd_config.d - lineinfile: + ansible.builtin.lineinfile: path: '{{ item.path }}' create: false regexp: (?i)(?i)^\s*{{ "UsePAM"| regex_escape }}\s+ @@ -29748,7 +25019,7 @@ with_items: '{{ _etc_ssh_sshd_config_d_has_parameter.files }}' when: _etc_ssh_sshd_config_d_has_parameter.matched - name: Insert correct line to /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf - lineinfile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf create: true regexp: (?i)(?i)^\s*{{ "UsePAM"| regex_escape }}\s+ 
@@ -29781,6 +25052,7 @@ ansible.builtin.file: path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf mode: '0600' + state: touch when: - DISA_STIG_RHEL_09_255050 | bool - low_complexity | bool @@ -29802,45 +25074,20 @@ - restrict_strategy - sshd_enable_pam -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-87979-1 - - CJIS-5.5.6 - - NIST-800-171-3.1.9 - - NIST-800-53-AC-17(a) - - NIST-800-53-AC-8(a) - - NIST-800-53-AC-8(c) - - NIST-800-53-CM-6(a) - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - - sshd_enable_warning_banner_net - when: - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - sshd_enable_warning_banner_net | bool - - name: Enable SSH Warning Banner block: - name: Deduplicate values from /etc/ssh/sshd_config - lineinfile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config create: false regexp: (?i)(?i)^\s*{{ "Banner"| regex_escape }}\s+ state: absent - name: Check if /etc/ssh/sshd_config.d exists - stat: + ansible.builtin.stat: path: /etc/ssh/sshd_config.d register: _etc_ssh_sshd_config_d_exists - name: Check if the parameter Banner is present in /etc/ssh/sshd_config.d - find: + ansible.builtin.find: paths: /etc/ssh/sshd_config.d recurse: 'yes' follow: 'no' @@ -29848,7 +25095,7 @@ register: _etc_ssh_sshd_config_d_has_parameter when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir - name: Remove parameter from files in /etc/ssh/sshd_config.d - lineinfile: + ansible.builtin.lineinfile: path: '{{ item.path }}' create: false regexp: (?i)(?i)^\s*{{ "Banner"| regex_escape }}\s+ 
@@ -29856,7 +25103,7 @@ with_items: '{{ _etc_ssh_sshd_config_d_has_parameter.files }}' when: _etc_ssh_sshd_config_d_has_parameter.matched - name: Insert correct line to /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf - lineinfile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf create: true regexp: (?i)(?i)^\s*{{ "Banner"| regex_escape }}\s+ @@ -29891,6 +25138,7 @@ ansible.builtin.file: path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf mode: '0600' + state: touch when: - low_complexity | bool - low_disruption | bool @@ -29914,41 +25162,20 @@ - restrict_strategy - sshd_enable_warning_banner_net -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-86552-7 - - PCI-DSSv4-2.2 - - PCI-DSSv4-2.2.6 - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - - sshd_set_login_grace_time - when: - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - sshd_set_login_grace_time | bool - - name: Ensure SSH LoginGraceTime is configured block: - name: Deduplicate values from /etc/ssh/sshd_config - lineinfile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config create: false regexp: (?i)(?i)^\s*{{ "LoginGraceTime"| regex_escape }}\s+ state: absent - name: Check if /etc/ssh/sshd_config.d exists - stat: + ansible.builtin.stat: path: /etc/ssh/sshd_config.d register: _etc_ssh_sshd_config_d_exists - name: Check if the parameter LoginGraceTime is present in /etc/ssh/sshd_config.d - find: + ansible.builtin.find: paths: /etc/ssh/sshd_config.d recurse: 'yes' follow: 'no' 
@@ -29956,7 +25183,7 @@ register: _etc_ssh_sshd_config_d_has_parameter when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir - name: Remove parameter from files in /etc/ssh/sshd_config.d - lineinfile: + ansible.builtin.lineinfile: path: '{{ item.path }}' create: false regexp: (?i)(?i)^\s*{{ "LoginGraceTime"| regex_escape }}\s+ @@ -29964,7 +25191,7 @@ with_items: '{{ _etc_ssh_sshd_config_d_has_parameter.files }}' when: _etc_ssh_sshd_config_d_has_parameter.matched - name: Insert correct line to /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf - lineinfile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf create: true regexp: (?i)(?i)^\s*{{ "LoginGraceTime"| regex_escape }}\s+ @@ -29995,6 +25222,7 @@ ansible.builtin.file: path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf mode: '0600' + state: touch when: - low_complexity | bool - low_disruption | bool 
@@ -30014,47 +25242,20 @@ - restrict_strategy - sshd_set_login_grace_time -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-86923-0 - - DISA-STIG-RHEL-09-255030 - - NIST-800-53-AC-17(1) - - NIST-800-53-AC-17(a) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-2.2.4 - - PCI-DSSv4-2.2 - - PCI-DSSv4-2.2.6 - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - - sshd_set_loglevel_verbose - when: - - DISA_STIG_RHEL_09_255030 | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - sshd_set_loglevel_verbose | bool - - name: Set SSH Daemon LogLevel to VERBOSE block: - name: Deduplicate values from /etc/ssh/sshd_config - lineinfile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config create: false regexp: (?i)(?i)^\s*{{ "LogLevel"| regex_escape }}\s+ state: absent - name: Check if /etc/ssh/sshd_config.d exists - stat: + ansible.builtin.stat: path: /etc/ssh/sshd_config.d register: _etc_ssh_sshd_config_d_exists - name: Check if the parameter LogLevel is present in /etc/ssh/sshd_config.d - find: + ansible.builtin.find: paths: /etc/ssh/sshd_config.d recurse: 'yes' follow: 'no' @@ -30062,7 +25263,7 @@ register: _etc_ssh_sshd_config_d_has_parameter when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir - name: Remove parameter from files in /etc/ssh/sshd_config.d - lineinfile: + ansible.builtin.lineinfile: path: '{{ item.path }}' create: false regexp: (?i)(?i)^\s*{{ "LogLevel"| regex_escape }}\s+ 
@@ -30070,7 +25271,7 @@ with_items: '{{ _etc_ssh_sshd_config_d_has_parameter.files }}' when: _etc_ssh_sshd_config_d_has_parameter.matched - name: Insert correct line to /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf - lineinfile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf create: true regexp: (?i)(?i)^\s*{{ "LogLevel"| regex_escape }}\s+ @@ -30107,6 +25308,7 @@ ansible.builtin.file: path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf mode: '0600' + state: touch when: - DISA_STIG_RHEL_09_255030 | bool - low_complexity | bool @@ -30132,41 +25334,20 @@ - restrict_strategy - sshd_set_loglevel_verbose -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-90810-3 - - PCI-DSSv4-2.2 - - PCI-DSSv4-2.2.6 - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - - sshd_set_max_auth_tries - when: - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - sshd_set_max_auth_tries | bool - - name: Set SSH authentication attempt limit block: - name: Deduplicate values from /etc/ssh/sshd_config - lineinfile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config create: false regexp: (?i)(?i)^\s*{{ "MaxAuthTries"| regex_escape }}\s+ state: absent - name: Check if /etc/ssh/sshd_config.d exists - stat: + ansible.builtin.stat: path: /etc/ssh/sshd_config.d register: _etc_ssh_sshd_config_d_exists - name: Check if the parameter MaxAuthTries is present in /etc/ssh/sshd_config.d - find: + ansible.builtin.find: paths: /etc/ssh/sshd_config.d recurse: 'yes' follow: 'no' 
@@ -30174,7 +25355,7 @@ register: _etc_ssh_sshd_config_d_has_parameter when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir - name: Remove parameter from files in /etc/ssh/sshd_config.d - lineinfile: + ansible.builtin.lineinfile: path: '{{ item.path }}' create: false regexp: (?i)(?i)^\s*{{ "MaxAuthTries"| regex_escape }}\s+ @@ -30182,7 +25363,7 @@ with_items: '{{ _etc_ssh_sshd_config_d_has_parameter.files }}' when: _etc_ssh_sshd_config_d_has_parameter.matched - name: Insert correct line to /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf - lineinfile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf create: true regexp: (?i)(?i)^\s*{{ "MaxAuthTries"| regex_escape }}\s+ @@ -30213,6 +25394,7 @@ ansible.builtin.file: path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf mode: '0600' + state: touch when: - low_complexity | bool - low_disruption | bool 
@@ -30232,41 +25414,20 @@ - restrict_strategy - sshd_set_max_auth_tries -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-84103-1 - - PCI-DSSv4-2.2 - - PCI-DSSv4-2.2.6 - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - - sshd_set_max_sessions - when: - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - sshd_set_max_sessions | bool - - name: Set SSH MaxSessions limit block: - name: Deduplicate values from /etc/ssh/sshd_config - lineinfile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config create: false regexp: (?i)(?i)^\s*{{ "MaxSessions"| regex_escape }}\s+ state: absent - name: Check if /etc/ssh/sshd_config.d exists - stat: + ansible.builtin.stat: path: /etc/ssh/sshd_config.d register: _etc_ssh_sshd_config_d_exists - name: Check if the parameter MaxSessions is present in /etc/ssh/sshd_config.d - find: + ansible.builtin.find: paths: /etc/ssh/sshd_config.d recurse: 'yes' follow: 'no' @@ -30274,7 +25435,7 @@ register: _etc_ssh_sshd_config_d_has_parameter when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir - name: Remove parameter from files in /etc/ssh/sshd_config.d - lineinfile: + ansible.builtin.lineinfile: path: '{{ item.path }}' create: false regexp: (?i)(?i)^\s*{{ "MaxSessions"| regex_escape }}\s+ @@ -30282,7 +25443,7 @@ with_items: '{{ _etc_ssh_sshd_config_d_has_parameter.files }}' when: _etc_ssh_sshd_config_d_has_parameter.matched - name: Insert correct line to /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf - lineinfile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf create: true regexp: (?i)(?i)^\s*{{ "MaxSessions"| regex_escape }}\s+ 
@@ -30313,6 +25474,7 @@ ansible.builtin.file: path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf mode: '0600' + state: touch when: - low_complexity | bool - low_disruption | bool @@ -30332,41 +25494,20 @@ - restrict_strategy - sshd_set_max_sessions -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-87872-8 - - PCI-DSSv4-2.2 - - PCI-DSSv4-2.2.6 - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - - sshd_set_maxstartups - when: - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - sshd_set_maxstartups | bool - - name: Ensure SSH MaxStartups is configured block: - name: Deduplicate values from /etc/ssh/sshd_config - lineinfile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config create: false regexp: (?i)(?i)^\s*{{ "MaxStartups"| regex_escape }}\s+ state: absent - name: Check if /etc/ssh/sshd_config.d exists - stat: + ansible.builtin.stat: path: /etc/ssh/sshd_config.d register: _etc_ssh_sshd_config_d_exists - name: Check if the parameter MaxStartups is present in /etc/ssh/sshd_config.d - find: + ansible.builtin.find: paths: /etc/ssh/sshd_config.d recurse: 'yes' follow: 'no' @@ -30374,7 +25515,7 @@ register: _etc_ssh_sshd_config_d_has_parameter when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir - name: Remove parameter from files in /etc/ssh/sshd_config.d - lineinfile: + ansible.builtin.lineinfile: path: '{{ item.path }}' create: false regexp: (?i)(?i)^\s*{{ "MaxStartups"| regex_escape }}\s+ 
@@ -30382,7 +25523,7 @@ with_items: '{{ _etc_ssh_sshd_config_d_has_parameter.files }}' when: _etc_ssh_sshd_config_d_has_parameter.matched - name: Insert correct line to /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf - lineinfile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf create: true regexp: (?i)(?i)^\s*{{ "MaxStartups"| regex_escape }}\s+ @@ -30413,6 +25554,7 @@ ansible.builtin.file: path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf mode: '0600' + state: touch when: - low_complexity | bool - low_disruption | bool 
@@ -30432,51 +25574,39 @@ - restrict_strategy - sshd_set_maxstartups -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-86768-9 - - PCI-DSS-Req-2.3 - - PCI-DSSv4-2.2 - - PCI-DSSv4-2.2.7 - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - - sshd_use_strong_kex - when: - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - sshd_use_strong_kex | bool - - name: Use Only Strong Key Exchange algorithms block: - - name: Check for duplicate values - lineinfile: - path: /etc/ssh/sshd_config - create: true - regexp: (?i)(?i)^\s*KexAlgorithms\s+ - state: absent - check_mode: true - changed_when: false - register: dupes - name: Deduplicate values from /etc/ssh/sshd_config - lineinfile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config - create: true - regexp: (?i)(?i)^\s*KexAlgorithms\s+ + create: false + regexp: (?i)(?i)^\s*{{ "KexAlgorithms"| regex_escape }}\s+ state: absent - when: dupes.found is defined and dupes.found > 1 - - name: Insert correct line to /etc/ssh/sshd_config - lineinfile: - path: /etc/ssh/sshd_config + - name: Check if /etc/ssh/sshd_config.d exists + ansible.builtin.stat: + path: /etc/ssh/sshd_config.d + register: _etc_ssh_sshd_config_d_exists + - name: Check if the parameter KexAlgorithms is present in /etc/ssh/sshd_config.d + ansible.builtin.find: + paths: /etc/ssh/sshd_config.d + recurse: 'yes' + follow: 'no' + contains: (?i)^\s*{{ "KexAlgorithms"| regex_escape }}\s+ + register: _etc_ssh_sshd_config_d_has_parameter + when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir + - name: Remove parameter from files in /etc/ssh/sshd_config.d + ansible.builtin.lineinfile: + path: '{{ item.path }}' + create: false + regexp: (?i)(?i)^\s*{{ "KexAlgorithms"| regex_escape }}\s+ + state: absent + with_items: '{{ 
_etc_ssh_sshd_config_d_has_parameter.files }}' + when: _etc_ssh_sshd_config_d_has_parameter.matched + - name: Insert correct line to /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf create: true - regexp: (?i)(?i)^\s*KexAlgorithms\s+ + regexp: (?i)(?i)^\s*{{ "KexAlgorithms"| regex_escape }}\s+ line: KexAlgorithms {{ sshd_strong_kex }} state: present insertbefore: BOF 
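Review bot: The rewritten block strips `KexAlgorithms` from `/etc/ssh/sshd_config` and writes it only to `/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf`, but nothing checks that `sshd_config` still carries `Include /etc/ssh/sshd_config.d/*.conf` ahead of any other `KexAlgorithms` line; sshd keeps the first value it reads, so on a host where that Include was removed or moved the hardened list silently stops applying and sshd falls back to its default key-exchange set. A check-mode `lineinfile` registering whether the Include is present (the `found` pattern the old `dupes` task used) followed by an `ansible.builtin.assert` would fail the run instead of hiding the regression. The MACs block in the `-30501` hunk has the same gap. The doubled `(?i)(?i)` prefix in the new `regexp` lines is harmless but looks like a template artefact; one `(?i)` suffices. The block's `when` and `tags` lie outside the hunk.
```yaml
  - name: Check that sshd_config includes the drop-in directory
    ansible.builtin.lineinfile:
      path: /etc/ssh/sshd_config
      regexp: '^\s*Include\s+/etc/ssh/sshd_config\.d/\*\.conf'
      state: absent
    check_mode: true
    changed_when: false
    register: _sshd_config_has_include
  - name: Fail if the drop-in directory is not included
    ansible.builtin.assert:
      that: _sshd_config_has_include.found | default(0) > 0
      fail_msg: '/etc/ssh/sshd_config does not include /etc/ssh/sshd_config.d/*.conf; KexAlgorithms in the drop-in would not take effect'
  # … unchanged: Deduplicate / stat / find / remove / insert tasks …
```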
@@ -30501,49 +25631,64 @@ - restrict_strategy - sshd_use_strong_kex -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-86769-7 - - NIST-800-53-AC-17 (2) - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - - sshd_use_strong_macs +- name: Use Only Strong Key Exchange algorithms - set file mode for /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf + ansible.builtin.file: + path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf + mode: '0600' + state: touch when: - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - sshd_use_strong_macs | bool + - sshd_use_strong_kex | bool + - '"kernel" in ansible_facts.packages' + tags: + - CCE-86768-9 + - PCI-DSS-Req-2.3 + - PCI-DSSv4-2.2 + - PCI-DSSv4-2.2.7 + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - sshd_use_strong_kex - name: Use Only Strong MACs block: - - name: Check for duplicate values - lineinfile: - path: /etc/ssh/sshd_config - create: true - regexp: (?i)(?i)^\s*MACs\s+ - state: absent - check_mode: true - changed_when: false - register: dupes - name: Deduplicate values from /etc/ssh/sshd_config - lineinfile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config - create: true - regexp: (?i)(?i)^\s*MACs\s+ + create: false + regexp: (?i)(?i)^\s*{{ "MACs"| regex_escape }}\s+ state: absent - when: dupes.found is defined and dupes.found > 1 - - name: Insert correct line to /etc/ssh/sshd_config - lineinfile: - path: /etc/ssh/sshd_config + - name: Check if /etc/ssh/sshd_config.d exists + ansible.builtin.stat: + path: /etc/ssh/sshd_config.d + register: _etc_ssh_sshd_config_d_exists + - name: Check if the parameter MACs is present in /etc/ssh/sshd_config.d + ansible.builtin.find: + paths: /etc/ssh/sshd_config.d + recurse: 'yes' + follow: 'no' + contains: (?i)^\s*{{ "MACs"| regex_escape }}\s+ + 
register: _etc_ssh_sshd_config_d_has_parameter + when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir + - name: Remove parameter from files in /etc/ssh/sshd_config.d + ansible.builtin.lineinfile: + path: '{{ item.path }}' + create: false + regexp: (?i)(?i)^\s*{{ "MACs"| regex_escape }}\s+ + state: absent + with_items: '{{ _etc_ssh_sshd_config_d_has_parameter.files }}' + when: _etc_ssh_sshd_config_d_has_parameter.matched + - name: Insert correct line to /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf create: true - regexp: (?i)(?i)^\s*MACs\s+ + regexp: (?i)(?i)^\s*{{ "MACs"| regex_escape }}\s+ line: MACs {{ sshd_strong_macs }} state: present insertbefore: BOF 
@@ -30566,55 +25711,31 @@ - restrict_strategy - sshd_use_strong_macs -- name: 'Remove the X Windows Package Group: Ensure xorg-x11-server-common is removed' - ansible.builtin.package: - name: xorg-x11-server-common - state: absent - tags: - - CCE-84104-9 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - disable_strategy - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - package_xorg-x11-server-common_removed +- name: Use Only Strong MACs - set file mode for /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf + ansible.builtin.file: + path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf + mode: '0600' + state: touch when: - - disable_strategy | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - package_xorg_x11_server_common_removed | bool - -- name: Gather the package facts - package_facts: - manager: auto + - restrict_strategy | bool + - sshd_use_strong_macs | bool + - '"kernel" in ansible_facts.packages' tags: - - CCE-84105-6 - - DISA-STIG-RHEL-09-211030 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) + - CCE-86769-7 + - NIST-800-53-AC-17 (2) - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy - - xwindows_runlevel_target - when: - - DISA_STIG_RHEL_09_211030 | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - - restrict_strategy | bool - - xwindows_runlevel_target | bool + - sshd_use_strong_macs - name: Switch to multi-user runlevel - file: + ansible.builtin.file: src: /usr/lib/systemd/system/multi-user.target dest: /etc/systemd/system/default.target state: link 
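Review bot: The hardening task that removes `xorg-x11-server-common` (`package_xorg_x11_server_common_removed`, CCE-84104-9) disappears in this hunk with no replacement in view, and the `-30641` hunk likewise drops `Ensure audit-libs is installed`, `Ensure audit is installed` and `Enable auditd Service` (DISA-STIG-RHEL-09-653010/653015). Presumably these were relocated when the role was regenerated, but that is not visible here; if they were not, the role silently loses the X server removal and the whole auditd remediation while the tags still advertise those controls. Worth confirming before merge that the new side of the file still defines tasks for `package_xorg_x11_server_common_removed` and `service_auditd_enabled`.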
@@ -30641,245 +25762,8 @@ - restrict_strategy - xwindows_runlevel_target -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-86772-1 - - NIST-800-53-AC-7(a) - - NIST-800-53-AU-12(2) - - NIST-800-53-AU-14 - - NIST-800-53-AU-2(a) - - NIST-800-53-AU-7(1) - - NIST-800-53-AU-7(2) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.1 - - enable_strategy - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - package_audit-libs_installed - when: - - enable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - package_audit_libs_installed | bool - -- name: Ensure audit-libs is installed - package: - name: audit-libs - state: present - when: - - enable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - package_audit_libs_installed | bool - - '"kernel" in ansible_facts.packages' - tags: - - CCE-86772-1 - - NIST-800-53-AC-7(a) - - NIST-800-53-AU-12(2) - - NIST-800-53-AU-14 - - NIST-800-53-AU-2(a) - - NIST-800-53-AU-7(1) - - NIST-800-53-AU-7(2) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.1 - - enable_strategy - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - package_audit-libs_installed - -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83649-4 - - DISA-STIG-RHEL-09-653010 - - NIST-800-53-AC-7(a) - - NIST-800-53-AU-12(2) - - NIST-800-53-AU-14 - - NIST-800-53-AU-2(a) - - NIST-800-53-AU-7(1) - - NIST-800-53-AU-7(2) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.1 - - PCI-DSSv4-10.2 - - PCI-DSSv4-10.2.1 - - enable_strategy - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - package_audit_installed - when: - - DISA_STIG_RHEL_09_653010 | bool - - enable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - 
package_audit_installed | bool - -- name: Ensure audit is installed - package: - name: audit - state: present - when: - - DISA_STIG_RHEL_09_653010 | bool - - enable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - package_audit_installed | bool - - '"kernel" in ansible_facts.packages' - tags: - - CCE-83649-4 - - DISA-STIG-RHEL-09-653010 - - NIST-800-53-AC-7(a) - - NIST-800-53-AU-12(2) - - NIST-800-53-AU-14 - - NIST-800-53-AU-2(a) - - NIST-800-53-AU-7(1) - - NIST-800-53-AU-7(2) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.1 - - PCI-DSSv4-10.2 - - PCI-DSSv4-10.2.1 - - enable_strategy - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - package_audit_installed - -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-90829-3 - - CJIS-5.4.1.1 - - DISA-STIG-RHEL-09-653015 - - NIST-800-171-3.3.1 - - NIST-800-171-3.3.2 - - NIST-800-171-3.3.6 - - NIST-800-53-AC-2(g) - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-10 - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-14(1) - - NIST-800-53-AU-2(d) - - NIST-800-53-AU-3 - - NIST-800-53-CM-6(a) - - NIST-800-53-SI-4(23) - - PCI-DSS-Req-10.1 - - PCI-DSSv4-10.2 - - PCI-DSSv4-10.2.1 - - enable_strategy - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - service_auditd_enabled - when: - - DISA_STIG_RHEL_09_653015 | bool - - enable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - service_auditd_enabled | bool - -- name: Enable auditd Service - Enable service auditd - block: - - name: Gather the package facts - package_facts: - manager: auto - - name: Enable auditd Service - Enable Service auditd - ansible.builtin.systemd: - name: auditd - enabled: true - state: started - masked: false - when: - - '"audit" in ansible_facts.packages' - when: - - DISA_STIG_RHEL_09_653015 | bool - - enable_strategy | bool - - 
low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - service_auditd_enabled | bool - - '"kernel" in ansible_facts.packages' - - '"audit" in ansible_facts.packages' - tags: - - CCE-90829-3 - - CJIS-5.4.1.1 - - DISA-STIG-RHEL-09-653015 - - NIST-800-171-3.3.1 - - NIST-800-171-3.3.2 - - NIST-800-171-3.3.6 - - NIST-800-53-AC-2(g) - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-10 - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-14(1) - - NIST-800-53-AU-2(d) - - NIST-800-53-AU-3 - - NIST-800-53-CM-6(a) - - NIST-800-53-SI-4(23) - - PCI-DSS-Req-10.1 - - PCI-DSSv4-10.2 - - PCI-DSSv4-10.2.1 - - enable_strategy - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - service_auditd_enabled - -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83651-0 - - CJIS-5.4.1.1 - - DISA-STIG-RHEL-09-212055 - - NIST-800-171-3.3.1 - - NIST-800-53-AC-17(1) - - NIST-800-53-AU-10 - - NIST-800-53-AU-14(1) - - NIST-800-53-CM-6(a) - - NIST-800-53-IR-5(1) - - PCI-DSS-Req-10.3 - - PCI-DSSv4-10.7 - - PCI-DSSv4-10.7.2 - - grub2_audit_argument - - low_disruption - - low_severity - - medium_complexity - - reboot_required - - restrict_strategy - when: - - DISA_STIG_RHEL_09_212055 | bool - - grub2_audit_argument | bool - - low_disruption | bool - - low_severity | bool - - medium_complexity | bool - - reboot_required | bool - - restrict_strategy | bool - - name: Update grub defaults and the bootloader menu - command: /sbin/grubby --update-kernel=ALL --args="audit=1" + ansible.builtin.command: /sbin/grubby --update-kernel=ALL --args="audit=1" when: - DISA_STIG_RHEL_09_212055 | bool - grub2_audit_argument | bool 
@@ -30910,32 +25794,8 @@ - reboot_required - restrict_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83652-8 - - DISA-STIG-RHEL-09-653120 - - NIST-800-53-CM-6(a) - - PCI-DSSv4-10.7 - - PCI-DSSv4-10.7.2 - - grub2_audit_backlog_limit_argument - - low_disruption - - low_severity - - medium_complexity - - reboot_required - - restrict_strategy - when: - - DISA_STIG_RHEL_09_653120 | bool - - grub2_audit_backlog_limit_argument | bool - - low_disruption | bool - - low_severity | bool - - medium_complexity | bool - - reboot_required | bool - - restrict_strategy | bool - - name: Update grub defaults and the bootloader menu - command: /sbin/grubby --update-kernel=ALL --args="audit_backlog_limit=8192" + ansible.builtin.command: /sbin/grubby --update-kernel=ALL --args="audit_backlog_limit=8192" when: - DISA_STIG_RHEL_09_653120 | bool - grub2_audit_backlog_limit_argument | bool @@ -30959,37 +25819,8 @@ - reboot_required - restrict_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83716-1 - - CJIS-5.4.1.1 - - DISA-STIG-RHEL-09-654275 - - NIST-800-171-3.3.1 - - NIST-800-171-3.4.3 - - NIST-800-53-AC-6(9) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.2 - - PCI-DSSv4-10.3 - - PCI-DSSv4-10.3.2 - - audit_rules_immutable - - low_complexity - - low_disruption - - medium_severity - - reboot_required - - restrict_strategy - when: - - DISA_STIG_RHEL_09_654275 | bool - - audit_rules_immutable | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - - restrict_strategy | bool - - name: Collect all files from /etc/audit/rules.d with .rules extension - find: + ansible.builtin.find: paths: /etc/audit/rules.d/ patterns: '*.rules' register: find_rules_d @@ -31022,7 +25853,7 @@ - restrict_strategy - name: Remove the -e option from all Audit config files - lineinfile: + ansible.builtin.lineinfile: path: '{{ item }}' regexp: ^\s*(?:-e)\s+.*$ state: absent 
@@ -31056,7 +25887,7 @@ - restrict_strategy - name: Add Audit -e option into /etc/audit/rules.d/immutable.rules and /etc/audit/audit.rules - lineinfile: + ansible.builtin.lineinfile: path: '{{ item }}' create: true line: -e 2 @@ -31092,36 +25923,9 @@ - reboot_required - restrict_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83721-1 - - CJIS-5.4.1.1 - - NIST-800-171-3.1.8 - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - PCI-DSSv4-10.3 - - PCI-DSSv4-10.3.4 - - audit_rules_mac_modification - - low_complexity - - low_disruption - - medium_severity - - reboot_required - - restrict_strategy - when: - - audit_rules_mac_modification | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - - restrict_strategy | bool - - name: Record Events that Modify the System's Mandatory Access Controls - Check if watch rule for /etc/selinux/ already exists in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: ^\s*-w\s+/etc/selinux/\s+-p\s+wa(\s|$)+ patterns: '*.rules' @@ -31154,7 +25958,7 @@ - name: Record Events that Modify the System's Mandatory Access Controls - Search /etc/audit/rules.d for other rules with specified key MAC-policy - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: ^.*(?:-F key=|-k\s+)MAC-policy$ patterns: '*.rules' @@ -31188,7 +25992,7 @@ - name: Record Events that Modify the System's Mandatory Access Controls - Use /etc/audit/rules.d/MAC-policy.rules as the recipient for the rule - set_fact: + ansible.builtin.set_fact: all_files: - /etc/audit/rules.d/MAC-policy.rules when: 
@@ -31220,7 +26024,7 @@ - restrict_strategy - name: Record Events that Modify the System's Mandatory Access Controls - Use matched file as the recipient for the rule - set_fact: + ansible.builtin.set_fact: all_files: - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' when: @@ -31252,7 +26056,7 @@ - restrict_strategy - name: Record Events that Modify the System's Mandatory Access Controls - Add watch rule for /etc/selinux/ in /etc/audit/rules.d/ - lineinfile: + ansible.builtin.lineinfile: path: '{{ all_files[0] }}' line: -w /etc/selinux/ -p wa -k MAC-policy create: true @@ -31286,7 +26090,7 @@ - name: Record Events that Modify the System's Mandatory Access Controls - Check if watch rule for /etc/selinux/ already exists in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit/ contains: ^\s*-w\s+/etc/selinux/\s+-p\s+wa(\s|$)+ patterns: audit.rules @@ -31318,7 +26122,7 @@ - restrict_strategy - name: Record Events that Modify the System's Mandatory Access Controls - Add watch rule for /etc/selinux/ in /etc/audit/audit.rules - lineinfile: + ansible.builtin.lineinfile: line: -w /etc/selinux/ -p wa -k MAC-policy state: present dest: /etc/audit/audit.rules 
@@ -31351,33 +26155,9 @@ - reboot_required - restrict_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-86343-1 - - NIST-800-171-3.1.8 - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_mac_modification_usr_share - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - when: - - audit_rules_mac_modification_usr_share | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - name: Record Events that Modify the System's Mandatory Access Controls in usr/share - Check if watch rule for /usr/share/selinux/ already exists in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: ^\s*-w\s+/usr/share/selinux/\s+-p\s+wa(\s|$)+ patterns: '*.rules' @@ -31407,7 +26187,7 @@ - name: Record Events that Modify the System's Mandatory Access Controls in usr/share - Search /etc/audit/rules.d for other rules with specified key MAC-policy - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: ^.*(?:-F key=|-k\s+)MAC-policy$ patterns: '*.rules' @@ -31438,7 +26218,7 @@ - name: Record Events that Modify the System's Mandatory Access Controls in usr/share - Use /etc/audit/rules.d/MAC-policy.rules as the recipient for the rule - set_fact: + ansible.builtin.set_fact: all_files: - /etc/audit/rules.d/MAC-policy.rules when: @@ -31468,7 +26248,7 @@ - name: Record Events that Modify the System's Mandatory Access Controls in usr/share - Use matched file as the recipient for the rule - set_fact: + ansible.builtin.set_fact: all_files: - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' when: 
@@ -31498,7 +26278,7 @@ - name: Record Events that Modify the System's Mandatory Access Controls in usr/share - Add watch rule for /usr/share/selinux/ in /etc/audit/rules.d/ - lineinfile: + ansible.builtin.lineinfile: path: '{{ all_files[0] }}' line: -w /usr/share/selinux/ -p wa -k MAC-policy create: true @@ -31529,7 +26309,7 @@ - name: Record Events that Modify the System's Mandatory Access Controls in usr/share - Check if watch rule for /usr/share/selinux/ already exists in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit/ contains: ^\s*-w\s+/usr/share/selinux/\s+-p\s+wa(\s|$)+ patterns: audit.rules @@ -31559,7 +26339,7 @@ - name: Record Events that Modify the System's Mandatory Access Controls in usr/share - Add watch rule for /usr/share/selinux/ in /etc/audit/audit.rules - lineinfile: + ansible.builtin.lineinfile: line: -w /usr/share/selinux/ -p wa -k MAC-policy state: present dest: /etc/audit/audit.rules @@ -31589,37 +26369,8 @@ - no_reboot_needed - restrict_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83735-1 - - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.7 - - PCI-DSSv4-10.2 - - PCI-DSSv4-10.2.1 - - PCI-DSSv4-10.2.1.7 - - audit_rules_media_export - - low_complexity - - low_disruption - - medium_severity - - reboot_required - - restrict_strategy - when: - - audit_rules_media_export | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - - restrict_strategy | bool - - name: Set architecture for audit mount tasks - set_fact: + ansible.builtin.set_fact: audit_arch: b64 when: - audit_rules_media_export | bool 
@@ -31654,42 +26405,44 @@ - name: Perform remediation of Audit rules for mount for 32bit platform block: - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - mount syscall_grouping: [] - name: Check existence of mount in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file - set_fact: + ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') + | list }}" - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | 
dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/export.rules - set_fact: audit_file="/etc/audit/rules.d/export.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/export.rules" when: found_paths | length == 0 - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -31699,7 +26452,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=export create: true 
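Review bot: The reflowed free-form `set_fact` lines on the new side, e.g. `ansible.builtin.set_fact: found_paths="{{ ... | map(attribute='path')` continued on the next line by `| list }}"`, are now multi-line plain scalars; YAML folds the break into a space so the expression still evaluates, but a key=value string that wraps in the middle of a Jinja expression is easy to break on the next regeneration and opaque to linters. The mapping form keeps each expression on one quoted line: `ansible.builtin.set_fact:` / `  found_paths: "{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}"`. The same reflow appears in the `-31707` and `-31773` hunks. The enclosing block's `when` and `tags` are outside the hunk.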
@@ -31707,25 +26460,26 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - mount syscall_grouping: [] - name: Check existence of mount in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -31735,7 +26489,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=export create: true 
@@ -31773,42 +26527,44 @@ - name: Perform remediation of Audit rules for mount for 64bit platform block: - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - mount syscall_grouping: [] - name: Check existence of mount in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file - set_fact: + ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') + | list }}" - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | 
dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/export.rules - set_fact: audit_file="/etc/audit/rules.d/export.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/export.rules" when: found_paths | length == 0 - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -31818,7 +26574,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=export create: true 
@@ -31826,25 +26582,26 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - mount syscall_grouping: [] - name: Check existence of mount in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -31854,7 +26611,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=export create: true 
@@ -31890,36 +26647,8 @@ - reboot_required - restrict_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83706-2 - - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - PCI-DSSv4-10.3 - - PCI-DSSv4-10.3.4 - - audit_rules_networkconfig_modification - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - when: - - audit_rules_networkconfig_modification | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - name: Set architecture for audit tasks - set_fact: + ansible.builtin.set_fact: audit_arch: b64 when: - audit_rules_networkconfig_modification | bool @@ -31953,7 +26682,7 @@ - name: Remediate audit rules for network configuration for 32bit platform block: - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - sethostname - setdomainname 
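Review bot: Deleting the per-rule `Gather the package facts` task at the top of this hunk is not documented anywhere in the remaining section, so a reader no longer sees where `ansible_facts.packages` comes from; the only condition visible here, `audit_rules_networkconfig_modification | bool`, does not use package facts, so the deletion looks safe for this section, but presumably the rest of the file now relies on a single consolidated `ansible.builtin.package_facts` task elsewhere. If that consolidated task is tagged `always`, it is still bypassed by `--skip-tags always`, and any task whose `when` tests `ansible_facts.packages` would then fail on an undefined variable instead of being skipped. Consider adding a comment next to the consolidated task such as `# package facts are gathered once here; later tasks that test ansible_facts.packages depend on this task not being skipped`, and guarding such conditions with `ansible_facts.packages is defined`. The same per-rule `Gather the package facts` deletion appears in the hunks at L268, L270, L272 and L273, and the task list edited here continues past the end of this hunk.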
@@ -31961,37 +26690,39 @@ - sethostname - setdomainname - name: Check existence of sethostname, setdomainname in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file - set_fact: + ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') + | list }}" - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to 
/etc/audit/rules.d/audit_rules_networkconfig_modification.rules - set_fact: audit_file="/etc/audit/rules.d/audit_rules_networkconfig_modification.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/audit_rules_networkconfig_modification.rules" when: found_paths | length == 0 - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+) @@ -32001,7 +26732,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=audit_rules_networkconfig_modification create: true @@ -32009,7 +26740,7 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - sethostname - setdomainname 
@@ -32017,20 +26748,21 @@ - sethostname - setdomainname - name: Check existence of sethostname, setdomainname in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+) @@ -32040,7 +26772,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=audit_rules_networkconfig_modification create: true @@ -32077,7 +26809,7 @@ - name: Remediate audit rules for network configuration for 64bit platform block: - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - sethostname - setdomainname 
@@ -32085,37 +26817,39 @@ - sethostname - setdomainname - name: Check existence of sethostname, setdomainname in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file - set_fact: + ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') + | list }}" - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to 
/etc/audit/rules.d/audit_rules_networkconfig_modification.rules - set_fact: audit_file="/etc/audit/rules.d/audit_rules_networkconfig_modification.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/audit_rules_networkconfig_modification.rules" when: found_paths | length == 0 - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+) @@ -32125,7 +26859,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F key=audit_rules_networkconfig_modification create: true @@ -32133,7 +26867,7 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - sethostname - setdomainname 
@@ -32141,20 +26875,21 @@ - sethostname - setdomainname - name: Check existence of sethostname, setdomainname in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+) @@ -32164,7 +26899,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F key=audit_rules_networkconfig_modification create: true @@ -32201,7 +26936,7 @@ - name: Record Events that Modify the System's Network Environment - Check if watch rule for /etc/issue already exists in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: ^\s*-w\s+/etc/issue\s+-p\s+wa(\s|$)+ patterns: '*.rules' 
@@ -32235,7 +26970,7 @@ - name: Record Events that Modify the System's Network Environment - Search /etc/audit/rules.d for other rules with specified key audit_rules_networkconfig_modification - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: ^.*(?:-F key=|-k\s+)audit_rules_networkconfig_modification$ patterns: '*.rules' @@ -32270,7 +27005,7 @@ - name: Record Events that Modify the System's Network Environment - Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules as the recipient for the rule - set_fact: + ansible.builtin.set_fact: all_files: - /etc/audit/rules.d/audit_rules_networkconfig_modification.rules when: @@ -32303,7 +27038,7 @@ - restrict_strategy - name: Record Events that Modify the System's Network Environment - Use matched file as the recipient for the rule - set_fact: + ansible.builtin.set_fact: all_files: - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' when: @@ -32336,7 +27071,7 @@ - restrict_strategy - name: Record Events that Modify the System's Network Environment - Add watch rule for /etc/issue in /etc/audit/rules.d/ - lineinfile: + ansible.builtin.lineinfile: path: '{{ all_files[0] }}' line: -w /etc/issue -p wa -k audit_rules_networkconfig_modification create: true @@ -32371,7 +27106,7 @@ - name: Record Events that Modify the System's Network Environment - Check if watch rule for /etc/issue already exists in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit/ contains: ^\s*-w\s+/etc/issue\s+-p\s+wa(\s|$)+ patterns: audit.rules @@ -32404,7 +27139,7 @@ - restrict_strategy - name: Record Events that Modify the System's Network Environment - Add watch rule for /etc/issue in /etc/audit/audit.rules - lineinfile: + ansible.builtin.lineinfile: line: -w /etc/issue -p wa -k audit_rules_networkconfig_modification state: present dest: /etc/audit/audit.rules 
@@ -32440,7 +27175,7 @@ - name: Record Events that Modify the System's Network Environment - Check if watch rule for /etc/issue.net already exists in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: ^\s*-w\s+/etc/issue.net\s+-p\s+wa(\s|$)+ patterns: '*.rules' @@ -32474,7 +27209,7 @@ - name: Record Events that Modify the System's Network Environment - Search /etc/audit/rules.d for other rules with specified key audit_rules_networkconfig_modification - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: ^.*(?:-F key=|-k\s+)audit_rules_networkconfig_modification$ patterns: '*.rules' @@ -32509,7 +27244,7 @@ - name: Record Events that Modify the System's Network Environment - Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules as the recipient for the rule - set_fact: + ansible.builtin.set_fact: all_files: - /etc/audit/rules.d/audit_rules_networkconfig_modification.rules when: @@ -32542,7 +27277,7 @@ - restrict_strategy - name: Record Events that Modify the System's Network Environment - Use matched file as the recipient for the rule - set_fact: + ansible.builtin.set_fact: all_files: - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' when: @@ -32575,7 +27310,7 @@ - restrict_strategy - name: Record Events that Modify the System's Network Environment - Add watch rule for /etc/issue.net in /etc/audit/rules.d/ - lineinfile: + ansible.builtin.lineinfile: path: '{{ all_files[0] }}' line: -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification create: true @@ -32610,7 +27345,7 @@ - name: Record Events that Modify the System's Network Environment - Check if watch rule for /etc/issue.net already exists in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit/ contains: ^\s*-w\s+/etc/issue.net\s+-p\s+wa(\s|$)+ patterns: audit.rules 
@@ -32643,7 +27378,7 @@ - restrict_strategy - name: Record Events that Modify the System's Network Environment - Add watch rule for /etc/issue.net in /etc/audit/audit.rules - lineinfile: + ansible.builtin.lineinfile: line: -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification state: present dest: /etc/audit/audit.rules @@ -32679,7 +27414,7 @@ - name: Record Events that Modify the System's Network Environment - Check if watch rule for /etc/hosts already exists in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: ^\s*-w\s+/etc/hosts\s+-p\s+wa(\s|$)+ patterns: '*.rules' @@ -32713,7 +27448,7 @@ - name: Record Events that Modify the System's Network Environment - Search /etc/audit/rules.d for other rules with specified key audit_rules_networkconfig_modification - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: ^.*(?:-F key=|-k\s+)audit_rules_networkconfig_modification$ patterns: '*.rules' @@ -32748,7 +27483,7 @@ - name: Record Events that Modify the System's Network Environment - Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules as the recipient for the rule - set_fact: + ansible.builtin.set_fact: all_files: - /etc/audit/rules.d/audit_rules_networkconfig_modification.rules when: @@ -32781,7 +27516,7 @@ - restrict_strategy - name: Record Events that Modify the System's Network Environment - Use matched file as the recipient for the rule - set_fact: + ansible.builtin.set_fact: all_files: - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' when: @@ -32814,7 +27549,7 @@ - restrict_strategy - name: Record Events that Modify the System's Network Environment - Add watch rule for /etc/hosts in /etc/audit/rules.d/ - lineinfile: + ansible.builtin.lineinfile: path: '{{ all_files[0] }}' line: -w /etc/hosts -p wa -k audit_rules_networkconfig_modification create: true 
@@ -32849,7 +27584,7 @@ - name: Record Events that Modify the System's Network Environment - Check if watch rule for /etc/hosts already exists in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit/ contains: ^\s*-w\s+/etc/hosts\s+-p\s+wa(\s|$)+ patterns: audit.rules @@ -32882,7 +27617,7 @@ - restrict_strategy - name: Record Events that Modify the System's Network Environment - Add watch rule for /etc/hosts in /etc/audit/audit.rules - lineinfile: + ansible.builtin.lineinfile: line: -w /etc/hosts -p wa -k audit_rules_networkconfig_modification state: present dest: /etc/audit/audit.rules @@ -32918,7 +27653,7 @@ - name: Record Events that Modify the System's Network Environment - Check if watch rule for /etc/sysconfig/network already exists in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: ^\s*-w\s+/etc/sysconfig/network\s+-p\s+wa(\s|$)+ patterns: '*.rules' @@ -32952,7 +27687,7 @@ - name: Record Events that Modify the System's Network Environment - Search /etc/audit/rules.d for other rules with specified key audit_rules_networkconfig_modification - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: ^.*(?:-F key=|-k\s+)audit_rules_networkconfig_modification$ patterns: '*.rules' @@ -32987,7 +27722,7 @@ - name: Record Events that Modify the System's Network Environment - Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules as the recipient for the rule - set_fact: + ansible.builtin.set_fact: all_files: - /etc/audit/rules.d/audit_rules_networkconfig_modification.rules when: @@ -33020,7 +27755,7 @@ - restrict_strategy - name: Record Events that Modify the System's Network Environment - Use matched file as the recipient for the rule - set_fact: + ansible.builtin.set_fact: all_files: - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' when: 
@@ -33053,7 +27788,7 @@ - restrict_strategy - name: Record Events that Modify the System's Network Environment - Add watch rule for /etc/sysconfig/network in /etc/audit/rules.d/ - lineinfile: + ansible.builtin.lineinfile: path: '{{ all_files[0] }}' line: -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification create: true @@ -33088,7 +27823,7 @@ - name: Record Events that Modify the System's Network Environment - Check if watch rule for /etc/sysconfig/network already exists in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit/ contains: ^\s*-w\s+/etc/sysconfig/network\s+-p\s+wa(\s|$)+ patterns: audit.rules @@ -33121,7 +27856,7 @@ - restrict_strategy - name: Record Events that Modify the System's Network Environment - Add watch rule for /etc/sysconfig/network in /etc/audit/audit.rules - lineinfile: + ansible.builtin.lineinfile: line: -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification state: present dest: /etc/audit/audit.rules @@ -33155,28 +27890,9 @@ - no_reboot_needed - restrict_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-86940-4 - - audit_rules_networkconfig_modification_network_scripts - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - when: - - audit_rules_networkconfig_modification_network_scripts | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - name: Record Events that Modify the System's Network Environment - Check if watch rule for /etc/sysconfig/network-scripts already exists in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: ^\s*-w\s+/etc/sysconfig/network-scripts\s+-p\s+wa(\s|$)+ patterns: '*.rules' 
@@ -33201,7 +27917,7 @@ - name: Record Events that Modify the System's Network Environment - Search /etc/audit/rules.d for other rules with specified key audit_rules_networkconfig_modification_network_scripts - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: ^.*(?:-F key=|-k\s+)audit_rules_networkconfig_modification_network_scripts$ patterns: '*.rules' @@ -33227,7 +27943,7 @@ - name: Record Events that Modify the System's Network Environment - Use /etc/audit/rules.d/audit_rules_networkconfig_modification_network_scripts.rules as the recipient for the rule - set_fact: + ansible.builtin.set_fact: all_files: - /etc/audit/rules.d/audit_rules_networkconfig_modification_network_scripts.rules when: @@ -33251,7 +27967,7 @@ - restrict_strategy - name: Record Events that Modify the System's Network Environment - Use matched file as the recipient for the rule - set_fact: + ansible.builtin.set_fact: all_files: - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' when: @@ -33276,7 +27992,7 @@ - name: Record Events that Modify the System's Network Environment - Add watch rule for /etc/sysconfig/network-scripts in /etc/audit/rules.d/ - lineinfile: + ansible.builtin.lineinfile: path: '{{ all_files[0] }}' line: -w /etc/sysconfig/network-scripts -p wa -k audit_rules_networkconfig_modification_network_scripts create: true @@ -33302,7 +28018,7 @@ - name: Record Events that Modify the System's Network Environment - Check if watch rule for /etc/sysconfig/network-scripts already exists in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit/ contains: ^\s*-w\s+/etc/sysconfig/network-scripts\s+-p\s+wa(\s|$)+ patterns: audit.rules 
@@ -33327,7 +28043,7 @@ - name: Record Events that Modify the System's Network Environment - Add watch rule for /etc/sysconfig/network-scripts in /etc/audit/audit.rules - lineinfile: + ansible.builtin.lineinfile: line: -w /etc/sysconfig/network-scripts -p wa -k audit_rules_networkconfig_modification_network_scripts state: present dest: /etc/audit/audit.rules @@ -33352,33 +28068,9 @@ - no_reboot_needed - restrict_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-86198-9 - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-12.1(iv) - - PCI-DSSv4-10.2 - - PCI-DSSv4-10.2.1 - - PCI-DSSv4-10.2.1.3 - - audit_rules_session_events_btmp - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - when: - - audit_rules_session_events_btmp | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - name: Record Attempts to Alter Process and Session Initiation Information btmp - Check if watch rule for /var/log/btmp already exists in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: ^\s*-w\s+/var/log/btmp\s+-p\s+wa(\s|$)+ patterns: '*.rules' @@ -33408,7 +28100,7 @@ - name: Record Attempts to Alter Process and Session Initiation Information btmp - Search /etc/audit/rules.d for other rules with specified key session - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: ^.*(?:-F key=|-k\s+)session$ patterns: '*.rules' @@ -33439,7 +28131,7 @@ - name: Record Attempts to Alter Process and Session Initiation Information btmp - Use /etc/audit/rules.d/session.rules as the recipient for the rule - set_fact: + ansible.builtin.set_fact: all_files: - /etc/audit/rules.d/session.rules when: 
@@ -33469,7 +28161,7 @@ - name: Record Attempts to Alter Process and Session Initiation Information btmp - Use matched file as the recipient for the rule - set_fact: + ansible.builtin.set_fact: all_files: - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' when: @@ -33498,7 +28190,7 @@ - restrict_strategy - name: Record Attempts to Alter Process and Session Initiation Information btmp - Add watch rule for /var/log/btmp in /etc/audit/rules.d/ - lineinfile: + ansible.builtin.lineinfile: path: '{{ all_files[0] }}' line: -w /var/log/btmp -p wa -k session create: true @@ -33529,7 +28221,7 @@ - name: Record Attempts to Alter Process and Session Initiation Information btmp - Check if watch rule for /var/log/btmp already exists in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit/ contains: ^\s*-w\s+/var/log/btmp\s+-p\s+wa(\s|$)+ patterns: audit.rules @@ -33558,7 +28250,7 @@ - restrict_strategy - name: Record Attempts to Alter Process and Session Initiation Information btmp - Add watch rule for /var/log/btmp in /etc/audit/audit.rules - lineinfile: + ansible.builtin.lineinfile: line: -w /var/log/btmp -p wa -k session state: present dest: /etc/audit/audit.rules 
@@ -33588,33 +28280,9 @@ - no_reboot_needed - restrict_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-86202-9 - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-12.1(iv) - - PCI-DSSv4-10.2 - - PCI-DSSv4-10.2.1 - - PCI-DSSv4-10.2.1.3 - - audit_rules_session_events_utmp - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - when: - - audit_rules_session_events_utmp | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - name: Record Attempts to Alter Process and Session Initiation Information utmp - Check if watch rule for /var/run/utmp already exists in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: ^\s*-w\s+/var/run/utmp\s+-p\s+wa(\s|$)+ patterns: '*.rules' @@ -33644,7 +28312,7 @@ - name: Record Attempts to Alter Process and Session Initiation Information utmp - Search /etc/audit/rules.d for other rules with specified key session - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: ^.*(?:-F key=|-k\s+)session$ patterns: '*.rules' @@ -33675,7 +28343,7 @@ - name: Record Attempts to Alter Process and Session Initiation Information utmp - Use /etc/audit/rules.d/session.rules as the recipient for the rule - set_fact: + ansible.builtin.set_fact: all_files: - /etc/audit/rules.d/session.rules when: @@ -33705,7 +28373,7 @@ - name: Record Attempts to Alter Process and Session Initiation Information utmp - Use matched file as the recipient for the rule - set_fact: + ansible.builtin.set_fact: all_files: - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' when: 
@@ -33734,7 +28402,7 @@ - restrict_strategy - name: Record Attempts to Alter Process and Session Initiation Information utmp - Add watch rule for /var/run/utmp in /etc/audit/rules.d/ - lineinfile: + ansible.builtin.lineinfile: path: '{{ all_files[0] }}' line: -w /var/run/utmp -p wa -k session create: true @@ -33765,7 +28433,7 @@ - name: Record Attempts to Alter Process and Session Initiation Information utmp - Check if watch rule for /var/run/utmp already exists in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit/ contains: ^\s*-w\s+/var/run/utmp\s+-p\s+wa(\s|$)+ patterns: audit.rules @@ -33794,7 +28462,7 @@ - restrict_strategy - name: Record Attempts to Alter Process and Session Initiation Information utmp - Add watch rule for /var/run/utmp in /etc/audit/audit.rules - lineinfile: + ansible.builtin.lineinfile: line: -w /var/run/utmp -p wa -k session state: present dest: /etc/audit/audit.rules @@ -33824,33 +28492,9 @@ - no_reboot_needed - restrict_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-86203-7 - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-12.1(iv) - - PCI-DSSv4-10.2 - - PCI-DSSv4-10.2.1 - - PCI-DSSv4-10.2.1.3 - - audit_rules_session_events_wtmp - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - when: - - audit_rules_session_events_wtmp | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - name: Record Attempts to Alter Process and Session Initiation Information wtmp - Check if watch rule for /var/log/wtmp already exists in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: ^\s*-w\s+/var/log/wtmp\s+-p\s+wa(\s|$)+ patterns: '*.rules' 
@@ -33880,7 +28524,7 @@ - name: Record Attempts to Alter Process and Session Initiation Information wtmp - Search /etc/audit/rules.d for other rules with specified key session - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: ^.*(?:-F key=|-k\s+)session$ patterns: '*.rules' @@ -33911,7 +28555,7 @@ - name: Record Attempts to Alter Process and Session Initiation Information wtmp - Use /etc/audit/rules.d/session.rules as the recipient for the rule - set_fact: + ansible.builtin.set_fact: all_files: - /etc/audit/rules.d/session.rules when: @@ -33941,7 +28585,7 @@ - name: Record Attempts to Alter Process and Session Initiation Information wtmp - Use matched file as the recipient for the rule - set_fact: + ansible.builtin.set_fact: all_files: - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' when: @@ -33970,7 +28614,7 @@ - restrict_strategy - name: Record Attempts to Alter Process and Session Initiation Information wtmp - Add watch rule for /var/log/wtmp in /etc/audit/rules.d/ - lineinfile: + ansible.builtin.lineinfile: path: '{{ all_files[0] }}' line: -w /var/log/wtmp -p wa -k session create: true @@ -34001,7 +28645,7 @@ - name: Record Attempts to Alter Process and Session Initiation Information wtmp - Check if watch rule for /var/log/wtmp already exists in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit/ contains: ^\s*-w\s+/var/log/wtmp\s+-p\s+wa(\s|$)+ patterns: audit.rules @@ -34030,7 +28674,7 @@ - restrict_strategy - name: Record Attempts to Alter Process and Session Initiation Information wtmp - Add watch rule for /var/log/wtmp in /etc/audit/audit.rules - lineinfile: + ansible.builtin.lineinfile: line: -w /var/log/wtmp -p wa -k session state: present dest: /etc/audit/audit.rules 
@@ -34060,45 +28704,6 @@ - no_reboot_needed - restrict_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-86368-8 - - audit_rules_suid_auid_privilege_function - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - when: - - audit_rules_suid_auid_privilege_function | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - -- name: Service facts - ansible.builtin.service_facts: null - when: - - audit_rules_suid_auid_privilege_function | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' - tags: - - CCE-86368-8 - - audit_rules_suid_auid_privilege_function - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - - name: Check the rules script being used ansible.builtin.command: grep '^ExecStartPost' /usr/lib/systemd/system/auditd.service register: check_rules_scripts_result 
@@ -34225,39 +28830,8 @@ - no_reboot_needed - restrict_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83729-4 - - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(7)(b) - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.2 - - PCI-DSS-Req-10.2.5.b - - PCI-DSSv4-10.2 - - PCI-DSSv4-10.2.1 - - PCI-DSSv4-10.2.1.5 - - audit_rules_sysadmin_actions - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - when: - - audit_rules_sysadmin_actions | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - name: Ensure auditd Collects System Administrator Actions - Check if watch rule for /etc/sudoers already exists in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit/ contains: ^\s*-w\s+/etc/sudoers\s+-p\s+wa(\s|$)+ patterns: audit.rules @@ -34293,7 +28867,7 @@ - restrict_strategy - name: Ensure auditd Collects System Administrator Actions - Add watch rule for /etc/sudoers in /etc/audit/audit.rules - lineinfile: + ansible.builtin.lineinfile: line: -w /etc/sudoers -p wa -k actions state: present dest: /etc/audit/audit.rules @@ -34331,7 +28905,7 @@ - restrict_strategy - name: Ensure auditd Collects System Administrator Actions - Check if watch rule for /etc/sudoers already exists in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: ^\s*-w\s+/etc/sudoers\s+-p\s+wa(\s|$)+ patterns: '*.rules' @@ -34368,7 +28942,7 @@ - name: Ensure auditd Collects System Administrator Actions - Search /etc/audit/rules.d for other rules with specified key actions - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: ^.*(?:-F key=|-k\s+)actions$ patterns: '*.rules' 
@@ -34406,7 +28980,7 @@ - name: Ensure auditd Collects System Administrator Actions - Use /etc/audit/rules.d/actions.rules as the recipient for the rule - set_fact: + ansible.builtin.set_fact: all_files: - /etc/audit/rules.d/actions.rules when: @@ -34442,7 +29016,7 @@ - restrict_strategy - name: Ensure auditd Collects System Administrator Actions - Use matched file as the recipient for the rule - set_fact: + ansible.builtin.set_fact: all_files: - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' when: @@ -34478,7 +29052,7 @@ - restrict_strategy - name: Ensure auditd Collects System Administrator Actions - Add watch rule for /etc/sudoers in /etc/audit/rules.d/ - lineinfile: + ansible.builtin.lineinfile: path: '{{ all_files[0] }}' line: -w /etc/sudoers -p wa -k actions create: true @@ -34515,7 +29089,7 @@ - restrict_strategy - name: Ensure auditd Collects System Administrator Actions - Check if watch rule for /etc/sudoers.d/ already exists in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit/ contains: ^\s*-w\s+/etc/sudoers.d/\s+-p\s+wa(\s|$)+ patterns: audit.rules @@ -34551,7 +29125,7 @@ - restrict_strategy - name: Ensure auditd Collects System Administrator Actions - Add watch rule for /etc/sudoers.d/ in /etc/audit/audit.rules - lineinfile: + ansible.builtin.lineinfile: line: -w /etc/sudoers.d/ -p wa -k actions state: present dest: /etc/audit/audit.rules @@ -34589,7 +29163,7 @@ - restrict_strategy - name: Ensure auditd Collects System Administrator Actions - Check if watch rule for /etc/sudoers.d/ already exists in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: ^\s*-w\s+/etc/sudoers.d/\s+-p\s+wa(\s|$)+ patterns: '*.rules' 
@@ -34626,7 +29200,7 @@ - name: Ensure auditd Collects System Administrator Actions - Search /etc/audit/rules.d for other rules with specified key actions - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: ^.*(?:-F key=|-k\s+)actions$ patterns: '*.rules' @@ -34664,7 +29238,7 @@ - name: Ensure auditd Collects System Administrator Actions - Use /etc/audit/rules.d/actions.rules as the recipient for the rule - set_fact: + ansible.builtin.set_fact: all_files: - /etc/audit/rules.d/actions.rules when: @@ -34700,7 +29274,7 @@ - restrict_strategy - name: Ensure auditd Collects System Administrator Actions - Use matched file as the recipient for the rule - set_fact: + ansible.builtin.set_fact: all_files: - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' when: @@ -34736,7 +29310,7 @@ - restrict_strategy - name: Ensure auditd Collects System Administrator Actions - Add watch rule for /etc/sudoers.d/ in /etc/audit/rules.d/ - lineinfile: + ansible.builtin.lineinfile: path: '{{ all_files[0] }}' line: -w /etc/sudoers.d/ -p wa -k actions create: true 
@@ -34772,41 +29346,9 @@ - no_reboot_needed - restrict_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83722-9 - - CJIS-5.4.1.1 - - DISA-STIG-RHEL-09-654225 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(4) - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.5 - - PCI-DSSv4-10.2 - - PCI-DSSv4-10.2.1 - - PCI-DSSv4-10.2.1.5 - - audit_rules_usergroup_modification_group - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - when: - - DISA_STIG_RHEL_09_654225 | bool - - audit_rules_usergroup_modification_group | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - name: Record Events that Modify User/Group Information - /etc/group - Check if watch rule for /etc/group already exists in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: ^\s*-w\s+/etc/group\s+-p\s+wa(\s|$)+ patterns: '*.rules' @@ -34844,7 +29386,7 @@ - name: Record Events that Modify User/Group Information - /etc/group - Search /etc/audit/rules.d for other rules with specified key audit_rules_usergroup_modification - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: ^.*(?:-F key=|-k\s+)audit_rules_usergroup_modification$ patterns: '*.rules' @@ -34883,7 +29425,7 @@ - name: Record Events that Modify User/Group Information - /etc/group - Use /etc/audit/rules.d/audit_rules_usergroup_modification.rules as the recipient for the rule - set_fact: + ansible.builtin.set_fact: all_files: - /etc/audit/rules.d/audit_rules_usergroup_modification.rules when: 
@@ -34920,7 +29462,7 @@ - restrict_strategy - name: Record Events that Modify User/Group Information - /etc/group - Use matched file as the recipient for the rule - set_fact: + ansible.builtin.set_fact: all_files: - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' when: @@ -34957,7 +29499,7 @@ - restrict_strategy - name: Record Events that Modify User/Group Information - /etc/group - Add watch rule for /etc/group in /etc/audit/rules.d/ - lineinfile: + ansible.builtin.lineinfile: path: '{{ all_files[0] }}' line: -w /etc/group -p wa -k audit_rules_usergroup_modification create: true @@ -34996,7 +29538,7 @@ - name: Record Events that Modify User/Group Information - /etc/group - Check if watch rule for /etc/group already exists in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit/ contains: ^\s*-w\s+/etc/group\s+-p\s+wa(\s|$)+ patterns: audit.rules @@ -35033,7 +29575,7 @@ - restrict_strategy - name: Record Events that Modify User/Group Information - /etc/group - Add watch rule for /etc/group in /etc/audit/audit.rules - lineinfile: + ansible.builtin.lineinfile: line: -w /etc/group -p wa -k audit_rules_usergroup_modification state: present dest: /etc/audit/audit.rules 
@@ -35071,41 +29613,9 @@ - no_reboot_needed - restrict_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83723-7 - - CJIS-5.4.1.1 - - DISA-STIG-RHEL-09-654230 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(4) - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.5 - - PCI-DSSv4-10.2 - - PCI-DSSv4-10.2.1 - - PCI-DSSv4-10.2.1.5 - - audit_rules_usergroup_modification_gshadow - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - when: - - DISA_STIG_RHEL_09_654230 | bool - - audit_rules_usergroup_modification_gshadow | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - name: Record Events that Modify User/Group Information - /etc/gshadow - Check if watch rule for /etc/gshadow already exists in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: ^\s*-w\s+/etc/gshadow\s+-p\s+wa(\s|$)+ patterns: '*.rules' @@ -35143,7 +29653,7 @@ - name: Record Events that Modify User/Group Information - /etc/gshadow - Search /etc/audit/rules.d for other rules with specified key audit_rules_usergroup_modification - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: ^.*(?:-F key=|-k\s+)audit_rules_usergroup_modification$ patterns: '*.rules' @@ -35182,7 +29692,7 @@ - name: Record Events that Modify User/Group Information - /etc/gshadow - Use /etc/audit/rules.d/audit_rules_usergroup_modification.rules as the recipient for the rule - set_fact: + ansible.builtin.set_fact: all_files: - /etc/audit/rules.d/audit_rules_usergroup_modification.rules when: 
@@ -35219,7 +29729,7 @@ - restrict_strategy - name: Record Events that Modify User/Group Information - /etc/gshadow - Use matched file as the recipient for the rule - set_fact: + ansible.builtin.set_fact: all_files: - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' when: @@ -35256,7 +29766,7 @@ - restrict_strategy - name: Record Events that Modify User/Group Information - /etc/gshadow - Add watch rule for /etc/gshadow in /etc/audit/rules.d/ - lineinfile: + ansible.builtin.lineinfile: path: '{{ all_files[0] }}' line: -w /etc/gshadow -p wa -k audit_rules_usergroup_modification create: true @@ -35295,7 +29805,7 @@ - name: Record Events that Modify User/Group Information - /etc/gshadow - Check if watch rule for /etc/gshadow already exists in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit/ contains: ^\s*-w\s+/etc/gshadow\s+-p\s+wa(\s|$)+ patterns: audit.rules @@ -35332,7 +29842,7 @@ - restrict_strategy - name: Record Events that Modify User/Group Information - /etc/gshadow - Add watch rule for /etc/gshadow in /etc/audit/audit.rules - lineinfile: + ansible.builtin.lineinfile: line: -w /etc/gshadow -p wa -k audit_rules_usergroup_modification state: present dest: /etc/audit/audit.rules 
@@ -35370,41 +29880,186 @@ - no_reboot_needed - restrict_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83712-0 - - CJIS-5.4.1.1 - - DISA-STIG-RHEL-09-654235 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(4) - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.5 - - PCI-DSSv4-10.2 - - PCI-DSSv4-10.2.1 - - PCI-DSSv4-10.2.1.5 - - audit_rules_usergroup_modification_opasswd - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy +- name: Record Events that Modify User/Group Information - /etc/nsswitch.conf - Check if watch rule for /etc/nsswitch.conf + already exists in /etc/audit/rules.d/ + ansible.builtin.find: + paths: /etc/audit/rules.d + contains: ^\s*-w\s+/etc/nsswitch.conf\s+-p\s+wa(\s|$)+ + patterns: '*.rules' + register: find_existing_watch_rules_d when: - - DISA_STIG_RHEL_09_654235 | bool - - audit_rules_usergroup_modification_opasswd | bool + - audit_rules_usergroup_modification_nsswitch_conf | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool + - '"audit" in ansible_facts.packages' + - '"kernel" in ansible_facts.packages' + tags: + - CCE-86213-6 + - audit_rules_usergroup_modification_nsswitch_conf + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Record Events that Modify User/Group Information - /etc/nsswitch.conf - Search /etc/audit/rules.d for other rules + with specified key audit_rules_usergroup_modification + ansible.builtin.find: + paths: /etc/audit/rules.d + contains: ^.*(?:-F key=|-k\s+)audit_rules_usergroup_modification$ + patterns: '*.rules' + register: find_watch_key + when: + - audit_rules_usergroup_modification_nsswitch_conf | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - 
restrict_strategy | bool + - '"audit" in ansible_facts.packages' + - '"kernel" in ansible_facts.packages' + - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 + tags: + - CCE-86213-6 + - audit_rules_usergroup_modification_nsswitch_conf + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Record Events that Modify User/Group Information - /etc/nsswitch.conf - Use /etc/audit/rules.d/audit_rules_usergroup_modification.rules + as the recipient for the rule + ansible.builtin.set_fact: + all_files: + - /etc/audit/rules.d/audit_rules_usergroup_modification.rules + when: + - audit_rules_usergroup_modification_nsswitch_conf | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"audit" in ansible_facts.packages' + - '"kernel" in ansible_facts.packages' + - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and + find_existing_watch_rules_d.matched == 0 + tags: + - CCE-86213-6 + - audit_rules_usergroup_modification_nsswitch_conf + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Record Events that Modify User/Group Information - /etc/nsswitch.conf - Use matched file as the recipient for the + rule + ansible.builtin.set_fact: + all_files: + - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' + when: + - audit_rules_usergroup_modification_nsswitch_conf | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"audit" in ansible_facts.packages' + - '"kernel" in ansible_facts.packages' + - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and + find_existing_watch_rules_d.matched == 0 + 
tags: + - CCE-86213-6 + - audit_rules_usergroup_modification_nsswitch_conf + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Record Events that Modify User/Group Information - /etc/nsswitch.conf - Add watch rule for /etc/nsswitch.conf in /etc/audit/rules.d/ + ansible.builtin.lineinfile: + path: '{{ all_files[0] }}' + line: -w /etc/nsswitch.conf -p wa -k audit_rules_usergroup_modification + create: true + mode: '0600' + when: + - audit_rules_usergroup_modification_nsswitch_conf | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"audit" in ansible_facts.packages' + - '"kernel" in ansible_facts.packages' + - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 + tags: + - CCE-86213-6 + - audit_rules_usergroup_modification_nsswitch_conf + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Record Events that Modify User/Group Information - /etc/nsswitch.conf - Check if watch rule for /etc/nsswitch.conf + already exists in /etc/audit/audit.rules + ansible.builtin.find: + paths: /etc/audit/ + contains: ^\s*-w\s+/etc/nsswitch.conf\s+-p\s+wa(\s|$)+ + patterns: audit.rules + register: find_existing_watch_audit_rules + when: + - audit_rules_usergroup_modification_nsswitch_conf | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"audit" in ansible_facts.packages' + - '"kernel" in ansible_facts.packages' + tags: + - CCE-86213-6 + - audit_rules_usergroup_modification_nsswitch_conf + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Record Events that Modify User/Group Information - /etc/nsswitch.conf - Add watch rule for /etc/nsswitch.conf in /etc/audit/audit.rules + 
ansible.builtin.lineinfile: + line: -w /etc/nsswitch.conf -p wa -k audit_rules_usergroup_modification + state: present + dest: /etc/audit/audit.rules + create: true + mode: '0600' + when: + - audit_rules_usergroup_modification_nsswitch_conf | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"audit" in ansible_facts.packages' + - '"kernel" in ansible_facts.packages' + - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 + tags: + - CCE-86213-6 + - audit_rules_usergroup_modification_nsswitch_conf + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy - name: Record Events that Modify User/Group Information - /etc/security/opasswd - Check if watch rule for /etc/security/opasswd already exists in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: ^\s*-w\s+/etc/security/opasswd\s+-p\s+wa(\s|$)+ patterns: '*.rules' @@ -35442,7 +30097,7 @@ - name: Record Events that Modify User/Group Information - /etc/security/opasswd - Search /etc/audit/rules.d for other rules with specified key audit_rules_usergroup_modification - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: ^.*(?:-F key=|-k\s+)audit_rules_usergroup_modification$ patterns: '*.rules' @@ -35481,7 +30136,7 @@ - name: Record Events that Modify User/Group Information - /etc/security/opasswd - Use /etc/audit/rules.d/audit_rules_usergroup_modification.rules as the recipient for the rule - set_fact: + ansible.builtin.set_fact: all_files: - /etc/audit/rules.d/audit_rules_usergroup_modification.rules when: @@ -35519,7 +30174,7 @@ - name: Record Events that Modify User/Group Information - /etc/security/opasswd - Use matched file as the recipient for the rule - set_fact: + ansible.builtin.set_fact: all_files: - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' when: 
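Review bot: The two new `ansible.builtin.lineinfile` tasks for /etc/nsswitch.conf write the watch rule to `/etc/audit/rules.d/` and `/etc/audit/audit.rules` but nothing in this hunk loads it into the running audit subsystem, so the watch produces no events until auditd is restarted or `augenrules --load` runs, which sits uneasily with the `no_reboot_needed` tag the tasks carry. If the role does not reload rules elsewhere (a handler or a later task outside this hunk), register the result of each `lineinfile` and trigger a reload when it reports `changed`, e.g. `notify` a handler that runs `augenrules --load` for the rules.d path. Separately, the `.` in `/etc/nsswitch.conf` inside both `contains` regexes is unescaped, so the duplicate check would also accept a line watching `/etc/nsswitchXconf`; `^\s*-w\s+/etc/nsswitch\.conf\s+-p\s+wa(\s|$)+` makes it exact, though the practical risk is low and the unescaped form matches the file's existing style. The same two observations apply to the /etc/pam.conf and /etc/pam.d/ tasks added in the following hunk, whose end is outside this view.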
@@ -35557,7 +30212,7 @@ - name: Record Events that Modify User/Group Information - /etc/security/opasswd - Add watch rule for /etc/security/opasswd in /etc/audit/rules.d/ - lineinfile: + ansible.builtin.lineinfile: path: '{{ all_files[0] }}' line: -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification create: true @@ -35596,7 +30251,7 @@ - name: Record Events that Modify User/Group Information - /etc/security/opasswd - Check if watch rule for /etc/security/opasswd already exists in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit/ contains: ^\s*-w\s+/etc/security/opasswd\s+-p\s+wa(\s|$)+ patterns: audit.rules @@ -35634,7 +30289,7 @@ - name: Record Events that Modify User/Group Information - /etc/security/opasswd - Add watch rule for /etc/security/opasswd in /etc/audit/audit.rules - lineinfile: + ansible.builtin.lineinfile: line: -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification state: present dest: /etc/audit/audit.rules 
@@ -35672,41 +30327,361 @@ - no_reboot_needed - restrict_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83714-6 - - CJIS-5.4.1.1 - - DISA-STIG-RHEL-09-654240 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(4) - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.5 - - PCI-DSSv4-10.2 - - PCI-DSSv4-10.2.1 - - PCI-DSSv4-10.2.1.5 - - audit_rules_usergroup_modification_passwd - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy +- name: Record Events that Modify User/Group Information - /etc/pam.conf - Check if watch rule for /etc/pam.conf already exists + in /etc/audit/rules.d/ + ansible.builtin.find: + paths: /etc/audit/rules.d + contains: ^\s*-w\s+/etc/pam.conf\s+-p\s+wa(\s|$)+ + patterns: '*.rules' + register: find_existing_watch_rules_d when: - - DISA_STIG_RHEL_09_654240 | bool - - audit_rules_usergroup_modification_passwd | bool + - audit_rules_usergroup_modification_pam_conf | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool + - '"audit" in ansible_facts.packages' + - '"kernel" in ansible_facts.packages' + tags: + - CCE-86212-8 + - audit_rules_usergroup_modification_pam_conf + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Record Events that Modify User/Group Information - /etc/pam.conf - Search /etc/audit/rules.d for other rules with + specified key audit_rules_usergroup_modification + ansible.builtin.find: + paths: /etc/audit/rules.d + contains: ^.*(?:-F key=|-k\s+)audit_rules_usergroup_modification$ + patterns: '*.rules' + register: find_watch_key + when: + - audit_rules_usergroup_modification_pam_conf | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"audit" in 
ansible_facts.packages' + - '"kernel" in ansible_facts.packages' + - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 + tags: + - CCE-86212-8 + - audit_rules_usergroup_modification_pam_conf + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Record Events that Modify User/Group Information - /etc/pam.conf - Use /etc/audit/rules.d/audit_rules_usergroup_modification.rules + as the recipient for the rule + ansible.builtin.set_fact: + all_files: + - /etc/audit/rules.d/audit_rules_usergroup_modification.rules + when: + - audit_rules_usergroup_modification_pam_conf | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"audit" in ansible_facts.packages' + - '"kernel" in ansible_facts.packages' + - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and + find_existing_watch_rules_d.matched == 0 + tags: + - CCE-86212-8 + - audit_rules_usergroup_modification_pam_conf + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Record Events that Modify User/Group Information - /etc/pam.conf - Use matched file as the recipient for the rule + ansible.builtin.set_fact: + all_files: + - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' + when: + - audit_rules_usergroup_modification_pam_conf | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"audit" in ansible_facts.packages' + - '"kernel" in ansible_facts.packages' + - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and + find_existing_watch_rules_d.matched == 0 + tags: + - CCE-86212-8 + - audit_rules_usergroup_modification_pam_conf + - 
low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Record Events that Modify User/Group Information - /etc/pam.conf - Add watch rule for /etc/pam.conf in /etc/audit/rules.d/ + ansible.builtin.lineinfile: + path: '{{ all_files[0] }}' + line: -w /etc/pam.conf -p wa -k audit_rules_usergroup_modification + create: true + mode: '0600' + when: + - audit_rules_usergroup_modification_pam_conf | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"audit" in ansible_facts.packages' + - '"kernel" in ansible_facts.packages' + - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 + tags: + - CCE-86212-8 + - audit_rules_usergroup_modification_pam_conf + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Record Events that Modify User/Group Information - /etc/pam.conf - Check if watch rule for /etc/pam.conf already exists + in /etc/audit/audit.rules + ansible.builtin.find: + paths: /etc/audit/ + contains: ^\s*-w\s+/etc/pam.conf\s+-p\s+wa(\s|$)+ + patterns: audit.rules + register: find_existing_watch_audit_rules + when: + - audit_rules_usergroup_modification_pam_conf | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"audit" in ansible_facts.packages' + - '"kernel" in ansible_facts.packages' + tags: + - CCE-86212-8 + - audit_rules_usergroup_modification_pam_conf + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Record Events that Modify User/Group Information - /etc/pam.conf - Add watch rule for /etc/pam.conf in /etc/audit/audit.rules + ansible.builtin.lineinfile: + line: -w /etc/pam.conf -p wa -k audit_rules_usergroup_modification + state: present + dest: /etc/audit/audit.rules 
+ create: true + mode: '0600' + when: + - audit_rules_usergroup_modification_pam_conf | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"audit" in ansible_facts.packages' + - '"kernel" in ansible_facts.packages' + - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 + tags: + - CCE-86212-8 + - audit_rules_usergroup_modification_pam_conf + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Record Events that Modify User/Group Information - /etc/pam.d/ - Check if watch rule for /etc/pam.d/ already exists + in /etc/audit/rules.d/ + ansible.builtin.find: + paths: /etc/audit/rules.d + contains: ^\s*-w\s+/etc/pam.d/\s+-p\s+wa(\s|$)+ + patterns: '*.rules' + register: find_existing_watch_rules_d + when: + - audit_rules_usergroup_modification_pamd | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"audit" in ansible_facts.packages' + - '"kernel" in ansible_facts.packages' + tags: + - CCE-86211-0 + - audit_rules_usergroup_modification_pamd + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Record Events that Modify User/Group Information - /etc/pam.d/ - Search /etc/audit/rules.d for other rules with specified + key audit_rules_usergroup_modification + ansible.builtin.find: + paths: /etc/audit/rules.d + contains: ^.*(?:-F key=|-k\s+)audit_rules_usergroup_modification$ + patterns: '*.rules' + register: find_watch_key + when: + - audit_rules_usergroup_modification_pamd | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"audit" in ansible_facts.packages' + - '"kernel" in ansible_facts.packages' + - 
find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 + tags: + - CCE-86211-0 + - audit_rules_usergroup_modification_pamd + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Record Events that Modify User/Group Information - /etc/pam.d/ - Use /etc/audit/rules.d/audit_rules_usergroup_modification.rules + as the recipient for the rule + ansible.builtin.set_fact: + all_files: + - /etc/audit/rules.d/audit_rules_usergroup_modification.rules + when: + - audit_rules_usergroup_modification_pamd | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"audit" in ansible_facts.packages' + - '"kernel" in ansible_facts.packages' + - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and + find_existing_watch_rules_d.matched == 0 + tags: + - CCE-86211-0 + - audit_rules_usergroup_modification_pamd + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Record Events that Modify User/Group Information - /etc/pam.d/ - Use matched file as the recipient for the rule + ansible.builtin.set_fact: + all_files: + - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' + when: + - audit_rules_usergroup_modification_pamd | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"audit" in ansible_facts.packages' + - '"kernel" in ansible_facts.packages' + - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and + find_existing_watch_rules_d.matched == 0 + tags: + - CCE-86211-0 + - audit_rules_usergroup_modification_pamd + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - 
restrict_strategy + +- name: Record Events that Modify User/Group Information - /etc/pam.d/ - Add watch rule for /etc/pam.d/ in /etc/audit/rules.d/ + ansible.builtin.lineinfile: + path: '{{ all_files[0] }}' + line: -w /etc/pam.d/ -p wa -k audit_rules_usergroup_modification + create: true + mode: '0600' + when: + - audit_rules_usergroup_modification_pamd | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"audit" in ansible_facts.packages' + - '"kernel" in ansible_facts.packages' + - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 + tags: + - CCE-86211-0 + - audit_rules_usergroup_modification_pamd + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Record Events that Modify User/Group Information - /etc/pam.d/ - Check if watch rule for /etc/pam.d/ already exists + in /etc/audit/audit.rules + ansible.builtin.find: + paths: /etc/audit/ + contains: ^\s*-w\s+/etc/pam.d/\s+-p\s+wa(\s|$)+ + patterns: audit.rules + register: find_existing_watch_audit_rules + when: + - audit_rules_usergroup_modification_pamd | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"audit" in ansible_facts.packages' + - '"kernel" in ansible_facts.packages' + tags: + - CCE-86211-0 + - audit_rules_usergroup_modification_pamd + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Record Events that Modify User/Group Information - /etc/pam.d/ - Add watch rule for /etc/pam.d/ in /etc/audit/audit.rules + ansible.builtin.lineinfile: + line: -w /etc/pam.d/ -p wa -k audit_rules_usergroup_modification + state: present + dest: /etc/audit/audit.rules + create: true + mode: '0600' + when: + - audit_rules_usergroup_modification_pamd | bool + - low_complexity | 
bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"audit" in ansible_facts.packages' + - '"kernel" in ansible_facts.packages' + - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 + tags: + - CCE-86211-0 + - audit_rules_usergroup_modification_pamd + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy - name: Record Events that Modify User/Group Information - /etc/passwd - Check if watch rule for /etc/passwd already exists in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: ^\s*-w\s+/etc/passwd\s+-p\s+wa(\s|$)+ patterns: '*.rules' @@ -35744,7 +30719,7 @@ - name: Record Events that Modify User/Group Information - /etc/passwd - Search /etc/audit/rules.d for other rules with specified key audit_rules_usergroup_modification_passwd - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: ^.*(?:-F key=|-k\s+)audit_rules_usergroup_modification_passwd$ patterns: '*.rules' @@ -35783,7 +30758,7 @@ - name: Record Events that Modify User/Group Information - /etc/passwd - Use /etc/audit/rules.d/audit_rules_usergroup_modification_passwd.rules as the recipient for the rule - set_fact: + ansible.builtin.set_fact: all_files: - /etc/audit/rules.d/audit_rules_usergroup_modification_passwd.rules when: @@ -35820,7 +30795,7 @@ - restrict_strategy - name: Record Events that Modify User/Group Information - /etc/passwd - Use matched file as the recipient for the rule - set_fact: + ansible.builtin.set_fact: all_files: - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' when: 
@@ -35857,7 +30832,7 @@ - restrict_strategy - name: Record Events that Modify User/Group Information - /etc/passwd - Add watch rule for /etc/passwd in /etc/audit/rules.d/ - lineinfile: + ansible.builtin.lineinfile: path: '{{ all_files[0] }}' line: -w /etc/passwd -p wa -k audit_rules_usergroup_modification_passwd create: true @@ -35896,7 +30871,7 @@ - name: Record Events that Modify User/Group Information - /etc/passwd - Check if watch rule for /etc/passwd already exists in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit/ contains: ^\s*-w\s+/etc/passwd\s+-p\s+wa(\s|$)+ patterns: audit.rules @@ -35933,7 +30908,7 @@ - restrict_strategy - name: Record Events that Modify User/Group Information - /etc/passwd - Add watch rule for /etc/passwd in /etc/audit/audit.rules - lineinfile: + ansible.builtin.lineinfile: line: -w /etc/passwd -p wa -k audit_rules_usergroup_modification_passwd state: present dest: /etc/audit/audit.rules 
@@ -35971,41 +30946,9 @@ - no_reboot_needed - restrict_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83725-2 - - CJIS-5.4.1.1 - - DISA-STIG-RHEL-09-654245 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(4) - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.5 - - PCI-DSSv4-10.2 - - PCI-DSSv4-10.2.1 - - PCI-DSSv4-10.2.1.5 - - audit_rules_usergroup_modification_shadow - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - when: - - DISA_STIG_RHEL_09_654245 | bool - - audit_rules_usergroup_modification_shadow | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - name: Record Events that Modify User/Group Information - /etc/shadow - Check if watch rule for /etc/shadow already exists in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: ^\s*-w\s+/etc/shadow\s+-p\s+wa(\s|$)+ patterns: '*.rules' @@ -36043,7 +30986,7 @@ - name: Record Events that Modify User/Group Information - /etc/shadow - Search /etc/audit/rules.d for other rules with specified key audit_rules_usergroup_modification - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: ^.*(?:-F key=|-k\s+)audit_rules_usergroup_modification$ patterns: '*.rules' @@ -36082,7 +31025,7 @@ - name: Record Events that Modify User/Group Information - /etc/shadow - Use /etc/audit/rules.d/audit_rules_usergroup_modification.rules as the recipient for the rule - set_fact: + ansible.builtin.set_fact: all_files: - /etc/audit/rules.d/audit_rules_usergroup_modification.rules when: 
@@ -36119,7 +31062,7 @@ - restrict_strategy - name: Record Events that Modify User/Group Information - /etc/shadow - Use matched file as the recipient for the rule - set_fact: + ansible.builtin.set_fact: all_files: - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' when: @@ -36156,7 +31099,7 @@ - restrict_strategy - name: Record Events that Modify User/Group Information - /etc/shadow - Add watch rule for /etc/shadow in /etc/audit/rules.d/ - lineinfile: + ansible.builtin.lineinfile: path: '{{ all_files[0] }}' line: -w /etc/shadow -p wa -k audit_rules_usergroup_modification create: true @@ -36195,7 +31138,7 @@ - name: Record Events that Modify User/Group Information - /etc/shadow - Check if watch rule for /etc/shadow already exists in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit/ contains: ^\s*-w\s+/etc/shadow\s+-p\s+wa(\s|$)+ patterns: audit.rules @@ -36232,7 +31175,7 @@ - restrict_strategy - name: Record Events that Modify User/Group Information - /etc/shadow - Add watch rule for /etc/shadow in /etc/audit/audit.rules - lineinfile: + ansible.builtin.lineinfile: line: -w /etc/shadow -p wa -k audit_rules_usergroup_modification state: present dest: /etc/audit/audit.rules 
@@ -36270,32 +31213,8 @@ - no_reboot_needed - restrict_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-86433-0 - - PCI-DSS-Req-10.2.2 - - PCI-DSS-Req-10.2.5.b - - PCI-DSSv4-10.2 - - PCI-DSSv4-10.2.1 - - PCI-DSSv4-10.2.1.3 - - audit_sudo_log_events - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - when: - - audit_sudo_log_events | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - name: Record Attempts to perform maintenance activities - Check if watch rule for /var/log/sudo.log already exists in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: ^\s*-w\s+/var/log/sudo.log\s+-p\s+wa(\s|$)+ patterns: '*.rules' @@ -36324,7 +31243,7 @@ - restrict_strategy - name: Record Attempts to perform maintenance activities - Search /etc/audit/rules.d for other rules with specified key maintenance - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: ^.*(?:-F key=|-k\s+)maintenance$ patterns: '*.rules' @@ -36355,7 +31274,7 @@ - name: Record Attempts to perform maintenance activities - Use /etc/audit/rules.d/maintenance.rules as the recipient for the rule - set_fact: + ansible.builtin.set_fact: all_files: - /etc/audit/rules.d/maintenance.rules when: @@ -36384,7 +31303,7 @@ - restrict_strategy - name: Record Attempts to perform maintenance activities - Use matched file as the recipient for the rule - set_fact: + ansible.builtin.set_fact: all_files: - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' when: @@ -36413,7 +31332,7 @@ - restrict_strategy - name: Record Attempts to perform maintenance activities - Add watch rule for /var/log/sudo.log in /etc/audit/rules.d/ - lineinfile: + ansible.builtin.lineinfile: path: '{{ all_files[0] }}' line: -w /var/log/sudo.log -p wa -k maintenance create: true 
@@ -36443,7 +31362,7 @@ - restrict_strategy - name: Record Attempts to perform maintenance activities - Check if watch rule for /var/log/sudo.log already exists in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit/ contains: ^\s*-w\s+/var/log/sudo.log\s+-p\s+wa(\s|$)+ patterns: audit.rules @@ -36472,7 +31391,7 @@ - restrict_strategy - name: Record Attempts to perform maintenance activities - Add watch rule for /var/log/sudo.log in /etc/audit/audit.rules - lineinfile: + ansible.builtin.lineinfile: line: -w /var/log/sudo.log -p wa -k maintenance state: present dest: /etc/audit/audit.rules @@ -36502,29 +31421,8 @@ - no_reboot_needed - restrict_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-86446-2 - - DISA-STIG-RHEL-09-232104 - - configure_strategy - - file_groupownership_audit_configuration - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - when: - - DISA_STIG_RHEL_09_232104 | bool - - configure_strategy | bool - - file_groupownership_audit_configuration | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - name: Set the file_groupownership_audit_configuration_newgroup variable if represented by gid - set_fact: + ansible.builtin.set_fact: file_groupownership_audit_configuration_newgroup: '0' when: - DISA_STIG_RHEL_09_232104 | bool @@ -36547,7 +31445,7 @@ - no_reboot_needed - name: Find /etc/audit/ file(s) matching ^.*audit(\.rules|d\.conf)$ - command: find -L /etc/audit/ -maxdepth 1 -type f ! -group 0 -regextype posix-extended -regex "^.*audit(\.rules|d\.conf)$" + ansible.builtin.command: find -P /etc/audit/ -maxdepth 1 -type f ! -group 0 -regextype posix-extended -regex "^.*audit(\.rules|d\.conf)$" register: files_found changed_when: false failed_when: false 
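Review bot: The switch from `find -L` to `find -P` in the `Find /etc/audit/ file(s) matching ^.*audit(\.rules|d\.conf)$` command changes which entries are selected — with `-P` a symlink inside /etc/audit/ is seen as type `l`, so `-type f` no longer reports it and its target elsewhere on disk is never re-owned — but nothing in the task records that intent, and a later maintainer could read it as a typo and revert it. Add a comment above the task, e.g. `# -P: never follow symlinks, so ownership is changed only on regular files that actually live in /etc/audit/`. The same `-L` to `-P` change appears in the hunks at -36600, -36697, -36750, -36802 and -36880, and the comment belongs on each of them.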
@@ -36573,8 +31471,9 @@ - no_reboot_needed - name: Ensure group owner on /etc/audit/ file(s) matching ^.*audit(\.rules|d\.conf)$ - file: + ansible.builtin.file: path: '{{ item }}' + follow: false group: '{{ file_groupownership_audit_configuration_newgroup }}' state: file with_items: @@ -36600,7 +31499,7 @@ - no_reboot_needed - name: Find /etc/audit/rules.d/ file(s) matching ^.*\.rules$ - command: find -L /etc/audit/rules.d/ -maxdepth 1 -type f ! -group 0 -regextype posix-extended -regex "^.*\.rules$" + ansible.builtin.command: find -P /etc/audit/rules.d/ -maxdepth 1 -type f ! -group 0 -regextype posix-extended -regex "^.*\.rules$" register: files_found changed_when: false failed_when: false @@ -36626,8 +31525,9 @@ - no_reboot_needed - name: Ensure group owner on /etc/audit/rules.d/ file(s) matching ^.*\.rules$ - file: + ansible.builtin.file: path: '{{ item }}' + follow: false group: '{{ file_groupownership_audit_configuration_newgroup }}' state: file with_items: @@ -36652,29 +31552,8 @@ - medium_severity - no_reboot_needed -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-86445-4 - - DISA-STIG-RHEL-09-232103 - - configure_strategy - - file_ownership_audit_configuration - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - when: - - DISA_STIG_RHEL_09_232103 | bool - - configure_strategy | bool - - file_ownership_audit_configuration | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - name: Set the file_ownership_audit_configuration_newown variable if represented by uid - set_fact: + ansible.builtin.set_fact: file_ownership_audit_configuration_newown: '0' when: - DISA_STIG_RHEL_09_232103 | bool 
@@ -36697,7 +31576,7 @@ - no_reboot_needed - name: Find /etc/audit/ file(s) matching ^.*audit(\.rules|d\.conf)$ - command: find -L /etc/audit/ -maxdepth 1 -type f ! -user 0 -regextype posix-extended -regex "^.*audit(\.rules|d\.conf)$" + ansible.builtin.command: find -P /etc/audit/ -maxdepth 1 -type f ! -user 0 -regextype posix-extended -regex "^.*audit(\.rules|d\.conf)$" register: files_found changed_when: false failed_when: false @@ -36723,8 +31602,9 @@ - no_reboot_needed - name: Ensure owner on /etc/audit/ file(s) matching ^.*audit(\.rules|d\.conf)$ - file: + ansible.builtin.file: path: '{{ item }}' + follow: false owner: '{{ file_ownership_audit_configuration_newown }}' state: file with_items: @@ -36750,7 +31630,7 @@ - no_reboot_needed - name: Find /etc/audit/rules.d/ file(s) matching ^.*\.rules$ - command: find -L /etc/audit/rules.d/ -maxdepth 1 -type f ! -user 0 -regextype posix-extended -regex "^.*\.rules$" + ansible.builtin.command: find -P /etc/audit/rules.d/ -maxdepth 1 -type f ! -user 0 -regextype posix-extended -regex "^.*\.rules$" register: files_found changed_when: false failed_when: false @@ -36776,8 +31656,9 @@ - no_reboot_needed - name: Ensure owner on /etc/audit/rules.d/ file(s) matching ^.*\.rules$ - file: + ansible.builtin.file: path: '{{ item }}' + follow: false owner: '{{ file_ownership_audit_configuration_newown }}' state: file with_items: 
@@ -36802,30 +31683,9 @@ - medium_severity - no_reboot_needed -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-88002-1 - - DISA-STIG-RHEL-09-653110 - - NIST-800-53-AU-12 b - - configure_strategy - - file_permissions_audit_configuration - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - when: - - DISA_STIG_RHEL_09_653110 | bool - - configure_strategy | bool - - file_permissions_audit_configuration | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - name: Find /etc/audit/ file(s) - command: find -L /etc/audit/ -maxdepth 1 -perm /u+xs,g+xws,o+xwrt -type f -regextype posix-extended -regex "^.*audit(\.rules|d\.conf)$" + ansible.builtin.command: find -P /etc/audit/ -maxdepth 1 -perm /u+xs,g+xws,o+xwrt -type f -regextype posix-extended -regex + "^.*audit(\.rules|d\.conf)$" register: files_found changed_when: false failed_when: false @@ -36852,7 +31712,7 @@ - no_reboot_needed - name: Set permissions for /etc/audit/ file(s) - file: + ansible.builtin.file: path: '{{ item }}' mode: u-xs,g-xws,o-xwrt state: file @@ -36880,7 +31740,8 @@ - no_reboot_needed - name: Find /etc/audit/rules.d/ file(s) - command: find -L /etc/audit/rules.d/ -maxdepth 1 -perm /u+xs,g+xws,o+xwrt -type f -regextype posix-extended -regex "^.*\.rules$" + ansible.builtin.command: find -P /etc/audit/rules.d/ -maxdepth 1 -perm /u+xs,g+xws,o+xwrt -type f -regextype posix-extended + -regex "^.*\.rules$" register: files_found changed_when: false failed_when: false @@ -36907,7 +31768,7 @@ - no_reboot_needed - name: Set permissions for /etc/audit/rules.d/ file(s) - file: + ansible.builtin.file: path: '{{ item }}' mode: u-xs,g-xws,o-xwrt state: file 
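Review bot: The two permission-fixing `ansible.builtin.file` tasks of this rule (`Set permissions for /etc/audit/ file(s)` at +31712 and `Set permissions for /etc/audit/rules.d/ file(s)` at +31768) were not given `follow: false`, while the ownership tasks for the same paths in the hunks at -36573, -36626, -36723 and -36776 were. `ansible.builtin.file` follows symlinks by default, so if `{{ item }}` ever names a symlink the mode `u-xs,g-xws,o-xwrt` lands on the link target rather than on the entry under /etc/audit/; `find -P ... -type f` currently keeps symlinks out of `files_found`, so this is an inconsistency rather than an active bug, but the tasks should match: add `follow: false` directly under `path: '{{ item }}'`. Separately, the rewritten `ansible.builtin.command:` value is a plain scalar continued on the next line; YAML folds the break into a single space so the command string is intact, but a `>-` block scalar would make the wrap explicit to the reader.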
@@ -36934,37 +31795,8 @@ - medium_severity - no_reboot_needed -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83720-3 - - CJIS-5.4.1.1 - - DISA-STIG-RHEL-09-653090 - - NIST-800-171-3.3.1 - - NIST-800-53-AC-6(1) - - NIST-800-53-AU-9(4) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5 - - PCI-DSSv4-10.3 - - PCI-DSSv4-10.3.1 - - file_permissions_var_log_audit - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - when: - - DISA_STIG_RHEL_09_653090 | bool - - file_permissions_var_log_audit | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - name: Get audit log files - command: grep -iw ^log_file /etc/audit/auditd.conf + ansible.builtin.command: grep -iw ^log_file /etc/audit/auditd.conf failed_when: false register: log_file_exists when: @@ -36996,7 +31828,7 @@ - restrict_strategy - name: Parse log file line - command: awk -F '=' '/^log_file/ {print $2}' /etc/audit/auditd.conf + ansible.builtin.command: awk -F '=' '/^log_file/ {print $2}' /etc/audit/auditd.conf register: log_file_line when: - DISA_STIG_RHEL_09_653090 | bool @@ -37028,7 +31860,7 @@ - restrict_strategy - name: Set default log_file if not set - set_fact: + ansible.builtin.set_fact: log_file: /var/log/audit/audit.log when: - DISA_STIG_RHEL_09_653090 | bool @@ -37060,7 +31892,7 @@ - restrict_strategy - name: Set log_file from log_file_line if not set already - set_fact: + ansible.builtin.set_fact: log_file: '{{ log_file_line.stdout | trim }}' when: - DISA_STIG_RHEL_09_653090 | bool @@ -37092,7 +31924,7 @@ - restrict_strategy - name: Apply mode to log file - file: + ansible.builtin.file: path: '{{ log_file }}' mode: 384 failed_when: false 
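Review bot: `mode: 384` in the `Apply mode to log file` task (hunk at -37092) is a bare YAML integer; Ansible reads an unquoted number as decimal, and 384 happens to equal octal 0600, so the task is correct only by coincidence and reads as a typo next to the `mode: '0600'` used by the lineinfile tasks elsewhere in this file. Since the commit already rewrites the module line of this task, change it to `mode: '0600'` so the intent is visible and the value survives a reformat. The task's `when:` list continues outside the hunk.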
@@ -37124,37 +31956,8 @@ - no_reboot_needed - restrict_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83830-0 - - CJIS-5.4.1.1 - - DISA-STIG-RHEL-09-654015 - - NIST-800-171-3.1.7 - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - PCI-DSSv4-10.3 - - PCI-DSSv4-10.3.4 - - audit_rules_dac_modification_chmod - - low_complexity - - low_disruption - - medium_severity - - reboot_required - - restrict_strategy - when: - - DISA_STIG_RHEL_09_654015 | bool - - audit_rules_dac_modification_chmod | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - - restrict_strategy | bool - - name: Set architecture for audit chmod tasks - set_fact: + ansible.builtin.set_fact: audit_arch: b64 when: - DISA_STIG_RHEL_09_654015 | bool @@ -37190,7 +31993,7 @@ - name: Perform remediation of Audit rules for chmod for 32bit platform block: - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - chmod syscall_grouping: 
@@ -37198,37 +32001,39 @@ - fchmod - fchmodat - name: Check existence of chmod in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file - set_fact: + ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') + | list }}" - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules - set_fact: 
audit_file="/etc/audit/rules.d/perm_mod.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules" when: found_paths | length == 0 - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -37238,7 +32043,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod create: true @@ -37246,7 +32051,7 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - chmod syscall_grouping: 
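Review bot: The `set_fact` tasks in this block keep the free-form `key="{{ ... }}"` argument string while their module names were rewritten, e.g. `ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"`; with the line already being touched, the mapping form `ansible.builtin.set_fact:` followed by `  audit_file: /etc/audit/rules.d/perm_mod.rules` avoids the nested-quote escaping the longer expressions need and is the form ansible-lint prefers. The re-wrapped values (`| list` / `}}"`, and the `syscalls_per_file` expression) are plain scalars continued onto a second line; YAML folds that into one space so the Jinja is still valid, but a break landing inside `{{ }}` is easy to misread. The same applies to the hunks at -37254, -37324, -37380 and -37515. The enclosing `block:` starts outside this hunk.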
@@ -37254,20 +32059,21 @@ - fchmod - fchmodat - name: Check existence of chmod in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -37277,7 +32083,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod create: true @@ -37316,7 +32122,7 @@ - name: Perform remediation of Audit rules for chmod for 64bit platform block: - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - chmod syscall_grouping: 
@@ -37324,37 +32130,39 @@ - fchmod - fchmodat - name: Check existence of chmod in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file - set_fact: + ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') + | list }}" - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules - set_fact: 
audit_file="/etc/audit/rules.d/perm_mod.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules" when: found_paths | length == 0 - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -37364,7 +32172,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod create: true @@ -37372,7 +32180,7 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - chmod syscall_grouping: 
@@ -37380,20 +32188,21 @@ - fchmod - fchmodat - name: Check existence of chmod in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -37403,7 +32212,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod create: true 
@@ -37440,37 +32249,8 @@ - reboot_required - restrict_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83812-8 - - CJIS-5.4.1.1 - - DISA-STIG-RHEL-09-654020 - - NIST-800-171-3.1.7 - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - PCI-DSSv4-10.3 - - PCI-DSSv4-10.3.4 - - audit_rules_dac_modification_chown - - low_complexity - - low_disruption - - medium_severity - - reboot_required - - restrict_strategy - when: - - DISA_STIG_RHEL_09_654020 | bool - - audit_rules_dac_modification_chown | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - - restrict_strategy | bool - - name: Set architecture for audit chown tasks - set_fact: + ansible.builtin.set_fact: audit_arch: b64 when: - DISA_STIG_RHEL_09_654020 | bool @@ -37506,7 +32286,7 @@ - name: Perform remediation of Audit rules for chown for 32bit platform block: - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - chown syscall_grouping: 
@@ -37515,37 +32295,39 @@ - fchownat - lchown - name: Check existence of chown in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file - set_fact: + ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') + | list }}" - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules - set_fact: 
audit_file="/etc/audit/rules.d/perm_mod.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules" when: found_paths | length == 0 - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -37555,7 +32337,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod create: true @@ -37563,7 +32345,7 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - chown syscall_grouping: 
@@ -37572,20 +32354,21 @@ - fchownat - lchown - name: Check existence of chown in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -37595,7 +32378,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod create: true @@ -37634,7 +32417,7 @@ - name: Perform remediation of Audit rules for chown for 64bit platform block: - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - chown syscall_grouping: 
@@ -37643,37 +32426,39 @@ - fchownat - lchown - name: Check existence of chown in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file - set_fact: + ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') + | list }}" - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules - set_fact: 
audit_file="/etc/audit/rules.d/perm_mod.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules" when: found_paths | length == 0 - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -37683,7 +32468,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod create: true @@ -37691,7 +32476,7 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - chown syscall_grouping: 
@@ -37700,20 +32485,21 @@ - fchownat - lchown - name: Check existence of chown in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -37723,7 +32509,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod create: true 
@@ -37760,37 +32546,8 @@ - reboot_required - restrict_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83832-6 - - CJIS-5.4.1.1 - - DISA-STIG-RHEL-09-654015 - - NIST-800-171-3.1.7 - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - PCI-DSSv4-10.3 - - PCI-DSSv4-10.3.4 - - audit_rules_dac_modification_fchmod - - low_complexity - - low_disruption - - medium_severity - - reboot_required - - restrict_strategy - when: - - DISA_STIG_RHEL_09_654015 | bool - - audit_rules_dac_modification_fchmod | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - - restrict_strategy | bool - - name: Set architecture for audit fchmod tasks - set_fact: + ansible.builtin.set_fact: audit_arch: b64 when: - DISA_STIG_RHEL_09_654015 | bool @@ -37825,7 +32582,7 @@ - name: Perform remediation of Audit rules for fchmod for 32bit platform block: - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - fchmod syscall_grouping: 
@@ -37833,37 +32590,39 @@ - fchmod - fchmodat - name: Check existence of fchmod in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file - set_fact: + ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') + | list }}" - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules - set_fact: 
audit_file="/etc/audit/rules.d/perm_mod.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules" when: found_paths | length == 0 - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -37873,7 +32632,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod create: true @@ -37881,7 +32640,7 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - fchmod syscall_grouping: 
@@ -37889,20 +32648,21 @@ - fchmod - fchmodat - name: Check existence of fchmod in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -37912,7 +32672,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod create: true @@ -37950,7 +32710,7 @@ - name: Perform remediation of Audit rules for fchmod for 64bit platform block: - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - fchmod syscall_grouping: 
@@ -37958,37 +32718,39 @@ - fchmod - fchmodat - name: Check existence of fchmod in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file - set_fact: + ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') + | list }}" - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules - set_fact: 
audit_file="/etc/audit/rules.d/perm_mod.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules" when: found_paths | length == 0 - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -37998,7 +32760,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod create: true @@ -38006,7 +32768,7 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - fchmod syscall_grouping: 
@@ -38014,20 +32776,21 @@ - fchmod - fchmodat - name: Check existence of fchmod in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -38037,7 +32800,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod create: true 
@@ -38073,37 +32836,8 @@ - reboot_required - restrict_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83822-7 - - CJIS-5.4.1.1 - - DISA-STIG-RHEL-09-654015 - - NIST-800-171-3.1.7 - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - PCI-DSSv4-10.3 - - PCI-DSSv4-10.3.4 - - audit_rules_dac_modification_fchmodat - - low_complexity - - low_disruption - - medium_severity - - reboot_required - - restrict_strategy - when: - - DISA_STIG_RHEL_09_654015 | bool - - audit_rules_dac_modification_fchmodat | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - - restrict_strategy | bool - - name: Set architecture for audit fchmodat tasks - set_fact: + ansible.builtin.set_fact: audit_arch: b64 when: - DISA_STIG_RHEL_09_654015 | bool @@ -38138,7 +32872,7 @@ - name: Perform remediation of Audit rules for fchmodat for 32bit platform block: - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - fchmodat syscall_grouping: 
@@ -38146,37 +32880,39 @@ - fchmod - fchmodat - name: Check existence of fchmodat in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file - set_fact: + ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') + | list }}" - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules - 
set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules" when: found_paths | length == 0 - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -38186,7 +32922,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod create: true @@ -38194,7 +32930,7 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - fchmodat syscall_grouping: 
@@ -38202,20 +32938,21 @@ - fchmod - fchmodat - name: Check existence of fchmodat in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -38225,7 +32962,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod create: true @@ -38263,7 +33000,7 @@ - name: Perform remediation of Audit rules for fchmodat for 64bit platform block: - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - fchmodat syscall_grouping: 
@@ -38271,37 +33008,39 @@ - fchmod - fchmodat - name: Check existence of fchmodat in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file - set_fact: + ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') + | list }}" - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules - 
set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules" when: found_paths | length == 0 - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -38311,7 +33050,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod create: true @@ -38319,7 +33058,7 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - fchmodat syscall_grouping: 
@@ -38327,20 +33066,21 @@ - fchmod - fchmodat - name: Check existence of fchmodat in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -38350,7 +33090,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod create: true 
@@ -38386,37 +33126,8 @@ - reboot_required - restrict_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83829-2 - - CJIS-5.4.1.1 - - DISA-STIG-RHEL-09-654020 - - NIST-800-171-3.1.7 - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - PCI-DSSv4-10.3 - - PCI-DSSv4-10.3.4 - - audit_rules_dac_modification_fchown - - low_complexity - - low_disruption - - medium_severity - - reboot_required - - restrict_strategy - when: - - DISA_STIG_RHEL_09_654020 | bool - - audit_rules_dac_modification_fchown | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - - restrict_strategy | bool - - name: Set architecture for audit fchown tasks - set_fact: + ansible.builtin.set_fact: audit_arch: b64 when: - DISA_STIG_RHEL_09_654020 | bool @@ -38451,7 +33162,7 @@ - name: Perform remediation of Audit rules for fchown for 32bit platform block: - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - fchown syscall_grouping: 
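Review bot: Dropping the per-rule "Gather the package facts" task leaves the fchown tasks depending on a single gather task elsewhere in the file, and the `when:` list of the "Set architecture for audit fchown tasks" task continues outside this hunk, so I cannot confirm whether any condition in this section tests `ansible_facts.packages`. If one does, a run that deselects the shared gather task (tag-based filtering, or a play that never reaches it) would fail on an undefined fact instead of skipping, which the former per-rule gather avoided; guarding such conditions with `ansible_facts.packages is defined` before the membership test would preserve the skip semantics. The same removal appears in @@ -38703,37 +33420,8 @@ and @@ -39020,37 +33714,8 @@.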
@@ -38460,37 +33171,39 @@ - fchownat - lchown - name: Check existence of fchown in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file - set_fact: + ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') + | list }}" - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules - set_fact: 
audit_file="/etc/audit/rules.d/perm_mod.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules" when: found_paths | length == 0 - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -38500,7 +33213,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod create: true @@ -38508,7 +33221,7 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - fchown syscall_grouping: 
@@ -38517,20 +33230,21 @@ - fchownat - lchown - name: Check existence of fchown in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -38540,7 +33254,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod create: true @@ -38578,7 +33292,7 @@ - name: Perform remediation of Audit rules for fchown for 64bit platform block: - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - fchown syscall_grouping: 
@@ -38587,37 +33301,39 @@ - fchownat - lchown - name: Check existence of fchown in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file - set_fact: + ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') + | list }}" - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules - set_fact: 
audit_file="/etc/audit/rules.d/perm_mod.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules" when: found_paths | length == 0 - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -38627,7 +33343,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod create: true @@ -38635,7 +33351,7 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - fchown syscall_grouping: 
@@ -38644,20 +33360,21 @@ - fchownat - lchown - name: Check existence of fchown in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -38667,7 +33384,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod create: true 
@@ -38703,37 +33420,8 @@ - reboot_required - restrict_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83831-8 - - CJIS-5.4.1.1 - - DISA-STIG-RHEL-09-654020 - - NIST-800-171-3.1.7 - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - PCI-DSSv4-10.3 - - PCI-DSSv4-10.3.4 - - audit_rules_dac_modification_fchownat - - low_complexity - - low_disruption - - medium_severity - - reboot_required - - restrict_strategy - when: - - DISA_STIG_RHEL_09_654020 | bool - - audit_rules_dac_modification_fchownat | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - - restrict_strategy | bool - - name: Set architecture for audit fchownat tasks - set_fact: + ansible.builtin.set_fact: audit_arch: b64 when: - DISA_STIG_RHEL_09_654020 | bool @@ -38768,7 +33456,7 @@ - name: Perform remediation of Audit rules for fchownat for 32bit platform block: - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - fchownat syscall_grouping: 
@@ -38777,37 +33465,39 @@ - fchownat - lchown - name: Check existence of fchownat in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file - set_fact: + ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') + | list }}" - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules - 
set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules" when: found_paths | length == 0 - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -38817,7 +33507,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod create: true @@ -38825,7 +33515,7 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - fchownat syscall_grouping: 
@@ -38834,20 +33524,21 @@ - fchownat - lchown - name: Check existence of fchownat in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -38857,7 +33548,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod create: true @@ -38895,7 +33586,7 @@ - name: Perform remediation of Audit rules for fchownat for 64bit platform block: - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - fchownat syscall_grouping: 
@@ -38904,37 +33595,39 @@ - fchownat - lchown - name: Check existence of fchownat in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file - set_fact: + ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') + | list }}" - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules - 
set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules" when: found_paths | length == 0 - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -38944,7 +33637,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod create: true @@ -38952,7 +33645,7 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - fchownat syscall_grouping: 
@@ -38961,20 +33654,21 @@ - fchownat - lchown - name: Check existence of fchownat in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -38984,7 +33678,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod create: true 
@@ -39020,37 +33714,8 @@ - reboot_required - restrict_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83821-9 - - CJIS-5.4.1.1 - - DISA-STIG-RHEL-09-654025 - - NIST-800-171-3.1.7 - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - PCI-DSSv4-10.3 - - PCI-DSSv4-10.3.4 - - audit_rules_dac_modification_fremovexattr - - low_complexity - - low_disruption - - medium_severity - - reboot_required - - restrict_strategy - when: - - DISA_STIG_RHEL_09_654025 | bool - - audit_rules_dac_modification_fremovexattr | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - - restrict_strategy | bool - - name: Set architecture for audit fremovexattr tasks - set_fact: + ansible.builtin.set_fact: audit_arch: b64 when: - DISA_STIG_RHEL_09_654025 | bool @@ -39085,7 +33750,7 @@ - name: Perform remediation of Audit rules for fremovexattr for 32bit platform block: - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - fremovexattr syscall_grouping: 
@@ -39096,37 +33761,39 @@ - lsetxattr - setxattr - name: Check existence of fremovexattr in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file - set_fact: + ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') + | list }}" - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules - 
set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules" when: found_paths | length == 0 - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -39136,7 +33803,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod create: true @@ -39144,7 +33811,7 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - fremovexattr syscall_grouping: 
@@ -39155,20 +33822,21 @@ - lsetxattr - setxattr - name: Check existence of fremovexattr in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -39178,7 +33846,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod create: true @@ -39186,7 +33854,7 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - fremovexattr syscall_grouping: 
@@ -39197,37 +33865,39 @@ - lsetxattr - setxattr - name: Check existence of fremovexattr in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file - set_fact: + ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') + | list }}" - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules - set_fact: 
audit_file="/etc/audit/rules.d/perm_mod.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules" when: found_paths | length == 0 - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+) @@ -39237,7 +33907,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid=0 -F key=perm_mod create: true @@ -39245,7 +33915,7 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - fremovexattr syscall_grouping: 
@@ -39256,20 +33926,21 @@ - lsetxattr - setxattr - name: Check existence of fremovexattr in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+) @@ -39279,7 +33950,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid=0 -F key=perm_mod create: true @@ -39317,7 +33988,7 @@ - name: Perform remediation of Audit rules for fremovexattr for 64bit platform block: - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - fremovexattr syscall_grouping: 
@@ -39328,37 +33999,39 @@ - lsetxattr - setxattr - name: Check existence of fremovexattr in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file - set_fact: + ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') + | list }}" - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules - 
set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules" when: found_paths | length == 0 - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -39368,7 +34041,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod create: true @@ -39376,7 +34049,7 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - fremovexattr syscall_grouping: 
@@ -39387,20 +34060,21 @@ - lsetxattr - setxattr - name: Check existence of fremovexattr in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -39410,7 +34084,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod create: true @@ -39418,7 +34092,7 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - fremovexattr syscall_grouping: 
@@ -39429,37 +34103,39 @@ - lsetxattr - setxattr - name: Check existence of fremovexattr in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file - set_fact: + ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') + | list }}" - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules - set_fact: 
audit_file="/etc/audit/rules.d/perm_mod.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules" when: found_paths | length == 0 - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+) @@ -39469,7 +34145,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid=0 -F key=perm_mod create: true @@ -39477,7 +34153,7 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - fremovexattr syscall_grouping: 
@@ -39488,20 +34164,21 @@ - lsetxattr - setxattr - name: Check existence of fremovexattr in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+) @@ -39511,7 +34188,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid=0 -F key=perm_mod create: true 
@@ -39547,37 +34224,8 @@ - reboot_required - restrict_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83817-7 - - CJIS-5.4.1.1 - - DISA-STIG-RHEL-09-654025 - - NIST-800-171-3.1.7 - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - PCI-DSSv4-10.3 - - PCI-DSSv4-10.3.4 - - audit_rules_dac_modification_fsetxattr - - low_complexity - - low_disruption - - medium_severity - - reboot_required - - restrict_strategy - when: - - DISA_STIG_RHEL_09_654025 | bool - - audit_rules_dac_modification_fsetxattr | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - - restrict_strategy | bool - - name: Set architecture for audit fsetxattr tasks - set_fact: + ansible.builtin.set_fact: audit_arch: b64 when: - DISA_STIG_RHEL_09_654025 | bool @@ -39612,7 +34260,7 @@ - name: Perform remediation of Audit rules for fsetxattr for 32bit platform block: - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - fsetxattr syscall_grouping: 
@@ -39623,37 +34271,39 @@ - lsetxattr - setxattr - name: Check existence of fsetxattr in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file - set_fact: + ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') + | list }}" - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules - 
set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules" when: found_paths | length == 0 - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -39663,7 +34313,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod create: true @@ -39671,7 +34321,7 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - fsetxattr syscall_grouping: 
@@ -39682,20 +34332,21 @@ - lsetxattr - setxattr - name: Check existence of fsetxattr in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -39705,7 +34356,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod create: true @@ -39713,7 +34364,7 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - fsetxattr syscall_grouping: 
@@ -39724,37 +34375,39 @@ - lsetxattr - setxattr - name: Check existence of fsetxattr in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file - set_fact: + ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') + | list }}" - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules - set_fact: 
audit_file="/etc/audit/rules.d/perm_mod.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules" when: found_paths | length == 0 - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+) @@ -39764,7 +34417,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid=0 -F key=perm_mod create: true @@ -39772,7 +34425,7 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - fsetxattr syscall_grouping: 
@@ -39783,20 +34436,21 @@ - lsetxattr - setxattr - name: Check existence of fsetxattr in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+) @@ -39806,7 +34460,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid=0 -F key=perm_mod create: true @@ -39844,7 +34498,7 @@ - name: Perform remediation of Audit rules for fsetxattr for 64bit platform block: - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - fsetxattr syscall_grouping: 
@@ -39855,37 +34509,39 @@ - lsetxattr - setxattr - name: Check existence of fsetxattr in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file - set_fact: + ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') + | list }}" - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules - 
set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules" when: found_paths | length == 0 - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -39895,7 +34551,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod create: true @@ -39903,7 +34559,7 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - fsetxattr syscall_grouping: 
@@ -39914,20 +34570,21 @@ - lsetxattr - setxattr - name: Check existence of fsetxattr in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -39937,7 +34594,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod create: true @@ -39945,7 +34602,7 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - fsetxattr syscall_grouping: 
@@ -39956,37 +34613,39 @@ - lsetxattr - setxattr - name: Check existence of fsetxattr in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file - set_fact: + ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') + | list }}" - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules - set_fact: 
audit_file="/etc/audit/rules.d/perm_mod.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules" when: found_paths | length == 0 - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+) @@ -39996,7 +34655,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid=0 -F key=perm_mod create: true @@ -40004,7 +34663,7 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - fsetxattr syscall_grouping: 
@@ -40015,20 +34674,21 @@ - lsetxattr - setxattr - name: Check existence of fsetxattr in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+) @@ -40038,7 +34698,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid=0 -F key=perm_mod create: true 
@@ -40074,37 +34734,8 @@ - reboot_required - restrict_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83833-4 - - CJIS-5.4.1.1 - - DISA-STIG-RHEL-09-654020 - - NIST-800-171-3.1.7 - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - PCI-DSSv4-10.3 - - PCI-DSSv4-10.3.4 - - audit_rules_dac_modification_lchown - - low_complexity - - low_disruption - - medium_severity - - reboot_required - - restrict_strategy - when: - - DISA_STIG_RHEL_09_654020 | bool - - audit_rules_dac_modification_lchown | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - - restrict_strategy | bool - - name: Set architecture for audit lchown tasks - set_fact: + ansible.builtin.set_fact: audit_arch: b64 when: - DISA_STIG_RHEL_09_654020 | bool @@ -40140,7 +34771,7 @@ - name: Perform remediation of Audit rules for lchown for 32bit platform block: - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - lchown syscall_grouping: 
@@ -40149,37 +34780,39 @@ - fchownat - lchown - name: Check existence of lchown in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file - set_fact: + ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') + | list }}" - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules - set_fact: 
audit_file="/etc/audit/rules.d/perm_mod.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules" when: found_paths | length == 0 - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -40189,7 +34822,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod create: true @@ -40197,7 +34830,7 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - lchown syscall_grouping: 
@@ -40206,20 +34839,21 @@ - fchownat - lchown - name: Check existence of lchown in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -40229,7 +34863,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod create: true @@ -40268,7 +34902,7 @@ - name: Perform remediation of Audit rules for lchown for 64bit platform block: - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - lchown syscall_grouping: 
@@ -40277,37 +34911,39 @@ - fchownat - lchown - name: Check existence of lchown in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file - set_fact: + ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') + | list }}" - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules - set_fact: 
audit_file="/etc/audit/rules.d/perm_mod.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules" when: found_paths | length == 0 - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -40317,7 +34953,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod create: true @@ -40325,7 +34961,7 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - lchown syscall_grouping: 
@@ -40334,20 +34970,21 @@ - fchownat - lchown - name: Check existence of lchown in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -40357,7 +34994,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod create: true 
@@ -40394,37 +35031,8 @@ - reboot_required - restrict_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83814-4 - - CJIS-5.4.1.1 - - DISA-STIG-RHEL-09-654025 - - NIST-800-171-3.1.7 - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - PCI-DSSv4-10.3 - - PCI-DSSv4-10.3.4 - - audit_rules_dac_modification_lremovexattr - - low_complexity - - low_disruption - - medium_severity - - reboot_required - - restrict_strategy - when: - - DISA_STIG_RHEL_09_654025 | bool - - audit_rules_dac_modification_lremovexattr | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - - restrict_strategy | bool - - name: Set architecture for audit lremovexattr tasks - set_fact: + ansible.builtin.set_fact: audit_arch: b64 when: - DISA_STIG_RHEL_09_654025 | bool @@ -40459,7 +35067,7 @@ - name: Perform remediation of Audit rules for lremovexattr for 32bit platform block: - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - lremovexattr syscall_grouping: 
@@ -40470,37 +35078,39 @@ - lsetxattr - setxattr - name: Check existence of lremovexattr in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file - set_fact: + ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') + | list }}" - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules - 
set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules" when: found_paths | length == 0 - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -40510,7 +35120,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod create: true @@ -40518,7 +35128,7 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - lremovexattr syscall_grouping: 
@@ -40529,20 +35139,21 @@ - lsetxattr - setxattr - name: Check existence of lremovexattr in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -40552,7 +35163,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod create: true @@ -40560,7 +35171,7 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - lremovexattr syscall_grouping: 
@@ -40571,37 +35182,39 @@ - lsetxattr - setxattr - name: Check existence of lremovexattr in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file - set_fact: + ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') + | list }}" - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules - set_fact: 
audit_file="/etc/audit/rules.d/perm_mod.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules" when: found_paths | length == 0 - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+) @@ -40611,7 +35224,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid=0 -F key=perm_mod create: true @@ -40619,7 +35232,7 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - lremovexattr syscall_grouping: 
@@ -40630,20 +35243,21 @@ - lsetxattr - setxattr - name: Check existence of lremovexattr in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+) @@ -40653,7 +35267,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid=0 -F key=perm_mod create: true @@ -40691,7 +35305,7 @@ - name: Perform remediation of Audit rules for lremovexattr for 64bit platform block: - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - lremovexattr syscall_grouping: 
@@ -40702,37 +35316,39 @@ - lsetxattr - setxattr - name: Check existence of lremovexattr in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file - set_fact: + ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') + | list }}" - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules - 
set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules" when: found_paths | length == 0 - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -40742,7 +35358,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod create: true @@ -40750,7 +35366,7 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - lremovexattr syscall_grouping: 
@@ -40761,20 +35377,21 @@ - lsetxattr - setxattr - name: Check existence of lremovexattr in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -40784,7 +35401,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod create: true @@ -40792,7 +35409,7 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - lremovexattr syscall_grouping: 
@@ -40803,37 +35420,39 @@ - lsetxattr - setxattr - name: Check existence of lremovexattr in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file - set_fact: + ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') + | list }}" - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules - set_fact: 
audit_file="/etc/audit/rules.d/perm_mod.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules" when: found_paths | length == 0 - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+) @@ -40843,7 +35462,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid=0 -F key=perm_mod create: true @@ -40851,7 +35470,7 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - lremovexattr syscall_grouping: 
@@ -40862,20 +35481,21 @@ - lsetxattr - setxattr - name: Check existence of lremovexattr in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+) @@ -40885,7 +35505,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid=0 -F key=perm_mod create: true 
@@ -40921,37 +35541,8 @@ - reboot_required - restrict_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83808-6 - - CJIS-5.4.1.1 - - DISA-STIG-RHEL-09-654025 - - NIST-800-171-3.1.7 - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - PCI-DSSv4-10.3 - - PCI-DSSv4-10.3.4 - - audit_rules_dac_modification_lsetxattr - - low_complexity - - low_disruption - - medium_severity - - reboot_required - - restrict_strategy - when: - - DISA_STIG_RHEL_09_654025 | bool - - audit_rules_dac_modification_lsetxattr | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - - restrict_strategy | bool - - name: Set architecture for audit lsetxattr tasks - set_fact: + ansible.builtin.set_fact: audit_arch: b64 when: - DISA_STIG_RHEL_09_654025 | bool @@ -40986,7 +35577,7 @@ - name: Perform remediation of Audit rules for lsetxattr for 32bit platform block: - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - lsetxattr syscall_grouping: 
@@ -40997,37 +35588,39 @@ - lsetxattr - setxattr - name: Check existence of lsetxattr in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file - set_fact: + ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') + | list }}" - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules - 
set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules" when: found_paths | length == 0 - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -41037,7 +35630,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod create: true @@ -41045,7 +35638,7 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - lsetxattr syscall_grouping: 
@@ -41056,20 +35649,21 @@ - lsetxattr - setxattr - name: Check existence of lsetxattr in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -41079,7 +35673,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod create: true @@ -41087,7 +35681,7 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - lsetxattr syscall_grouping: 
@@ -41098,37 +35692,39 @@ - lsetxattr - setxattr - name: Check existence of lsetxattr in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file - set_fact: + ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') + | list }}" - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules - set_fact: 
audit_file="/etc/audit/rules.d/perm_mod.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules" when: found_paths | length == 0 - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+) @@ -41138,7 +35734,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid=0 -F key=perm_mod create: true @@ -41146,7 +35742,7 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - lsetxattr syscall_grouping: 
@@ -41157,20 +35753,21 @@ - lsetxattr - setxattr - name: Check existence of lsetxattr in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+) @@ -41180,7 +35777,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid=0 -F key=perm_mod create: true @@ -41218,7 +35815,7 @@ - name: Perform remediation of Audit rules for lsetxattr for 64bit platform block: - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - lsetxattr syscall_grouping: 
@@ -41229,37 +35826,39 @@ - lsetxattr - setxattr - name: Check existence of lsetxattr in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file - set_fact: + ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') + | list }}" - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules - 
set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules" when: found_paths | length == 0 - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -41269,7 +35868,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod create: true @@ -41277,7 +35876,7 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - lsetxattr syscall_grouping: 
@@ -41288,20 +35887,21 @@ - lsetxattr - setxattr - name: Check existence of lsetxattr in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -41311,7 +35911,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod create: true @@ -41319,7 +35919,7 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - lsetxattr syscall_grouping: 
@@ -41330,37 +35930,39 @@ - lsetxattr - setxattr - name: Check existence of lsetxattr in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file - set_fact: + ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') + | list }}" - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules - set_fact: 
audit_file="/etc/audit/rules.d/perm_mod.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules" when: found_paths | length == 0 - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+) @@ -41370,7 +35972,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid=0 -F key=perm_mod create: true @@ -41378,7 +35980,7 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - lsetxattr syscall_grouping: 
@@ -41389,20 +35991,21 @@ - lsetxattr - setxattr - name: Check existence of lsetxattr in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+) @@ -41412,7 +36015,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid=0 -F key=perm_mod create: true 
@@ -41448,37 +36051,8 @@ - reboot_required - restrict_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83807-8 - - CJIS-5.4.1.1 - - DISA-STIG-RHEL-09-654025 - - NIST-800-171-3.1.7 - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - PCI-DSSv4-10.3 - - PCI-DSSv4-10.3.4 - - audit_rules_dac_modification_removexattr - - low_complexity - - low_disruption - - medium_severity - - reboot_required - - restrict_strategy - when: - - DISA_STIG_RHEL_09_654025 | bool - - audit_rules_dac_modification_removexattr | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - - restrict_strategy | bool - - name: Set architecture for audit removexattr tasks - set_fact: + ansible.builtin.set_fact: audit_arch: b64 when: - DISA_STIG_RHEL_09_654025 | bool @@ -41513,7 +36087,7 @@ - name: Perform remediation of Audit rules for removexattr for 32bit platform block: - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - removexattr syscall_grouping: 
@@ -41524,37 +36098,39 @@ - lsetxattr - setxattr - name: Check existence of removexattr in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file - set_fact: + ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') + | list }}" - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules - 
set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules" when: found_paths | length == 0 - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -41564,7 +36140,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod create: true @@ -41572,7 +36148,7 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - removexattr syscall_grouping: 
@@ -41583,20 +36159,21 @@ - lsetxattr - setxattr - name: Check existence of removexattr in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -41606,7 +36183,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod create: true @@ -41614,7 +36191,7 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - removexattr syscall_grouping: 
@@ -41625,37 +36202,39 @@ - lsetxattr - setxattr - name: Check existence of removexattr in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file - set_fact: + ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') + | list }}" - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules - set_fact: 
audit_file="/etc/audit/rules.d/perm_mod.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules" when: found_paths | length == 0 - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+) @@ -41665,7 +36244,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid=0 -F key=perm_mod create: true @@ -41673,7 +36252,7 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - removexattr syscall_grouping: 
@@ -41684,20 +36263,21 @@ - lsetxattr - setxattr - name: Check existence of removexattr in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+) @@ -41707,7 +36287,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid=0 -F key=perm_mod create: true @@ -41745,7 +36325,7 @@ - name: Perform remediation of Audit rules for removexattr for 64bit platform block: - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - removexattr syscall_grouping: 
@@ -41756,37 +36336,39 @@ - lsetxattr - setxattr - name: Check existence of removexattr in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file - set_fact: + ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') + | list }}" - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules - 
set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules" when: found_paths | length == 0 - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -41796,7 +36378,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod create: true @@ -41804,7 +36386,7 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - removexattr syscall_grouping: 
@@ -41815,20 +36397,21 @@ - lsetxattr - setxattr - name: Check existence of removexattr in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -41838,7 +36421,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod create: true @@ -41846,7 +36429,7 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - removexattr syscall_grouping: 
@@ -41857,37 +36440,39 @@ - lsetxattr - setxattr - name: Check existence of removexattr in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file - set_fact: + ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') + | list }}" - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules - set_fact: 
audit_file="/etc/audit/rules.d/perm_mod.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules" when: found_paths | length == 0 - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+) @@ -41897,7 +36482,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid=0 -F key=perm_mod create: true @@ -41905,7 +36490,7 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - removexattr syscall_grouping: 
@@ -41916,20 +36501,21 @@ - lsetxattr - setxattr - name: Check existence of removexattr in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+) @@ -41939,7 +36525,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid=0 -F key=perm_mod create: true 
@@ -41975,37 +36561,8 @@ - reboot_required - restrict_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83811-0 - - CJIS-5.4.1.1 - - DISA-STIG-RHEL-09-654025 - - NIST-800-171-3.1.7 - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - PCI-DSSv4-10.3 - - PCI-DSSv4-10.3.4 - - audit_rules_dac_modification_setxattr - - low_complexity - - low_disruption - - medium_severity - - reboot_required - - restrict_strategy - when: - - DISA_STIG_RHEL_09_654025 | bool - - audit_rules_dac_modification_setxattr | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - - restrict_strategy | bool - - name: Set architecture for audit setxattr tasks - set_fact: + ansible.builtin.set_fact: audit_arch: b64 when: - DISA_STIG_RHEL_09_654025 | bool @@ -42040,7 +36597,7 @@ - name: Perform remediation of Audit rules for setxattr for 32bit platform block: - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - setxattr syscall_grouping: 
@@ -42051,37 +36608,39 @@ - lsetxattr - setxattr - name: Check existence of setxattr in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file - set_fact: + ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') + | list }}" - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules - 
set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules" when: found_paths | length == 0 - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -42091,7 +36650,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod create: true @@ -42099,7 +36658,7 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - setxattr syscall_grouping: 
@@ -42110,20 +36669,21 @@ - lsetxattr - setxattr - name: Check existence of setxattr in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -42133,7 +36693,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod create: true @@ -42141,7 +36701,7 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - setxattr syscall_grouping: 
@@ -42152,37 +36712,39 @@ - lsetxattr - setxattr - name: Check existence of setxattr in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file - set_fact: + ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') + | list }}" - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules - set_fact: 
audit_file="/etc/audit/rules.d/perm_mod.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules" when: found_paths | length == 0 - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+) @@ -42192,7 +36754,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid=0 -F key=perm_mod create: true @@ -42200,7 +36762,7 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - setxattr syscall_grouping: 
@@ -42211,20 +36773,21 @@ - lsetxattr - setxattr - name: Check existence of setxattr in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+) @@ -42234,7 +36797,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid=0 -F key=perm_mod create: true @@ -42272,7 +36835,7 @@ - name: Perform remediation of Audit rules for setxattr for 64bit platform block: - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - setxattr syscall_grouping: 
@@ -42283,37 +36846,39 @@ - lsetxattr - setxattr - name: Check existence of setxattr in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file - set_fact: + ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') + | list }}" - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules - 
set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules" when: found_paths | length == 0 - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -42323,7 +36888,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod create: true @@ -42331,7 +36896,7 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - setxattr syscall_grouping: 
@@ -42342,20 +36907,21 @@ - lsetxattr - setxattr - name: Check existence of setxattr in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -42365,7 +36931,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod create: true @@ -42373,7 +36939,7 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - setxattr syscall_grouping: 
@@ -42384,37 +36950,39 @@ - lsetxattr - setxattr - name: Check existence of setxattr in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file - set_fact: + ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') + | list }}" - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules - set_fact: 
audit_file="/etc/audit/rules.d/perm_mod.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules" when: found_paths | length == 0 - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+) @@ -42424,7 +36992,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid=0 -F key=perm_mod create: true @@ -42432,7 +37000,7 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - setxattr syscall_grouping: 
@@ -42443,20 +37011,21 @@ - lsetxattr - setxattr - name: Check existence of setxattr in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+) @@ -42466,7 +37035,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid=0 -F key=perm_mod create: true 
@@ -42502,35 +37071,14 @@ - reboot_required - restrict_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-87685-4 - - DISA-STIG-RHEL-09-654035 - - audit_rules_execution_chacl - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - when: - - DISA_STIG_RHEL_09_654035 | bool - - audit_rules_execution_chacl | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - name: Record Any Attempts to Run chacl - Perform remediation of Audit rules for /usr/bin/chacl block: - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: [] syscall_grouping: [] - name: Check existence of in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ 
@@ -42538,30 +37086,32 @@ register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file - set_fact: + ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') + | list }}" - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/privileged.rules - set_fact: audit_file="/etc/audit/rules.d/privileged.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/privileged.rules" when: found_paths | length == 0 - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | 
list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -42571,7 +37121,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged create: true @@ -42579,11 +37129,11 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: [] syscall_grouping: [] - name: Check existence of in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ 
@@ -42591,13 +37141,14 @@ register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -42607,7 +37158,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged create: true 
@@ -42634,35 +37185,14 @@ - no_reboot_needed - restrict_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-90482-1 - - DISA-STIG-RHEL-09-654040 - - audit_rules_execution_setfacl - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - when: - - DISA_STIG_RHEL_09_654040 | bool - - audit_rules_execution_setfacl | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - name: Record Any Attempts to Run setfacl - Perform remediation of Audit rules for /usr/bin/setfacl block: - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: [] syscall_grouping: [] - name: Check existence of in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ 
@@ -42670,30 +37200,32 @@ register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file - set_fact: + ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') + | list }}" - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/privileged.rules - set_fact: audit_file="/etc/audit/rules.d/privileged.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/privileged.rules" when: found_paths | length == 0 - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | 
list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -42703,7 +37235,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged create: true @@ -42711,11 +37243,11 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: [] syscall_grouping: [] - name: Check existence of in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ 
@@ -42723,13 +37255,14 @@ register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -42739,7 +37272,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged create: true 
@@ -42766,40 +37299,14 @@ - no_reboot_needed - restrict_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83748-4 - - DISA-STIG-RHEL-09-654045 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - audit_rules_execution_chcon - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - when: - - DISA_STIG_RHEL_09_654045 | bool - - audit_rules_execution_chcon | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - name: Record Any Attempts to Run chcon - Perform remediation of Audit rules for /usr/bin/chcon block: - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: [] syscall_grouping: [] - name: Check existence of in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ 
@@ -42807,30 +37314,32 @@ register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file - set_fact: + ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') + | list }}" - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/privileged.rules - set_fact: audit_file="/etc/audit/rules.d/privileged.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/privileged.rules" when: found_paths | length == 0 - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | 
list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -42840,7 +37349,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged create: true @@ -42848,11 +37357,11 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: [] syscall_grouping: [] - name: Check existence of in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ 
@@ -42860,13 +37369,14 @@ register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -42876,7 +37386,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged create: true 
@@ -42908,37 +37418,8 @@ - no_reboot_needed - restrict_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83754-2 - - DISA-STIG-RHEL-09-654065 - - NIST-800-171-3.1.7 - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.7 - - PCI-DSSv4-10.2 - - PCI-DSSv4-10.2.1 - - PCI-DSSv4-10.2.1.7 - - audit_rules_file_deletion_events_rename - - low_complexity - - low_disruption - - medium_severity - - reboot_required - - restrict_strategy - when: - - DISA_STIG_RHEL_09_654065 | bool - - audit_rules_file_deletion_events_rename | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - - restrict_strategy | bool - - name: Set architecture for audit rename tasks - set_fact: + ansible.builtin.set_fact: audit_arch: b64 when: - DISA_STIG_RHEL_09_654065 | bool @@ -42974,7 +37455,7 @@ - name: Perform remediation of Audit rules for rename for 32bit platform block: - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - rename syscall_grouping: 
@@ -42985,37 +37466,39 @@ - renameat2 - rmdir - name: Check existence of rename in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file - set_fact: + ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') + | list }}" - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/delete.rules - set_fact: 
audit_file="/etc/audit/rules.d/delete.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/delete.rules" when: found_paths | length == 0 - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -43025,7 +37508,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=delete create: true @@ -43033,7 +37516,7 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - rename syscall_grouping: 
@@ -43044,20 +37527,21 @@ - renameat2 - rmdir - name: Check existence of rename in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -43067,7 +37551,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=delete create: true @@ -43106,7 +37590,7 @@ - name: Perform remediation of Audit rules for rename for 64bit platform block: - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - rename syscall_grouping: 
@@ -43117,37 +37601,39 @@ - renameat2 - rmdir - name: Check existence of rename in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file - set_fact: + ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') + | list }}" - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/delete.rules - set_fact: 
audit_file="/etc/audit/rules.d/delete.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/delete.rules" when: found_paths | length == 0 - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -43157,7 +37643,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=delete create: true @@ -43165,7 +37651,7 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - rename syscall_grouping: 
@@ -43176,20 +37662,21 @@ - renameat2 - rmdir - name: Check existence of rename in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -43199,7 +37686,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=delete create: true 
@@ -43236,37 +37723,8 @@ - reboot_required - restrict_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83756-7 - - DISA-STIG-RHEL-09-654065 - - NIST-800-171-3.1.7 - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.7 - - PCI-DSSv4-10.2 - - PCI-DSSv4-10.2.1 - - PCI-DSSv4-10.2.1.7 - - audit_rules_file_deletion_events_renameat - - low_complexity - - low_disruption - - medium_severity - - reboot_required - - restrict_strategy - when: - - DISA_STIG_RHEL_09_654065 | bool - - audit_rules_file_deletion_events_renameat | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - - restrict_strategy | bool - - name: Set architecture for audit renameat tasks - set_fact: + ansible.builtin.set_fact: audit_arch: b64 when: - DISA_STIG_RHEL_09_654065 | bool @@ -43301,7 +37759,7 @@ - name: Perform remediation of Audit rules for renameat for 32bit platform block: - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - renameat syscall_grouping: 
@@ -43312,37 +37770,39 @@ - renameat2 - rmdir - name: Check existence of renameat in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file - set_fact: + ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') + | list }}" - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/delete.rules - set_fact: 
audit_file="/etc/audit/rules.d/delete.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/delete.rules" when: found_paths | length == 0 - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -43352,7 +37812,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=delete create: true @@ -43360,7 +37820,7 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - renameat syscall_grouping: 
@@ -43371,20 +37831,21 @@ - renameat2 - rmdir - name: Check existence of renameat in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -43394,7 +37855,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=delete create: true @@ -43432,7 +37893,7 @@ - name: Perform remediation of Audit rules for renameat for 64bit platform block: - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - renameat syscall_grouping: 
@@ -43443,37 +37904,39 @@ - renameat2 - rmdir - name: Check existence of renameat in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file - set_fact: + ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') + | list }}" - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/delete.rules - set_fact: 
audit_file="/etc/audit/rules.d/delete.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/delete.rules" when: found_paths | length == 0 - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -43483,7 +37946,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=delete create: true @@ -43491,7 +37954,7 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - renameat syscall_grouping: 
@@ -43502,20 +37965,21 @@ - renameat2 - rmdir - name: Check existence of renameat in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -43525,7 +37989,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=delete create: true 
@@ -43561,37 +38025,8 @@ - reboot_required - restrict_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83757-5 - - DISA-STIG-RHEL-09-654065 - - NIST-800-171-3.1.7 - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.7 - - PCI-DSSv4-10.2 - - PCI-DSSv4-10.2.1 - - PCI-DSSv4-10.2.1.7 - - audit_rules_file_deletion_events_unlink - - low_complexity - - low_disruption - - medium_severity - - reboot_required - - restrict_strategy - when: - - DISA_STIG_RHEL_09_654065 | bool - - audit_rules_file_deletion_events_unlink | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - - restrict_strategy | bool - - name: Set architecture for audit unlink tasks - set_fact: + ansible.builtin.set_fact: audit_arch: b64 when: - DISA_STIG_RHEL_09_654065 | bool @@ -43627,7 +38062,7 @@ - name: Perform remediation of Audit rules for unlink for 32bit platform block: - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - unlink syscall_grouping: 
@@ -43638,37 +38073,39 @@ - renameat2 - rmdir - name: Check existence of unlink in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file - set_fact: + ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') + | list }}" - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/delete.rules - set_fact: 
audit_file="/etc/audit/rules.d/delete.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/delete.rules" when: found_paths | length == 0 - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -43678,7 +38115,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=delete create: true @@ -43686,7 +38123,7 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - unlink syscall_grouping: 
@@ -43697,20 +38134,21 @@ - renameat2 - rmdir - name: Check existence of unlink in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -43720,7 +38158,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=delete create: true @@ -43759,7 +38197,7 @@ - name: Perform remediation of Audit rules for unlink for 64bit platform block: - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - unlink syscall_grouping: 
@@ -43770,37 +38208,39 @@ - renameat2 - rmdir - name: Check existence of unlink in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file - set_fact: + ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') + | list }}" - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/delete.rules - set_fact: 
audit_file="/etc/audit/rules.d/delete.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/delete.rules" when: found_paths | length == 0 - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -43810,7 +38250,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=delete create: true @@ -43818,7 +38258,7 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - unlink syscall_grouping: 
@@ -43829,20 +38269,21 @@ - renameat2 - rmdir - name: Check existence of unlink in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -43852,7 +38293,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=delete create: true 
@@ -43889,37 +38330,8 @@ - reboot_required - restrict_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83755-9 - - DISA-STIG-RHEL-09-654065 - - NIST-800-171-3.1.7 - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.7 - - PCI-DSSv4-10.2 - - PCI-DSSv4-10.2.1 - - PCI-DSSv4-10.2.1.7 - - audit_rules_file_deletion_events_unlinkat - - low_complexity - - low_disruption - - medium_severity - - reboot_required - - restrict_strategy - when: - - DISA_STIG_RHEL_09_654065 | bool - - audit_rules_file_deletion_events_unlinkat | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - - restrict_strategy | bool - - name: Set architecture for audit unlinkat tasks - set_fact: + ansible.builtin.set_fact: audit_arch: b64 when: - DISA_STIG_RHEL_09_654065 | bool @@ -43954,7 +38366,7 @@ - name: Perform remediation of Audit rules for unlinkat for 32bit platform block: - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - unlinkat syscall_grouping: 
@@ -43965,37 +38377,39 @@ - renameat2 - rmdir - name: Check existence of unlinkat in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file - set_fact: + ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') + | list }}" - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/delete.rules - set_fact: 
audit_file="/etc/audit/rules.d/delete.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/delete.rules" when: found_paths | length == 0 - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -44005,7 +38419,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=delete create: true @@ -44013,7 +38427,7 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - unlinkat syscall_grouping: 
@@ -44024,20 +38438,21 @@ - renameat2 - rmdir - name: Check existence of unlinkat in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -44047,7 +38462,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=delete create: true @@ -44085,7 +38500,7 @@ - name: Perform remediation of Audit rules for unlinkat for 64bit platform block: - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - unlinkat syscall_grouping: 
@@ -44096,37 +38511,39 @@ - renameat2 - rmdir - name: Check existence of unlinkat in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file - set_fact: + ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') + | list }}" - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/delete.rules - set_fact: 
audit_file="/etc/audit/rules.d/delete.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/delete.rules" when: found_paths | length == 0 - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -44136,7 +38553,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=delete create: true @@ -44144,7 +38561,7 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - unlinkat syscall_grouping: 
@@ -44155,20 +38572,21 @@ - renameat2 - rmdir - name: Check existence of unlinkat in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -44178,7 +38596,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=delete create: true 
@@ -44214,35 +38632,8 @@ - reboot_required - restrict_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83786-4 - - DISA-STIG-RHEL-09-654070 - - NIST-800-171-3.1.7 - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.1 - - PCI-DSS-Req-10.2.4 - - audit_rules_unsuccessful_file_modification_creat - - low_complexity - - low_disruption - - medium_severity - - reboot_required - - restrict_strategy - when: - - DISA_STIG_RHEL_09_654070 | bool - - audit_rules_unsuccessful_file_modification_creat | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - - restrict_strategy | bool - - name: Set architecture for audit creat tasks - set_fact: + ansible.builtin.set_fact: audit_arch: b64 when: - DISA_STIG_RHEL_09_654070 | bool @@ -44276,7 +38667,7 @@ - name: Perform remediation of Audit rules for creat EACCES for 32bit platform block: - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - creat syscall_grouping: @@ -44287,7 +38678,7 @@ - openat - open_by_handle_at - name: Check existence of creat in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ 
@@ -44295,30 +38686,32 @@ register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file - set_fact: + ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') + | list }}" - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/access.rules - set_fact: audit_file="/etc/audit/rules.d/access.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/access.rules" when: found_paths | length == 0 - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + 
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -44328,7 +38721,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access create: true @@ -44336,7 +38729,7 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - creat syscall_grouping: @@ -44347,7 +38740,7 @@ - openat - open_by_handle_at - name: Check existence of creat in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ 
@@ -44355,13 +38748,14 @@ register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -44371,7 +38765,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access create: true @@ -44408,7 +38802,7 @@ - name: Perform remediation of Audit rules for creat EACCES for 64bit platform block: - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - creat syscall_grouping: @@ -44419,7 +38813,7 @@ - openat - open_by_handle_at - name: Check existence of creat in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ 
@@ -44427,30 +38821,32 @@ register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file - set_fact: + ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') + | list }}" - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/access.rules - set_fact: audit_file="/etc/audit/rules.d/access.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/access.rules" when: found_paths | length == 0 - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + 
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -44460,7 +38856,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access create: true @@ -44468,7 +38864,7 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - creat syscall_grouping: @@ -44479,7 +38875,7 @@ - openat - open_by_handle_at - name: Check existence of creat in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ 
@@ -44487,13 +38883,14 @@ register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -44503,7 +38900,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access create: true @@ -44541,7 +38938,7 @@ - name: Perform remediation of Audit rules for creat EPERM for 32bit platform block: - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - creat syscall_grouping: @@ -44552,7 +38949,7 @@ - openat - open_by_handle_at - name: Check existence of creat in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ 
@@ -44560,30 +38957,32 @@ register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file - set_fact: + ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') + | list }}" - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/access.rules - set_fact: audit_file="/etc/audit/rules.d/access.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/access.rules" when: found_paths | length == 0 - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + 
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -44593,7 +38992,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access create: true @@ -44601,7 +39000,7 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - creat syscall_grouping: @@ -44612,7 +39011,7 @@ - openat - open_by_handle_at - name: Check existence of creat in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ 
@@ -44620,13 +39019,14 @@ register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -44636,7 +39036,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access create: true @@ -44673,7 +39073,7 @@ - name: Perform remediation of Audit rules for creat EPERM for 64bit platform block: - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - creat syscall_grouping: @@ -44684,7 +39084,7 @@ - openat - open_by_handle_at - name: Check existence of creat in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ 
@@ -44692,30 +39092,32 @@ register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file - set_fact: + ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') + | list }}" - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/access.rules - set_fact: audit_file="/etc/audit/rules.d/access.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/access.rules" when: found_paths | length == 0 - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + 
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -44725,7 +39127,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access create: true @@ -44733,7 +39135,7 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - creat syscall_grouping: @@ -44744,7 +39146,7 @@ - openat - open_by_handle_at - name: Check existence of creat in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ 
@@ -44752,13 +39154,14 @@ register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -44768,7 +39171,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access create: true 
@@ -44803,35 +39206,8 @@ - reboot_required - restrict_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83800-3 - - DISA-STIG-RHEL-09-654070 - - NIST-800-171-3.1.7 - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.1 - - PCI-DSS-Req-10.2.4 - - audit_rules_unsuccessful_file_modification_ftruncate - - low_complexity - - low_disruption - - medium_severity - - reboot_required - - restrict_strategy - when: - - DISA_STIG_RHEL_09_654070 | bool - - audit_rules_unsuccessful_file_modification_ftruncate | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - - restrict_strategy | bool - - name: Set architecture for audit ftruncate tasks - set_fact: + ansible.builtin.set_fact: audit_arch: b64 when: - DISA_STIG_RHEL_09_654070 | bool @@ -44864,7 +39240,7 @@ - name: Perform remediation of Audit rules for ftruncate EACCES for 32bit platform block: - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - ftruncate syscall_grouping: @@ -44875,7 +39251,7 @@ - openat - open_by_handle_at - name: Check existence of ftruncate in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ 
@@ -44883,30 +39259,32 @@ register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file - set_fact: + ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') + | list }}" - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/access.rules - set_fact: audit_file="/etc/audit/rules.d/access.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/access.rules" when: found_paths | length == 0 - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + 
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -44916,7 +39294,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access create: true @@ -44924,7 +39302,7 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - ftruncate syscall_grouping: @@ -44935,7 +39313,7 @@ - openat - open_by_handle_at - name: Check existence of ftruncate in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ 
@@ -44943,13 +39321,14 @@ register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -44959,7 +39338,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access create: true @@ -44995,7 +39374,7 @@ - name: Perform remediation of Audit rules for ftruncate EACCES for 64bit platform block: - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - ftruncate syscall_grouping: @@ -45006,7 +39385,7 @@ - openat - open_by_handle_at - name: Check existence of ftruncate in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ 
@@ -45014,30 +39393,32 @@ register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file - set_fact: + ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') + | list }}" - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/access.rules - set_fact: audit_file="/etc/audit/rules.d/access.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/access.rules" when: found_paths | length == 0 - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + 
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -45047,7 +39428,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access create: true @@ -45055,7 +39436,7 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - ftruncate syscall_grouping: @@ -45066,7 +39447,7 @@ - openat - open_by_handle_at - name: Check existence of ftruncate in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ 
@@ -45074,13 +39455,14 @@ register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -45090,7 +39472,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access create: true @@ -45127,7 +39509,7 @@ - name: Perform remediation of Audit rules for ftruncate EPERM for 32bit platform block: - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - ftruncate syscall_grouping: @@ -45138,7 +39520,7 @@ - openat - open_by_handle_at - name: Check existence of ftruncate in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ 
@@ -45146,30 +39528,32 @@ register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file - set_fact: + ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') + | list }}" - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/access.rules - set_fact: audit_file="/etc/audit/rules.d/access.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/access.rules" when: found_paths | length == 0 - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + 
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -45179,7 +39563,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access create: true @@ -45187,7 +39571,7 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - ftruncate syscall_grouping: @@ -45198,7 +39582,7 @@ - openat - open_by_handle_at - name: Check existence of ftruncate in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ 
@@ -45206,13 +39590,14 @@ register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -45222,7 +39607,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access create: true @@ -45258,7 +39643,7 @@ - name: Perform remediation of Audit rules for ftruncate EPERM for 64bit platform block: - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - ftruncate syscall_grouping: @@ -45269,7 +39654,7 @@ - openat - open_by_handle_at - name: Check existence of ftruncate in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ 
@@ -45277,30 +39662,32 @@ register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file - set_fact: + ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') + | list }}" - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/access.rules - set_fact: audit_file="/etc/audit/rules.d/access.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/access.rules" when: found_paths | length == 0 - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + 
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -45310,7 +39697,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access create: true @@ -45318,7 +39705,7 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - ftruncate syscall_grouping: @@ -45329,7 +39716,7 @@ - openat - open_by_handle_at - name: Check existence of ftruncate in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ 
@@ -45337,13 +39724,14 @@ register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -45353,7 +39741,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access create: true 
@@ -45387,35 +39775,8 @@ - reboot_required - restrict_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83801-1 - - DISA-STIG-RHEL-09-654070 - - NIST-800-171-3.1.7 - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.1 - - PCI-DSS-Req-10.2.4 - - audit_rules_unsuccessful_file_modification_open - - low_complexity - - low_disruption - - medium_severity - - reboot_required - - restrict_strategy - when: - - DISA_STIG_RHEL_09_654070 | bool - - audit_rules_unsuccessful_file_modification_open | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - - restrict_strategy | bool - - name: Set architecture for audit open tasks - set_fact: + ansible.builtin.set_fact: audit_arch: b64 when: - DISA_STIG_RHEL_09_654070 | bool @@ -45449,7 +39810,7 @@ - name: Perform remediation of Audit rules for open EACCES for 32bit platform block: - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - open syscall_grouping: @@ -45460,7 +39821,7 @@ - openat - open_by_handle_at - name: Check existence of open in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ 
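Review bot: With the per-rule `Gather the package facts` task removed ahead of `Set architecture for audit open tasks`, any remaining condition in this rule that reads `ansible_facts.packages` now depends on a gather earlier in the file having already run, which presumably only holds if that earlier gather is tagged `always` or the play is never limited to this rule's tags alone. That dependency is not visible from this hunk, so a comment such as `# package facts are gathered once at the top of this file; do not re-add a per-rule package_facts task` above the set_fact would make it explicit for the next maintainer. The `when` list of the set_fact continues outside the hunk.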
@@ -45468,30 +39829,32 @@ register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file - set_fact: + ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') + | list }}" - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/access.rules - set_fact: audit_file="/etc/audit/rules.d/access.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/access.rules" when: found_paths | length == 0 - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + 
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -45501,7 +39864,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access create: true @@ -45509,7 +39872,7 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - open syscall_grouping: @@ -45520,7 +39883,7 @@ - openat - open_by_handle_at - name: Check existence of open in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ 
@@ -45528,13 +39891,14 @@ register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -45544,7 +39908,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access create: true @@ -45581,7 +39945,7 @@ - name: Perform remediation of Audit rules for open EACCES for 64bit platform block: - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - open syscall_grouping: @@ -45592,7 +39956,7 @@ - openat - open_by_handle_at - name: Check existence of open in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ 
@@ -45600,30 +39964,32 @@ register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file - set_fact: + ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') + | list }}" - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/access.rules - set_fact: audit_file="/etc/audit/rules.d/access.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/access.rules" when: found_paths | length == 0 - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + 
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -45633,7 +39999,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access create: true @@ -45641,7 +40007,7 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - open syscall_grouping: @@ -45652,7 +40018,7 @@ - openat - open_by_handle_at - name: Check existence of open in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ 
@@ -45660,13 +40026,14 @@ register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -45676,7 +40043,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access create: true @@ -45714,7 +40081,7 @@ - name: Perform remediation of Audit rules for open EPERM for 32bit platform block: - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - open syscall_grouping: @@ -45725,7 +40092,7 @@ - openat - open_by_handle_at - name: Check existence of open in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ 
@@ -45733,30 +40100,32 @@ register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file - set_fact: + ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') + | list }}" - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/access.rules - set_fact: audit_file="/etc/audit/rules.d/access.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/access.rules" when: found_paths | length == 0 - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + 
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -45766,7 +40135,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access create: true @@ -45774,7 +40143,7 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - open syscall_grouping: @@ -45785,7 +40154,7 @@ - openat - open_by_handle_at - name: Check existence of open in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ 
@@ -45793,13 +40162,14 @@ register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -45809,7 +40179,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access create: true @@ -45846,7 +40216,7 @@ - name: Perform remediation of Audit rules for open EPERM for 64bit platform block: - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - open syscall_grouping: @@ -45857,7 +40227,7 @@ - openat - open_by_handle_at - name: Check existence of open in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ 
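Review bot: The `regexp` of `Replace the audit rule in {{ audit_file }}` ends in `(?:-k |-F key=)\w+`, but the `contains` pattern that `Check existence of open in /etc/audit/audit.rules` (previous hunk) uses to populate `syscalls_found` accepts `(-k\s+|-F\s+key=)\S+`, so a rule with a tab or double space before its key, or with a key containing `-` or `.`, is counted as found but not matched here. In that case the `Add the audit rule` task is skipped because `syscalls_found` is non-empty, and this task either leaves the file untouched or appends a second rule (depending on the `backrefs`/`line` settings that lie outside the hunk), so the missing syscalls never reach the existing rule; `\w+` would also capture only the `access` prefix of a key like `access-fail` if the replacement reuses that group. Aligning the tail with the detection pattern avoids both: `( -F exit=-EPERM -F auid>=1000 -F auid!=unset (?:-k\s+|-F\s+key=)\S+)`. The same discrepancy is repeated in every `Replace the audit rule` task in this file.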
@@ -45865,30 +40235,32 @@ register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file - set_fact: + ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') + | list }}" - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/access.rules - set_fact: audit_file="/etc/audit/rules.d/access.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/access.rules" when: found_paths | length == 0 - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + 
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -45898,7 +40270,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access create: true @@ -45906,7 +40278,7 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - open syscall_grouping: @@ -45917,7 +40289,7 @@ - openat - open_by_handle_at - name: Check existence of open in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ 
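Review bot: The free-form `key="value"` argument on `ansible.builtin.set_fact: syscalls_found="{{ … | list` is now wrapped so that the closing `}}"` sits on its own line, which only parses because YAML folds a multi-line plain scalar back into one string; a reader has to know that to see that the quotes still pair up. Since the commit is already touching every `set_fact` line for the FQCN migration, the block-argument form is clearer and is what Ansible's documentation recommends: `ansible.builtin.set_fact:` followed by `  syscalls_found: "{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"`. The same applies to the other wrapped free-form lines in this hunk (`syscalls_per_file`, `found_paths`, `found_paths_dict`, `audit_file`).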
@@ -45925,13 +40297,14 @@ register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -45941,7 +40314,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access create: true 
@@ -45976,35 +40349,8 @@ - reboot_required - restrict_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83794-8 - - DISA-STIG-RHEL-09-654070 - - NIST-800-171-3.1.7 - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.1 - - PCI-DSS-Req-10.2.4 - - audit_rules_unsuccessful_file_modification_openat - - low_complexity - - low_disruption - - medium_severity - - reboot_required - - restrict_strategy - when: - - DISA_STIG_RHEL_09_654070 | bool - - audit_rules_unsuccessful_file_modification_openat | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - - restrict_strategy | bool - - name: Set architecture for audit openat tasks - set_fact: + ansible.builtin.set_fact: audit_arch: b64 when: - DISA_STIG_RHEL_09_654070 | bool @@ -46037,7 +40383,7 @@ - name: Perform remediation of Audit rules for openat EACCES for 32bit platform block: - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - openat syscall_grouping: @@ -46048,7 +40394,7 @@ - openat - open_by_handle_at - name: Check existence of openat in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ 
@@ -46056,30 +40402,32 @@ register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file - set_fact: + ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') + | list }}" - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/access.rules - set_fact: audit_file="/etc/audit/rules.d/access.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/access.rules" when: found_paths | length == 0 - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + 
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -46089,7 +40437,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access create: true @@ -46097,7 +40445,7 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - openat syscall_grouping: @@ -46108,7 +40456,7 @@ - openat - open_by_handle_at - name: Check existence of openat in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ 
@@ -46116,13 +40464,14 @@ register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -46132,7 +40481,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access create: true @@ -46168,7 +40517,7 @@ - name: Perform remediation of Audit rules for openat EACCES for 64bit platform block: - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - openat syscall_grouping: @@ -46179,7 +40528,7 @@ - openat - open_by_handle_at - name: Check existence of openat in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ 
@@ -46187,30 +40536,32 @@ register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file - set_fact: + ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') + | list }}" - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/access.rules - set_fact: audit_file="/etc/audit/rules.d/access.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/access.rules" when: found_paths | length == 0 - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + 
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -46220,7 +40571,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access create: true @@ -46228,7 +40579,7 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - openat syscall_grouping: @@ -46239,7 +40590,7 @@ - openat - open_by_handle_at - name: Check existence of openat in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ 
@@ -46247,13 +40598,14 @@ register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -46263,7 +40615,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access create: true @@ -46300,7 +40652,7 @@ - name: Perform remediation of Audit rules for openat EPERM for 32bit platform block: - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - openat syscall_grouping: @@ -46311,7 +40663,7 @@ - openat - open_by_handle_at - name: Check existence of openat in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ 
@@ -46319,30 +40671,32 @@ register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file - set_fact: + ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') + | list }}" - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/access.rules - set_fact: audit_file="/etc/audit/rules.d/access.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/access.rules" when: found_paths | length == 0 - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + 
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -46352,7 +40706,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access create: true @@ -46360,7 +40714,7 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - openat syscall_grouping: @@ -46371,7 +40725,7 @@ - openat - open_by_handle_at - name: Check existence of openat in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ 
@@ -46379,13 +40733,14 @@ register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -46395,7 +40750,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access create: true @@ -46431,7 +40786,7 @@ - name: Perform remediation of Audit rules for openat EPERM for 64bit platform block: - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - openat syscall_grouping: @@ -46442,7 +40797,7 @@ - openat - open_by_handle_at - name: Check existence of openat in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ 
@@ -46450,30 +40805,32 @@ register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file - set_fact: + ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') + | list }}" - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/access.rules - set_fact: audit_file="/etc/audit/rules.d/access.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/access.rules" when: found_paths | length == 0 - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + 
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -46483,7 +40840,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access create: true @@ -46491,7 +40848,7 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - openat syscall_grouping: @@ -46502,7 +40859,7 @@ - openat - open_by_handle_at - name: Check existence of openat in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ 
@@ -46510,13 +40867,14 @@ register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -46526,7 +40884,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access create: true 
@@ -46560,35 +40918,8 @@ - reboot_required - restrict_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83792-2 - - DISA-STIG-RHEL-09-654070 - - NIST-800-171-3.1.7 - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.1 - - PCI-DSS-Req-10.2.4 - - audit_rules_unsuccessful_file_modification_truncate - - low_complexity - - low_disruption - - medium_severity - - reboot_required - - restrict_strategy - when: - - DISA_STIG_RHEL_09_654070 | bool - - audit_rules_unsuccessful_file_modification_truncate | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - - restrict_strategy | bool - - name: Set architecture for audit truncate tasks - set_fact: + ansible.builtin.set_fact: audit_arch: b64 when: - DISA_STIG_RHEL_09_654070 | bool @@ -46621,7 +40952,7 @@ - name: Perform remediation of Audit rules for truncate EACCES for 32bit platform block: - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - truncate syscall_grouping: @@ -46632,7 +40963,7 @@ - openat - open_by_handle_at - name: Check existence of truncate in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ 
@@ -46640,30 +40971,32 @@ register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file - set_fact: + ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') + | list }}" - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/access.rules - set_fact: audit_file="/etc/audit/rules.d/access.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/access.rules" when: found_paths | length == 0 - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + 
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -46673,7 +41006,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access create: true @@ -46681,7 +41014,7 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - truncate syscall_grouping: @@ -46692,7 +41025,7 @@ - openat - open_by_handle_at - name: Check existence of truncate in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ 
@@ -46700,13 +41033,14 @@ register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -46716,7 +41050,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access create: true @@ -46752,7 +41086,7 @@ - name: Perform remediation of Audit rules for truncate EACCES for 64bit platform block: - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - truncate syscall_grouping: @@ -46763,7 +41097,7 @@ - openat - open_by_handle_at - name: Check existence of truncate in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ 
@@ -46771,30 +41105,32 @@ register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file - set_fact: + ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') + | list }}" - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/access.rules - set_fact: audit_file="/etc/audit/rules.d/access.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/access.rules" when: found_paths | length == 0 - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + 
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -46804,7 +41140,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access create: true @@ -46812,7 +41148,7 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - truncate syscall_grouping: @@ -46823,7 +41159,7 @@ - openat - open_by_handle_at - name: Check existence of truncate in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ 
@@ -46831,13 +41167,14 @@ register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -46847,7 +41184,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access create: true @@ -46884,7 +41221,7 @@ - name: Perform remediation of Audit rules for truncate EPERM for 32bit platform block: - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - truncate syscall_grouping: @@ -46895,7 +41232,7 @@ - openat - open_by_handle_at - name: Check existence of truncate in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ 
@@ -46903,30 +41240,32 @@ register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file - set_fact: + ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') + | list }}" - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/access.rules - set_fact: audit_file="/etc/audit/rules.d/access.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/access.rules" when: found_paths | length == 0 - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + 
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -46936,7 +41275,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access create: true @@ -46944,7 +41283,7 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - truncate syscall_grouping: @@ -46955,7 +41294,7 @@ - openat - open_by_handle_at - name: Check existence of truncate in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ 
@@ -46963,13 +41302,14 @@ register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -46979,7 +41319,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access create: true @@ -47015,7 +41355,7 @@ - name: Perform remediation of Audit rules for truncate EPERM for 64bit platform block: - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - truncate syscall_grouping: @@ -47026,7 +41366,7 @@ - openat - open_by_handle_at - name: Check existence of truncate in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ 
@@ -47034,30 +41374,32 @@ register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file - set_fact: + ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') + | list }}" - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/access.rules - set_fact: audit_file="/etc/audit/rules.d/access.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/access.rules" when: found_paths | length == 0 - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + 
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -47067,7 +41409,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access create: true @@ -47075,7 +41417,7 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - truncate syscall_grouping: @@ -47086,7 +41428,7 @@ - openat - open_by_handle_at - name: Check existence of truncate in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ 
@@ -47094,13 +41436,14 @@ register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -47110,7 +41453,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access create: true 
@@ -47144,27 +41487,8 @@ - reboot_required - restrict_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-88436-1 - - audit_rules_kernel_module_loading_create - - configure_strategy - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - when: - - audit_rules_kernel_module_loading_create | bool - - configure_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - name: Set architecture for audit finit_module tasks - set_fact: + ansible.builtin.set_fact: audit_arch: b64 when: - audit_rules_kernel_module_loading_create | bool 
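Review bot: The task names here say `finit_module` (`Set architecture for audit finit_module tasks`, and `Perform remediation of Audit rules for finit_module for 32bit platform` at L537 with its 64-bit twin at L540) while the syscall list the block declares is `create_module` and the gating variable is `audit_rules_kernel_module_loading_create`; the mismatch is pre-existing, but the names are the only documentation the play offers and this FQCN pass already touches every one of these tasks. Rename them to match the rule, e.g. `- name: Set architecture for audit create_module tasks`. The task's `when:` list continues outside this hunk.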
@@ -47190,42 +41514,44 @@ - name: Perform remediation of Audit rules for finit_module for 32bit platform block: - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - create_module syscall_grouping: [] - name: Check existence of create_module in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file - set_fact: + ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') + | list }}" - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | 
sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/module-change.rules - set_fact: audit_file="/etc/audit/rules.d/module-change.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/module-change.rules" when: found_paths | length == 0 - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+) @@ -47235,7 +41561,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=module-change create: true 
@@ -47243,25 +41569,26 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - create_module syscall_grouping: [] - name: Check existence of create_module in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+) @@ -47271,7 +41598,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=module-change create: true 
@@ -47300,42 +41627,44 @@ - name: Perform remediation of Audit rules for finit_module for 64bit platform block: - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - create_module syscall_grouping: [] - name: Check existence of create_module in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file - set_fact: + ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') + | list }}" - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | 
sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/module-change.rules - set_fact: audit_file="/etc/audit/rules.d/module-change.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/module-change.rules" when: found_paths | length == 0 - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+) @@ -47345,7 +41674,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F key=module-change create: true 
@@ -47353,25 +41682,26 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - create_module syscall_grouping: [] - name: Check existence of create_module in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+) @@ -47381,7 +41711,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F key=module-change create: true 
@@ -47408,35 +41738,8 @@ - medium_severity - no_reboot_needed -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83802-9 - - DISA-STIG-RHEL-09-654075 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.7 - - audit_rules_kernel_module_loading_delete - - configure_strategy - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - when: - - DISA_STIG_RHEL_09_654075 | bool - - audit_rules_kernel_module_loading_delete | bool - - configure_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - name: Set architecture for audit delete_module tasks - set_fact: + ansible.builtin.set_fact: audit_arch: b64 when: - DISA_STIG_RHEL_09_654075 | bool 
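Review bot: With the per-rule `Gather the package facts` task removed here (and likewise in the corresponding hunks for finit_module, init_module and query_module below), the `Set architecture for audit delete_module tasks` task and whatever follows it in this rule now rely on `ansible_facts.packages` having been populated by a single fact-gathering task elsewhere in the file, presumably one tagged `always` so that it also runs when a single rule is selected with `--tags`; nothing in the remaining lines records that dependency. If any later task of this rule reads `ansible_facts.packages`, a one-line comment above the rule's first task, `# Package facts come from the shared package_facts task at the top of this file (tags: always)`, would keep a future edit from re-gating or dropping that shared task and silently breaking the `in ansible_facts.packages` checks. The removed tasks' `when:` list also mirrored the rule's own conditions, so the consolidated task gathers facts unconditionally; that is fine for correctness but worth stating in the commit description. The rest of this rule continues outside the hunk.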
@@ -47469,42 +41772,44 @@ - name: Perform remediation of Audit rules for delete_module for 32bit platform block: - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - delete_module syscall_grouping: [] - name: Check existence of delete_module in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file - set_fact: + ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') + | list }}" - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + ansible.builtin.set_fact: audit_file="{{ 
(found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/module-change.rules - set_fact: audit_file="/etc/audit/rules.d/module-change.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/module-change.rules" when: found_paths | length == 0 - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -47514,7 +41819,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=module-change create: true 
@@ -47522,25 +41827,26 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - delete_module syscall_grouping: [] - name: Check existence of delete_module in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -47550,7 +41856,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=module-change create: true 
@@ -47586,42 +41892,44 @@ - name: Perform remediation of Audit rules for delete_module for 64bit platform block: - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - delete_module syscall_grouping: [] - name: Check existence of delete_module in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file - set_fact: + ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') + | list }}" - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + ansible.builtin.set_fact: audit_file="{{ 
(found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/module-change.rules - set_fact: audit_file="/etc/audit/rules.d/module-change.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/module-change.rules" when: found_paths | length == 0 - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -47631,7 +41939,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=module-change create: true 
@@ -47639,25 +41947,26 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - delete_module syscall_grouping: [] - name: Check existence of delete_module in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -47667,7 +41976,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=module-change create: true 
@@ -47701,35 +42010,8 @@ - medium_severity - no_reboot_needed -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83803-7 - - DISA-STIG-RHEL-09-654080 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.7 - - audit_rules_kernel_module_loading_finit - - configure_strategy - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - when: - - DISA_STIG_RHEL_09_654080 | bool - - audit_rules_kernel_module_loading_finit | bool - - configure_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - name: Set architecture for audit finit_module tasks - set_fact: + ansible.builtin.set_fact: audit_arch: b64 when: - DISA_STIG_RHEL_09_654080 | bool 
@@ -47762,44 +42044,46 @@ - name: Perform remediation of Audit rules for finit_module for x86 platform block: - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - finit_module syscall_grouping: - init_module - finit_module - name: Check existence of finit_module in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file - set_fact: + ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') + | list }}" - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + ansible.builtin.set_fact: 
audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/module-change.rules - set_fact: audit_file="/etc/audit/rules.d/module-change.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/module-change.rules" when: found_paths | length == 0 - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -47809,7 +42093,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=module-change create: true 
@@ -47817,27 +42101,28 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - finit_module syscall_grouping: - init_module - finit_module - name: Check existence of finit_module in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -47847,7 +42132,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=module-change create: true 
@@ -47883,44 +42168,46 @@ - name: Perform remediation of Audit rules for finit_module for x86_64 platform block: - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - finit_module syscall_grouping: - init_module - finit_module - name: Check existence of finit_module in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file - set_fact: + ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') + | list }}" - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + 
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/module-change.rules - set_fact: audit_file="/etc/audit/rules.d/module-change.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/module-change.rules" when: found_paths | length == 0 - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -47930,7 +42217,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=module-change create: true 
@@ -47938,27 +42225,28 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - finit_module syscall_grouping: - init_module - finit_module - name: Check existence of finit_module in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -47968,7 +42256,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=module-change create: true 
@@ -48002,35 +42290,8 @@ - medium_severity - no_reboot_needed -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-90835-0 - - DISA-STIG-RHEL-09-654080 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.7 - - audit_rules_kernel_module_loading_init - - configure_strategy - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - when: - - DISA_STIG_RHEL_09_654080 | bool - - audit_rules_kernel_module_loading_init | bool - - configure_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - name: Set architecture for audit init_module tasks - set_fact: + ansible.builtin.set_fact: audit_arch: b64 when: - DISA_STIG_RHEL_09_654080 | bool 
@@ -48063,44 +42324,46 @@ - name: Perform remediation of Audit rules for init_module for 32bit platform block: - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - init_module syscall_grouping: - init_module - finit_module - name: Check existence of init_module in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file - set_fact: + ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') + | list }}" - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + ansible.builtin.set_fact: 
audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/module-change.rules - set_fact: audit_file="/etc/audit/rules.d/module-change.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/module-change.rules" when: found_paths | length == 0 - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -48110,7 +42373,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=module-change create: true 
@@ -48118,27 +42381,28 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - init_module syscall_grouping: - init_module - finit_module - name: Check existence of init_module in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -48148,7 +42412,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=module-change create: true 
@@ -48184,44 +42448,46 @@ - name: Perform remediation of Audit rules for init_module for 64bit platform block: - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - init_module syscall_grouping: - init_module - finit_module - name: Check existence of init_module in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file - set_fact: + ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') + | list }}" - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + ansible.builtin.set_fact: 
audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/module-change.rules - set_fact: audit_file="/etc/audit/rules.d/module-change.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/module-change.rules" when: found_paths | length == 0 - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -48231,7 +42497,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=module-change create: true 
@@ -48239,27 +42505,28 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - init_module syscall_grouping: - init_module - finit_module - name: Check existence of init_module in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -48269,7 +42536,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=module-change create: true 
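Review bot: This branch writes to /etc/audit/audit.rules directly (`Set path to /etc/audit/audit.rules`, then `lineinfile` on `{{ audit_file }}`), and on hosts where auditd loads rules through augenrules that file is regenerated from /etc/audit/rules.d, so a rule added here can be silently discarded at the next rule load. The condition that selects this branch over the rules.d branch above is outside the hunk; please confirm it keys on the loader actually in use rather than on the file merely existing. A one-line comment on the `Set path` task would make the assumption visible: `# Only reached when auditd is configured to load /etc/audit/audit.rules directly (not augenrules); see the block condition`.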
@@ -48303,27 +42570,8 @@ - medium_severity - no_reboot_needed -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-88749-7 - - audit_rules_kernel_module_loading_query - - configure_strategy - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - when: - - audit_rules_kernel_module_loading_query | bool - - configure_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - name: Set architecture for audit query_module tasks - set_fact: + ansible.builtin.set_fact: audit_arch: b64 when: - audit_rules_kernel_module_loading_query | bool 
@@ -48349,44 +42597,46 @@ - name: Perform remediation of Audit rules for query_module for x86 platform block: - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - query_module syscall_grouping: - init_module - query_module - name: Check existence of query_module in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file - set_fact: + ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') + | list }}" - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + ansible.builtin.set_fact: 
audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/module-change.rules - set_fact: audit_file="/etc/audit/rules.d/module-change.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/module-change.rules" when: found_paths | length == 0 - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -48396,7 +42646,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=module-change create: true 
@@ -48404,27 +42654,28 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - query_module syscall_grouping: - init_module - query_module - name: Check existence of query_module in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -48434,7 +42685,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=module-change create: true 
@@ -48463,44 +42714,46 @@ - name: Perform remediation of Audit rules for query_module for x86_64 platform block: - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - query_module syscall_grouping: - init_module - query_module - name: Check existence of query_module in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file - set_fact: + ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') + | list }}" - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + 
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/module-change.rules - set_fact: audit_file="/etc/audit/rules.d/module-change.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/module-change.rules" when: found_paths | length == 0 - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -48510,7 +42763,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=module-change create: true 
@@ -48518,27 +42771,28 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - query_module syscall_grouping: - init_module - query_module - name: Check existence of query_module in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -48548,7 +42802,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=module-change create: true 
@@ -48575,39 +42829,9 @@ - medium_severity - no_reboot_needed -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83783-1 - - DISA-STIG-RHEL-09-654250 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.3 - - PCI-DSSv4-10.2 - - PCI-DSSv4-10.2.1 - - PCI-DSSv4-10.2.1.3 - - audit_rules_login_events_faillock - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - when: - - DISA_STIG_RHEL_09_654250 | bool - - audit_rules_login_events_faillock | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - name: Record Attempts to Alter Logon and Logout Events - faillock - Check if watch rule for {{ var_accounts_passwords_pam_faillock_dir }} already exists in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: ^\s*-w\s+{{ var_accounts_passwords_pam_faillock_dir }}\s+-p\s+wa(\s|$)+ patterns: '*.rules' @@ -48643,7 +42867,7 @@ - name: Record Attempts to Alter Logon and Logout Events - faillock - Search /etc/audit/rules.d for other rules with specified key logins - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: ^.*(?:-F key=|-k\s+)logins$ patterns: '*.rules' @@ -48680,7 +42904,7 @@ - name: Record Attempts to Alter Logon and Logout Events - faillock - Use /etc/audit/rules.d/logins.rules as the recipient for the rule - set_fact: + ansible.builtin.set_fact: all_files: - /etc/audit/rules.d/logins.rules when: @@ -48715,7 +42939,7 @@ - restrict_strategy - name: Record Attempts to Alter Logon and Logout Events - faillock - Use matched file as the recipient for the rule - set_fact: + ansible.builtin.set_fact: all_files: - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' when: 
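Review bot: `var_accounts_passwords_pam_faillock_dir` is interpolated unescaped into the `contains` regular expression of the first `find` task, so a directory value containing regex metacharacters (`.`, `+`, `(`) is matched loosely or not at all, and a non-matching value makes the later `lineinfile` re-add the watch rule on every run. The `lineinfile` tasks use the variable literally, so only the searches need the escape: `contains: ^\s*-w\s+{{ var_accounts_passwords_pam_faillock_dir | regex_escape }}\s+-p\s+wa(\s|$)+`. The identical interpolation appears in the audit.rules search for this rule later in the file and should be escaped the same way.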
@@ -48751,7 +42975,7 @@ - name: Record Attempts to Alter Logon and Logout Events - faillock - Add watch rule for {{ var_accounts_passwords_pam_faillock_dir }} in /etc/audit/rules.d/ - lineinfile: + ansible.builtin.lineinfile: path: '{{ all_files[0] }}' line: -w {{ var_accounts_passwords_pam_faillock_dir }} -p wa -k logins create: true @@ -48788,7 +43012,7 @@ - name: Record Attempts to Alter Logon and Logout Events - faillock - Check if watch rule for {{ var_accounts_passwords_pam_faillock_dir }} already exists in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit/ contains: ^\s*-w\s+{{ var_accounts_passwords_pam_faillock_dir }}\s+-p\s+wa(\s|$)+ patterns: audit.rules @@ -48824,7 +43048,7 @@ - name: Record Attempts to Alter Logon and Logout Events - faillock - Add watch rule for {{ var_accounts_passwords_pam_faillock_dir }} in /etc/audit/audit.rules - lineinfile: + ansible.builtin.lineinfile: line: -w {{ var_accounts_passwords_pam_faillock_dir }} -p wa -k logins state: present dest: /etc/audit/audit.rules 
@@ -48860,39 +43084,9 @@ - no_reboot_needed - restrict_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83785-6 - - DISA-STIG-RHEL-09-654255 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.3 - - PCI-DSSv4-10.2 - - PCI-DSSv4-10.2.1 - - PCI-DSSv4-10.2.1.3 - - audit_rules_login_events_lastlog - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - when: - - DISA_STIG_RHEL_09_654255 | bool - - audit_rules_login_events_lastlog | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - name: Record Attempts to Alter Logon and Logout Events - lastlog - Check if watch rule for /var/log/lastlog already exists in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: ^\s*-w\s+/var/log/lastlog\s+-p\s+wa(\s|$)+ patterns: '*.rules' @@ -48928,7 +43122,7 @@ - name: Record Attempts to Alter Logon and Logout Events - lastlog - Search /etc/audit/rules.d for other rules with specified key logins - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: ^.*(?:-F key=|-k\s+)logins$ patterns: '*.rules' @@ -48965,7 +43159,7 @@ - name: Record Attempts to Alter Logon and Logout Events - lastlog - Use /etc/audit/rules.d/logins.rules as the recipient for the rule - set_fact: + ansible.builtin.set_fact: all_files: - /etc/audit/rules.d/logins.rules when: @@ -49000,7 +43194,7 @@ - restrict_strategy - name: Record Attempts to Alter Logon and Logout Events - lastlog - Use matched file as the recipient for the rule - set_fact: + ansible.builtin.set_fact: all_files: - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' when: 
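Review bot: The existence check in the first `find` task only recognises a watch whose permission string is exactly `wa` (`-p\s+wa(\s|$)+`), so a pre-existing `-w /var/log/lastlog -p rwa -k logins` or `-p aw` rule is treated as missing and a second watch on the same path is appended to the chosen rules file. If the intent is "a watch covering at least write and attribute changes", the check should accept any permission set containing both letters: `contains: ^\s*-w\s+/var/log/lastlog\s+-p\s+(?=[rwxa]*w)(?=[rwxa]*a)[rwxa]+(\s|$)`. If an exact `wa` is deliberate (to stay aligned with the corresponding scan check), a comment on the task saying so would keep the next reader from "fixing" it.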
@@ -49035,7 +43229,7 @@ - restrict_strategy - name: Record Attempts to Alter Logon and Logout Events - lastlog - Add watch rule for /var/log/lastlog in /etc/audit/rules.d/ - lineinfile: + ansible.builtin.lineinfile: path: '{{ all_files[0] }}' line: -w /var/log/lastlog -p wa -k logins create: true @@ -49072,7 +43266,7 @@ - name: Record Attempts to Alter Logon and Logout Events - lastlog - Check if watch rule for /var/log/lastlog already exists in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit/ contains: ^\s*-w\s+/var/log/lastlog\s+-p\s+wa(\s|$)+ patterns: audit.rules @@ -49107,7 +43301,7 @@ - restrict_strategy - name: Record Attempts to Alter Logon and Logout Events - lastlog - Add watch rule for /var/log/lastlog in /etc/audit/audit.rules - lineinfile: + ansible.builtin.lineinfile: line: -w /var/log/lastlog -p wa -k logins state: present dest: /etc/audit/audit.rules @@ -49143,33 +43337,6 @@ - no_reboot_needed - restrict_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83759-1 - - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(4) - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.2 - - audit_rules_privileged_commands - - configure_strategy - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - when: - - audit_rules_privileged_commands | bool - - configure_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - name: Ensure auditd Collects Information on the Use of Privileged Commands - Set List of Mount Points Which Permits Execution of Privileged Commands ansible.builtin.set_fact: 
@@ -49334,42 +43501,15 @@ - medium_severity - no_reboot_needed -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-90262-7 - - DISA-STIG-RHEL-09-654105 - - NIST-800-53-AU-12(a) - - NIST-800-53-AU-12.1(ii) - - NIST-800-53-AU-12.1(iv)AU-12(c) - - NIST-800-53-AU-3 - - NIST-800-53-AU-3.1 - - NIST-800-53-MA-4(1)(a) - - audit_rules_privileged_commands_kmod - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - when: - - DISA_STIG_RHEL_09_654105 | bool - - audit_rules_privileged_commands_kmod | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - name: Ensure auditd Collects Information on the Use of Privileged Commands - kmod - Perform remediation of Audit rules for /usr/bin/kmod block: - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: [] syscall_grouping: [] - name: Check existence of in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ 
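Review bot: With `syscalls: []` and `syscall_grouping: []` the `loop` of the `find` task is empty, so as far as the visible lines show it never executes, `find_command.results` is `[]`, `syscalls_found` is always empty and the block always falls through to the `Add the audit rule` `lineinfile`; an existing rule for /usr/bin/kmod written with `-k privileged`, a different key or different spacing is not detected and a duplicate line is appended, because lineinfile only deduplicates an exact match. The same artefact leaves the task named `Check existence of in /etc/audit/rules.d/`. A dedicated, non-looped search for the path rule, with the add task gated on its result, closes the gap; the `audit_file` selection and the add/replace tasks that would need the gate continue in the following hunks.

```yaml
- name: Check existence of a rule for /usr/bin/kmod in /etc/audit/rules.d/
  ansible.builtin.find:
    paths: /etc/audit/rules.d
    contains: -a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
    patterns: '*.rules'
  register: find_path_rule
# … unchanged: syscalls_per_file / found_paths / audit_file selection …
- name: Add the audit rule to {{ audit_file }}
  ansible.builtin.lineinfile:
    # … unchanged: path, line, create, mode …
  when: syscalls_found | length == 0 and find_path_rule.matched == 0
```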
@@ -49377,30 +43517,32 @@ register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file - set_fact: + ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') + | list }}" - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/privileged.rules - set_fact: audit_file="/etc/audit/rules.d/privileged.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/privileged.rules" when: found_paths | length == 0 - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | 
list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -49410,7 +43552,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged create: true @@ -49418,11 +43560,11 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: [] syscall_grouping: [] - name: Check existence of in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ 
@@ -49430,13 +43572,14 @@ register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -49446,7 +43589,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged create: true 
@@ -49479,36 +43622,15 @@ - no_reboot_needed - restrict_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-87212-7 - - DISA-STIG-RHEL-09-654175 - - audit_rules_privileged_commands_usermod - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - when: - - DISA_STIG_RHEL_09_654175 | bool - - audit_rules_privileged_commands_usermod | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - name: Ensure auditd Collects Information on the Use of Privileged Commands - usermod - Perform remediation of Audit rules for /usr/sbin/usermod block: - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: [] syscall_grouping: [] - name: Check existence of in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ 
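Review bot: As with the kmod rule set, `syscalls: []` and `syscall_grouping: []` leave the `find` task with an empty `loop`, so the existence check for a /usr/sbin/usermod rule appears never to run and any pre-existing rule for that path that is not byte-identical to the generated line (for example one using `-k privileged`) is duplicated rather than recognised. The task name `Check existence of in /etc/audit/rules.d/` shows the same templating gap. A non-looped `find` on the path rule, e.g. `contains: -a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$`, with the add task gated on its `matched` count, would make the check meaningful; the add task itself is in a later hunk.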
@@ -49516,30 +43638,32 @@ register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file - set_fact: + ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') + | list }}" - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/privileged.rules - set_fact: audit_file="/etc/audit/rules.d/privileged.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/privileged.rules" when: found_paths | length == 0 - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | 
list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -49549,7 +43673,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged create: true @@ -49557,11 +43681,11 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: [] syscall_grouping: [] - name: Check existence of in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ 
@@ -49569,13 +43693,14 @@ register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) @@ -49585,7 +43710,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged create: true 
@@ -49612,36 +43737,8 @@ - no_reboot_needed - restrict_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83840-9 - - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.4.2.b - - PCI-DSSv4-10.6 - - PCI-DSSv4-10.6.3 - - audit_rules_time_adjtimex - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - when: - - audit_rules_time_adjtimex | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - name: Set architecture for audit tasks - set_fact: + ansible.builtin.set_fact: audit_arch: b64 when: - audit_rules_time_adjtimex | bool @@ -49675,7 +43772,7 @@ - name: Perform remediation of Audit rules for adjtimex for 32bit platform block: - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - adjtimex syscall_grouping: 
@@ -49683,37 +43780,39 @@ - settimeofday - stime - name: Check existence of adjtimex in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file - set_fact: + ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') + | list }}" - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/audit_time_rules.rules - set_fact: 
audit_file="/etc/audit/rules.d/audit_time_rules.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/audit_time_rules.rules" when: found_paths | length == 0 - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+) @@ -49723,7 +43822,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=audit_time_rules create: true @@ -49731,7 +43830,7 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - adjtimex syscall_grouping: 
@@ -49739,20 +43838,21 @@ - settimeofday - stime - name: Check existence of adjtimex in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+) @@ -49762,7 +43862,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=audit_time_rules create: true 
@@ -49799,44 +43899,46 @@ - name: Perform remediation of Audit rules for adjtimex for 64bit platform block: - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - adjtimex syscall_grouping: - adjtimex - settimeofday - name: Check existence of adjtimex in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file - set_fact: + ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') + | list }}" - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | 
dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/audit_time_rules.rules - set_fact: audit_file="/etc/audit/rules.d/audit_time_rules.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/audit_time_rules.rules" when: found_paths | length == 0 - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+) @@ -49846,7 +43948,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F key=audit_time_rules create: true @@ -49854,7 +43956,7 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - adjtimex syscall_grouping: 
@@ -49862,20 +43964,21 @@ - settimeofday - stime - name: Check existence of adjtimex in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+) @@ -49885,7 +43988,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F key=audit_time_rules create: true 
@@ -49920,36 +44023,8 @@ - no_reboot_needed - restrict_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83837-5 - - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.4.2.b - - PCI-DSSv4-10.6 - - PCI-DSSv4-10.6.3 - - audit_rules_time_clock_settime - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - when: - - audit_rules_time_clock_settime | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - name: Set architecture for audit tasks - set_fact: + ansible.builtin.set_fact: audit_arch: b64 when: - audit_rules_time_clock_settime | bool 
@@ -49983,42 +44058,44 @@ - name: Perform remediation of Audit rules for clock_settime for 32bit platform block: - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - clock_settime syscall_grouping: [] - name: Check existence of clock_settime in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F a0=0x0 (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file - set_fact: + ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') + | list }}" - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | 
dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/time-change.rules - set_fact: audit_file="/etc/audit/rules.d/time-change.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/time-change.rules" when: found_paths | length == 0 - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F a0=0x0 (?:-k |-F key=)\w+) @@ -50028,7 +44105,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a0=0x0 -F key=time-change create: true 
@@ -50036,25 +44113,26 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - clock_settime syscall_grouping: [] - name: Check existence of clock_settime in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F a0=0x0 (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F a0=0x0 (?:-k |-F key=)\w+) @@ -50064,7 +44142,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a0=0x0 -F key=time-change create: true 
@@ -50101,42 +44179,44 @@ - name: Perform remediation of Audit rules for clock_settime for 64bit platform block: - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - clock_settime syscall_grouping: [] - name: Check existence of clock_settime in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F a0=0x0 (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file - set_fact: + ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') + | list }}" - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | 
dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/time-change.rules - set_fact: audit_file="/etc/audit/rules.d/time-change.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/time-change.rules" when: found_paths | length == 0 - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F a0=0x0 (?:-k |-F key=)\w+) @@ -50146,7 +44226,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a0=0x0 -F key=time-change create: true 
@@ -50154,25 +44234,26 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - clock_settime syscall_grouping: [] - name: Check existence of clock_settime in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F a0=0x0 (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F a0=0x0 (?:-k |-F key=)\w+) @@ -50182,7 +44263,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a0=0x0 -F key=time-change create: true 
@@ -50217,34 +44298,6 @@ - no_reboot_needed - restrict_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83836-7 - - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.4.2.b - - PCI-DSSv4-10.6 - - PCI-DSSv4-10.6.3 - - audit_rules_time_settimeofday - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - when: - - audit_rules_time_settimeofday | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - name: Set architecture for audit tasks set_fact: audit_arch: b64 @@ -50280,7 +44333,7 @@ - name: Perform remediation of Audit rules for settimeofday for 32bit platform block: - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - settimeofday syscall_grouping: 
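Review bot: The `Set architecture for audit tasks` task that follows the removed package_facts block in this hunk is left as the short name `set_fact:` (it is an unchanged context line), while the identically named task in the adjtimex and clock_settime sections was converted to `ansible.builtin.set_fact:` in this same commit, so the fqcn lint check will still report this one. Change the line to `ansible.builtin.set_fact:` so the settimeofday section matches the others. The task's `when:` list and the rest of the section continue outside the hunk.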
@@ -50288,37 +44341,39 @@ - settimeofday - stime - name: Check existence of settimeofday in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file - set_fact: + ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') + | list }}" - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/audit_time_rules.rules - set_fact: 
audit_file="/etc/audit/rules.d/audit_time_rules.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/audit_time_rules.rules" when: found_paths | length == 0 - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+) @@ -50328,7 +44383,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=audit_time_rules create: true @@ -50336,7 +44391,7 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - settimeofday syscall_grouping: 
@@ -50344,20 +44399,21 @@ - settimeofday - stime - name: Check existence of settimeofday in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+) @@ -50367,7 +44423,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=audit_time_rules create: true @@ -50404,7 +44460,7 @@ - name: Perform remediation of Audit rules for settimeofday for 64bit platform block: - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - settimeofday syscall_grouping: 
@@ -50412,37 +44468,39 @@ - settimeofday - stime - name: Check existence of settimeofday in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file - set_fact: + ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file - set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found - set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') + | list }}" - name: Count occurrences of syscalls in paths - set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls - set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/audit_time_rules.rules - set_fact: 
audit_file="/etc/audit/rules.d/audit_time_rules.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/audit_time_rules.rules" when: found_paths | length == 0 - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+) @@ -50452,7 +44510,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F key=audit_time_rules create: true @@ -50460,7 +44518,7 @@ state: present when: syscalls_found | length == 0 - name: Declare list of syscalls - set_fact: + ansible.builtin.set_fact: syscalls: - settimeofday syscall_grouping: 
@@ -50468,20 +44526,21 @@ - settimeofday - stime - name: Check existence of settimeofday in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules - set_fact: audit_file="/etc/audit/audit.rules" + ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls - set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list + }}" - name: Declare missing syscalls - set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+) @@ -50491,7 +44550,7 @@ mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} - lineinfile: + ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F key=audit_time_rules create: true 
@@ -50526,36 +44585,8 @@ - no_reboot_needed - restrict_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83839-1 - - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.4.2.b - - PCI-DSSv4-10.6 - - PCI-DSSv4-10.6.3 - - audit_rules_time_watch_localtime - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - when: - - audit_rules_time_watch_localtime | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - name: Record Attempts to Alter the localtime File - Check if watch rule for /etc/localtime already exists in /etc/audit/rules.d/ - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: ^\s*-w\s+/etc/localtime\s+-p\s+wa(\s|$)+ patterns: '*.rules' @@ -50588,7 +44619,7 @@ - restrict_strategy - name: Record Attempts to Alter the localtime File - Search /etc/audit/rules.d for other rules with specified key audit_time_rules - find: + ansible.builtin.find: paths: /etc/audit/rules.d contains: ^.*(?:-F key=|-k\s+)audit_time_rules$ patterns: '*.rules' @@ -50623,7 +44654,7 @@ - name: Record Attempts to Alter the localtime File - Use /etc/audit/rules.d/audit_time_rules.rules as the recipient for the rule - set_fact: + ansible.builtin.set_fact: all_files: - /etc/audit/rules.d/audit_time_rules.rules when: @@ -50656,7 +44687,7 @@ - restrict_strategy - name: Record Attempts to Alter the localtime File - Use matched file as the recipient for the rule - set_fact: + ansible.builtin.set_fact: all_files: - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' when: 
@@ -50689,7 +44720,7 @@ - restrict_strategy - name: Record Attempts to Alter the localtime File - Add watch rule for /etc/localtime in /etc/audit/rules.d/ - lineinfile: + ansible.builtin.lineinfile: path: '{{ all_files[0] }}' line: -w /etc/localtime -p wa -k audit_time_rules create: true @@ -50723,7 +44754,7 @@ - restrict_strategy - name: Record Attempts to Alter the localtime File - Check if watch rule for /etc/localtime already exists in /etc/audit/audit.rules - find: + ansible.builtin.find: paths: /etc/audit/ contains: ^\s*-w\s+/etc/localtime\s+-p\s+wa(\s|$)+ patterns: audit.rules @@ -50756,7 +44787,7 @@ - restrict_strategy - name: Record Attempts to Alter the localtime File - Add watch rule for /etc/localtime in /etc/audit/audit.rules - lineinfile: + ansible.builtin.lineinfile: line: -w /etc/localtime -p wa -k audit_time_rules state: present dest: /etc/audit/audit.rules @@ -50790,32 +44821,8 @@ - no_reboot_needed - restrict_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83690-8 - - NIST-800-53-AU-5(1) - - NIST-800-53-AU-5(2) - - NIST-800-53-AU-5(4) - - NIST-800-53-AU-5(b) - - NIST-800-53-CM-6(a) - - auditd_data_disk_error_action - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - when: - - auditd_data_disk_error_action | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - name: Configure auditd Disk Error Action on Disk Error - lineinfile: + ansible.builtin.lineinfile: dest: /etc/audit/auditd.conf line: disk_error_action = {{ var_auditd_disk_error_action.split('|')[0] }} regexp: ^\s*disk_error_action\s*=\s*.*$ 
@@ -50844,32 +44851,8 @@ - no_reboot_needed - restrict_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83684-1 - - NIST-800-53-AU-5(1) - - NIST-800-53-AU-5(2) - - NIST-800-53-AU-5(4) - - NIST-800-53-AU-5(b) - - NIST-800-53-CM-6(a) - - auditd_data_disk_full_action - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - when: - - auditd_data_disk_full_action | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - name: Configure auditd Disk Full Action when Disk Space Is Full - lineinfile: + ansible.builtin.lineinfile: dest: /etc/audit/auditd.conf line: disk_full_action = {{ var_auditd_disk_full_action.split('|')[0] }} regexp: ^\s*disk_full_action\s*=\s*.*$ @@ -50898,37 +44881,10 @@ - no_reboot_needed - restrict_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83698-1 - - CJIS-5.4.1.1 - - DISA-STIG-RHEL-09-653070 - - NIST-800-171-3.3.1 - - NIST-800-53-AU-5(2) - - NIST-800-53-AU-5(a) - - NIST-800-53-CM-6(a) - - NIST-800-53-IA-5(1) - - PCI-DSS-Req-10.7.a - - auditd_data_retention_action_mail_acct - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - when: - - DISA_STIG_RHEL_09_653070 | bool - - auditd_data_retention_action_mail_acct | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - -- name: Configure auditd mail_acct Action on Low Disk Space - lineinfile: +- name: Configure auditd mail_acct Action on Low Disk Space - Configure auditd mail_acct Action on Low Disk Space + ansible.builtin.lineinfile: dest: /etc/audit/auditd.conf + regexp: ^action_mail_acct line: action_mail_acct = {{ var_auditd_action_mail_acct }} state: present create: true 
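Review bot: The newly added `regexp: ^action_mail_acct` in the `Configure auditd mail_acct Action on Low Disk Space` task (hunk `@@ -50898`) is anchored differently from every sibling auditd.conf task in this file, which use the form `^\s*disk_full_action\s*=\s*.*$`; an existing `action_mail_acct` line preceded by whitespace would not be matched, and with `create: true` / `state: present` `lineinfile` would then append a second `action_mail_acct =` line rather than replace the first. I would align it with the siblings: `regexp: ^\s*action_mail_acct\s*=\s*.*$`. The task's `when:`/`tags:` continue outside the hunk, so I cannot confirm the guard that replaced the removed per-rule `package_facts` gather.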
@@ -50959,39 +44915,8 @@ - no_reboot_needed - restrict_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83700-5 - - CJIS-5.4.1.1 - - DISA-STIG-RHEL-09-653050 - - NIST-800-171-3.3.1 - - NIST-800-53-AU-5(1) - - NIST-800-53-AU-5(2) - - NIST-800-53-AU-5(4) - - NIST-800-53-AU-5(b) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.7 - - PCI-DSSv4-10.5 - - PCI-DSSv4-10.5.1 - - auditd_data_retention_admin_space_left_action - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - when: - - DISA_STIG_RHEL_09_653050 | bool - - auditd_data_retention_admin_space_left_action | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - name: Configure auditd admin_space_left Action on Low Disk Space - lineinfile: + ansible.builtin.lineinfile: dest: /etc/audit/auditd.conf line: admin_space_left_action = {{ var_auditd_admin_space_left_action .split('|')[0] }} regexp: ^\s*admin_space_left_action\s*=\s*.*$ @@ -51027,31 +44952,8 @@ - no_reboot_needed - restrict_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83683-3 - - CJIS-5.4.1.1 - - NIST-800-53-AU-11 - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.7 - - auditd_data_retention_max_log_file - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - when: - - auditd_data_retention_max_log_file | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - name: Configure auditd Max Log File Size - lineinfile: + ansible.builtin.lineinfile: dest: /etc/audit/auditd.conf regexp: ^\s*max_log_file\s*=\s*.*$ line: max_log_file = {{ var_auditd_max_log_file }} 
@@ -51079,34 +44981,8 @@ - no_reboot_needed - restrict_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83701-3 - - CJIS-5.4.1.1 - - NIST-800-53-AU-5(1) - - NIST-800-53-AU-5(2) - - NIST-800-53-AU-5(4) - - NIST-800-53-AU-5(b) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.7 - - auditd_data_retention_max_log_file_action - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - when: - - auditd_data_retention_max_log_file_action | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - name: Configure auditd max_log_file_action Upon Reaching Maximum Log Size - lineinfile: + ansible.builtin.lineinfile: dest: /etc/audit/auditd.conf line: max_log_file_action = {{ var_auditd_max_log_file_action }} regexp: ^\s*max_log_file_action\s*=\s*.*$ @@ -51137,39 +45013,8 @@ - no_reboot_needed - restrict_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-83703-9 - - CJIS-5.4.1.1 - - DISA-STIG-RHEL-09-653040 - - NIST-800-171-3.3.1 - - NIST-800-53-AU-5(1) - - NIST-800-53-AU-5(2) - - NIST-800-53-AU-5(4) - - NIST-800-53-AU-5(b) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.7 - - PCI-DSSv4-10.5 - - PCI-DSSv4-10.5.1 - - auditd_data_retention_space_left_action - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - when: - - DISA_STIG_RHEL_09_653040 | bool - - auditd_data_retention_space_left_action | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - name: Configure auditd space_left Action on Low Disk Space - lineinfile: + ansible.builtin.lineinfile: dest: /etc/audit/auditd.conf line: space_left_action = {{ var_auditd_space_left_action.split('|')[0] }} regexp: ^\s*space_left_action\s*=\s*.*$ 
@@ -51205,27 +45050,8 @@ - no_reboot_needed - restrict_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-86457-9 - - configure_strategy - - file_groupownership_audit_binaries - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - when: - - configure_strategy | bool - - file_groupownership_audit_binaries | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - name: Set the file_groupownership_audit_binaries_newgroup variable if represented by gid - set_fact: + ansible.builtin.set_fact: file_groupownership_audit_binaries_newgroup: '0' when: - configure_strategy | bool @@ -51245,7 +45071,7 @@ - no_reboot_needed - name: Test for existence /sbin/auditctl - stat: + ansible.builtin.stat: path: /sbin/auditctl register: file_exists when: @@ -51266,8 +45092,9 @@ - no_reboot_needed - name: Ensure group owner on /sbin/auditctl - file: + ansible.builtin.file: path: /sbin/auditctl + follow: false group: '{{ file_groupownership_audit_binaries_newgroup }}' when: - configure_strategy | bool @@ -51288,7 +45115,7 @@ - no_reboot_needed - name: Test for existence /sbin/aureport - stat: + ansible.builtin.stat: path: /sbin/aureport register: file_exists when: @@ -51309,8 +45136,9 @@ - no_reboot_needed - name: Ensure group owner on /sbin/aureport - file: + ansible.builtin.file: path: /sbin/aureport + follow: false group: '{{ file_groupownership_audit_binaries_newgroup }}' when: - configure_strategy | bool @@ -51331,7 +45159,7 @@ - no_reboot_needed - name: Test for existence /sbin/ausearch - stat: + ansible.builtin.stat: path: /sbin/ausearch register: file_exists when: @@ -51352,8 +45180,9 @@ - no_reboot_needed - name: Ensure group owner on /sbin/ausearch - file: + ansible.builtin.file: path: /sbin/ausearch + follow: false group: '{{ file_groupownership_audit_binaries_newgroup }}' when: - configure_strategy | bool 
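Review bot: The `follow: false` added to each `Ensure group owner on /sbin/…` task (hunks `@@ -51266`, `@@ -51309`, `@@ -51352`) changes which inode gets the new group: if one of these paths were a symlink, `ansible.builtin.file` would now re-group the link itself and leave the target binary untouched, whereas the preceding `Test for existence` `stat` task (default `follow: false`) still reports the link as existing. That is a defensible choice if the goal is to avoid following an attacker-planted link, but the intent should be recorded next to the option so nobody "fixes" it later, e.g. `# follow: false — apply the group to this path itself, never to a symlink target`. Each task's `when:` list continues outside the hunk, so I cannot see whether `file_exists.stat.islnk` is consulted there.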
@@ -51374,7 +45203,7 @@ - no_reboot_needed - name: Test for existence /sbin/autrace - stat: + ansible.builtin.stat: path: /sbin/autrace register: file_exists when: @@ -51395,8 +45224,9 @@ - no_reboot_needed - name: Ensure group owner on /sbin/autrace - file: + ansible.builtin.file: path: /sbin/autrace + follow: false group: '{{ file_groupownership_audit_binaries_newgroup }}' when: - configure_strategy | bool @@ -51417,7 +45247,7 @@ - no_reboot_needed - name: Test for existence /sbin/auditd - stat: + ansible.builtin.stat: path: /sbin/auditd register: file_exists when: @@ -51438,8 +45268,9 @@ - no_reboot_needed - name: Ensure group owner on /sbin/auditd - file: + ansible.builtin.file: path: /sbin/auditd + follow: false group: '{{ file_groupownership_audit_binaries_newgroup }}' when: - configure_strategy | bool @@ -51460,7 +45291,7 @@ - no_reboot_needed - name: Test for existence /sbin/augenrules - stat: + ansible.builtin.stat: path: /sbin/augenrules register: file_exists when: @@ -51481,8 +45312,9 @@ - no_reboot_needed - name: Ensure group owner on /sbin/augenrules - file: + ansible.builtin.file: path: /sbin/augenrules + follow: false group: '{{ file_groupownership_audit_binaries_newgroup }}' when: - configure_strategy | bool @@ -51503,7 +45335,7 @@ - no_reboot_needed - name: Test for existence /sbin/audisp-syslog - stat: + ansible.builtin.stat: path: /sbin/audisp-syslog register: file_exists when: @@ -51524,8 +45356,9 @@ - no_reboot_needed - name: Ensure group owner on /sbin/audisp-syslog - file: + ansible.builtin.file: path: /sbin/audisp-syslog + follow: false group: '{{ file_groupownership_audit_binaries_newgroup }}' when: - configure_strategy | bool 
@@ -51545,27 +45378,8 @@ - medium_severity - no_reboot_needed -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-86454-6 - - configure_strategy - - file_ownership_audit_binaries - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - when: - - configure_strategy | bool - - file_ownership_audit_binaries | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - name: Set the file_ownership_audit_binaries_newown variable if represented by uid - set_fact: + ansible.builtin.set_fact: file_ownership_audit_binaries_newown: '0' when: - configure_strategy | bool @@ -51585,7 +45399,7 @@ - no_reboot_needed - name: Test for existence /sbin/auditctl - stat: + ansible.builtin.stat: path: /sbin/auditctl register: file_exists when: @@ -51606,8 +45420,9 @@ - no_reboot_needed - name: Ensure owner on /sbin/auditctl - file: + ansible.builtin.file: path: /sbin/auditctl + follow: false owner: '{{ file_ownership_audit_binaries_newown }}' when: - configure_strategy | bool @@ -51628,7 +45443,7 @@ - no_reboot_needed - name: Test for existence /sbin/aureport - stat: + ansible.builtin.stat: path: /sbin/aureport register: file_exists when: @@ -51649,8 +45464,9 @@ - no_reboot_needed - name: Ensure owner on /sbin/aureport - file: + ansible.builtin.file: path: /sbin/aureport + follow: false owner: '{{ file_ownership_audit_binaries_newown }}' when: - configure_strategy | bool @@ -51671,7 +45487,7 @@ - no_reboot_needed - name: Test for existence /sbin/ausearch - stat: + ansible.builtin.stat: path: /sbin/ausearch register: file_exists when: @@ -51692,8 +45508,9 @@ - no_reboot_needed - name: Ensure owner on /sbin/ausearch - file: + ansible.builtin.file: path: /sbin/ausearch + follow: false owner: '{{ file_ownership_audit_binaries_newown }}' when: - configure_strategy | bool 
@@ -51714,7 +45531,7 @@ - no_reboot_needed - name: Test for existence /sbin/autrace - stat: + ansible.builtin.stat: path: /sbin/autrace register: file_exists when: @@ -51735,8 +45552,9 @@ - no_reboot_needed - name: Ensure owner on /sbin/autrace - file: + ansible.builtin.file: path: /sbin/autrace + follow: false owner: '{{ file_ownership_audit_binaries_newown }}' when: - configure_strategy | bool @@ -51757,7 +45575,7 @@ - no_reboot_needed - name: Test for existence /sbin/auditd - stat: + ansible.builtin.stat: path: /sbin/auditd register: file_exists when: @@ -51778,8 +45596,9 @@ - no_reboot_needed - name: Ensure owner on /sbin/auditd - file: + ansible.builtin.file: path: /sbin/auditd + follow: false owner: '{{ file_ownership_audit_binaries_newown }}' when: - configure_strategy | bool @@ -51800,7 +45619,7 @@ - no_reboot_needed - name: Test for existence /sbin/augenrules - stat: + ansible.builtin.stat: path: /sbin/augenrules register: file_exists when: @@ -51821,8 +45640,9 @@ - no_reboot_needed - name: Ensure owner on /sbin/augenrules - file: + ansible.builtin.file: path: /sbin/augenrules + follow: false owner: '{{ file_ownership_audit_binaries_newown }}' when: - configure_strategy | bool @@ -51843,7 +45663,7 @@ - no_reboot_needed - name: Test for existence /sbin/audisp-syslog - stat: + ansible.builtin.stat: path: /sbin/audisp-syslog register: file_exists when: @@ -51864,8 +45684,9 @@ - no_reboot_needed - name: Ensure owner on /sbin/audisp-syslog - file: + ansible.builtin.file: path: /sbin/audisp-syslog + follow: false owner: '{{ file_ownership_audit_binaries_newown }}' when: - configure_strategy | bool 
@@ -51885,27 +45706,8 @@ - medium_severity - no_reboot_needed -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-86448-8 - - configure_strategy - - file_permissions_audit_binaries - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - when: - - configure_strategy | bool - - file_permissions_audit_binaries | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - name: Test for existence /sbin/auditctl - stat: + ansible.builtin.stat: path: /sbin/auditctl register: file_exists when: @@ -51926,7 +45728,7 @@ - no_reboot_needed - name: Ensure permission u-s,g-ws,o-wt on /sbin/auditctl - file: + ansible.builtin.file: path: /sbin/auditctl mode: u-s,g-ws,o-wt when: @@ -51948,7 +45750,7 @@ - no_reboot_needed - name: Test for existence /sbin/aureport - stat: + ansible.builtin.stat: path: /sbin/aureport register: file_exists when: @@ -51969,7 +45771,7 @@ - no_reboot_needed - name: Ensure permission u-s,g-ws,o-wt on /sbin/aureport - file: + ansible.builtin.file: path: /sbin/aureport mode: u-s,g-ws,o-wt when: @@ -51991,7 +45793,7 @@ - no_reboot_needed - name: Test for existence /sbin/ausearch - stat: + ansible.builtin.stat: path: /sbin/ausearch register: file_exists when: @@ -52012,7 +45814,7 @@ - no_reboot_needed - name: Ensure permission u-s,g-ws,o-wt on /sbin/ausearch - file: + ansible.builtin.file: path: /sbin/ausearch mode: u-s,g-ws,o-wt when: @@ -52034,7 +45836,7 @@ - no_reboot_needed - name: Test for existence /sbin/autrace - stat: + ansible.builtin.stat: path: /sbin/autrace register: file_exists when: @@ -52055,7 +45857,7 @@ - no_reboot_needed - name: Ensure permission u-s,g-ws,o-wt on /sbin/autrace - file: + ansible.builtin.file: path: /sbin/autrace mode: u-s,g-ws,o-wt when: @@ -52077,7 +45879,7 @@ - no_reboot_needed - name: Test for existence /sbin/auditd - stat: + ansible.builtin.stat: path: /sbin/auditd register: file_exists when: 
@@ -52098,7 +45900,7 @@ - no_reboot_needed - name: Ensure permission u-s,g-ws,o-wt on /sbin/auditd - file: + ansible.builtin.file: path: /sbin/auditd mode: u-s,g-ws,o-wt when: @@ -52120,7 +45922,7 @@ - no_reboot_needed - name: Test for existence /sbin/augenrules - stat: + ansible.builtin.stat: path: /sbin/augenrules register: file_exists when: @@ -52141,7 +45943,7 @@ - no_reboot_needed - name: Ensure permission u-s,g-ws,o-wt on /sbin/augenrules - file: + ansible.builtin.file: path: /sbin/augenrules mode: u-s,g-ws,o-wt when: @@ -52163,7 +45965,7 @@ - no_reboot_needed - name: Test for existence /sbin/audisp-syslog - stat: + ansible.builtin.stat: path: /sbin/audisp-syslog register: file_exists when: @@ -52184,7 +45986,7 @@ - no_reboot_needed - name: Ensure permission u-s,g-ws,o-wt on /sbin/audisp-syslog - file: + ansible.builtin.file: path: /sbin/audisp-syslog mode: u-s,g-ws,o-wt when: