From 637a4ab95c1edbd98a109f736f8ebb839e9ae3c5 Mon Sep 17 00:00:00 2001 From: ComplianceAsCode development team Date: Mon, 7 Aug 2023 18:02:03 -0400 Subject: [PATCH] Updated tasks/main.yml --- tasks/main.yml | 599 ++++++++++++++++++++++++++++++++++--------------- 1 file changed, 413 insertions(+), 186 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index f7ca008..f05d9db 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -232,10 +232,10 @@ - name: Ensure AIDE is installed package: - name: - - aide - - crontabs + name: '{{ item }}' state: present + with_items: + - aide when: - aide_periodic_cron_checking | bool - low_complexity | bool @@ -499,6 +499,50 @@ - no_reboot_needed - package_gdm_removed +- name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-87295-2 + - PCI-DSS-Req-6.2 + - PCI-DSSv4-6.3.3 + - dconf_db_up_to_date + - high_severity + - low_complexity + - medium_disruption + - no_reboot_needed + - unknown_strategy + when: + - dconf_db_up_to_date | bool + - high_severity | bool + - low_complexity | bool + - medium_disruption | bool + - no_reboot_needed | bool + - unknown_strategy | bool + +- name: Run dconf update + ansible.builtin.command: + cmd: dconf update + when: + - dconf_db_up_to_date | bool + - high_severity | bool + - low_complexity | bool + - medium_disruption | bool + - no_reboot_needed | bool + - unknown_strategy | bool + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-87295-2 + - PCI-DSS-Req-6.2 + - PCI-DSSv4-6.3.3 + - dconf_db_up_to_date + - high_severity + - low_complexity + - medium_disruption + - no_reboot_needed + - unknown_strategy + - name: Gather the package facts package_facts: manager: auto 
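Review bot: Dropping `crontabs` from the package list leaves the periodic AIDE check with no guarantee that a cron implementation is present, so on a minimal install the cron entry this rule presumably writes (outside this hunk) would be accepted but never executed while the play still reports success. If crontabs was removed because it does not exist on the target product, say so in the task instead of leaving the reader to guess, e.g. `# crontabs is not managed here; the periodic check relies on the product's cron package being present`. With a single item left, the `with_items` loop is also unnecessary: `name: aide` is the same task and reads better.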
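Review bot: `dconf update` in the new Run dconf update task is executed unconditionally and without `changed_when`, so every play run reports a change for this rule even when the compiled database was already current, which hides real drift in reports. Either add `changed_when: false` (the command is a deterministic compile step) or gate it on the keyfile directory being newer than the database, e.g. via `stat` of `/etc/dconf/db/local` and `/etc/dconf/db/local.d`. The `"gdm" in ansible_facts.packages` guard also skips headless hosts that still ship dconf profiles; whether that is intended is not visible here.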
@@ -1779,7 +1823,7 @@ - medium_severity - no_reboot_needed -- name: Modify the System Login Banner - ensure correct banner +- name: Modify the System Login Banner - Ensure Correct Banner copy: dest: /etc/issue content: '{{ login_banner_text | regex_replace("^\^(.*)\$$", "\1") | regex_replace("^\((.*\.)\|.*\)$", "\1") | regex_replace("\[\\s\\n\]\+"," 
@@ -6511,6 +6555,55 @@ - no_reboot_needed - restrict_strategy +- name: Collect users with not correct minimum time period between password changes + command: 'awk -F'':'' ''(/^[^:]+:[^!*]/ && ($4 < {{ var_accounts_minimum_age_login_defs }} || $4 == "")) {print $1}'' /etc/shadow + + ' + register: user_names + tags: + - CCE-89069-9 + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-5(1)(d) + - NIST-800-53-IA-5(f) + - accounts_password_set_min_life_existing + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + when: + - accounts_password_set_min_life_existing | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + +- name: Change the minimum time period between password changes + command: 'chage -m {{ var_accounts_minimum_age_login_defs }} {{ item }} + + ' + with_items: '{{ user_names.stdout_lines }}' + when: + - accounts_password_set_min_life_existing | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - user_names.stdout_lines | length > 0 + tags: + - CCE-89069-9 + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-5(1)(d) + - NIST-800-53-IA-5(f) + - accounts_password_set_min_life_existing + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - name: Set Existing Passwords Warning Age - Collect Users With Incorrect Number of Days of Warning Before Password Expires ansible.builtin.command: cmd: awk -F':' '(($6 < {{ var_accounts_password_warn_age_login_defs }} || $6 == "") && $2 ~ /^\$/) {print $1}' /etc/shadow 
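Review bot: The new Collect users awk filter `/^[^:]+:[^!*]/` selects every account whose second field does not start with `!` or `*`, which includes accounts with an empty password field (the character after the first colon is then `:`), while the sibling task visible at the end of this hunk selects only hashed passwords with `$2 ~ /^\$/`; two rules in the same file should agree on what counts as an active local account. Aligning the selector would make that explicit: `cmd: awk -F':' '(($4 < {{ var_accounts_minimum_age_login_defs }} || $4 == "") && $2 ~ /^\$/) {print $1}' /etc/shadow`. The new tasks also use the short `command:` form with a multi-line quoted string where the neighbour uses `ansible.builtin.command` with `cmd:`; matching the neighbour keeps the file consistent.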
@@ -6846,6 +6939,62 @@ - no_reboot_needed - restrict_strategy +- name: Get all /etc/passwd file entries + getent: + database: passwd + split: ':' + tags: + - CCE-83624-7 + - NIST-800-171-3.1.1 + - NIST-800-171-3.1.5 + - NIST-800-53-AC-6(5) + - NIST-800-53-IA-2 + - NIST-800-53-IA-4(b) + - PCI-DSS-Req-8.5 + - PCI-DSSv4-8.2.2 + - PCI-DSSv4-8.2.3 + - accounts_no_uid_except_zero + - high_severity + - low_complexity + - low_disruption + - no_reboot_needed + - restrict_strategy + when: + - accounts_no_uid_except_zero | bool + - high_severity | bool + - low_complexity | bool + - low_disruption | bool + - no_reboot_needed | bool + - restrict_strategy | bool + +- name: Lock the password of the user accounts other than root with uid 0 + command: passwd -l {{ item.key }} + loop: '{{ getent_passwd | dict2items | rejectattr(''key'', ''search'', ''root'') | list }}' + when: + - accounts_no_uid_except_zero | bool + - high_severity | bool + - low_complexity | bool + - low_disruption | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - item.value.1 == '0' + tags: + - CCE-83624-7 + - NIST-800-171-3.1.1 + - NIST-800-171-3.1.5 + - NIST-800-53-AC-6(5) + - NIST-800-53-IA-2 + - NIST-800-53-IA-4(b) + - PCI-DSS-Req-8.5 + - PCI-DSSv4-8.2.2 + - PCI-DSSv4-8.2.3 + - accounts_no_uid_except_zero + - high_severity + - low_complexity + - low_disruption + - no_reboot_needed + - restrict_strategy + - name: Ensure that System Accounts Are Locked - Get All Local Users From /etc/passwd ansible.builtin.getent: database: passwd 
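Review bot: `rejectattr('key', 'search', 'root')` in the Lock the password task is a regex search, so any UID-0 account whose name merely contains the substring root (`xroot`, `rootbackup`, `chroot`) is excluded from locking, which is exactly the kind of backdoor name this rule exists to catch. Use an equality test instead: `loop: '{{ getent_passwd | dict2items | rejectattr(''key'', ''equalto'', ''root'') | list }}'`. Note also that `passwd -l` only disables password authentication; if such an account has authorized SSH keys it can presumably still log in, so a follow-up that sets its shell to nologin or removes the account may be warranted (not shown here).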
@@ -6992,49 +7141,6 @@ - no_shelllogin_for_systemaccounts - restrict_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-90085-2 - - PCI-DSSv4-8.6.1 - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - - use_pam_wheel_for_su - when: - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - use_pam_wheel_for_su | bool - -- name: Restrict usage of su command only to members of wheel group - replace: - path: /etc/pam.d/su - regexp: ^[\s]*#[\s]*auth[\s]+required[\s]+pam_wheel\.so[\s]+use_uid$ - replace: auth required pam_wheel.so use_uid - when: - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - use_pam_wheel_for_su | bool - - '"pam" in ansible_facts.packages' - tags: - - CCE-90085-2 - - PCI-DSSv4-8.6.1 - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - - use_pam_wheel_for_su - - name: Correct any occurrence of TMOUT in /etc/profile replace: path: /etc/profile @@ -10666,21 +10772,15 @@ package_facts: manager: auto tags: - - CCE-86402-5 - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(3) - - NIST-800-53-AU-7(a) - - NIST-800-53-AU-7(b) - - NIST-800-53-AU-8(b) - - NIST-800-53-CM-5(1) - - audit_rules_suid_privilege_function + - CCE-86368-8 + - audit_rules_suid_auid_privilege_function - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy when: - - audit_rules_suid_privilege_function | bool + - audit_rules_suid_auid_privilege_function | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool 
@@ -10690,7 +10790,7 @@
 - name: Service facts
 ansible.builtin.service_facts: null
 when:
- - audit_rules_suid_privilege_function | bool
+ - audit_rules_suid_auid_privilege_function | bool
 - low_complexity | bool
 - low_disruption | bool
 - medium_severity | bool
@@ -10699,14 +10799,8 @@
 - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 tags:
- - CCE-86402-5
- - NIST-800-53-AC-6(9)
- - NIST-800-53-AU-12(3)
- - NIST-800-53-AU-7(a)
- - NIST-800-53-AU-7(b)
- - NIST-800-53-AU-8(b)
- - NIST-800-53-CM-5(1)
- - audit_rules_suid_privilege_function
+ - CCE-86368-8
+ - audit_rules_suid_auid_privilege_function
 - low_complexity
 - low_disruption
 - medium_severity
@@ -10719,7 +10813,7 @@
 changed_when: false
 failed_when: false
 when:
- - audit_rules_suid_privilege_function | bool
+ - audit_rules_suid_auid_privilege_function | bool
 - low_complexity | bool
 - low_disruption | bool
 - medium_severity | bool
@@ -10728,14 +10822,8 @@
 - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 tags:
- - CCE-86402-5
- - NIST-800-53-AC-6(9)
- - NIST-800-53-AU-12(3)
- - NIST-800-53-AU-7(a)
- - NIST-800-53-AU-7(b)
- - NIST-800-53-AU-8(b)
- - NIST-800-53-CM-5(1)
- - audit_rules_suid_privilege_function
+ - CCE-86368-8
+ - audit_rules_suid_auid_privilege_function
 - low_complexity
 - low_disruption
 - medium_severity
@@ -10745,16 +10833,12 @@
 - name: Set suid_audit_rules fact
 ansible.builtin.set_fact:
 suid_audit_rules:
- - rule: -a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid
- regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+execve[\s]+-C[\s]+gid!=egid[\s]+-F[\s]+egid=0[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
- - rule: -a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid
- regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+execve[\s]+-C[\s]+gid!=egid[\s]+-F[\s]+egid=0[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
- - rule: -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid
- regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+execve[\s]+-C[\s]+uid!=euid[\s]+-F[\s]+euid=0[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
- - rule: -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid
- regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+execve[\s]+-C[\s]+uid!=euid[\s]+-F[\s]+euid=0[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
+ - rule: -a always,exit -F arch=b32 -S execve -C euid!=uid -F auid!=unset -k user_emulation
+ regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-C[\s]+euid!=uid[\s]+-F[\s]+auid!=unset[\s]+-S[\s]+execve[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
+ - rule: -a always,exit -F arch=b64 -S execve -C euid!=uid -F auid!=unset -k user_emulation
+ regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-C[\s]+euid!=uid[\s]+-F[\s]+auid!=unset[\s]+-S[\s]+execve[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
 when:
- - audit_rules_suid_privilege_function | bool
+ - audit_rules_suid_auid_privilege_function | bool
 - low_complexity | bool
 - low_disruption | bool
 - medium_severity | bool
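Review bot: The two new regexes cannot match the rule lines they are paired with: each rule puts `-S execve` before `-C euid!=uid -F auid!=unset`, while the regex requires `-C euid!=uid -F auid!=unset -S execve`. Because of that, lineinfile never recognises an existing rule (its own from a previous run, or one another tool wrote in the same order), so idempotency rests only on the module's exact-line fallback and an equivalent rule with a different key is duplicated rather than updated. Reorder the regex to follow the rule, e.g. `regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+execve[\s]+-C[\s]+euid!=uid[\s]+-F[\s]+auid!=unset[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$`, and likewise for b64.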
@@ -10763,28 +10847,22 @@ - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-86402-5 - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(3) - - NIST-800-53-AU-7(a) - - NIST-800-53-AU-7(b) - - NIST-800-53-AU-8(b) - - NIST-800-53-CM-5(1) - - audit_rules_suid_privilege_function + - CCE-86368-8 + - audit_rules_suid_auid_privilege_function - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy -- name: Update /etc/audit/rules.d/privileged.rules to audit privileged functions +- name: Update /etc/audit/rules.d/user_emulation.rules to audit privileged functions ansible.builtin.lineinfile: - path: /etc/audit/rules.d/privileged.rules + path: /etc/audit/rules.d/user_emulation.rules line: '{{ item.rule }}' regexp: '{{ item.regex }}' create: true when: - - audit_rules_suid_privilege_function | bool + - audit_rules_suid_auid_privilege_function | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool @@ -10797,14 +10875,8 @@ register: augenrules_audit_rules_privilege_function_update_result with_items: '{{ suid_audit_rules }}' tags: - - CCE-86402-5 - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(3) - - NIST-800-53-AU-7(a) - - NIST-800-53-AU-7(b) - - NIST-800-53-AU-8(b) - - NIST-800-53-CM-5(1) - - audit_rules_suid_privilege_function + - CCE-86368-8 + - audit_rules_suid_auid_privilege_function - low_complexity - low_disruption - medium_severity @@ -10818,7 +10890,7 @@ regexp: '{{ item.regex }}' create: true when: - - audit_rules_suid_privilege_function | bool + - audit_rules_suid_auid_privilege_function | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool 
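Review bot: The lineinfile task now targets `/etc/audit/rules.d/user_emulation.rules` with `create: true` but sets no `owner`, `group` or `mode`, so a freshly created rules file takes whatever the umask allows, and the group-ownership fix for `/etc/audit/rules.d/*.rules` later in this patch then has to correct it after the fact. Pin it at creation with `owner: root`, `group: root`, `mode: '0640'` (0640 is what auditd ships its own rules files with; confirm against the permission rules in this role). The task's `register` and `with_items` continue in the next hunk, outside this one.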
@@ -10831,14 +10903,8 @@ register: auditctl_audit_rules_privilege_function_update_result with_items: '{{ suid_audit_rules }}' tags: - - CCE-86402-5 - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(3) - - NIST-800-53-AU-7(a) - - NIST-800-53-AU-7(b) - - NIST-800-53-AU-8(b) - - NIST-800-53-CM-5(1) - - audit_rules_suid_privilege_function + - CCE-86368-8 + - audit_rules_suid_auid_privilege_function - low_complexity - low_disruption - medium_severity @@ -10848,7 +10914,7 @@ - name: Restart Auditd ansible.builtin.command: /usr/sbin/service auditd restart when: - - audit_rules_suid_privilege_function | bool + - audit_rules_suid_auid_privilege_function | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool @@ -10859,14 +10925,8 @@ - (augenrules_audit_rules_privilege_function_update_result.changed or auditctl_audit_rules_privilege_function_update_result.changed) - ansible_facts.services["auditd.service"].state == "running" tags: - - CCE-86402-5 - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(3) - - NIST-800-53-AU-7(a) - - NIST-800-53-AU-7(b) - - NIST-800-53-AU-8(b) - - NIST-800-53-CM-5(1) - - audit_rules_suid_privilege_function + - CCE-86368-8 + - audit_rules_suid_auid_privilege_function - low_complexity - low_disruption - medium_severity @@ -12927,7 +12987,7 @@ - no_reboot_needed | bool - name: Find /etc/audit/ file(s) matching ^audit(\.rules|d\.conf)$ - command: find -H /etc/audit/ -maxdepth 1 -type f ! -gid 0 -regex "^audit(\.rules|d\.conf)$" + command: find -H /etc/audit/ -maxdepth 1 -type f ! -group 0 -regex "^audit(\.rules|d\.conf)$" register: files_found changed_when: false failed_when: false @@ -12976,7 +13036,7 @@ - no_reboot_needed - name: Find /etc/audit/rules.d/ file(s) matching ^.*\.rules$ - command: find -H /etc/audit/rules.d/ -maxdepth 1 -type f ! -gid 0 -regex "^.*\.rules$" + command: find -H /etc/audit/rules.d/ -maxdepth 1 -type f ! -group 0 -regex "^.*\.rules$" register: files_found changed_when: false failed_when: false 
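Review bot: GNU find's `-regex` matches the whole path and defaults to emacs regex syntax, so `"^audit(\.rules|d\.conf)$"` in the Find /etc/audit/ task can never match `/etc/audit/audit.rules` or `/etc/audit/auditd.conf` (the directory prefix is missing, and `(`, `|`, `)` are literal characters in emacs syntax); the task finds nothing and the group-ownership fix it feeds is silently skipped. The switch from `-gid 0` to `-group 0` is correct but does not address this. Use `command: find -H /etc/audit/ -maxdepth 1 -type f ! -group 0 -regextype posix-extended -regex "^/etc/audit/audit(\.rules|d\.conf)$"`; the sibling `^.*\.rules$` pattern in the next hunk only works because `.*` absorbs the directory.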
@@ -28527,7 +28587,7 @@ - no_reboot_needed - service_systemd-journald_enabled -- name: Setting shell-quoted shell-style assignment of 'Compress' to 'yes' in '/etc/systemd/journald.conf' +- name: Setting unquoted shell-style assignment of 'Compress' to 'yes' in '/etc/systemd/journald.conf' block: - name: Check for duplicate values lineinfile: @@ -28550,7 +28610,7 @@ path: /etc/systemd/journald.conf create: true regexp: ^\s*Compress= - line: Compress="yes" + line: Compress=yes state: present insertbefore: ^# Compress validate: /usr/bin/bash -n %s @@ -28571,7 +28631,7 @@ - no_reboot_needed - restrict_strategy -- name: Setting shell-quoted shell-style assignment of 'ForwardToSyslog' to 'yes' in '/etc/systemd/journald.conf' +- name: Setting unquoted shell-style assignment of 'ForwardToSyslog' to 'yes' in '/etc/systemd/journald.conf' block: - name: Check for duplicate values lineinfile: @@ -28594,7 +28654,7 @@ path: /etc/systemd/journald.conf create: true regexp: ^\s*ForwardToSyslog= - line: ForwardToSyslog="yes" + line: ForwardToSyslog=yes state: present insertbefore: ^# ForwardToSyslog validate: /usr/bin/bash -n %s @@ -28615,7 +28675,7 @@ - no_reboot_needed - restrict_strategy -- name: Setting shell-quoted shell-style assignment of 'Storage' to 'persistent' in '/etc/systemd/journald.conf' +- name: Setting unquoted shell-style assignment of 'Storage' to 'persistent' in '/etc/systemd/journald.conf' block: - name: Check for duplicate values lineinfile: @@ -28638,7 +28698,7 @@ path: /etc/systemd/journald.conf create: true regexp: ^\s*Storage= - line: Storage="persistent" + line: Storage=persistent state: present insertbefore: ^# Storage validate: /usr/bin/bash -n %s 
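Review bot: With `create: true` on `/etc/systemd/journald.conf` the `Compress=yes` line can land in a brand-new file with no `[Journal]` section header, and journald ignores assignments outside a section, so the setting would be written but never applied; the hunk also keeps `validate: /usr/bin/bash -n %s`, which checks nothing meaningful about an ini-style configuration file. Ensure the header exists before inserting the key, and apply the same to the ForwardToSyslog and Storage tasks in this hunk:

```yaml
- name: Ensure the [Journal] section exists in /etc/systemd/journald.conf
  lineinfile:
    path: /etc/systemd/journald.conf
    create: true
    regexp: ^\s*\[Journal\]
    line: '[Journal]'
    insertbefore: BOF
```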
@@ -28993,6 +29053,32 @@ - no_reboot_needed - rsyslog_nolisten +- name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-90833-5 + - NIST-800-171-3.1.3 + - NIST-800-171-3.4.7 + - NIST-800-53-AC-4 + - NIST-800-53-CA-3(5) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-SC-7(21) + - enable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - service_firewalld_enabled + when: + - enable_strategy | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - service_firewalld_enabled | bool + - name: Enable service firewalld block: - name: Gather the package facts @@ -29014,6 +29100,7 @@ - no_reboot_needed | bool - service_firewalld_enabled | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - '"firewalld" in ansible_facts.packages' tags: - CCE-90833-5 - NIST-800-171-3.1.3 @@ -31347,6 +31434,14 @@ package: name: nftables state: present + when: + - enable_strategy | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - package_nftables_installed | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-86378-7 - enable_strategy @@ -31355,13 +31450,6 @@ - medium_severity - no_reboot_needed - package_nftables_installed - when: - - enable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - package_nftables_installed | bool - name: Block Disable service nftables block: @@ -31394,7 +31482,7 @@ - service_nftables_disabled - name: Unit Socket Exists - nftables.socket - command: systemctl list-unit-files nftables.socket + command: systemctl -q list-unit-files nftables.socket register: socket_file_exists changed_when: false failed_when: socket_file_exists.rc not in [0, 1] 
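Review bot: The new `"firewalld" in ansible_facts.packages` guard on Enable service firewalld turns a missing package into a silent skip, so a host without firewalld now completes this rule with no firewall enabled and nothing in the play output to say so; unless the profile also selects the package-install rule (not visible here), a `fail:` with a clear message would be safer than a skip. The added top-level Gather the package facts task is also redundant: the block it precedes already begins with its own `Gather the package facts` (visible as context at the end of the hunk), so package facts are collected twice per run. Drop one of the two and keep the guard next to the facts it depends on.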
@@ -31430,7 +31518,7 @@ - no_reboot_needed | bool - service_nftables_disabled | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - '"nftables.socket" in socket_file_exists.stdout_lines[1]' + - socket_file_exists.stdout_lines is search("nftables.socket",multiline=True) tags: - CCE-88429-6 - disable_strategy @@ -34337,7 +34425,8 @@ - mount_option_home_nodev | bool - no_reboot_needed | bool - unknown_severity | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/home" in ansible_mounts + | map(attribute="mount") | list ) tags: - CCE-83871-4 - configure_strategy @@ -34360,7 +34449,8 @@ - mount_option_home_nodev | bool - no_reboot_needed | bool - unknown_severity | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/home" in ansible_mounts + | map(attribute="mount") | list ) - device_name.stdout is defined and device_name.stdout_lines is defined - (device_name.stdout | length > 0) tags: @@ -34391,7 +34481,8 @@ - mount_option_home_nodev | bool - no_reboot_needed | bool - unknown_severity | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/home" in ansible_mounts + | map(attribute="mount") | list ) - ("--fstab" | length == 0) - (device_name.stdout | length == 0) tags: 
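Review bot: `socket_file_exists.stdout_lines is search("nftables.socket", multiline=True)` applies a regex test to a list, which only works because Jinja stringifies the list first; `socket_file_exists.stdout is search("nftables.socket")` says what is meant and does not depend on that coercion. The `systemctl -q` added in the previous hunk is documented as suppressing the printed results of various commands, so it is worth confirming on the target systemd that `list-unit-files` still prints the unit name under `-q`; if it does not, this condition is always false and the socket is never masked. The `when:` list this line belongs to continues outside the hunk.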
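Review bot: The gate `"/home" in ansible_mounts | map(attribute="mount") | list` is now pasted verbatim into every task of the mount_option_home_nodev rule (three times in this hunk alone, and again for nosuid and the other mount points below), so the next edit to it will almost certainly miss a copy; compute it once, e.g. `set_fact: home_is_mountpoint: '{{ "/home" in ansible_mounts | map(attribute="mount") | list }}'`, or wrap the rule's tasks in a `block:` with a single `when:`. Note also that `ansible_mounts` reflects what is mounted at play time, so an `/etc/fstab` entry for /home that is not currently mounted skips the remediation silently; whether that matches the checker's view of this rule is not visible here.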
@@ -34413,7 +34504,8 @@ - mount_option_home_nodev | bool - no_reboot_needed | bool - unknown_severity | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/home" in ansible_mounts + | map(attribute="mount") | list ) - mount_info is defined and "nodev" not in mount_info.options tags: - CCE-83871-4 @@ -34438,7 +34530,8 @@ - mount_option_home_nodev | bool - no_reboot_needed | bool - unknown_severity | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/home" in ansible_mounts + | map(attribute="mount") | list ) - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0) tags: - CCE-83871-4 @@ -34461,7 +34554,8 @@ - medium_severity | bool - mount_option_home_nosuid | bool - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/home" in ansible_mounts + | map(attribute="mount") | list ) tags: - CCE-83894-6 - NIST-800-53-AC-6 @@ -34490,7 +34584,8 @@ - medium_severity | bool - mount_option_home_nosuid | bool - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/home" in ansible_mounts + | map(attribute="mount") | list ) - device_name.stdout is defined and device_name.stdout_lines is defined - (device_name.stdout | length > 0) tags: 
@@ -34527,7 +34622,8 @@ - medium_severity | bool - mount_option_home_nosuid | bool - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/home" in ansible_mounts + | map(attribute="mount") | list ) - ("--fstab" | length == 0) - (device_name.stdout | length == 0) tags: @@ -34555,7 +34651,8 @@ - medium_severity | bool - mount_option_home_nosuid | bool - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/home" in ansible_mounts + | map(attribute="mount") | list ) - mount_info is defined and "nosuid" not in mount_info.options tags: - CCE-83894-6 @@ -34586,7 +34683,8 @@ - medium_severity | bool - mount_option_home_nosuid | bool - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/home" in ansible_mounts + | map(attribute="mount") | list ) - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0) tags: - CCE-83894-6 @@ -35092,7 +35190,8 @@ - medium_severity | bool - mount_option_var_log_audit_nodev | bool - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/var/log/audit" in ansible_mounts + | map(attribute="mount") | list ) tags: - CCE-83882-1 - NIST-800-53-AC-6 
@@ -35121,7 +35220,8 @@ - medium_severity | bool - mount_option_var_log_audit_nodev | bool - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/var/log/audit" in ansible_mounts + | map(attribute="mount") | list ) - device_name.stdout is defined and device_name.stdout_lines is defined - (device_name.stdout | length > 0) tags: @@ -35158,7 +35258,8 @@ - medium_severity | bool - mount_option_var_log_audit_nodev | bool - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/var/log/audit" in ansible_mounts + | map(attribute="mount") | list ) - ("--fstab" | length == 0) - (device_name.stdout | length == 0) tags: @@ -35186,7 +35287,8 @@ - medium_severity | bool - mount_option_var_log_audit_nodev | bool - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/var/log/audit" in ansible_mounts + | map(attribute="mount") | list ) - mount_info is defined and "nodev" not in mount_info.options tags: - CCE-83882-1 @@ -35217,7 +35319,8 @@ - medium_severity | bool - mount_option_var_log_audit_nodev | bool - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/var/log/audit" in ansible_mounts + | map(attribute="mount") | list ) - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0) tags: - CCE-83882-1 
@@ -35246,7 +35349,8 @@ - medium_severity | bool - mount_option_var_log_audit_noexec | bool - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/var/log/audit" in ansible_mounts + | map(attribute="mount") | list ) tags: - CCE-83878-9 - NIST-800-53-AC-6 @@ -35275,7 +35379,8 @@ - medium_severity | bool - mount_option_var_log_audit_noexec | bool - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/var/log/audit" in ansible_mounts + | map(attribute="mount") | list ) - device_name.stdout is defined and device_name.stdout_lines is defined - (device_name.stdout | length > 0) tags: @@ -35312,7 +35417,8 @@ - medium_severity | bool - mount_option_var_log_audit_noexec | bool - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/var/log/audit" in ansible_mounts + | map(attribute="mount") | list ) - ("--fstab" | length == 0) - (device_name.stdout | length == 0) tags: @@ -35340,7 +35446,8 @@ - medium_severity | bool - mount_option_var_log_audit_noexec | bool - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/var/log/audit" in ansible_mounts + | map(attribute="mount") | list ) - mount_info is defined and "noexec" not in mount_info.options tags: - CCE-83878-9 
@@ -35371,7 +35478,8 @@ - medium_severity | bool - mount_option_var_log_audit_noexec | bool - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/var/log/audit" in ansible_mounts + | map(attribute="mount") | list ) - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0) tags: - CCE-83878-9 @@ -35400,7 +35508,8 @@ - medium_severity | bool - mount_option_var_log_audit_nosuid | bool - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/var/log/audit" in ansible_mounts + | map(attribute="mount") | list ) tags: - CCE-83893-8 - NIST-800-53-AC-6 @@ -35429,7 +35538,8 @@ - medium_severity | bool - mount_option_var_log_audit_nosuid | bool - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/var/log/audit" in ansible_mounts + | map(attribute="mount") | list ) - device_name.stdout is defined and device_name.stdout_lines is defined - (device_name.stdout | length > 0) tags: @@ -35466,7 +35576,8 @@ - medium_severity | bool - mount_option_var_log_audit_nosuid | bool - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/var/log/audit" in ansible_mounts + | map(attribute="mount") | list ) - ("--fstab" | length == 0) - (device_name.stdout | length == 0) tags: 
@@ -35494,7 +35605,8 @@ - medium_severity | bool - mount_option_var_log_audit_nosuid | bool - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/var/log/audit" in ansible_mounts + | map(attribute="mount") | list ) - mount_info is defined and "nosuid" not in mount_info.options tags: - CCE-83893-8 @@ -35525,7 +35637,8 @@ - medium_severity | bool - mount_option_var_log_audit_nosuid | bool - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/var/log/audit" in ansible_mounts + | map(attribute="mount") | list ) - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0) tags: - CCE-83893-8 @@ -35554,7 +35667,8 @@ - medium_severity | bool - mount_option_var_log_nodev | bool - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/var/log" in ansible_mounts + | map(attribute="mount") | list ) tags: - CCE-83886-2 - NIST-800-53-AC-6 @@ -35583,7 +35697,8 @@ - medium_severity | bool - mount_option_var_log_nodev | bool - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/var/log" in ansible_mounts + | map(attribute="mount") | list ) - device_name.stdout is defined and device_name.stdout_lines is defined - (device_name.stdout | length > 0) tags: 
@@ -35620,7 +35735,8 @@ - medium_severity | bool - mount_option_var_log_nodev | bool - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/var/log" in ansible_mounts + | map(attribute="mount") | list ) - ("--fstab" | length == 0) - (device_name.stdout | length == 0) tags: @@ -35648,7 +35764,8 @@ - medium_severity | bool - mount_option_var_log_nodev | bool - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/var/log" in ansible_mounts + | map(attribute="mount") | list ) - mount_info is defined and "nodev" not in mount_info.options tags: - CCE-83886-2 @@ -35679,7 +35796,8 @@ - medium_severity | bool - mount_option_var_log_nodev | bool - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/var/log" in ansible_mounts + | map(attribute="mount") | list ) - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0) tags: - CCE-83886-2 @@ -35708,7 +35826,8 @@ - medium_severity | bool - mount_option_var_log_noexec | bool - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/var/log" in ansible_mounts + | map(attribute="mount") | list ) tags: - CCE-83887-0 - NIST-800-53-AC-6 
@@ -35737,7 +35856,8 @@ - medium_severity | bool - mount_option_var_log_noexec | bool - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/var/log" in ansible_mounts + | map(attribute="mount") | list ) - device_name.stdout is defined and device_name.stdout_lines is defined - (device_name.stdout | length > 0) tags: @@ -35774,7 +35894,8 @@ - medium_severity | bool - mount_option_var_log_noexec | bool - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/var/log" in ansible_mounts + | map(attribute="mount") | list ) - ("--fstab" | length == 0) - (device_name.stdout | length == 0) tags: @@ -35802,7 +35923,8 @@ - medium_severity | bool - mount_option_var_log_noexec | bool - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/var/log" in ansible_mounts + | map(attribute="mount") | list ) - mount_info is defined and "noexec" not in mount_info.options tags: - CCE-83887-0 @@ -35833,7 +35955,8 @@ - medium_severity | bool - mount_option_var_log_noexec | bool - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/var/log" in ansible_mounts + | map(attribute="mount") | list ) - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0) tags: - CCE-83887-0 
@@ -35862,7 +35985,8 @@
 - medium_severity | bool
 - mount_option_var_log_nosuid | bool
 - no_reboot_needed | bool
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/var/log" in ansible_mounts
+ | map(attribute="mount") | list )
 tags:
 - CCE-83870-6
 - NIST-800-53-AC-6
@@ -35891,7 +36015,8 @@
 - medium_severity | bool
 - mount_option_var_log_nosuid | bool
 - no_reboot_needed | bool
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/var/log" in ansible_mounts
+ | map(attribute="mount") | list )
 - device_name.stdout is defined and device_name.stdout_lines is defined
 - (device_name.stdout | length > 0)
 tags:
@@ -35928,7 +36053,8 @@
 - medium_severity | bool
 - mount_option_var_log_nosuid | bool
 - no_reboot_needed | bool
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/var/log" in ansible_mounts
+ | map(attribute="mount") | list )
 - ("--fstab" | length == 0)
 - (device_name.stdout | length == 0)
 tags:
@@ -35956,7 +36082,8 @@
 - medium_severity | bool
 - mount_option_var_log_nosuid | bool
 - no_reboot_needed | bool
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/var/log" in ansible_mounts
+ | map(attribute="mount") | list )
 - mount_info is defined and "nosuid" not in mount_info.options
 tags:
 - CCE-83870-6
@@ -35987,7 +36114,8 @@
 - medium_severity | bool
 - mount_option_var_log_nosuid | bool
 - no_reboot_needed | bool
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/var/log" in ansible_mounts
+ | map(attribute="mount") | list )
 - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0)
 tags:
 - CCE-83870-6
@@ -36016,7 +36144,8 @@
 - medium_severity | bool
 - mount_option_var_nodev | bool
 - no_reboot_needed | bool
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/var" in ansible_mounts |
+ map(attribute="mount") | list )
 tags:
 - CCE-83868-0
 - NIST-800-53-AC-6
@@ -36045,7 +36174,8 @@
 - medium_severity | bool
 - mount_option_var_nodev | bool
 - no_reboot_needed | bool
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/var" in ansible_mounts |
+ map(attribute="mount") | list )
 - device_name.stdout is defined and device_name.stdout_lines is defined
 - (device_name.stdout | length > 0)
 tags:
@@ -36082,7 +36212,8 @@
 - medium_severity | bool
 - mount_option_var_nodev | bool
 - no_reboot_needed | bool
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/var" in ansible_mounts |
+ map(attribute="mount") | list )
 - ("--fstab" | length == 0)
 - (device_name.stdout | length == 0)
 tags:
@@ -36110,7 +36241,8 @@
 - medium_severity | bool
 - mount_option_var_nodev | bool
 - no_reboot_needed | bool
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/var" in ansible_mounts |
+ map(attribute="mount") | list )
 - mount_info is defined and "nodev" not in mount_info.options
 tags:
 - CCE-83868-0
@@ -36141,7 +36273,8 @@
 - medium_severity | bool
 - mount_option_var_nodev | bool
 - no_reboot_needed | bool
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/var" in ansible_mounts |
+ map(attribute="mount") | list )
 - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0)
 tags:
 - CCE-83868-0
@@ -38440,7 +38573,7 @@
 - service_rpcbind_disabled
 
 - name: Unit Socket Exists - rpcbind.socket
- command: systemctl list-unit-files rpcbind.socket
+ command: systemctl -q list-unit-files rpcbind.socket
 register: socket_file_exists
 changed_when: false
 failed_when: socket_file_exists.rc not in [0, 1]
@@ -38477,7 +38610,7 @@
 - no_reboot_needed | bool
 - service_rpcbind_disabled | bool
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"rpcbind.socket" in socket_file_exists.stdout_lines[1]'
+ - socket_file_exists.stdout_lines is search("rpcbind.socket",multiline=True)
 tags:
 - CCE-84245-0
 - PCI-DSSv4-2.2.4
@@ -38522,7 +38655,7 @@
 - unknown_severity
 
 - name: Unit Socket Exists - nfs-server.socket
- command: systemctl list-unit-files nfs-server.socket
+ command: systemctl -q list-unit-files nfs-server.socket
 register: socket_file_exists
 changed_when: false
 failed_when: socket_file_exists.rc not in [0, 1]
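Review bot: `socket_file_exists.stdout_lines is search("rpcbind.socket",multiline=True)` in the rpcbind hunk applies a regex test to a list; it appears to match only because Ansible's `search` test coerces its subject to text first, so the pattern is run over the list's Python repr and `multiline=True` has no effect. A substring test on the command's output is the intended check and does not depend on that coercion: `- '"rpcbind.socket" in socket_file_exists.stdout'`. If a regex is kept, escape the dot (`rpcbind\.socket`) so the check cannot match an unrelated unit name. The task this `when:` list belongs to starts before the hunk.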
@@ -38561,7 +38694,7 @@
 - service_nfs_disabled | bool
 - unknown_severity | bool
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"nfs-server.socket" in socket_file_exists.stdout_lines[1]'
+ - socket_file_exists.stdout_lines is search("nfs-server.socket",multiline=True)
 tags:
 - CCE-90850-9
 - NIST-800-53-CM-6(a)
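Review bot: `socket_file_exists.stdout_lines is search("nfs-server.socket",multiline=True)` applies a regex test to a list rather than a string; it appears to work only because Ansible's `search` test coerces its subject to text, so the pattern is matched against the list's repr and `multiline=True` does nothing. Test the registered output directly: `- '"nfs-server.socket" in socket_file_exists.stdout'`. The task this `when:` list belongs to starts before the hunk.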
@@ -38977,6 +39110,100 @@
 - medium_severity
 - no_reboot_needed
 
+- name: Find /etc/ssh/ file(s) matching ^.*_key$
+ command: find -H /etc/ssh/ -maxdepth 1 -type f ! -group ssh_keys -regex "^.*_key$"
+ register: files_found
+ changed_when: false
+ failed_when: false
+ check_mode: false
+ when:
+ - configure_strategy | bool
+ - file_groupownership_sshd_private_key | bool
+ - low_complexity | bool
+ - low_disruption | bool
+ - medium_severity | bool
+ - no_reboot_needed | bool
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-86127-8
+ - configure_strategy
+ - file_groupownership_sshd_private_key
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Ensure group owner on /etc/ssh/ file(s) matching ^.*_key$
+ file:
+ path: '{{ item }}'
+ group: ssh_keys
+ state: file
+ with_items:
+ - '{{ files_found.stdout_lines }}'
+ when:
+ - configure_strategy | bool
+ - file_groupownership_sshd_private_key | bool
+ - low_complexity | bool
+ - low_disruption | bool
+ - medium_severity | bool
+ - no_reboot_needed | bool
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-86127-8
+ - configure_strategy
+ - file_groupownership_sshd_private_key
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Find /etc/ssh/ file(s) matching ^.*\.pub$
+ command: find -H /etc/ssh/ -maxdepth 1 -type f ! -group 0 -regex "^.*\.pub$"
+ register: files_found
+ changed_when: false
+ failed_when: false
+ check_mode: false
+ when:
+ - configure_strategy | bool
+ - file_groupownership_sshd_pub_key | bool
+ - low_complexity | bool
+ - low_disruption | bool
+ - medium_severity | bool
+ - no_reboot_needed | bool
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-86136-9
+ - configure_strategy
+ - file_groupownership_sshd_pub_key
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Ensure group owner on /etc/ssh/ file(s) matching ^.*\.pub$
+ file:
+ path: '{{ item }}'
+ group: '0'
+ state: file
+ with_items:
+ - '{{ files_found.stdout_lines }}'
+ when:
+ - configure_strategy | bool
+ - file_groupownership_sshd_pub_key | bool
+ - low_complexity | bool
+ - low_disruption | bool
+ - medium_severity | bool
+ - no_reboot_needed | bool
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-86136-9
+ - configure_strategy
+ - file_groupownership_sshd_pub_key
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
 - name: Test for existence /etc/ssh/sshd_config
 stat:
 path: /etc/ssh/sshd_config
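Review bot: The find task for the `_key` files runs with `failed_when: false`, so on a target where the `ssh_keys` group does not exist (`find` rejects `! -group ssh_keys` while parsing its arguments, prints nothing and exits non-zero) `files_found.stdout_lines` is empty, the following `file:` task loops over nothing, and the play reports the private host keys as remediated without having touched them. Since `find` exits 0 when it simply matches nothing and non-zero only on an error, `failed_when: files_found.rc != 0` surfaces that condition instead of hiding it; the `.pub` half uses the numeric `-group 0` and is not exposed in the same way. Separately, `with_items: - '{{ files_found.stdout_lines }}'` is templated before the task's own `when:` is evaluated, so if the preceding find task was skipped (for example by the container guard) the registered result appears to have no `stdout_lines` and the task errors rather than skipping; `'{{ files_found.stdout_lines | default([]) }}'` keeps the skip clean.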