From b9706a1c78af734f27bdb72b24c543275dba0794 Mon Sep 17 00:00:00 2001 From: ComplianceAsCode development team Date: Fri, 12 Dec 2025 11:56:49 -0500 Subject: [PATCH] Updated tasks/main.yml --- tasks/main.yml | 7608 +++++++++++++++++++++++++++++++++++++----------- 1 file changed, 5910 insertions(+), 1698 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index 5104166..732ae27 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -16,7 +16,7 @@ - medium_severity | bool - no_reboot_needed | bool - package_aide_installed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-90843-4 - CJIS-5.10.1.3 @@ -45,7 +45,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83438-2 - CJIS-5.10.1.3 @@ -74,7 +74,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-87757-1 - DISA-STIG-RHEL-09-651025 @@ -92,18 +92,16 @@ name: aide state: present when: - - DISA_STIG_RHEL_09_651015 | bool - aide_periodic_cron_checking | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83437-4 - CJIS-5.10.1.3 - - DISA-STIG-RHEL-09-651015 - NIST-800-53-CM-6(a) - NIST-800-53-SI-7 - NIST-800-53-SI-7(1) 
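Review bot: The reason for moving the platform guard from `"kernel"` to `"kernel-core"` is not recorded anywhere — the subject line is just "Updated tasks/main.yml" and the hunks carry no comment. If I recall the RHEL 9 packaging correctly, the `kernel` meta-package pulls in `kernel-core`, so the new test is at least as permissive as the old one and additionally matches hosts that carry only `kernel-core`, while still excluding containers that have neither; if that widening is the intent, say so once, e.g. a comment at the first occurrence: `# platform guard: kernel-core is present on every bare-metal/VM install, absent in containers`. Each guarded task starts above its hunk, so only the condition lists are visible here.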
@@ -121,18 +119,16 @@ name: cronie state: present when: - - DISA_STIG_RHEL_09_651015 | bool - aide_periodic_cron_checking | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83437-4 - CJIS-5.10.1.3 - - DISA-STIG-RHEL-09-651015 - NIST-800-53-CM-6(a) - NIST-800-53-SI-7 - NIST-800-53-SI-7(1) @@ -181,7 +177,7 @@ - medium_severity | bool - no_reboot_needed | bool - package_sudo_installed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83523-1 - DISA-STIG-RHEL-09-432010 @@ -227,7 +223,7 @@ - medium_severity | bool - no_reboot_needed | bool - package_systemd_journal_remote_installed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86760-6 - enable_strategy @@ -249,7 +245,7 @@ - medium_severity | bool - no_reboot_needed | bool - package_firewalld_installed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-84021-5 - DISA-STIG-RHEL-09-251010 @@ -276,7 +272,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86137-7 - PCI-DSSv4-1.4 @@ -301,7 +297,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86116-1 - PCI-DSSv4-1.4 @@ -324,7 +320,7 @@ - medium_severity | bool - no_reboot_needed | bool - package_nftables_installed | bool - - ( "kernel" in ansible_facts.packages ) + - ( "kernel-core" in ansible_facts.packages ) tags: - CCE-86378-7 - PCI-DSSv4-1.2 
@@ -382,7 +378,7 @@ - low_disruption | bool - no_reboot_needed | bool - package_libselinux_installed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-84069-4 - PCI-DSSv4-1.2 @@ -405,7 +401,7 @@ - low_severity | bool - no_reboot_needed | bool - package_mcstrans_removed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-84072-8 - disable_strategy @@ -426,7 +422,7 @@ - low_severity | bool - no_reboot_needed | bool - package_setroubleshoot_removed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-84073-6 - disable_strategy @@ -448,7 +444,7 @@ - medium_severity | bool - no_reboot_needed | bool - package_cron_installed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86170-8 - DISA-STIG-RHEL-09-232040 @@ -722,7 +718,7 @@ - medium_severity | bool - no_reboot_needed | bool - package_chrony_installed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-84215-3 - DISA-STIG-RHEL-09-252010 @@ -952,7 +948,7 @@ - medium_severity | bool - no_reboot_needed | bool - package_audit_libs_installed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86772-1 - NIST-800-53-AC-7(a) @@ -982,7 +978,7 @@ - medium_severity | bool - no_reboot_needed | bool - package_audit_installed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83649-4 - DISA-STIG-RHEL-09-653010 @@ -1039,7 +1035,7 @@ - no_reboot_needed | bool - service_systemd_journald_enabled | bool - special_service_block | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - name: Verify firewalld Enabled - Enable service firewalld block: 
@@ -1079,7 +1075,7 @@ - no_reboot_needed | bool - service_firewalld_enabled | bool - special_service_block | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - '"firewalld" in ansible_facts.packages' - name: Verify nftables Service is Disabled - Disable service nftables @@ -1129,7 +1125,7 @@ - no_reboot_needed | bool - service_nftables_disabled | bool - special_service_block | bool - - ( "firewalld" in ansible_facts.packages and "nftables" in ansible_facts.packages and "kernel" in ansible_facts.packages + - ( "firewalld" in ansible_facts.packages and "nftables" in ansible_facts.packages and "kernel-core" in ansible_facts.packages ) - name: Disable Bluetooth Service - Disable service bluetooth @@ -1184,7 +1180,7 @@ - no_reboot_needed | bool - service_bluetooth_disabled | bool - special_service_block | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - name: Disable the Automounter - Disable service autofs block: @@ -1238,7 +1234,7 @@ - no_reboot_needed | bool - service_autofs_disabled | bool - special_service_block | bool - - ( "autofs" in ansible_facts.packages and "kernel" in ansible_facts.packages ) + - ( "autofs" in ansible_facts.packages and "kernel-core" in ansible_facts.packages ) - name: Disable Avahi Server Software - Disable service avahi-daemon block: @@ -1290,7 +1286,7 @@ - no_reboot_needed | bool - service_avahi_daemon_disabled | bool - special_service_block | bool - - ( "avahi" in ansible_facts.packages and "kernel" in ansible_facts.packages ) + - ( "avahi" in ansible_facts.packages and "kernel-core" in ansible_facts.packages ) - name: Enable cron Service - Enable service crond block: @@ -1320,7 +1316,7 @@ - no_reboot_needed | bool - service_crond_enabled | bool - special_service_block | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - name: Disable rpcbind Service - Disable service rpcbind block: 
@@ -1369,7 +1365,7 @@ - no_reboot_needed | bool - service_rpcbind_disabled | bool - special_service_block | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - name: Disable Network File System (nfs) - Disable service nfs-server block: @@ -1419,7 +1415,7 @@ - service_nfs_disabled | bool - special_service_block | bool - unknown_severity | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - name: Disable the CUPS Service - Disable service cups block: @@ -1469,7 +1465,7 @@ - service_cups_disabled | bool - special_service_block | bool - unknown_severity | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - name: Enable auditd Service - Enable service auditd block: @@ -1516,7 +1512,7 @@ - no_reboot_needed | bool - service_auditd_enabled | bool - special_service_block | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - '"audit" in ansible_facts.packages' - name: Gather the service facts @@ -1524,9 +1520,10 @@ tags: - always -- name: Build and Test AIDE Database - Build and Test AIDE Database - ansible.builtin.command: /usr/sbin/aide --init - changed_when: true +- name: Build and Test AIDE Database - Check Whether the Stock AIDE Database Exists + ansible.builtin.stat: + path: /var/lib/aide/aide.db.new.gz + register: aide_database_stat when: - DISA_STIG_RHEL_09_651010 | bool - aide_build_database | bool @@ -1535,7 +1532,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83438-2 - CJIS-5.10.1.3 
@@ -1550,10 +1547,9 @@ - no_reboot_needed - restrict_strategy -- name: Build and Test AIDE Database - Check Whether the Stock AIDE Database Exists - ansible.builtin.stat: - path: /var/lib/aide/aide.db.new.gz - register: aide_database_stat +- name: Build and Test AIDE Database - Build and Test AIDE Database + ansible.builtin.command: /usr/sbin/aide --init + changed_when: true when: - DISA_STIG_RHEL_09_651010 | bool - aide_build_database | bool @@ -1562,7 +1558,9 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' + - not (aide_database_stat.stat.exists is defined and aide_database_stat.stat.exists) + register: aide_database_init tags: - CCE-83438-2 - CJIS-5.10.1.3 @@ -1591,8 +1589,9 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - '"kernel" in ansible_facts.packages' - - (aide_database_stat.stat.exists is defined and aide_database_stat.stat.exists) + - '"kernel-core" in ansible_facts.packages' + - aide_database_init is changed + - not ansible_check_mode tags: - CCE-83438-2 - CJIS-5.10.1.3 @@ -1625,7 +1624,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-87757-1 - DISA-STIG-RHEL-09-651025 @@ -1653,7 +1652,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - '"aide" in ansible_facts.packages' tags: - CCE-87757-1 @@ -1681,7 +1680,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - '"aide" in ansible_facts.packages' tags: - CCE-87757-1 
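Review bot: The third task in this sequence (its command sits above the last hunk; presumably it moves the freshly built database into place) is now reachable only through `aide_database_init is changed`, while the `aide --init` task is skipped whenever `/var/lib/aide/aide.db.new.gz` already exists; a stale `aide.db.new.gz` left by an earlier `aide --init` whose install step never completed therefore means neither task runs and the live database stays missing, with nothing reported. The ordering being replaced at least installed whatever stock file existed. Keying the stat on the file the install step produces rather than on the `.new.gz` staging file would make the rebuild fire exactly when the live database is absent, e.g. `path: /var/lib/aide/aide.db.gz` if that is the target (the target path is outside these hunks). The sequence begins in the previous hunk and its tag lists continue below.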
@@ -1700,22 +1699,21 @@ name: run AIDE check minute: 5 hour: 4 - weekday: 0 user: root job: /usr/sbin/aide --check + register: crontab_check when: - - DISA_STIG_RHEL_09_651015 | bool - aide_periodic_cron_checking | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' + - '''cronie'' in ansible_facts.packages' tags: - CCE-83437-4 - CJIS-5.10.1.3 - - DISA-STIG-RHEL-09-651015 - NIST-800-53-CM-6(a) - NIST-800-53-SI-7 - NIST-800-53-SI-7(1) 
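Review bot: Nothing records that dropping `weekday: 0` turns the `run AIDE check` job from a Sunday-only run into a daily one at 04:05; because the crontab entry keeps the same `name:`, the cron module rewrites the existing Sunday entry in place and hosts change cadence silently on the next run. A one-line comment above the task, `# daily at 04:05; the weekly (weekday: 0) schedule was dropped for the periodic-check rule`, would make the intent visible. `register: crontab_check` is added but nothing in the hunk reads it; drop it unless a later task consumes it. The `DISA_STIG_RHEL_09_651015` condition and tag disappear here and from the aide/cronie package tasks earlier in the diff, and whether that STIG mapping moved elsewhere is not visible in this patch.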
@@ -1728,77 +1726,160 @@ - no_reboot_needed - restrict_strategy -- name: Configure System Cryptography Policy +- name: Implement Custom Crypto Policy Modules for CIS Benchmark - Create custom crypto policy module NO-SSHCBC ansible.builtin.lineinfile: - path: /etc/crypto-policies/config - regexp: ^(?!#)(\S+)$ - line: '{{ var_system_crypto_policy }}' + path: /etc/crypto-policies/policies/modules/NO-SSHCBC.pmod + owner: root + group: root + mode: '0644' + line: cipher@SSH = -*-CBC create: true + regexp: cipher@SSH tags: - - CCE-83450-7 - - DISA-STIG-RHEL-09-215105 - - DISA-STIG-RHEL-09-672030 - - NIST-800-53-AC-17(2) - - NIST-800-53-AC-17(a) - - NIST-800-53-CM-6(a) - - NIST-800-53-MA-4(6) - - NIST-800-53-SC-12(2) - - NIST-800-53-SC-12(3) - - NIST-800-53-SC-13 - - PCI-DSSv4-2.2 - - PCI-DSSv4-2.2.7 - - configure_crypto_policy - - high_severity + - CCE-88900-6 + - configure_custom_crypto_policy_cis + - configure_strategy - low_complexity - low_disruption - - no_reboot_needed - - restrict_strategy + - medium_severity + - reboot_required when: - - DISA_STIG_RHEL_09_215105 | bool - - DISA_STIG_RHEL_09_672030 | bool - - configure_crypto_policy | bool - - high_severity | bool + - configure_custom_crypto_policy_cis | bool + - configure_strategy | bool - low_complexity | bool - low_disruption | bool - - no_reboot_needed | bool - - restrict_strategy | bool + - medium_severity | bool + - reboot_required | bool -- name: Verify that Crypto Policy is Set (runtime) - ansible.builtin.command: /usr/bin/update-crypto-policies --set {{ var_system_crypto_policy }} +- name: Implement Custom Crypto Policy Modules for CIS Benchmark - Create custom crypto policy module NO-SSHWEAKCIPHERS + ansible.builtin.lineinfile: + path: /etc/crypto-policies/policies/modules/NO-SSHWEAKCIPHERS.pmod + owner: root + group: root + mode: '0644' + line: cipher@SSH = -3DES-CBC -AES-128-CBC -AES-192-CBC -AES-256-CBC -CHACHA20-POLY1305 + create: true + regexp: cipher@SSH tags: - - CCE-83450-7 - - 
DISA-STIG-RHEL-09-215105 - - DISA-STIG-RHEL-09-672030 - - NIST-800-53-AC-17(2) - - NIST-800-53-AC-17(a) - - NIST-800-53-CM-6(a) - - NIST-800-53-MA-4(6) - - NIST-800-53-SC-12(2) - - NIST-800-53-SC-12(3) - - NIST-800-53-SC-13 - - PCI-DSSv4-2.2 - - PCI-DSSv4-2.2.7 - - configure_crypto_policy - - high_severity + - CCE-88900-6 + - configure_custom_crypto_policy_cis + - configure_strategy - low_complexity - low_disruption - - no_reboot_needed - - restrict_strategy + - medium_severity + - reboot_required when: - - DISA_STIG_RHEL_09_215105 | bool - - DISA_STIG_RHEL_09_672030 | bool - - configure_crypto_policy | bool - - high_severity | bool + - configure_custom_crypto_policy_cis | bool + - configure_strategy | bool - low_complexity | bool - low_disruption | bool - - no_reboot_needed | bool - - restrict_strategy | bool + - medium_severity | bool + - reboot_required | bool + +- name: Implement Custom Crypto Policy Modules for CIS Benchmark - Create custom crypto policy module NO-SSHWEAKMACS + ansible.builtin.lineinfile: + path: /etc/crypto-policies/policies/modules/NO-SSHWEAKMACS.pmod + owner: root + group: root + mode: '0644' + line: mac@SSH = -HMAC-MD5* -UMAC-64* -UMAC-128* + create: true + regexp: mac@SSH + tags: + - CCE-88900-6 + - configure_custom_crypto_policy_cis + - configure_strategy + - low_complexity + - low_disruption + - medium_severity + - reboot_required + when: + - configure_custom_crypto_policy_cis | bool + - configure_strategy | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + +- name: Implement Custom Crypto Policy Modules for CIS Benchmark - Create custom crypto policy module NO-WEAKMAC + ansible.builtin.lineinfile: + path: /etc/crypto-policies/policies/modules/NO-WEAKMAC.pmod + owner: root + group: root + mode: '0644' + line: mac = -*-128* + create: true + regexp: mac + tags: + - CCE-88900-6 + - configure_custom_crypto_policy_cis + - configure_strategy + - low_complexity + - low_disruption + 
- medium_severity + - reboot_required + when: + - configure_custom_crypto_policy_cis | bool + - configure_strategy | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + +- name: Implement Custom Crypto Policy Modules for CIS Benchmark - Check current crypto policy + ansible.builtin.command: update-crypto-policies --show + register: current_crypto_policy + changed_when: false + failed_when: false + check_mode: false + tags: + - CCE-88900-6 + - configure_custom_crypto_policy_cis + - configure_strategy + - low_complexity + - low_disruption + - medium_severity + - reboot_required + when: + - configure_custom_crypto_policy_cis | bool + - configure_strategy | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + +- name: Implement Custom Crypto Policy Modules for CIS Benchmark - Update crypto-policies + ansible.builtin.command: update-crypto-policies --set DEFAULT:NO-SHA1:NO-SSHCBC:NO-SSHWEAKCIPHERS:NO-SSHWEAKMACS:NO-WEAKMAC + when: + - configure_custom_crypto_policy_cis | bool + - configure_strategy | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - current_crypto_policy.stdout.strip() != "DEFAULT:NO-SHA1:NO-SSHCBC:NO-SSHWEAKCIPHERS:NO-SSHWEAKMACS:NO-WEAKMAC" + tags: + - CCE-88900-6 + - configure_custom_crypto_policy_cis + - configure_strategy + - low_complexity + - low_disruption + - medium_severity + - reboot_required - name: Configure SSH to use System Crypto Policy ansible.builtin.lineinfile: dest: /etc/sysconfig/sshd state: absent regexp: (?i)^\s*CRYPTO_POLICY.*$ + when: + - configure_ssh_crypto_policy | bool + - disable_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - reboot_required | bool + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83445-7 - NIST-800-53-AC-17(2) 
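Review bot: The `--set` line hard-codes `DEFAULT` as the base policy, and the preceding `--show` comparison makes it run whenever the current string differs, so a host already on `FIPS` (or `FIPS:OSPP`) would be moved to `DEFAULT:...` — a downgrade that the removed `update-crypto-policies --set {{ var_system_crypto_policy }}` task never caused. Making the base a variable keeps the CIS subpolicies composable with whatever base the profile mandates, e.g. `update-crypto-policies --set {{ var_system_crypto_policy }}:NO-SHA1:NO-SSHCBC:NO-SSHWEAKCIPHERS:NO-SSHWEAKMACS:NO-WEAKMAC`, with the same templated string in the `--show` comparison, provided that variable still exists after this change. `NO-SHA1` is named in the policy string but no task here writes a `NO-SHA1.pmod`, so it presumably relies on the module shipped with crypto-policies; a comment saying so would save the next reader a search. `regexp: mac` in the NO-WEAKMAC task is unanchored and would also match a `mac@SSH` line in that file; `regexp: ^mac\s*=` is the safer anchor.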
@@ -1815,15 +1896,63 @@ - medium_disruption - medium_severity - reboot_required + +- name: Make sure that the dconf databases are up-to-date with regards to respective keyfiles - Get database modification + time for distro + ansible.builtin.stat: + path: /etc/dconf/db/distro + register: distro_db when: - - configure_ssh_crypto_policy | bool - - disable_strategy | bool + - DISA_STIG_RHEL_09_271090 | bool + - dconf_db_up_to_date | bool + - high_severity | bool - low_complexity | bool - medium_disruption | bool - - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool + - unknown_strategy | bool + - '"gdm" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' + tags: + - CCE-87295-2 + - DISA-STIG-RHEL-09-271090 + - PCI-DSS-Req-6.2 + - PCI-DSSv4-8.2 + - PCI-DSSv4-8.2.8 + - dconf_db_up_to_date + - high_severity + - low_complexity + - medium_disruption + - no_reboot_needed + - unknown_strategy -- name: Run dconf update +- name: Make sure that the dconf databases are up-to-date with regards to respective keyfiles - Get keyfiles for distro + ansible.builtin.find: + paths: /etc/dconf/db/distro.d/ + register: distro_keyfiles + when: + - DISA_STIG_RHEL_09_271090 | bool + - dconf_db_up_to_date | bool + - high_severity | bool + - low_complexity | bool + - medium_disruption | bool + - no_reboot_needed | bool + - unknown_strategy | bool + - '"gdm" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' + tags: + - CCE-87295-2 + - DISA-STIG-RHEL-09-271090 + - PCI-DSS-Req-6.2 + - PCI-DSSv4-8.2 + - PCI-DSSv4-8.2.8 + - dconf_db_up_to_date + - high_severity + - low_complexity + - medium_disruption + - no_reboot_needed + - unknown_strategy + +- name: Make sure that the dconf databases are up-to-date with regards to respective keyfiles - Run dconf update for distro ansible.builtin.command: cmd: dconf update when: 
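Review bot: `ansible.builtin.find` on `/etc/dconf/db/distro.d/` runs with the default `recurse: false`, so files under `distro.d/locks/` never enter `distro_keyfiles`; a lock entry added after the last `dconf update` leaves the compiled database stale while the mtime comparison sees nothing newer than the binary. Adding `recurse: true` to the find task closes that gap, and since `file_type: file` is already the default, directories will not pollute the `max` of mtimes. The `Run dconf update for distro` task these two results feed is cut at the end of this hunk; its `when` list continues in the next one.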
@@ -1835,7 +1964,92 @@ - no_reboot_needed | bool - unknown_strategy | bool - '"gdm" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' + - not distro_db.stat.exists or distro_keyfiles.files | length > 0 and distro_keyfiles.files | map(attribute='mtime') | max + > distro_db.stat.mtime + tags: + - CCE-87295-2 + - DISA-STIG-RHEL-09-271090 + - PCI-DSS-Req-6.2 + - PCI-DSSv4-8.2 + - PCI-DSSv4-8.2.8 + - dconf_db_up_to_date + - high_severity + - low_complexity + - medium_disruption + - no_reboot_needed + - unknown_strategy + +- name: Make sure that the dconf databases are up-to-date with regards to respective keyfiles - Get database modification + time for local + ansible.builtin.stat: + path: /etc/dconf/db/local + register: local_db + when: + - DISA_STIG_RHEL_09_271090 | bool + - dconf_db_up_to_date | bool + - high_severity | bool + - low_complexity | bool + - medium_disruption | bool + - no_reboot_needed | bool + - unknown_strategy | bool + - '"gdm" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' + tags: + - CCE-87295-2 + - DISA-STIG-RHEL-09-271090 + - PCI-DSS-Req-6.2 + - PCI-DSSv4-8.2 + - PCI-DSSv4-8.2.8 + - dconf_db_up_to_date + - high_severity + - low_complexity + - medium_disruption + - no_reboot_needed + - unknown_strategy + +- name: Make sure that the dconf databases are up-to-date with regards to respective keyfiles - Get keyfiles for local + ansible.builtin.find: + paths: /etc/dconf/db/local.d/ + register: local_keyfiles + when: + - DISA_STIG_RHEL_09_271090 | bool + - dconf_db_up_to_date | bool + - high_severity | bool + - low_complexity | bool + - medium_disruption | bool + - no_reboot_needed | bool + - unknown_strategy | bool + - '"gdm" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' + tags: + - CCE-87295-2 + - DISA-STIG-RHEL-09-271090 + - PCI-DSS-Req-6.2 + - PCI-DSSv4-8.2 + - PCI-DSSv4-8.2.8 + - dconf_db_up_to_date + - high_severity + - 
low_complexity + - medium_disruption + - no_reboot_needed + - unknown_strategy + +- name: Make sure that the dconf databases are up-to-date with regards to respective keyfiles - Run dconf update for local + ansible.builtin.command: + cmd: dconf update + when: + - DISA_STIG_RHEL_09_271090 | bool + - dconf_db_up_to_date | bool + - high_severity | bool + - low_complexity | bool + - medium_disruption | bool + - no_reboot_needed | bool + - unknown_strategy | bool + - '"gdm" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' + - not local_db.stat.exists or local_keyfiles.files | length > 0 and local_keyfiles.files | map(attribute='mtime') | max + > local_db.stat.mtime tags: - CCE-87295-2 - DISA-STIG-RHEL-09-271090 @@ -1857,6 +2071,7 @@ value: 'true' no_extra_spaces: true create: true + register: result_ini when: - DISA_STIG_RHEL_09_271115 | bool - dconf_gnome_disable_user_list | bool @@ -1884,6 +2099,7 @@ regexp: ^/org/gnome/login-screen/disable-user-list$ line: /org/gnome/login-screen/disable-user-list create: true + register: result_lineinfile when: - DISA_STIG_RHEL_09_271115 | bool - dconf_gnome_disable_user_list | bool @@ -1916,6 +2132,7 @@ - no_reboot_needed | bool - unknown_strategy | bool - '"gdm" in ansible_facts.packages' + - result_ini is changed or result_lineinfile is changed tags: - CCE-88285-2 - DISA-STIG-RHEL-09-271115 @@ -1961,6 +2178,7 @@ value: 'false' create: true no_extra_spaces: true + register: result_ini when: - dconf_gnome_disable_automount | bool - low_complexity | bool @@ -1990,6 +2208,7 @@ regexp: ^/org/gnome/desktop/media-handling/automount$ line: /org/gnome/desktop/media-handling/automount create: true + register: result_lineinfile when: - dconf_gnome_disable_automount | bool - low_complexity | bool @@ -2023,6 +2242,7 @@ - no_reboot_needed | bool - unknown_strategy | bool - '"gdm" in ansible_facts.packages' + - result_ini is changed or result_lineinfile is changed tags: - CCE-87734-0 - NIST-800-171-3.1.7 
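Review bot: The `local.d` branch repeats the non-recursive `find`, and this is the tree the rules further down appear to populate — the `lineinfile` tasks writing bare `/org/gnome/...` paths look like dconf lock entries, which live under `local.d/locks/` — so the very changes this role makes may fail to trigger the update; `recurse: true` on `Get keyfiles for local` is the fix. Because `dconf update` compiles every database under `/etc/dconf/db` in one run, the distro and local branches could also share a single gated command instead of two. The mixed `or`/`and` in `not local_db.stat.exists or local_keyfiles.files | length > 0 and ...` relies on Jinja precedence; parentheses around the `and` part would make the intended grouping explicit.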
@@ -2046,6 +2266,7 @@ value: 'false' create: true no_extra_spaces: true + register: result_ini when: - DISA_STIG_RHEL_09_271020 | bool - DISA_STIG_RHEL_09_271025 | bool @@ -2079,6 +2300,7 @@ regexp: ^/org/gnome/desktop/media-handling/automount-open$ line: /org/gnome/desktop/media-handling/automount-open create: true + register: result_lineinfile when: - DISA_STIG_RHEL_09_271020 | bool - DISA_STIG_RHEL_09_271025 | bool @@ -2118,6 +2340,7 @@ - no_reboot_needed | bool - unknown_strategy | bool - '"gdm" in ansible_facts.packages' + - result_ini is changed or result_lineinfile is changed tags: - CCE-90128-0 - DISA-STIG-RHEL-09-271020 @@ -2143,6 +2366,7 @@ value: 'true' create: true no_extra_spaces: true + register: result_ini when: - DISA_STIG_RHEL_09_271030 | bool - DISA_STIG_RHEL_09_271035 | bool @@ -2174,6 +2398,7 @@ regexp: ^/org/gnome/desktop/media-handling/autorun-never$ line: /org/gnome/desktop/media-handling/autorun-never create: true + register: result_lineinfile when: - DISA_STIG_RHEL_09_271030 | bool - DISA_STIG_RHEL_09_271035 | bool @@ -2211,6 +2436,7 @@ - no_reboot_needed | bool - unknown_strategy | bool - '"gdm" in ansible_facts.packages' + - result_ini is changed or result_lineinfile is changed tags: - CCE-90257-7 - DISA-STIG-RHEL-09-271030 @@ -2234,6 +2460,7 @@ value: uint32 {{ inactivity_timeout_value }} create: true no_extra_spaces: true + register: result_ini when: - DISA_STIG_RHEL_09_271065 | bool - dconf_gnome_screensaver_idle_delay | bool @@ -2271,6 +2498,7 @@ - no_reboot_needed | bool - unknown_strategy | bool - '"gdm" in ansible_facts.packages' + - result_ini is changed tags: - CCE-86510-5 - CJIS-5.5.5 @@ -2296,6 +2524,7 @@ value: uint32 {{ var_screensaver_lock_delay }} create: true no_extra_spaces: true + register: result_ini when: - DISA_STIG_RHEL_09_271075 | bool - dconf_gnome_screensaver_lock_delay | bool 
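Review bot: `result_ini` and `result_lineinfile` are reused as register names by every dconf rule in this file, and each rule's `dconf update` is gated on `result_ini is changed or result_lineinfile is changed`; that is only correct because the ini_file, lineinfile and update tasks of one rule carry identical `when` lists, so a skipped writer always comes with a skipped update. Should a rule's conditions ever diverge, its gate would inherit a `changed` result from the previous rule and run `dconf update` for the wrong reason, or error on an undefined variable in the first rule. Rule-specific names such as `result_ini_automount_open` / `result_lineinfile_automount_open` make the coupling explicit and cheap to audit.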
@@ -2332,6 +2561,7 @@ - no_reboot_needed | bool - unknown_strategy | bool - '"gdm" in ansible_facts.packages' + - result_ini is changed tags: - CCE-86954-5 - DISA-STIG-RHEL-09-271075 @@ -2354,6 +2584,7 @@ regexp: ^/org/gnome/desktop/screensaver/lock-delay$ line: /org/gnome/desktop/screensaver/lock-delay create: true + register: result_lineinfile when: - DISA_STIG_RHEL_09_271080 | bool - dconf_gnome_screensaver_user_locks | bool @@ -2386,6 +2617,7 @@ - no_reboot_needed | bool - unknown_strategy | bool - '"gdm" in ansible_facts.packages' + - result_lineinfile is changed tags: - CCE-87491-7 - DISA-STIG-RHEL-09-271080 @@ -2404,6 +2636,7 @@ regexp: ^/org/gnome/desktop/session/idle-delay$ line: /org/gnome/desktop/session/idle-delay create: true + register: result_lineinfile when: - DISA_STIG_RHEL_09_271070 | bool - dconf_gnome_session_idle_user_locks | bool @@ -2439,6 +2672,7 @@ - no_reboot_needed | bool - unknown_strategy | bool - '"gdm" in ansible_facts.packages' + - result_lineinfile is changed tags: - CCE-85971-0 - DISA-STIG-RHEL-09-271070 @@ -2467,7 +2701,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - sudo_add_use_pty | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - '"sudo" in ansible_facts.packages' tags: - CCE-83538-9 @@ -2496,7 +2730,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - sudo_custom_logfile | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - '"sudo" in ansible_facts.packages' tags: - CCE-83527-2 @@ -2522,7 +2756,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - sudo_custom_logfile | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - '"sudo" in ansible_facts.packages' - edit_sudoers_logfile_option is defined and not edit_sudoers_logfile_option.changed tags: 
@@ -2549,7 +2783,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - sudo_require_authentication | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83543-9 - NIST-800-53-CM-6(a) @@ -2579,7 +2813,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - sudo_require_authentication | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83543-9 - NIST-800-53-CM-6(a) @@ -2605,7 +2839,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - sudo_require_authentication | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83543-9 - NIST-800-53-CM-6(a) @@ -2635,7 +2869,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - sudo_require_authentication | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83543-9 - NIST-800-53-CM-6(a) @@ -2663,7 +2897,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - sudo_require_reauthentication | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - '"sudo" in ansible_facts.packages' tags: - CCE-90029-0 @@ -2693,7 +2927,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - sudo_require_reauthentication | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - '"sudo" in ansible_facts.packages' tags: - CCE-90029-0 @@ -2724,7 +2958,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - sudo_require_reauthentication | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - '"sudo" in ansible_facts.packages' tags: - CCE-90029-0 
@@ -2752,7 +2986,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - sudo_require_reauthentication | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - '"sudo" in ansible_facts.packages' - 'edit_sudoers_timestamp_timeout_option is defined and not edit_sudoers_timestamp_timeout_option.changed @@ -2784,7 +3018,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - sudo_require_reauthentication | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - '"sudo" in ansible_facts.packages' tags: - CCE-90029-0 @@ -2929,6 +3163,15 @@ register: result_authselect_current changed_when: false failed_when: false + when: + - DISA_STIG_needed_rules | bool + - configure_strategy | bool + - enable_authselect | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - '"kernel-core" in ansible_facts.packages' tags: - CCE-89732-2 - DISA-STIG-needed_rules @@ -2941,14 +3184,6 @@ - medium_disruption - medium_severity - no_reboot_needed - when: - - DISA_STIG_needed_rules | bool - - configure_strategy | bool - - enable_authselect | bool - - low_complexity | bool - - medium_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - name: Enable authselect - Try to Select an authselect Profile ansible.builtin.command: @@ -2964,6 +3199,7 @@ - medium_disruption | bool - medium_severity | bool - no_reboot_needed | bool + - '"kernel-core" in ansible_facts.packages' - result_authselect_current.rc != 0 tags: - CCE-89732-2 @@ -2992,6 +3228,7 @@ - medium_disruption | bool - medium_severity | bool - no_reboot_needed | bool + - '"kernel-core" in ansible_facts.packages' - result_authselect_select is not skipped - result_authselect_select.rc != 0 tags: 
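Review bot: The order of the conditions in the authselect hunks is load-bearing and undocumented: `result_authselect_current.rc != 0` and the `result_authselect_select` tests stay last after the new `'"kernel-core" in ansible_facts.packages'` guard, and if the `authselect current` task was skipped its registered result has no `rc`, so only Ansible's stop-at-first-false evaluation of `when` lists keeps those comparisons from raising an undefined-attribute error. A comment on the first such task, `# keep the rc checks last: the registered result has no rc when the task was skipped`, would stop a future reorder from breaking the chain. The task definitions themselves begin above each hunk.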
@@ -3014,6 +3251,15 @@ fail_msg: - authselect is not used but files from the 'pam' package have been altered, so the authselect configuration won't be forced. + when: + - DISA_STIG_needed_rules | bool + - configure_strategy | bool + - enable_authselect | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - '"kernel-core" in ansible_facts.packages' tags: - CCE-89732-2 - DISA-STIG-needed_rules @@ -3026,14 +3272,6 @@ - medium_disruption - medium_severity - no_reboot_needed - when: - - DISA_STIG_needed_rules | bool - - configure_strategy | bool - - enable_authselect | bool - - low_complexity | bool - - medium_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - name: Enable authselect - Force authselect Profile Selection ansible.builtin.command: @@ -3046,6 +3284,7 @@ - medium_disruption | bool - medium_severity | bool - no_reboot_needed | bool + - '"kernel-core" in ansible_facts.packages' - result_authselect_current.rc != 0 - result_authselect_select.rc != 0 - result_altered_authselect.rc == 0 @@ -3073,7 +3312,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86142-7 - banner_etc_issue_cis @@ -3094,7 +3333,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86143-5 - banner_etc_issue_net_cis @@ -3115,7 +3354,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86141-9 - banner_etc_motd_cis @@ -3638,6 +3877,7 @@ value: 'true' create: true no_extra_spaces: true + register: result_ini when: - DISA_STIG_RHEL_09_271010 | bool - DISA_STIG_RHEL_09_271015 | bool 
@@ -3669,6 +3909,7 @@ regexp: ^/org/gnome/login-screen/banner-message-enable$ line: /org/gnome/login-screen/banner-message-enable create: true + register: result_lineinfile when: - DISA_STIG_RHEL_09_271010 | bool - DISA_STIG_RHEL_09_271015 | bool @@ -3706,6 +3947,7 @@ - no_reboot_needed | bool - unknown_strategy | bool - '"gdm" in ansible_facts.packages' + - result_ini is changed or result_lineinfile is changed tags: - CCE-87599-7 - DISA-STIG-RHEL-09-271010 @@ -3795,6 +4037,7 @@ "\\n") }}''' create: true no_extra_spaces: true + register: result_ini when: - DISA_STIG_RHEL_09_171011 | bool - dconf_gnome_login_banner_text | bool @@ -3824,6 +4067,7 @@ line: /org/gnome/login-screen/banner-message-text create: true state: present + register: result_lineinfile when: - DISA_STIG_RHEL_09_171011 | bool - dconf_gnome_login_banner_text | bool @@ -3857,6 +4101,7 @@ - no_reboot_needed | bool - unknown_strategy | bool - '"gdm" in ansible_facts.packages' + - result_ini is changed or result_lineinfile is changed tags: - CCE-86529-5 - DISA-STIG-RHEL-09-171011 @@ -3875,6 +4120,15 @@ ansible.builtin.stat: path: /usr/bin/authselect register: result_authselect_present + when: + - DISA_STIG_RHEL_09_611035 | bool + - account_password_pam_faillock_password_auth | bool + - enable_strategy | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86932-1 - DISA-STIG-RHEL-09-611035 @@ -3885,14 +4139,6 @@ - low_disruption - medium_severity - no_reboot_needed - when: - - DISA_STIG_RHEL_09_611035 | bool - - account_password_pam_faillock_password_auth | bool - - enable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - name: Configure the Use of the pam_faillock.so Module in the /etc/pam.d/password-auth File. - Remediation where authselect tool is present 
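Review bot: The new `result_ini is changed or result_lineinfile is changed` condition at -3706 and -3857 presumably gates a `dconf update` task (its body is outside the hunk), which means a host whose keyfiles are already correct but whose dconf database was never compiled is no longer repaired by this role. `dconf update` is idempotent and cheap, so if the goal is only accurate change reporting, `changed_when: result_ini is changed or result_lineinfile is changed` on the update task keeps the remediation complete while still reporting correctly. The register names `result_ini` and `result_lineinfile` are reused by two consecutive rules (-3638/-3669 and -3795/-3824); that only works while task order is preserved, so a comment such as `# consumed by the dconf update task of this rule below` on each register line would warn the next editor.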
@@ -3949,6 +4195,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool + - '"kernel-core" in ansible_facts.packages' - result_authselect_present.stat.exists tags: - CCE-86932-1 @@ -4017,6 +4264,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool + - '"kernel-core" in ansible_facts.packages' - not result_authselect_present.stat.exists tags: - CCE-86932-1 @@ -4034,6 +4282,15 @@ ansible.builtin.stat: path: /usr/bin/authselect register: result_authselect_present + when: + - DISA_STIG_RHEL_09_611030 | bool + - account_password_pam_faillock_system_auth | bool + - enable_strategy | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86917-2 - DISA-STIG-RHEL-09-611030 @@ -4044,14 +4301,6 @@ - low_disruption - medium_severity - no_reboot_needed - when: - - DISA_STIG_RHEL_09_611030 | bool - - account_password_pam_faillock_system_auth | bool - - enable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - name: Configure the Use of the pam_faillock.so Module in the /etc/pam.d/system-auth File. - Remediation where authselect tool is present @@ -4108,6 +4357,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool + - '"kernel-core" in ansible_facts.packages' - result_authselect_present.stat.exists tags: - CCE-86917-2 @@ -4176,6 +4426,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool + - '"kernel-core" in ansible_facts.packages' - not result_authselect_present.stat.exists tags: - CCE-86917-2 @@ -4199,6 +4450,7 @@ - medium_disruption | bool - medium_severity | bool - no_reboot_needed | bool + - '"kernel-core" in ansible_facts.packages' - '"pam" in ansible_facts.packages' tags: - CCE-86354-8 
@@ -4229,6 +4481,7 @@ - medium_disruption | bool - medium_severity | bool - no_reboot_needed | bool + - '"kernel-core" in ansible_facts.packages' - '"pam" in ansible_facts.packages' - result_authselect_present.stat.exists tags: @@ -4296,6 +4549,7 @@ - medium_disruption | bool - medium_severity | bool - no_reboot_needed | bool + - '"kernel-core" in ansible_facts.packages' - '"pam" in ansible_facts.packages' - result_authselect_present.stat.exists - result_authselect_available_features.stdout is search("with-pwhistory") @@ -4496,6 +4750,7 @@ - medium_disruption | bool - medium_severity | bool - no_reboot_needed | bool + - '"kernel-core" in ansible_facts.packages' - '"pam" in ansible_facts.packages' - '(result_authselect_available_features.stdout is defined and result_authselect_available_features.stdout is not search("with-pwhistory")) or result_authselect_available_features is not defined @@ -4528,6 +4783,7 @@ - medium_disruption | bool - medium_severity | bool - no_reboot_needed | bool + - '"kernel-core" in ansible_facts.packages' - '"pam" in ansible_facts.packages' tags: - CCE-86354-8 @@ -4716,6 +4972,7 @@ - medium_disruption | bool - medium_severity | bool - no_reboot_needed | bool + - '"kernel-core" in ansible_facts.packages' - '"pam" in ansible_facts.packages' - result_pwhistory_conf_check.stat.exists tags: @@ -4954,6 +5211,7 @@ - medium_disruption | bool - medium_severity | bool - no_reboot_needed | bool + - '"kernel-core" in ansible_facts.packages' - '"pam" in ansible_facts.packages' - not result_pwhistory_conf_check.stat.exists tags: @@ -4983,6 +5241,7 @@ - medium_disruption | bool - medium_severity | bool - no_reboot_needed | bool + - '"kernel-core" in ansible_facts.packages' - '"pam" in ansible_facts.packages' tags: - CCE-89176-2 @@ -5013,6 +5272,7 @@ - medium_disruption | bool - medium_severity | bool - no_reboot_needed | bool + - '"kernel-core" in ansible_facts.packages' - '"pam" in ansible_facts.packages' - result_authselect_present.stat.exists tags: 
@@ -5080,6 +5340,7 @@ - medium_disruption | bool - medium_severity | bool - no_reboot_needed | bool + - '"kernel-core" in ansible_facts.packages' - '"pam" in ansible_facts.packages' - result_authselect_present.stat.exists - result_authselect_available_features.stdout is search("with-pwhistory") @@ -5280,6 +5541,7 @@ - medium_disruption | bool - medium_severity | bool - no_reboot_needed | bool + - '"kernel-core" in ansible_facts.packages' - '"pam" in ansible_facts.packages' - '(result_authselect_available_features.stdout is defined and result_authselect_available_features.stdout is not search("with-pwhistory")) or result_authselect_available_features is not defined @@ -5312,6 +5574,7 @@ - medium_disruption | bool - medium_severity | bool - no_reboot_needed | bool + - '"kernel-core" in ansible_facts.packages' - '"pam" in ansible_facts.packages' tags: - CCE-89176-2 @@ -5498,6 +5761,7 @@ - medium_disruption | bool - medium_severity | bool - no_reboot_needed | bool + - '"kernel-core" in ansible_facts.packages' - '"pam" in ansible_facts.packages' - result_pwhistory_conf_check.stat.exists tags: @@ -5736,6 +6000,7 @@ - medium_disruption | bool - medium_severity | bool - no_reboot_needed | bool + - '"kernel-core" in ansible_facts.packages' - '"pam" in ansible_facts.packages' - not result_pwhistory_conf_check.stat.exists tags: @@ -5766,6 +6031,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool + - '"kernel-core" in ansible_facts.packages' - '"pam" in ansible_facts.packages' tags: - CCE-83587-6 @@ -5834,6 +6100,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool + - '"kernel-core" in ansible_facts.packages' - '"pam" in ansible_facts.packages' - result_authselect_present.stat.exists tags: 
@@ -5904,6 +6171,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool + - '"kernel-core" in ansible_facts.packages' - '"pam" in ansible_facts.packages' - not result_authselect_present.stat.exists tags: @@ -5935,6 +6203,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool + - '"kernel-core" in ansible_facts.packages' - '"pam" in ansible_facts.packages' tags: - CCE-83587-6 @@ -5967,6 +6236,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool + - '"kernel-core" in ansible_facts.packages' - '"pam" in ansible_facts.packages' - result_faillock_conf_check.stat.exists tags: @@ -6306,6 +6576,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool + - '"kernel-core" in ansible_facts.packages' - '"pam" in ansible_facts.packages' - result_faillock_conf_check.stat.exists tags: @@ -6396,6 +6667,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool + - '"kernel-core" in ansible_facts.packages' - '"pam" in ansible_facts.packages' - not result_faillock_conf_check.stat.exists tags: @@ -6427,6 +6699,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool + - '"kernel-core" in ansible_facts.packages' - '"pam" in ansible_facts.packages' tags: - CCE-83589-2 @@ -6493,6 +6766,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool + - '"kernel-core" in ansible_facts.packages' - '"pam" in ansible_facts.packages' - result_authselect_present.stat.exists tags: @@ -6559,6 +6833,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool + - '"kernel-core" in ansible_facts.packages' - '"pam" in ansible_facts.packages' - not result_authselect_present.stat.exists tags: @@ -6586,6 +6861,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool + - '"kernel-core" in ansible_facts.packages' - '"pam" in ansible_facts.packages' tags: - CCE-83589-2 
@@ -6614,6 +6890,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool + - '"kernel-core" in ansible_facts.packages' - '"pam" in ansible_facts.packages' - result_faillock_conf_check.stat.exists tags: @@ -6962,6 +7239,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool + - '"kernel-core" in ansible_facts.packages' - '"pam" in ansible_facts.packages' - result_faillock_conf_check.stat.exists tags: @@ -7023,6 +7301,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool + - '"kernel-core" in ansible_facts.packages' - '"pam" in ansible_facts.packages' - not result_faillock_conf_check.stat.exists tags: @@ -7050,6 +7329,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool + - '"kernel-core" in ansible_facts.packages' - '"pam" in ansible_facts.packages' tags: - CCE-83588-4 @@ -7118,6 +7398,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool + - '"kernel-core" in ansible_facts.packages' - '"pam" in ansible_facts.packages' - result_authselect_present.stat.exists tags: @@ -7188,6 +7469,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool + - '"kernel-core" in ansible_facts.packages' - '"pam" in ansible_facts.packages' - not result_authselect_present.stat.exists tags: @@ -7219,6 +7501,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool + - '"kernel-core" in ansible_facts.packages' - '"pam" in ansible_facts.packages' tags: - CCE-83588-4 @@ -7251,6 +7534,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool + - '"kernel-core" in ansible_facts.packages' - '"pam" in ansible_facts.packages' - result_faillock_conf_check.stat.exists tags: 
@@ -7592,6 +7876,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool + - '"kernel-core" in ansible_facts.packages' - '"pam" in ansible_facts.packages' - result_faillock_conf_check.stat.exists tags: @@ -7682,6 +7967,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool + - '"kernel-core" in ansible_facts.packages' - '"pam" in ansible_facts.packages' - not result_faillock_conf_check.stat.exists tags: @@ -7714,6 +8000,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool + - '"kernel-core" in ansible_facts.packages' - '"libpwquality" in ansible_facts.packages' tags: - CCE-88413-0 @@ -7743,6 +8030,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool + - '"kernel-core" in ansible_facts.packages' - '"libpwquality" in ansible_facts.packages' tags: - CCE-88413-0 @@ -7773,6 +8061,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool + - '"kernel-core" in ansible_facts.packages' - '"libpwquality" in ansible_facts.packages' tags: - CCE-88413-0 @@ -7801,6 +8090,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool + - '"kernel-core" in ansible_facts.packages' - '"libpwquality" in ansible_facts.packages' tags: - CCE-83564-5 @@ -7831,6 +8121,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool + - '"kernel-core" in ansible_facts.packages' - '"libpwquality" in ansible_facts.packages' tags: - CCE-83564-5 @@ -7861,6 +8152,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool + - '"kernel-core" in ansible_facts.packages' - '"libpwquality" in ansible_facts.packages' tags: - CCE-83564-5 @@ -7892,6 +8184,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool + - '"kernel-core" in ansible_facts.packages' - '"libpwquality" in ansible_facts.packages' tags: - CCE-86356-3 
@@ -7920,6 +8213,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool + - '"kernel-core" in ansible_facts.packages' - '"libpwquality" in ansible_facts.packages' tags: - CCE-83567-8 @@ -7948,6 +8242,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool + - '"kernel-core" in ansible_facts.packages' - '"libpwquality" in ansible_facts.packages' tags: - CCE-83567-8 @@ -7976,6 +8271,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool + - '"kernel-core" in ansible_facts.packages' - '"libpwquality" in ansible_facts.packages' tags: - CCE-83567-8 
@@ -7990,6 +8286,77 @@ - no_reboot_needed - restrict_strategy +- name: Limit the maximum number of sequential characters in passwords - Find pwquality.conf.d files + ansible.builtin.find: + paths: /etc/security/pwquality.conf.d/ + patterns: '*.conf' + register: pwquality_conf_d_files + when: + - accounts_password_pam_maxsequence | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"kernel-core" in ansible_facts.packages' + - '"libpwquality" in ansible_facts.packages' + tags: + - CCE-86444-7 + - accounts_password_pam_maxsequence + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Limit the maximum number of sequential characters in passwords - Ensure maxsequence is not set in pwquality.conf.d + ansible.builtin.lineinfile: + path: '{{ item.path }}' + regexp: ^\s*\bmaxsequence\b.* + state: absent + with_items: '{{ pwquality_conf_d_files.files }}' + when: + - accounts_password_pam_maxsequence | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"kernel-core" in ansible_facts.packages' + - '"libpwquality" in ansible_facts.packages' + tags: + - CCE-86444-7 + - accounts_password_pam_maxsequence + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Limit the maximum number of sequential characters in passwords - Ensure PAM variable maxsequence is set accordingly + ansible.builtin.lineinfile: + create: true + dest: /etc/security/pwquality.conf + regexp: ^#?\s*maxsequence + line: maxsequence = {{ var_password_pam_maxsequence }} + when: + - accounts_password_pam_maxsequence | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"kernel-core" in ansible_facts.packages' + - 
'"libpwquality" in ansible_facts.packages' + tags: + - CCE-86444-7 + - accounts_password_pam_maxsequence + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - name: Ensure PAM Enforces Password Requirements - Minimum Different Categories - Find pwquality.conf.d files ansible.builtin.find: paths: /etc/security/pwquality.conf.d/ @@ -8003,6 +8370,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool + - '"kernel-core" in ansible_facts.packages' - '"libpwquality" in ansible_facts.packages' tags: - CCE-83563-7 @@ -8032,6 +8400,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool + - '"kernel-core" in ansible_facts.packages' - '"libpwquality" in ansible_facts.packages' tags: - CCE-83563-7 @@ -8061,6 +8430,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool + - '"kernel-core" in ansible_facts.packages' - '"libpwquality" in ansible_facts.packages' tags: - CCE-83563-7 @@ -8089,6 +8459,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool + - '"kernel-core" in ansible_facts.packages' - '"libpwquality" in ansible_facts.packages' tags: - CCE-83579-3 @@ -8122,6 +8493,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool + - '"kernel-core" in ansible_facts.packages' - '"libpwquality" in ansible_facts.packages' tags: - CCE-83579-3 @@ -8155,6 +8527,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool + - '"kernel-core" in ansible_facts.packages' - '"libpwquality" in ansible_facts.packages' tags: - CCE-83579-3 @@ -8190,6 +8563,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - set_password_hashing_algorithm_libuserconf | bool + - '"kernel-core" in ansible_facts.packages' - '"libuser" in ansible_facts.packages' tags: - CCE-88865-1 
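Review bot: The third task added in the -7990 hunk writes `maxsequence = {{ var_password_pam_maxsequence }}` without validating the value; in libpwquality a value of 0 disables the sequential-character check entirely, so a variable that is misconfigured or defaulted to 0 makes this remediation report `changed` while weakening the policy. An `ansible.builtin.assert` that the variable is a positive integer before the lineinfile task, or at least a comment on it, `# 0 disables the check in libpwquality; must be a positive integer`, would make that explicit. The second task iterates with `with_items` while the new tasks elsewhere in this diff use `loop:` (see -10110 and -10117); `loop: '{{ pwquality_conf_d_files.files }}'` would be consistent. `var_password_pam_maxsequence` is not defined in this hunk, presumably it comes from the role's defaults.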
@@ -8224,6 +8598,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - set_password_hashing_algorithm_logindefs | bool + - '"kernel-core" in ansible_facts.packages' - '"shadow-utils" in ansible_facts.packages' tags: - CCE-90590-1 @@ -8255,6 +8630,7 @@ - medium_severity | bool - no_reboot_needed | bool - set_password_hashing_algorithm_passwordauth | bool + - '"kernel-core" in ansible_facts.packages' - '"pam" in ansible_facts.packages' tags: - CCE-85946-2 @@ -8496,6 +8872,7 @@ - medium_severity | bool - no_reboot_needed | bool - set_password_hashing_algorithm_passwordauth | bool + - '"kernel-core" in ansible_facts.packages' - '"pam" in ansible_facts.packages' - result_pam_file_present.stat.exists tags: @@ -8526,6 +8903,7 @@ - medium_severity | bool - no_reboot_needed | bool - set_password_hashing_algorithm_passwordauth | bool + - '"kernel-core" in ansible_facts.packages' - '"pam" in ansible_facts.packages' tags: - CCE-85946-2 @@ -8709,6 +9087,7 @@ - medium_severity | bool - no_reboot_needed | bool - set_password_hashing_algorithm_passwordauth | bool + - '"kernel-core" in ansible_facts.packages' - '"pam" in ansible_facts.packages' - result_pam_file_present.stat.exists tags: @@ -8738,6 +9117,7 @@ - medium_severity | bool - no_reboot_needed | bool - set_password_hashing_algorithm_systemauth | bool + - '"kernel-core" in ansible_facts.packages' - '"pam" in ansible_facts.packages' tags: - CCE-83581-9 @@ -8967,6 +9347,7 @@ - medium_severity | bool - no_reboot_needed | bool - set_password_hashing_algorithm_systemauth | bool + - '"kernel-core" in ansible_facts.packages' - '"pam" in ansible_facts.packages' - result_pam_file_present.stat.exists tags: @@ -8997,6 +9378,7 @@ - medium_severity | bool - no_reboot_needed | bool - set_password_hashing_algorithm_systemauth | bool + - '"kernel-core" in ansible_facts.packages' - '"pam" in ansible_facts.packages' tags: - CCE-83581-9 
@@ -9174,6 +9556,7 @@ - medium_severity | bool - no_reboot_needed | bool - set_password_hashing_algorithm_systemauth | bool + - '"kernel-core" in ansible_facts.packages' - '"pam" in ansible_facts.packages' - result_pam_file_present.stat.exists tags: @@ -9207,6 +9590,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool + - '"kernel-core" in ansible_facts.packages' - '"shadow-utils" in ansible_facts.packages' tags: - CCE-83627-0 @@ -9240,6 +9624,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool + - '"kernel-core" in ansible_facts.packages' - '"shadow-utils" in ansible_facts.packages' tags: - CCE-83606-4 @@ -9273,6 +9658,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool + - '"kernel-core" in ansible_facts.packages' - '"shadow-utils" in ansible_facts.packages' tags: - CCE-83610-6 @@ -9293,6 +9679,17 @@ ansible.builtin.command: cmd: awk -F':' '(/^[^:]+:[^!*]/ && ($5 > {{ var_accounts_maximum_age_login_defs }} || $5 == "")) {print $1}' /etc/shadow register: user_names + changed_when: false + check_mode: false + when: + - DISA_STIG_RHEL_09_411015 | bool + - accounts_password_set_max_life_existing | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86031-2 - DISA-STIG-RHEL-09-411015 @@ -9307,14 +9704,6 @@ - medium_severity - no_reboot_needed - restrict_strategy - when: - - DISA_STIG_RHEL_09_411015 | bool - - accounts_password_set_max_life_existing | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - name: Change the maximum time period between password changes ansible.builtin.user: 
@@ -9329,6 +9718,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool + - '"kernel-core" in ansible_facts.packages' - user_names.stdout_lines | length > 0 tags: - CCE-86031-2 @@ -9351,6 +9741,17 @@ ' register: user_names + changed_when: false + check_mode: false + when: + - DISA_STIG_RHEL_09_611080 | bool + - accounts_password_set_min_life_existing | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"kernel-core" in ansible_facts.packages' tags: - CCE-89069-9 - DISA-STIG-RHEL-09-611080 @@ -9363,14 +9764,6 @@ - medium_severity - no_reboot_needed - restrict_strategy - when: - - DISA_STIG_RHEL_09_611080 | bool - - accounts_password_set_min_life_existing | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - name: Change the minimum time period between password changes ansible.builtin.command: 'chage -m {{ var_accounts_minimum_age_login_defs }} {{ item }} @@ -9385,6 +9778,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool + - '"kernel-core" in ansible_facts.packages' - user_names.stdout_lines | length > 0 tags: - CCE-89069-9 @@ -9404,6 +9798,14 @@ cmd: awk -F':' '(($6 < {{ var_accounts_password_warn_age_login_defs }} || $6 == "") && $2 ~ /^\$/) {print $1}' /etc/shadow register: result_pass_warn_age_user_names changed_when: false + when: + - accounts_password_set_warn_age_existing | bool + - configure_strategy | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86915-6 - NIST-800-53-CM-6(a) 
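Review bot: The consumer conditions at -9329 and -9385 test `user_names.stdout_lines | length > 0` directly, whereas the equivalent consumers at -9436 and -9521 use `result_pass_warn_age_user_names is not skipped and ...` and `user_names is not skipped and ...`. Now that the producing awk tasks carry their own `when:`, a skipped producer leaves `user_names` as a skip result without `stdout_lines`; today the identical condition lists short-circuit before reaching that item, but a tag- or `--start-at-task`-filtered run would raise an undefined-attribute error instead of skipping cleanly. `- user_names is not skipped and user_names.stdout_lines | length > 0` matches the pattern already used below. The `register: user_names` name is also shared by three consecutive rules, which works only while task order is preserved; distinct names per rule, as done with `result_pass_warn_age_user_names`, would remove that coupling.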
@@ -9417,13 +9819,6 @@ - low_disruption - medium_severity - no_reboot_needed - when: - - accounts_password_set_warn_age_existing | bool - - configure_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - name: Set Existing Passwords Warning Age - Ensure the Number of Days of Warning Before Password Expires ansible.builtin.command: @@ -9436,6 +9831,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool + - '"kernel-core" in ansible_facts.packages' - result_pass_warn_age_user_names is not skipped and result_pass_warn_age_user_names.stdout_lines | length > 0 tags: - CCE-86915-6 @@ -9465,6 +9861,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool + - '"kernel-core" in ansible_facts.packages' - '"shadow-utils" in ansible_facts.packages' tags: - CCE-83609-8 @@ -9487,6 +9884,14 @@ cmd: awk -F':' '(($7 > {{ var_account_disable_post_pw_expiration }} || $7 == "") && $2 ~ /^\$/) {print $1}' /etc/shadow register: user_names changed_when: false + when: + - accounts_set_post_pw_existing | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86759-8 - NIST-800-171-3.5.6 @@ -9502,13 +9907,6 @@ - medium_severity - no_reboot_needed - restrict_strategy - when: - - accounts_set_post_pw_existing | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - name: Change the period of inactivity ansible.builtin.command: @@ -9521,6 +9919,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool + - '"kernel-core" in ansible_facts.packages' - user_names is not skipped and user_names.stdout_lines | length > 0 tags: - CCE-86759-8 
@@ -9550,7 +9949,7 @@ - medium_disruption | bool - no_empty_passwords | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83611-4 - CJIS-5.5.2 @@ -9620,7 +10019,7 @@ - medium_disruption | bool - no_empty_passwords | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - result_authselect_present.stat.exists tags: - CCE-83611-4 @@ -9656,7 +10055,7 @@ - medium_disruption | bool - no_empty_passwords | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - not result_authselect_present.stat.exists tags: - CCE-83611-4 @@ -9691,7 +10090,7 @@ - no_empty_passwords_etc_shadow | bool - no_reboot_needed | bool - restrict_strategy | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-85972-8 - DISA-STIG-RHEL-09-611155 @@ -9719,7 +10118,7 @@ - no_empty_passwords_etc_shadow | bool - no_reboot_needed | bool - restrict_strategy | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - users_nopasswd is not skipped and users_nopasswd.stdout_lines | length > 0 tags: - CCE-85972-8 @@ -9739,6 +10138,15 @@ ansible.builtin.getent: database: passwd split: ':' + when: + - DISA_STIG_RHEL_09_411100 | bool + - accounts_no_uid_except_zero | bool + - high_severity | bool + - low_complexity | bool + - low_disruption | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83624-7 - DISA-STIG-RHEL-09-411100 
@@ -9756,14 +10164,6 @@ - low_disruption - no_reboot_needed - restrict_strategy - when: - - DISA_STIG_RHEL_09_411100 | bool - - accounts_no_uid_except_zero | bool - - high_severity | bool - - low_complexity | bool - - low_disruption | bool - - no_reboot_needed | bool - - restrict_strategy | bool - name: Lock the password of the user accounts other than root with uid 0 ansible.builtin.command: passwd -l {{ item.key }} @@ -9776,6 +10176,7 @@ - low_disruption | bool - no_reboot_needed | bool - restrict_strategy | bool + - '"kernel-core" in ansible_facts.packages' - item.value.1 == '0' tags: - CCE-83624-7 @@ -9807,7 +10208,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - '"pam" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86072-6 - PCI-DSSv4-2.2 @@ -9833,7 +10234,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - '"pam" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86072-6 - PCI-DSSv4-2.2 @@ -9849,6 +10250,14 @@ ansible.builtin.getent: database: passwd split: ':' + when: + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_password_auth_for_systemaccounts | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86113-8 - NIST-800-53-AC-6 
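Review bot: At -9807 and -9833 the `'"pam" in ansible_facts.packages'` condition is replaced by the kernel-core check rather than kept alongside it, unlike every other hunk in this file, where kernel-core is inserted before the existing package guard. If these CCE-86072-6 tasks edit PAM configuration (their bodies are outside the hunk, so I cannot confirm), dropping the guard means they will run and create files on a host without the pam package; if the removal is deliberate, a short comment on the task, `# no pam package guard: rule applies regardless of PAM being installed`, would save the next reader from re-deriving that from the generator.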
@@ -9861,17 +10270,18 @@ - no_password_auth_for_systemaccounts - no_reboot_needed - restrict_strategy - when: - - low_complexity | bool - - medium_disruption | bool - - medium_severity | bool - - no_password_auth_for_systemaccounts | bool - - no_reboot_needed | bool - - restrict_strategy | bool - name: Ensure that System Accounts Are Locked - Create local_users Variable From getent_passwd Facts ansible.builtin.set_fact: local_users: '{{ ansible_facts.getent_passwd | dict2items }}' + when: + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_password_auth_for_systemaccounts | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86113-8 - NIST-800-53-AC-6 @@ -9884,13 +10294,6 @@ - no_password_auth_for_systemaccounts - no_reboot_needed - restrict_strategy - when: - - low_complexity | bool - - medium_disruption | bool - - medium_severity | bool - - no_password_auth_for_systemaccounts | bool - - no_reboot_needed | bool - - restrict_strategy | bool - name: Ensure that System Accounts Are Locked - Lock System Accounts ansible.builtin.user: @@ -9904,6 +10307,7 @@ - no_password_auth_for_systemaccounts | bool - no_reboot_needed | bool - restrict_strategy | bool + - '"kernel-core" in ansible_facts.packages' - item.value[1]|int < 1000 - item.key not in ['root', 'halt', 'sync', 'shutdown', 'nfsnobody'] tags: @@ -9923,6 +10327,15 @@ ansible.builtin.getent: database: passwd split: ':' + when: + - DISA_STIG_RHEL_09_411035 | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - no_shelllogin_for_systemaccounts | bool + - restrict_strategy | bool + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83623-9 - DISA-STIG-RHEL-09-411035 
@@ -9938,18 +10351,19 @@ - no_reboot_needed - no_shelllogin_for_systemaccounts - restrict_strategy - when: - - DISA_STIG_RHEL_09_411035 | bool - - low_complexity | bool - - medium_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - no_shelllogin_for_systemaccounts | bool - - restrict_strategy | bool - name: Ensure that System Accounts Do Not Run a Shell Upon Login - Create local_users Variable From getent_passwd Facts ansible.builtin.set_fact: local_users: '{{ ansible_facts.getent_passwd | dict2items }}' + when: + - DISA_STIG_RHEL_09_411035 | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - no_shelllogin_for_systemaccounts | bool + - restrict_strategy | bool + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83623-9 - DISA-STIG-RHEL-09-411035 @@ -9965,14 +10379,6 @@ - no_reboot_needed - no_shelllogin_for_systemaccounts - restrict_strategy - when: - - DISA_STIG_RHEL_09_411035 | bool - - low_complexity | bool - - medium_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - no_shelllogin_for_systemaccounts | bool - - restrict_strategy | bool - name: Ensure that System Accounts Do Not Run a Shell Upon Login - Disable Login Shell for System Accounts ansible.builtin.user: @@ -9987,6 +10393,7 @@ - no_reboot_needed | bool - no_shelllogin_for_systemaccounts | bool - restrict_strategy | bool + - '"kernel-core" in ansible_facts.packages' - item.key not in ['root'] - item.value[1]|int < 1000 - item.value[5] not in ['/sbin/shutdown', '/sbin/halt', '/bin/sync'] @@ -10045,7 +10452,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83633-8 - DISA-STIG-RHEL-09-412035 
@@ -10078,7 +10485,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83633-8 - DISA-STIG-RHEL-09-412035 @@ -10096,12 +10503,18 @@ - no_reboot_needed - restrict_strategy -- name: Ensure interactive local users are the group-owners of their respective initialization files - ansible.builtin.shell: - cmd: ' - - awk -F: ''{if ($4 >= 1000 && $4 != 65534) print $4":"$6}'' /etc/passwd | while IFS=: read -r gid home; do find -P "$home" - -maxdepth 1 -type f -name "\.[^.]*" -exec chgrp -f --no-dereference -- $gid "{}" \;; done' +- name: User Initialization Files Must Be Group-Owned By The Primary Group - Get interactive users from passwd file + ansible.builtin.getent: + database: passwd + register: passwd_entries + when: + - accounts_user_dot_group_ownership | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"kernel-core" in ansible_facts.packages' tags: - CCE-87037-8 - accounts_user_dot_group_ownership @@ -10110,6 +10523,12 @@ - medium_severity - no_reboot_needed - restrict_strategy + +- name: User Initialization Files Must Be Group-Owned By The Primary Group - Create list of interactive users with GID and + home directory + ansible.builtin.set_fact: + interactive_users: '{{ interactive_users | default([]) + [{''home'': item.value[4], ''gid'': item.value[2]}] }}' + loop: '{{ passwd_entries.ansible_facts.getent_passwd | dict2items }}' when: - accounts_user_dot_group_ownership | bool - low_complexity | bool 
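Review bot: `interactive_users: '{{ interactive_users | default([]) + [...] }}'` at -10110 accumulates into a host fact that is never reset, so a second run of the role in the same play, or any earlier play that already set `interactive_users`, keeps appending and the later find and file tasks process duplicate home directories. The sibling rule at -10131 starts with a dedicated set_fact task that initializes its facts (`home_user_dirs: []`); the same pattern here, an `interactive_users: []` set_fact under the same `when:` placed before the getent task at -10096, would make the loop start from a known state. The task's `when:` list continues in the next hunk.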
@@ -10117,11 +10536,87 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool + - '"kernel-core" in ansible_facts.packages' + - item.value[2] | int >= 1000 | int + - item.value[2] | int != 65534 | int + - item.value[4] != "" + tags: + - CCE-87037-8 + - accounts_user_dot_group_ownership + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: User Initialization Files Must Be Group-Owned By The Primary Group - Find dot files in interactive user home directories + ansible.builtin.find: + paths: '{{ item.home }}' + patterns: .* + file_type: file + hidden: true + depth: 1 + follow: false + register: user_dotfiles + loop: '{{ interactive_users | default([]) }}' + failed_when: false + when: + - accounts_user_dot_group_ownership | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"kernel-core" in ansible_facts.packages' + - item.home != "" + tags: + - CCE-87037-8 + - accounts_user_dot_group_ownership + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: User Initialization Files Must Be Group-Owned By The Primary Group - Set correct group ownership for user initialization + files + ansible.builtin.file: + path: '{{ item.1.path }}' + group: '{{ item.0.item.gid }}' + follow: false + loop: '{{ user_dotfiles.results | subelements(''files'', skip_missing=True) }}' + when: + - accounts_user_dot_group_ownership | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"kernel-core" in ansible_facts.packages' + - item.0 is not skipped + - item.1.path is defined + tags: + - CCE-87037-8 + - accounts_user_dot_group_ownership + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy - name: User Initialization Files Must 
Not Run World-Writable Programs - Initialize variables ansible.builtin.set_fact: home_user_dirs: [] world_writable_files: [] + when: + - DISA_STIG_RHEL_09_411115 | bool + - accounts_user_dot_no_world_writable_programs | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"kernel-core" in ansible_facts.packages' tags: - CCE-87451-1 - DISA-STIG-RHEL-09-411115 @@ -10131,19 +10626,20 @@ - medium_severity - no_reboot_needed - restrict_strategy - when: - - DISA_STIG_RHEL_09_411115 | bool - - accounts_user_dot_no_world_writable_programs | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - name: User Initialization Files Must Not Run World-Writable Programs - Get user's home dir list ansible.builtin.getent: database: passwd register: passwd_database + when: + - DISA_STIG_RHEL_09_411115 | bool + - accounts_user_dot_no_world_writable_programs | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"kernel-core" in ansible_facts.packages' tags: - CCE-87451-1 - DISA-STIG-RHEL-09-411115 @@ -10153,14 +10649,6 @@ - medium_severity - no_reboot_needed - restrict_strategy - when: - - DISA_STIG_RHEL_09_411115 | bool - - accounts_user_dot_no_world_writable_programs | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - name: User Initialization Files Must Not Run World-Writable Programs - Fill home_user_dirs ansible.builtin.set_fact: 
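Review bot: In the `Set correct group ownership for user initialization files` task (hunk `+10536`, which begins on the previous line) the `when` list guards only `item.0 is not skipped` and `item.1.path is defined`, whereas its counterpart for user ownership (`+10786`) also checks `item.0 is not failed`, `item.0.item is defined` and that the attribute it templates is defined; `group: '{{ item.0.item.gid }}'` would raise an undefined-variable error instead of skipping if a `find` result ever lacked its loop item. Two lines bring the tasks in line: `- item.0 is not failed` and `- item.0.item.gid is defined`. The `failed_when: false` on the preceding `find` task also hides permission errors on unreadable home directories, which is acceptable for a remediation but worth a comment such as `# unreadable or missing home directories are skipped rather than failing the run`.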
@@ -10173,6 +10661,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool + - '"kernel-core" in ansible_facts.packages' - item.data[4] is defined and item.data[2]|int >= 1000 and item.data[2]|int != 65534 with_items: '{{ passwd_database.ansible_facts.getent_passwd | dict2items(key_name=''user'', value_name=''data'')}}' tags: @@ -10190,6 +10679,17 @@ ' register: world_writable_files + changed_when: false + check_mode: false + when: + - DISA_STIG_RHEL_09_411115 | bool + - accounts_user_dot_no_world_writable_programs | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"kernel-core" in ansible_facts.packages' tags: - CCE-87451-1 - DISA-STIG-RHEL-09-411115 @@ -10199,14 +10699,6 @@ - medium_severity - no_reboot_needed - restrict_strategy - when: - - DISA_STIG_RHEL_09_411115 | bool - - accounts_user_dot_no_world_writable_programs | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - name: User Initialization Files Must Not Run World-Writable Programs - Find referenced_files in init files ansible.builtin.find: @@ -10217,6 +10709,15 @@ recurse: true with_items: '{{ world_writable_files.stdout_lines }}' register: referenced_files + when: + - DISA_STIG_RHEL_09_411115 | bool + - accounts_user_dot_no_world_writable_programs | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"kernel-core" in ansible_facts.packages' tags: - CCE-87451-1 - DISA-STIG-RHEL-09-411115 
@@ -10226,14 +10727,6 @@ - medium_severity - no_reboot_needed - restrict_strategy - when: - - DISA_STIG_RHEL_09_411115 | bool - - accounts_user_dot_no_world_writable_programs | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - name: User Initialization Files Must Not Run World-Writable Programs - Remove world writable permissions ansible.builtin.file: @@ -10247,6 +10740,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool + - '"kernel-core" in ansible_facts.packages' - item.matched > 0 with_items: '{{ referenced_files.results }}' tags: @@ -10259,10 +10753,18 @@ - no_reboot_needed - restrict_strategy -- name: Ensure interactive local users are the owners of their respective initialization files - ansible.builtin.shell: - cmd: 'awk -F: ''{if ($3 >= 1000 && $3 != 65534) print $3":"$6}'' /etc/passwd | while IFS=: read -r uid home; do find -P - "$home" -maxdepth 1 -type f -name "\.[^.]*" -exec chown -f --no-dereference -- $uid "{}" \;; done' +- name: User Initialization Files Must Be Owned By the Primary User - Get interactive users from passwd file + ansible.builtin.getent: + database: passwd + register: passwd_entries + when: + - accounts_user_dot_user_ownership | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"kernel-core" in ansible_facts.packages' tags: - CCE-87038-6 - accounts_user_dot_user_ownership 
@@ -10271,6 +10773,12 @@ - medium_severity - no_reboot_needed - restrict_strategy + +- name: User Initialization Files Must Be Owned By the Primary User - Create list of interactive users with UID and home directory + ansible.builtin.set_fact: + interactive_users: '{{ interactive_users | default([]) + [{''uid'': item.value[1], ''home'': item.value[4], ''username'': + item.key}] }}' + loop: '{{ passwd_entries.ansible_facts.getent_passwd | dict2items }}' when: - accounts_user_dot_user_ownership | bool - low_complexity | bool 
@@ -10278,11 +10786,89 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool + - '"kernel-core" in ansible_facts.packages' + - item.value[1] | int >= 1000 | int + - item.value[1] | int != 65534 | int + - item.value[4] != "" + tags: + - CCE-87038-6 + - accounts_user_dot_user_ownership + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: User Initialization Files Must Be Owned By the Primary User - Find dot files in interactive user home directories + ansible.builtin.find: + paths: '{{ item.home }}' + patterns: .* + file_type: file + hidden: true + depth: 1 + follow: false + register: user_dotfiles + loop: '{{ interactive_users | default([]) }}' + failed_when: false + when: + - accounts_user_dot_user_ownership | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"kernel-core" in ansible_facts.packages' + - item.home != "" + tags: + - CCE-87038-6 + - accounts_user_dot_user_ownership + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: User Initialization Files Must Be Owned By the Primary User - Set correct ownership for user initialization files + ansible.builtin.file: + path: '{{ item.1.path }}' + owner: '{{ item.0.item.username }}' + follow: false + loop: '{{ user_dotfiles.results | subelements(''files'', skip_missing=True) }}' + when: + - accounts_user_dot_user_ownership | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"kernel-core" in ansible_facts.packages' + - item.0 is not skipped + - item.0 is not failed + - item.0.item is defined + - item.0.item.username is defined + - item.1.path is defined + tags: + - CCE-87038-6 + - accounts_user_dot_user_ownership + - low_complexity + - low_disruption + - medium_severity + - 
no_reboot_needed
+ - restrict_strategy
- name: Get all local users from /etc/passwd
ansible.builtin.getent:
database: passwd
split: ':'
+ when:
+ - DISA_STIG_RHEL_09_411065 | bool
+ - accounts_user_interactive_home_directory_exists | bool
+ - low_complexity | bool
+ - low_disruption | bool
+ - medium_severity | bool
+ - no_reboot_needed | bool
+ - restrict_strategy | bool
+ - '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83639-5
- DISA-STIG-RHEL-09-411065
@@ -10292,18 +10878,19 @@
- medium_severity
- no_reboot_needed
- restrict_strategy
- when:
- - DISA_STIG_RHEL_09_411065 | bool
- - accounts_user_interactive_home_directory_exists | bool
- - low_complexity | bool
- - low_disruption | bool
- - medium_severity | bool
- - no_reboot_needed | bool
- - restrict_strategy | bool
- name: Create local_users variable from the getent output
ansible.builtin.set_fact:
local_users: '{{ ansible_facts.getent_passwd|dict2items }}'
+ when:
+ - DISA_STIG_RHEL_09_411065 | bool
+ - accounts_user_interactive_home_directory_exists | bool
+ - low_complexity | bool
+ - low_disruption | bool
+ - medium_severity | bool
+ - no_reboot_needed | bool
+ - restrict_strategy | bool
+ - '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83639-5
- DISA-STIG-RHEL-09-411065
@@ -10313,14 +10900,6 @@
- medium_severity
- no_reboot_needed
- restrict_strategy
- when:
- - DISA_STIG_RHEL_09_411065 | bool
- - accounts_user_interactive_home_directory_exists | bool
- - low_complexity | bool
- - low_disruption | bool
- - medium_severity | bool
- - no_reboot_needed | bool
- - restrict_strategy | bool
- name: Ensure interactive users have a home directory exists
ansible.builtin.user:
@@ -10335,6 +10914,7 @@
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
+ - '"kernel-core" in ansible_facts.packages'
- item.value[1]|int >= 1000
- item.value[1]|int != 65534
tags:
@@ -10576,6 +11156,7 @@
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
+ - '"kernel-core" in ansible_facts.packages'
- '"bash" in ansible_facts.packages'
tags:
- CCE-83644-5
@@ -10602,6 +11183,7 @@
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
+ - '"kernel-core" in ansible_facts.packages'
- '"bash" in ansible_facts.packages'
- umask_replace.found > 0
tags:
@@ -10629,6 +11211,7 @@
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
+ - '"kernel-core" in ansible_facts.packages'
- '"bash" in ansible_facts.packages'
- umask_replace.found == 0
tags:
@@ -10659,6 +11242,7 @@
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
+ - '"kernel-core" in ansible_facts.packages'
- '"shadow-utils" in ansible_facts.packages'
tags:
- CCE-83647-8
@@ -10685,6 +11269,7 @@
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
+ - '"kernel-core" in ansible_facts.packages'
- '"shadow-utils" in ansible_facts.packages'
- result_umask_is_set.found > 0
tags:
@@ -10712,6 +11297,7 @@
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
+ - '"kernel-core" in ansible_facts.packages'
- '"shadow-utils" in ansible_facts.packages'
- result_umask_is_set.found == 0
tags:
@@ -10735,6 +11321,15 @@
- '*.sh'
contains: ^[\s]*umask\s+\d+
register: result_profile_d_files
+ when:
+ - DISA_STIG_RHEL_09_412070 | bool
+ - accounts_umask_etc_profile | bool
+ - low_complexity | bool
+ - low_disruption | bool
+ - medium_severity | bool
+ - no_reboot_needed | bool
+ - restrict_strategy | bool
+ - '"kernel-core" in ansible_facts.packages'
tags:
- CCE-90828-5
- DISA-STIG-RHEL-09-412070
@@ -10746,14 +11341,6 @@ - medium_severity - no_reboot_needed - restrict_strategy - when: - - DISA_STIG_RHEL_09_412070 | bool - - accounts_umask_etc_profile | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - name: Ensure the Default Umask is Set Correctly in /etc/profile - Replace Existing umask Value in Files From /etc/profile.d ansible.builtin.replace: @@ -10770,6 +11357,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool + - '"kernel-core" in ansible_facts.packages' - result_profile_d_files.matched tags: - CCE-90828-5 @@ -10798,6 +11386,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool + - '"kernel-core" in ansible_facts.packages' - not result_profile_d_files.matched tags: - CCE-90828-5 @@ -10818,6 +11407,15 @@ regexp: ^(\s*)umask\s+\d+ replace: \1umask {{ var_accounts_user_umask }} register: result_umask_replaced_profile + when: + - DISA_STIG_RHEL_09_412070 | bool + - accounts_umask_etc_profile | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"kernel-core" in ansible_facts.packages' tags: - CCE-90828-5 - DISA-STIG-RHEL-09-412070 @@ -10829,14 +11427,6 @@ - medium_severity - no_reboot_needed - restrict_strategy - when: - - DISA_STIG_RHEL_09_412070 | bool - - accounts_umask_etc_profile | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - name: Set the file_groupowner_grub2_cfg_newgroup variable if represented by gid ansible.builtin.set_fact: 
@@ -10849,7 +11439,7 @@
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- - ( "grub2-common" in ansible_facts.packages and "kernel" in ansible_facts.packages )
+ - ( "grub2-common" in ansible_facts.packages and "kernel-core" in ansible_facts.packages )
- not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] )
tags:
- CCE-83848-2
@@ -10880,7 +11470,7 @@
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- - ( "grub2-common" in ansible_facts.packages and "kernel" in ansible_facts.packages )
+ - ( "grub2-common" in ansible_facts.packages and "kernel-core" in ansible_facts.packages )
- not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] )
tags:
- CCE-83848-2
@@ -10912,7 +11502,7 @@
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- - ( "grub2-common" in ansible_facts.packages and "kernel" in ansible_facts.packages )
+ - ( "grub2-common" in ansible_facts.packages and "kernel-core" in ansible_facts.packages )
- not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] )
- file_exists.stat is defined and file_exists.stat.exists
tags:
@@ -10942,7 +11532,7 @@
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- - ( "grub2-common" in ansible_facts.packages and "kernel" in ansible_facts.packages )
+ - ( "grub2-common" in ansible_facts.packages and "kernel-core" in ansible_facts.packages )
- not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] )
tags:
- CCE-86010-6
@@ -10971,7 +11561,7 @@
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- - ( "grub2-common" in ansible_facts.packages and "kernel" in ansible_facts.packages )
+ - ( "grub2-common" in ansible_facts.packages and "kernel-core" in ansible_facts.packages )
- not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] )
tags:
- CCE-86010-6
@@ -11001,7 +11591,7 @@
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- - ( "grub2-common" in ansible_facts.packages and "kernel" in ansible_facts.packages )
+ - ( "grub2-common" in ansible_facts.packages and "kernel-core" in ansible_facts.packages )
- not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] )
- file_exists.stat is defined and file_exists.stat.exists
tags:
@@ -11031,7 +11621,7 @@
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- - ( "grub2-common" in ansible_facts.packages and "kernel" in ansible_facts.packages )
+ - ( "grub2-common" in ansible_facts.packages and "kernel-core" in ansible_facts.packages )
- not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] )
tags:
- CCE-83845-8
@@ -11062,7 +11652,7 @@
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- - ( "grub2-common" in ansible_facts.packages and "kernel" in ansible_facts.packages )
+ - ( "grub2-common" in ansible_facts.packages and "kernel-core" in ansible_facts.packages )
- not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] )
tags:
- CCE-83845-8
@@ -11094,7 +11684,7 @@
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- - ( "grub2-common" in ansible_facts.packages and "kernel" in ansible_facts.packages )
+ - ( "grub2-common" in ansible_facts.packages and "kernel-core" in ansible_facts.packages )
- not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] )
- file_exists.stat is defined and file_exists.stat.exists
tags:
@@ -11124,7 +11714,7 @@
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- - ( "grub2-common" in ansible_facts.packages and "kernel" in ansible_facts.packages )
+ - ( "grub2-common" in ansible_facts.packages and "kernel-core" in ansible_facts.packages )
- not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] )
tags:
- CCE-86016-3
@@ -11153,7 +11743,7 @@
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- - ( "grub2-common" in ansible_facts.packages and "kernel" in ansible_facts.packages )
+ - ( "grub2-common" in ansible_facts.packages and "kernel-core" in ansible_facts.packages )
- not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] )
tags:
- CCE-86016-3
@@ -11183,7 +11773,7 @@
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- - ( "grub2-common" in ansible_facts.packages and "kernel" in ansible_facts.packages )
+ - ( "grub2-common" in ansible_facts.packages and "kernel-core" in ansible_facts.packages )
- not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] )
- file_exists.stat is defined and file_exists.stat.exists
tags:
@@ -11213,7 +11803,7 @@
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- - ( "grub2-common" in ansible_facts.packages and "kernel" in ansible_facts.packages )
+ - ( "grub2-common" in ansible_facts.packages and "kernel-core" in ansible_facts.packages )
- not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] )
tags:
- CCE-83846-6
@@ -11240,7 +11830,7 @@
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- - ( "grub2-common" in ansible_facts.packages and "kernel" in ansible_facts.packages )
+ - ( "grub2-common" in ansible_facts.packages and "kernel-core" in ansible_facts.packages )
- not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] )
- file_exists.stat is defined and file_exists.stat.exists
tags:
@@ -11268,7 +11858,7 @@
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- - ( "grub2-common" in ansible_facts.packages and "kernel" in ansible_facts.packages )
+ - ( "grub2-common" in ansible_facts.packages and "kernel-core" in ansible_facts.packages )
- not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] )
tags:
- CCE-86025-4
@@ -11295,7 +11885,7 @@
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- - ( "grub2-common" in ansible_facts.packages and "kernel" in ansible_facts.packages )
+ - ( "grub2-common" in ansible_facts.packages and "kernel-core" in ansible_facts.packages )
- not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] )
- file_exists.stat is defined and file_exists.stat.exists
tags:
@@ -11322,7 +11912,7 @@
- medium_severity | bool
- no_reboot_needed | bool
- rsyslog_files_groupownership | bool
- - '"kernel" in ansible_facts.packages'
+ - '"kernel-core" in ansible_facts.packages'
- '"rsyslog" in ansible_facts.packages'
tags:
- CCE-83834-2
@@ -11354,7 +11944,7 @@
- medium_severity | bool
- no_reboot_needed | bool
- rsyslog_files_groupownership | bool
- - '"kernel" in ansible_facts.packages'
+ - '"kernel-core" in ansible_facts.packages'
- '"rsyslog" in ansible_facts.packages'
tags:
- CCE-83834-2
@@ -11387,7 +11977,7 @@
- medium_severity | bool
- no_reboot_needed | bool
- rsyslog_files_groupownership | bool
- - '"kernel" in ansible_facts.packages'
+ - '"kernel-core" in ansible_facts.packages'
- '"rsyslog" in ansible_facts.packages'
tags:
- CCE-83834-2
@@ -11414,7 +12004,7 @@
- medium_severity | bool
- no_reboot_needed | bool
- rsyslog_files_groupownership | bool
- - '"kernel" in ansible_facts.packages'
+ - '"kernel-core" in ansible_facts.packages'
- '"rsyslog" in ansible_facts.packages'
- rsyslog_old_inc is not skipped and rsyslog_new_inc is not skipped
tags:
@@ -11446,7 +12036,7 @@
- medium_severity | bool
- no_reboot_needed | bool
- rsyslog_files_groupownership | bool
- - '"kernel" in ansible_facts.packages'
+ - '"kernel-core" in ansible_facts.packages'
- '"rsyslog" in ansible_facts.packages'
- include_config_output is defined
register: rsyslog_config_files
@@ -11487,7 +12077,7 @@
- medium_severity | bool
- no_reboot_needed | bool
- rsyslog_files_groupownership | bool
- - '"kernel" in ansible_facts.packages'
+ - '"kernel-core" in ansible_facts.packages'
- '"rsyslog" in ansible_facts.packages'
- rsyslog_config_files is not skipped
tags:
@@ -11527,7 +12117,7 @@
- medium_severity | bool
- no_reboot_needed | bool
- rsyslog_files_groupownership | bool
- - '"kernel" in ansible_facts.packages'
+ - '"kernel-core" in ansible_facts.packages'
- '"rsyslog" in ansible_facts.packages'
- rsyslog_config_files is not skipped
tags:
@@ -11556,7 +12146,7 @@
- medium_severity | bool
- no_reboot_needed | bool
- rsyslog_files_groupownership | bool
- - '"kernel" in ansible_facts.packages'
+ - '"kernel-core" in ansible_facts.packages'
- '"rsyslog" in ansible_facts.packages'
tags:
- CCE-83834-2
@@ -11587,7 +12177,7 @@
- medium_severity | bool
- no_reboot_needed | bool
- rsyslog_files_groupownership | bool
- - '"kernel" in ansible_facts.packages'
+ - '"kernel-core" in ansible_facts.packages'
- '"rsyslog" in ansible_facts.packages'
tags:
- CCE-83834-2
@@ -11614,7 +12204,7 @@
- medium_severity | bool
- no_reboot_needed | bool
- rsyslog_files_ownership | bool
- - '"kernel" in ansible_facts.packages'
+ - '"kernel-core" in ansible_facts.packages'
- '"rsyslog" in ansible_facts.packages'
tags:
- CCE-83946-4
@@ -11646,7 +12236,7 @@
- medium_severity | bool
- no_reboot_needed | bool
- rsyslog_files_ownership | bool
- - '"kernel" in ansible_facts.packages'
+ - '"kernel-core" in ansible_facts.packages'
- '"rsyslog" in ansible_facts.packages'
tags:
- CCE-83946-4
@@ -11679,7 +12269,7 @@
- medium_severity | bool
- no_reboot_needed | bool
- rsyslog_files_ownership | bool
- - '"kernel" in ansible_facts.packages'
+ - '"kernel-core" in ansible_facts.packages'
- '"rsyslog" in ansible_facts.packages'
tags:
- CCE-83946-4
@@ -11706,7 +12296,7 @@
- medium_severity | bool
- no_reboot_needed | bool
- rsyslog_files_ownership | bool
- - '"kernel" in ansible_facts.packages'
+ - '"kernel-core" in ansible_facts.packages'
- '"rsyslog" in ansible_facts.packages'
- rsyslog_old_inc is not skipped and rsyslog_new_inc is not skipped
tags:
@@ -11738,7 +12328,7 @@
- medium_severity | bool
- no_reboot_needed | bool
- rsyslog_files_ownership | bool
- - '"kernel" in ansible_facts.packages'
+ - '"kernel-core" in ansible_facts.packages'
- '"rsyslog" in ansible_facts.packages'
- include_config_output is defined
register: rsyslog_config_files
@@ -11779,7 +12369,7 @@
- medium_severity | bool
- no_reboot_needed | bool
- rsyslog_files_ownership | bool
- - '"kernel" in ansible_facts.packages'
+ - '"kernel-core" in ansible_facts.packages'
- '"rsyslog" in ansible_facts.packages'
- rsyslog_config_files is not skipped
tags:
@@ -11819,7 +12409,7 @@
- medium_severity | bool
- no_reboot_needed | bool
- rsyslog_files_ownership | bool
- - '"kernel" in ansible_facts.packages'
+ - '"kernel-core" in ansible_facts.packages'
- '"rsyslog" in ansible_facts.packages'
- rsyslog_config_files is not skipped
tags:
@@ -11848,7 +12438,7 @@
- medium_severity | bool
- no_reboot_needed | bool
- rsyslog_files_ownership | bool
- - '"kernel" in ansible_facts.packages'
+ - '"kernel-core" in ansible_facts.packages'
- '"rsyslog" in ansible_facts.packages'
tags:
- CCE-83946-4
@@ -11879,7 +12469,7 @@
- medium_severity | bool
- no_reboot_needed | bool
- rsyslog_files_ownership | bool
- - '"kernel" in ansible_facts.packages'
+ - '"kernel-core" in ansible_facts.packages'
- '"rsyslog" in ansible_facts.packages'
tags:
- CCE-83946-4
@@ -11906,7 +12496,7 @@
- medium_severity | bool
- no_reboot_needed | bool
- rsyslog_files_permissions | bool
- - '"kernel" in ansible_facts.packages'
+ - '"kernel-core" in ansible_facts.packages'
- '"rsyslog" in ansible_facts.packages'
tags:
- CCE-83689-0
@@ -11938,7 +12528,7 @@
- medium_severity | bool
- no_reboot_needed | bool
- rsyslog_files_permissions | bool
- - '"kernel" in ansible_facts.packages'
+ - '"kernel-core" in ansible_facts.packages'
- '"rsyslog" in ansible_facts.packages'
tags:
- CCE-83689-0
@@ -11971,7 +12561,7 @@
- medium_severity | bool
- no_reboot_needed | bool
- rsyslog_files_permissions | bool
- - '"kernel" in ansible_facts.packages'
+ - '"kernel-core" in ansible_facts.packages'
- '"rsyslog" in ansible_facts.packages'
tags:
- CCE-83689-0
@@ -11998,7 +12588,7 @@
- medium_severity | bool
- no_reboot_needed | bool
- rsyslog_files_permissions | bool
- - '"kernel" in ansible_facts.packages'
+ - '"kernel-core" in ansible_facts.packages'
- '"rsyslog" in ansible_facts.packages'
- rsyslog_old_inc is not skipped and rsyslog_new_inc is not skipped
tags:
@@ -12030,7 +12620,7 @@
- medium_severity | bool
- no_reboot_needed | bool
- rsyslog_files_permissions | bool
- - '"kernel" in ansible_facts.packages'
+ - '"kernel-core" in ansible_facts.packages'
- '"rsyslog" in ansible_facts.packages'
- include_config_output is defined
register: rsyslog_config_files
@@ -12071,7 +12661,7 @@
- medium_severity | bool
- no_reboot_needed | bool
- rsyslog_files_permissions | bool
- - '"kernel" in ansible_facts.packages'
+ - '"kernel-core" in ansible_facts.packages'
- '"rsyslog" in ansible_facts.packages'
- rsyslog_config_files is not skipped
tags:
@@ -12111,7 +12701,7 @@
- medium_severity | bool
- no_reboot_needed | bool
- rsyslog_files_permissions | bool
- - '"kernel" in ansible_facts.packages'
+ - '"kernel-core" in ansible_facts.packages'
- '"rsyslog" in ansible_facts.packages'
- rsyslog_config_files is not skipped
tags:
@@ -12140,7 +12730,7 @@
- medium_severity | bool
- no_reboot_needed | bool
- rsyslog_files_permissions | bool
- - '"kernel" in ansible_facts.packages'
+ - '"kernel-core" in ansible_facts.packages'
- '"rsyslog" in ansible_facts.packages'
tags:
- CCE-83689-0
@@ -12171,7 +12761,7 @@
- medium_severity | bool
- no_reboot_needed | bool
- rsyslog_files_permissions | bool
- - '"kernel" in ansible_facts.packages'
+ - '"kernel-core" in ansible_facts.packages'
- '"rsyslog" in ansible_facts.packages'
tags:
- CCE-83689-0
@@ -12208,7 +12798,7 @@
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- - '"kernel" in ansible_facts.packages'
+ - '"kernel-core" in ansible_facts.packages'
tags:
- CCE-85931-4
- journald_compress
@@ -12229,7 +12819,7 @@
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- - '"kernel" in ansible_facts.packages'
+ - '"kernel-core" in ansible_facts.packages'
tags:
- CCE-85931-4
- journald_compress
@@ -12254,7 +12844,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - count_of_systemd_dropin_files_with_section | int > 0 loop: '{{systemd_dropin_files_with_section.results | sum(attribute=''files'', start=[]) | map(attribute=''path'') | list }}' @@ -12283,7 +12873,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - count_of_systemd_dropin_files_with_section | int == 0 tags: - CCE-85931-4 @@ -12314,7 +12904,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86046-0 - journald_storage @@ -12336,7 +12926,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86046-0 - journald_storage @@ -12361,7 +12951,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - count_of_systemd_dropin_files_with_section | int > 0 loop: '{{systemd_dropin_files_with_section.results | sum(attribute=''files'', start=[]) | map(attribute=''path'') | list }}' @@ -12390,7 +12980,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - count_of_systemd_dropin_files_with_section | int == 0 tags: - CCE-86046-0 
@@ -12406,13 +12996,14 @@
cmd: systemctl -q list-unit-files --type socket
register: result_systemd_unit_files
changed_when: false
+ check_mode: false
when:
- disable_strategy | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- - '"kernel" in ansible_facts.packages'
+ - '"kernel-core" in ansible_facts.packages'
tags:
- CCE-87606-0
- disable_strategy
@@ -12434,7 +13025,7 @@
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- - '"kernel" in ansible_facts.packages'
+ - '"kernel-core" in ansible_facts.packages'
- result_systemd_unit_files.stdout_lines is search("systemd-journal-remote.socket")
tags:
- CCE-87606-0
@@ -12474,7 +13065,7 @@
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- - '"kernel" in ansible_facts.packages'
+ - '"kernel-core" in ansible_facts.packages'
- ansible_facts.services['firewalld.service'].state == 'running'
tags:
- CCE-86137-7
@@ -12504,7 +13095,7 @@
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- - '"kernel" in ansible_facts.packages'
+ - '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86137-7
- PCI-DSSv4-1.4
@@ -12537,7 +13128,7 @@
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- - '"kernel" in ansible_facts.packages'
+ - '"kernel-core" in ansible_facts.packages'
- ansible_facts.services['firewalld.service'].state == 'running'
tags:
- CCE-86116-1
@@ -12567,7 +13158,7 @@
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- - '"kernel" in ansible_facts.packages'
+ - '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86116-1
- PCI-DSSv4-1.4
@@ -12579,16 +13170,12 @@ - medium_severity - no_reboot_needed -- name: List /etc/sysctl.d/*.conf files - ansible.builtin.find: - paths: +- name: Configure Accepting Router Advertisements on All IPv6 Interfaces - Set fact for sysctl paths + ansible.builtin.set_fact: + sysctl_paths: - /etc/sysctl.d/ - /run/sysctl.d/ - /usr/local/lib/sysctl.d/ - contains: ^[\s]*net.ipv6.conf.all.accept_ra.*$ - patterns: '*.conf' - file_type: any - register: find_sysctl_d when: - DISA_STIG_RHEL_09_254010 | bool - disable_strategy | bool @@ -12597,7 +13184,7 @@ - medium_severity | bool - reboot_required | bool - sysctl_net_ipv6_conf_all_accept_ra | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-84120-5 - DISA-STIG-RHEL-09-254010 
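Review bot: `sysctl_paths` is re-set by an identical `ansible.builtin.set_fact` task in front of every sysctl rule (here for `net.ipv6.conf.all.accept_ra`, and again for `accept_redirects`, `accept_source_route`, `forwarding` and the `net.ipv6.conf.default.*` and `net.ipv4.conf.all.*` rules below), each guarded by the rule's own `when` list. A single unconditional task near the top of the play, or a role default such as `sysctl_paths: ['/etc/sysctl.d/', '/run/sysctl.d/', '/usr/local/lib/sysctl.d/']` in `defaults/main.yml`, would remove the repetition and make the search scope visible in one place. If this file is generated from ComplianceAsCode templates, the change belongs in the template rather than in `tasks/main.yml`.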
@@ -12612,12 +13199,75 @@ - reboot_required - sysctl_net_ipv6_conf_all_accept_ra -- name: Comment out any occurrences of net.ipv6.conf.all.accept_ra from config files +- name: Configure Accepting Router Advertisements on All IPv6 Interfaces - Find all files that contain net.ipv6.conf.all.accept_ra + ansible.builtin.shell: + cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv6.conf.all.accept_ra\s*=\s*.*$' + register: find_all_values + check_mode: false + changed_when: false + failed_when: false + when: + - DISA_STIG_RHEL_09_254010 | bool + - disable_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - reboot_required | bool + - sysctl_net_ipv6_conf_all_accept_ra | bool + - '"kernel-core" in ansible_facts.packages' + tags: + - CCE-84120-5 + - DISA-STIG-RHEL-09-254010 + - NIST-800-171-3.1.20 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_net_ipv6_conf_all_accept_ra + +- name: Configure Accepting Router Advertisements on All IPv6 Interfaces - Find all files that set net.ipv6.conf.all.accept_ra + to correct value + ansible.builtin.shell: + cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv6.conf.all.accept_ra\s*=\s*{{ + sysctl_net_ipv6_conf_all_accept_ra_value }}$' + register: find_correct_value + check_mode: false + changed_when: false + failed_when: false + when: + - DISA_STIG_RHEL_09_254010 | bool + - disable_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - reboot_required | bool + - sysctl_net_ipv6_conf_all_accept_ra | bool + - '"kernel-core" in ansible_facts.packages' + tags: + - CCE-84120-5 + - DISA-STIG-RHEL-09-254010 + - NIST-800-171-3.1.20 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - disable_strategy + - 
low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_net_ipv6_conf_all_accept_ra + +- name: Configure Accepting Router Advertisements on All IPv6 Interfaces - Comment out any occurrences of net.ipv6.conf.all.accept_ra + from config files ansible.builtin.replace: - path: '{{ item.path }}' + path: '{{ item | split(":") | first }}' regexp: ^[\s]*net.ipv6.conf.all.accept_ra replace: '#net.ipv6.conf.all.accept_ra' - loop: '{{ find_sysctl_d.files }}' + loop: '{{ find_all_values.stdout_lines }}' when: - DISA_STIG_RHEL_09_254010 | bool - disable_strategy | bool @@ -12626,7 +13276,9 @@ - medium_severity | bool - reboot_required | bool - sysctl_net_ipv6_conf_all_accept_ra | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' + - find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines | length > find_correct_value.stdout_lines + | length tags: - CCE-84120-5 - DISA-STIG-RHEL-09-254010 @@ -12641,7 +13293,7 @@ - reboot_required - sysctl_net_ipv6_conf_all_accept_ra -- name: Ensure sysctl net.ipv6.conf.all.accept_ra is set +- name: Configure Accepting Router Advertisements on All IPv6 Interfaces - Ensure sysctl net.ipv6.conf.all.accept_ra is set ansible.posix.sysctl: name: net.ipv6.conf.all.accept_ra value: '{{ sysctl_net_ipv6_conf_all_accept_ra_value }}' @@ -12656,7 +13308,7 @@ - medium_severity | bool - reboot_required | bool - sysctl_net_ipv6_conf_all_accept_ra | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-84120-5 - DISA-STIG-RHEL-09-254010 
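Review bot: The new `find -L … | xargs grep -HP …` pipelines and the `path: '{{ item | split(":") | first }}'` extraction break for any drop-in filename containing whitespace or a colon, and `sysctl_net_ipv6_conf_all_accept_ra_value` is rendered straight into a single-quoted shell argument and PCRE without `regex_escape` (or `quote`), so a value coming from inventory or extra-vars alters the command rather than only the pattern. The `ansible.builtin.find` module the old code used already performs both searches without a shell, its `.files` list gives `item.path` directly, and the counts compared in the `when` condition become per-file instead of per-matching-line; the sketch below applies that to this rule. Independently, `regexp: ^[\s]*net.ipv6.conf.all.accept_ra` in the comment-out task also matches `net.ipv6.conf.all.accept_ra_defrtr`/`accept_ra_pinfo` lines in the same file; `regexp: ^[\s]*net\.ipv6\.conf\.all\.accept_ra(?=\s*=)` restricts it to the key itself. The same three issues recur in the hunks for `net.ipv6.conf.all.accept_redirects`, `net.ipv6.conf.all.accept_source_route`, `net.ipv6.conf.all.forwarding`, `net.ipv6.conf.default.accept_ra`, `net.ipv6.conf.default.accept_redirects`, `net.ipv6.conf.default.accept_source_route` and `net.ipv4.conf.all.accept_redirects`; if `tasks/main.yml` is generated, fix the template once.
```yaml
- name: Configure Accepting Router Advertisements on All IPv6 Interfaces - Find all files that contain net.ipv6.conf.all.accept_ra
  ansible.builtin.find:
    paths: '{{ sysctl_paths }}'
    patterns: '*.conf'
    file_type: any
    follow: true
    contains: ^\s*net\.ipv6\.conf\.all\.accept_ra\s*=\s*.*$
  register: find_all_values
  # … unchanged: when / tags …

- name: Configure Accepting Router Advertisements on All IPv6 Interfaces - Find all files that set net.ipv6.conf.all.accept_ra to correct value
  ansible.builtin.find:
    paths: '{{ sysctl_paths }}'
    patterns: '*.conf'
    file_type: any
    follow: true
    contains: ^\s*net\.ipv6\.conf\.all\.accept_ra\s*=\s*{{ sysctl_net_ipv6_conf_all_accept_ra_value | regex_escape }}$
  register: find_correct_value
  # … unchanged: when / tags …

- name: Configure Accepting Router Advertisements on All IPv6 Interfaces - Comment out any occurrences of net.ipv6.conf.all.accept_ra from config files
  ansible.builtin.replace:
    path: '{{ item.path }}'
    regexp: ^[\s]*net\.ipv6\.conf\.all\.accept_ra(?=\s*=)
    replace: '#net.ipv6.conf.all.accept_ra'
  loop: '{{ find_all_values.files }}'
  when:
    # … unchanged: rule / strategy conditions …
    - find_correct_value.files | length == 0 or find_all_values.files | length > find_correct_value.files | length
  # … unchanged: tags …
```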
@@ -12671,16 +13323,12 @@ - reboot_required - sysctl_net_ipv6_conf_all_accept_ra -- name: List /etc/sysctl.d/*.conf files - ansible.builtin.find: - paths: +- name: Disable Accepting ICMP Redirects for All IPv6 Interfaces - Set fact for sysctl paths + ansible.builtin.set_fact: + sysctl_paths: - /etc/sysctl.d/ - /run/sysctl.d/ - /usr/local/lib/sysctl.d/ - contains: ^[\s]*net.ipv6.conf.all.accept_redirects.*$ - patterns: '*.conf' - file_type: any - register: find_sysctl_d when: - DISA_STIG_RHEL_09_254015 | bool - disable_strategy | bool @@ -12689,7 +13337,7 @@ - medium_severity | bool - reboot_required | bool - sysctl_net_ipv6_conf_all_accept_redirects | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-84125-4 - DISA-STIG-RHEL-09-254015 
@@ -12706,12 +13354,79 @@ - reboot_required - sysctl_net_ipv6_conf_all_accept_redirects -- name: Comment out any occurrences of net.ipv6.conf.all.accept_redirects from config files +- name: Disable Accepting ICMP Redirects for All IPv6 Interfaces - Find all files that contain net.ipv6.conf.all.accept_redirects + ansible.builtin.shell: + cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv6.conf.all.accept_redirects\s*=\s*.*$' + register: find_all_values + check_mode: false + changed_when: false + failed_when: false + when: + - DISA_STIG_RHEL_09_254015 | bool + - disable_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - reboot_required | bool + - sysctl_net_ipv6_conf_all_accept_redirects | bool + - '"kernel-core" in ansible_facts.packages' + tags: + - CCE-84125-4 + - DISA-STIG-RHEL-09-254015 + - NIST-800-171-3.1.20 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-6(b) + - NIST-800-53-CM-6.1(iv) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_net_ipv6_conf_all_accept_redirects + +- name: Disable Accepting ICMP Redirects for All IPv6 Interfaces - Find all files that set net.ipv6.conf.all.accept_redirects + to correct value + ansible.builtin.shell: + cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv6.conf.all.accept_redirects\s*=\s*{{ + sysctl_net_ipv6_conf_all_accept_redirects_value }}$' + register: find_correct_value + check_mode: false + changed_when: false + failed_when: false + when: + - DISA_STIG_RHEL_09_254015 | bool + - disable_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - reboot_required | bool + - sysctl_net_ipv6_conf_all_accept_redirects | bool + - '"kernel-core" in ansible_facts.packages' + tags: + - CCE-84125-4 + - DISA-STIG-RHEL-09-254015 + - 
NIST-800-171-3.1.20 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-6(b) + - NIST-800-53-CM-6.1(iv) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_net_ipv6_conf_all_accept_redirects + +- name: Disable Accepting ICMP Redirects for All IPv6 Interfaces - Comment out any occurrences of net.ipv6.conf.all.accept_redirects + from config files ansible.builtin.replace: - path: '{{ item.path }}' + path: '{{ item | split(":") | first }}' regexp: ^[\s]*net.ipv6.conf.all.accept_redirects replace: '#net.ipv6.conf.all.accept_redirects' - loop: '{{ find_sysctl_d.files }}' + loop: '{{ find_all_values.stdout_lines }}' when: - DISA_STIG_RHEL_09_254015 | bool - disable_strategy | bool @@ -12720,7 +13435,9 @@ - medium_severity | bool - reboot_required | bool - sysctl_net_ipv6_conf_all_accept_redirects | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' + - find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines | length > find_correct_value.stdout_lines + | length tags: - CCE-84125-4 - DISA-STIG-RHEL-09-254015 @@ -12737,7 +13454,7 @@ - reboot_required - sysctl_net_ipv6_conf_all_accept_redirects -- name: Ensure sysctl net.ipv6.conf.all.accept_redirects is set +- name: Disable Accepting ICMP Redirects for All IPv6 Interfaces - Ensure sysctl net.ipv6.conf.all.accept_redirects is set ansible.posix.sysctl: name: net.ipv6.conf.all.accept_redirects value: '{{ sysctl_net_ipv6_conf_all_accept_redirects_value }}' @@ -12752,7 +13469,7 @@ - medium_severity | bool - reboot_required | bool - sysctl_net_ipv6_conf_all_accept_redirects | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-84125-4 - DISA-STIG-RHEL-09-254015 
@@ -12769,16 +13486,12 @@ - reboot_required - sysctl_net_ipv6_conf_all_accept_redirects -- name: List /etc/sysctl.d/*.conf files - ansible.builtin.find: - paths: +- name: Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces - Set fact for sysctl paths + ansible.builtin.set_fact: + sysctl_paths: - /etc/sysctl.d/ - /run/sysctl.d/ - /usr/local/lib/sysctl.d/ - contains: ^[\s]*net.ipv6.conf.all.accept_source_route.*$ - patterns: '*.conf' - file_type: any - register: find_sysctl_d when: - DISA_STIG_RHEL_09_254020 | bool - disable_strategy | bool @@ -12787,7 +13500,7 @@ - medium_severity | bool - reboot_required | bool - sysctl_net_ipv6_conf_all_accept_source_route | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-84131-2 - DISA-STIG-RHEL-09-254020 
@@ -12802,12 +13515,76 @@ - reboot_required - sysctl_net_ipv6_conf_all_accept_source_route -- name: Comment out any occurrences of net.ipv6.conf.all.accept_source_route from config files +- name: Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces - Find all files that contain + net.ipv6.conf.all.accept_source_route + ansible.builtin.shell: + cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv6.conf.all.accept_source_route\s*=\s*.*$' + register: find_all_values + check_mode: false + changed_when: false + failed_when: false + when: + - DISA_STIG_RHEL_09_254020 | bool + - disable_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - reboot_required | bool + - sysctl_net_ipv6_conf_all_accept_source_route | bool + - '"kernel-core" in ansible_facts.packages' + tags: + - CCE-84131-2 + - DISA-STIG-RHEL-09-254020 + - NIST-800-171-3.1.20 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_net_ipv6_conf_all_accept_source_route + +- name: Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces - Find all files that set net.ipv6.conf.all.accept_source_route + to correct value + ansible.builtin.shell: + cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv6.conf.all.accept_source_route\s*=\s*{{ + sysctl_net_ipv6_conf_all_accept_source_route_value }}$' + register: find_correct_value + check_mode: false + changed_when: false + failed_when: false + when: + - DISA_STIG_RHEL_09_254020 | bool + - disable_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - reboot_required | bool + - sysctl_net_ipv6_conf_all_accept_source_route | bool + - '"kernel-core" in ansible_facts.packages' + tags: + - CCE-84131-2 + - 
DISA-STIG-RHEL-09-254020 + - NIST-800-171-3.1.20 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_net_ipv6_conf_all_accept_source_route + +- name: Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces - Comment out any occurrences + of net.ipv6.conf.all.accept_source_route from config files ansible.builtin.replace: - path: '{{ item.path }}' + path: '{{ item | split(":") | first }}' regexp: ^[\s]*net.ipv6.conf.all.accept_source_route replace: '#net.ipv6.conf.all.accept_source_route' - loop: '{{ find_sysctl_d.files }}' + loop: '{{ find_all_values.stdout_lines }}' when: - DISA_STIG_RHEL_09_254020 | bool - disable_strategy | bool @@ -12816,7 +13593,9 @@ - medium_severity | bool - reboot_required | bool - sysctl_net_ipv6_conf_all_accept_source_route | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' + - find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines | length > find_correct_value.stdout_lines + | length tags: - CCE-84131-2 - DISA-STIG-RHEL-09-254020 @@ -12831,7 +13610,8 @@ - reboot_required - sysctl_net_ipv6_conf_all_accept_source_route -- name: Ensure sysctl net.ipv6.conf.all.accept_source_route is set +- name: Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces - Ensure sysctl net.ipv6.conf.all.accept_source_route + is set ansible.posix.sysctl: name: net.ipv6.conf.all.accept_source_route value: '{{ sysctl_net_ipv6_conf_all_accept_source_route_value }}' @@ -12846,7 +13626,7 @@ - medium_severity | bool - reboot_required | bool - sysctl_net_ipv6_conf_all_accept_source_route | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-84131-2 - DISA-STIG-RHEL-09-254020 
@@ -12861,16 +13641,12 @@ - reboot_required - sysctl_net_ipv6_conf_all_accept_source_route -- name: List /etc/sysctl.d/*.conf files - ansible.builtin.find: - paths: +- name: Disable Kernel Parameter for IPv6 Forwarding - Set fact for sysctl paths + ansible.builtin.set_fact: + sysctl_paths: - /etc/sysctl.d/ - /run/sysctl.d/ - /usr/local/lib/sysctl.d/ - contains: ^[\s]*net.ipv6.conf.all.forwarding.*$ - patterns: '*.conf' - file_type: any - register: find_sysctl_d when: - DISA_STIG_RHEL_09_254025 | bool - disable_strategy | bool @@ -12879,7 +13655,7 @@ - medium_severity | bool - reboot_required | bool - sysctl_net_ipv6_conf_all_forwarding | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-84114-8 - DISA-STIG-RHEL-09-254025 
@@ -12895,12 +13671,76 @@ - reboot_required - sysctl_net_ipv6_conf_all_forwarding -- name: Comment out any occurrences of net.ipv6.conf.all.forwarding from config files +- name: Disable Kernel Parameter for IPv6 Forwarding - Find all files that contain net.ipv6.conf.all.forwarding + ansible.builtin.shell: + cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv6.conf.all.forwarding\s*=\s*.*$' + register: find_all_values + check_mode: false + changed_when: false + failed_when: false + when: + - DISA_STIG_RHEL_09_254025 | bool + - disable_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - reboot_required | bool + - sysctl_net_ipv6_conf_all_forwarding | bool + - '"kernel-core" in ansible_facts.packages' + tags: + - CCE-84114-8 + - DISA-STIG-RHEL-09-254025 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-6(b) + - NIST-800-53-CM-6.1(iv) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_net_ipv6_conf_all_forwarding + +- name: Disable Kernel Parameter for IPv6 Forwarding - Find all files that set net.ipv6.conf.all.forwarding to correct value + ansible.builtin.shell: + cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv6.conf.all.forwarding\s*=\s*{{ + sysctl_net_ipv6_conf_all_forwarding_value }}$' + register: find_correct_value + check_mode: false + changed_when: false + failed_when: false + when: + - DISA_STIG_RHEL_09_254025 | bool + - disable_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - reboot_required | bool + - sysctl_net_ipv6_conf_all_forwarding | bool + - '"kernel-core" in ansible_facts.packages' + tags: + - CCE-84114-8 + - DISA-STIG-RHEL-09-254025 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-6(b) + - NIST-800-53-CM-6.1(iv) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - 
disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_net_ipv6_conf_all_forwarding + +- name: Disable Kernel Parameter for IPv6 Forwarding - Comment out any occurrences of net.ipv6.conf.all.forwarding from config + files ansible.builtin.replace: - path: '{{ item.path }}' + path: '{{ item | split(":") | first }}' regexp: ^[\s]*net.ipv6.conf.all.forwarding replace: '#net.ipv6.conf.all.forwarding' - loop: '{{ find_sysctl_d.files }}' + loop: '{{ find_all_values.stdout_lines }}' when: - DISA_STIG_RHEL_09_254025 | bool - disable_strategy | bool @@ -12909,7 +13749,9 @@ - medium_severity | bool - reboot_required | bool - sysctl_net_ipv6_conf_all_forwarding | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' + - find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines | length > find_correct_value.stdout_lines + | length tags: - CCE-84114-8 - DISA-STIG-RHEL-09-254025 @@ -12925,7 +13767,7 @@ - reboot_required - sysctl_net_ipv6_conf_all_forwarding -- name: Ensure sysctl net.ipv6.conf.all.forwarding is set +- name: Disable Kernel Parameter for IPv6 Forwarding - Ensure sysctl net.ipv6.conf.all.forwarding is set ansible.posix.sysctl: name: net.ipv6.conf.all.forwarding value: '{{ sysctl_net_ipv6_conf_all_forwarding_value }}' @@ -12940,7 +13782,7 @@ - medium_severity | bool - reboot_required | bool - sysctl_net_ipv6_conf_all_forwarding | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-84114-8 - DISA-STIG-RHEL-09-254025 
@@ -12956,16 +13798,12 @@ - reboot_required - sysctl_net_ipv6_conf_all_forwarding -- name: List /etc/sysctl.d/*.conf files - ansible.builtin.find: - paths: +- name: Disable Accepting Router Advertisements on all IPv6 Interfaces by Default - Set fact for sysctl paths + ansible.builtin.set_fact: + sysctl_paths: - /etc/sysctl.d/ - /run/sysctl.d/ - /usr/local/lib/sysctl.d/ - contains: ^[\s]*net.ipv6.conf.default.accept_ra.*$ - patterns: '*.conf' - file_type: any - register: find_sysctl_d when: - DISA_STIG_RHEL_09_254030 | bool - disable_strategy | bool @@ -12974,7 +13812,7 @@ - medium_severity | bool - reboot_required | bool - sysctl_net_ipv6_conf_default_accept_ra | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-84124-7 - DISA-STIG-RHEL-09-254030 
@@ -12989,12 +13827,75 @@ - reboot_required - sysctl_net_ipv6_conf_default_accept_ra -- name: Comment out any occurrences of net.ipv6.conf.default.accept_ra from config files +- name: Disable Accepting Router Advertisements on all IPv6 Interfaces by Default - Find all files that contain net.ipv6.conf.default.accept_ra + ansible.builtin.shell: + cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv6.conf.default.accept_ra\s*=\s*.*$' + register: find_all_values + check_mode: false + changed_when: false + failed_when: false + when: + - DISA_STIG_RHEL_09_254030 | bool + - disable_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - reboot_required | bool + - sysctl_net_ipv6_conf_default_accept_ra | bool + - '"kernel-core" in ansible_facts.packages' + tags: + - CCE-84124-7 + - DISA-STIG-RHEL-09-254030 + - NIST-800-171-3.1.20 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_net_ipv6_conf_default_accept_ra + +- name: Disable Accepting Router Advertisements on all IPv6 Interfaces by Default - Find all files that set net.ipv6.conf.default.accept_ra + to correct value + ansible.builtin.shell: + cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv6.conf.default.accept_ra\s*=\s*{{ + sysctl_net_ipv6_conf_default_accept_ra_value }}$' + register: find_correct_value + check_mode: false + changed_when: false + failed_when: false + when: + - DISA_STIG_RHEL_09_254030 | bool + - disable_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - reboot_required | bool + - sysctl_net_ipv6_conf_default_accept_ra | bool + - '"kernel-core" in ansible_facts.packages' + tags: + - CCE-84124-7 + - DISA-STIG-RHEL-09-254030 + - NIST-800-171-3.1.20 + - NIST-800-53-CM-6(a) + - 
NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_net_ipv6_conf_default_accept_ra + +- name: Disable Accepting Router Advertisements on all IPv6 Interfaces by Default - Comment out any occurrences of net.ipv6.conf.default.accept_ra + from config files ansible.builtin.replace: - path: '{{ item.path }}' + path: '{{ item | split(":") | first }}' regexp: ^[\s]*net.ipv6.conf.default.accept_ra replace: '#net.ipv6.conf.default.accept_ra' - loop: '{{ find_sysctl_d.files }}' + loop: '{{ find_all_values.stdout_lines }}' when: - DISA_STIG_RHEL_09_254030 | bool - disable_strategy | bool @@ -13003,7 +13904,9 @@ - medium_severity | bool - reboot_required | bool - sysctl_net_ipv6_conf_default_accept_ra | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' + - find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines | length > find_correct_value.stdout_lines + | length tags: - CCE-84124-7 - DISA-STIG-RHEL-09-254030 @@ -13018,7 +13921,8 @@ - reboot_required - sysctl_net_ipv6_conf_default_accept_ra -- name: Ensure sysctl net.ipv6.conf.default.accept_ra is set +- name: Disable Accepting Router Advertisements on all IPv6 Interfaces by Default - Ensure sysctl net.ipv6.conf.default.accept_ra + is set ansible.posix.sysctl: name: net.ipv6.conf.default.accept_ra value: '{{ sysctl_net_ipv6_conf_default_accept_ra_value }}' @@ -13033,7 +13937,7 @@ - medium_severity | bool - reboot_required | bool - sysctl_net_ipv6_conf_default_accept_ra | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-84124-7 - DISA-STIG-RHEL-09-254030 
@@ -13048,16 +13952,12 @@ - reboot_required - sysctl_net_ipv6_conf_default_accept_ra -- name: List /etc/sysctl.d/*.conf files - ansible.builtin.find: - paths: +- name: Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces - Set fact for sysctl paths + ansible.builtin.set_fact: + sysctl_paths: - /etc/sysctl.d/ - /run/sysctl.d/ - /usr/local/lib/sysctl.d/ - contains: ^[\s]*net.ipv6.conf.default.accept_redirects.*$ - patterns: '*.conf' - file_type: any - register: find_sysctl_d when: - DISA_STIG_RHEL_09_254035 | bool - disable_strategy | bool @@ -13066,7 +13966,7 @@ - medium_severity | bool - reboot_required | bool - sysctl_net_ipv6_conf_default_accept_redirects | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-84113-0 - DISA-STIG-RHEL-09-254035 
@@ -13081,12 +13981,76 @@ - reboot_required - sysctl_net_ipv6_conf_default_accept_redirects -- name: Comment out any occurrences of net.ipv6.conf.default.accept_redirects from config files +- name: Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces - Find all files that contain + net.ipv6.conf.default.accept_redirects + ansible.builtin.shell: + cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv6.conf.default.accept_redirects\s*=\s*.*$' + register: find_all_values + check_mode: false + changed_when: false + failed_when: false + when: + - DISA_STIG_RHEL_09_254035 | bool + - disable_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - reboot_required | bool + - sysctl_net_ipv6_conf_default_accept_redirects | bool + - '"kernel-core" in ansible_facts.packages' + tags: + - CCE-84113-0 + - DISA-STIG-RHEL-09-254035 + - NIST-800-171-3.1.20 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_net_ipv6_conf_default_accept_redirects + +- name: Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces - Find all files that set net.ipv6.conf.default.accept_redirects + to correct value + ansible.builtin.shell: + cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv6.conf.default.accept_redirects\s*=\s*{{ + sysctl_net_ipv6_conf_default_accept_redirects_value }}$' + register: find_correct_value + check_mode: false + changed_when: false + failed_when: false + when: + - DISA_STIG_RHEL_09_254035 | bool + - disable_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - reboot_required | bool + - sysctl_net_ipv6_conf_default_accept_redirects | bool + - '"kernel-core" in ansible_facts.packages' + tags: + - CCE-84113-0 
+ - DISA-STIG-RHEL-09-254035 + - NIST-800-171-3.1.20 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_net_ipv6_conf_default_accept_redirects + +- name: Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces - Comment out any occurrences + of net.ipv6.conf.default.accept_redirects from config files ansible.builtin.replace: - path: '{{ item.path }}' + path: '{{ item | split(":") | first }}' regexp: ^[\s]*net.ipv6.conf.default.accept_redirects replace: '#net.ipv6.conf.default.accept_redirects' - loop: '{{ find_sysctl_d.files }}' + loop: '{{ find_all_values.stdout_lines }}' when: - DISA_STIG_RHEL_09_254035 | bool - disable_strategy | bool @@ -13095,7 +14059,9 @@ - medium_severity | bool - reboot_required | bool - sysctl_net_ipv6_conf_default_accept_redirects | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' + - find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines | length > find_correct_value.stdout_lines + | length tags: - CCE-84113-0 - DISA-STIG-RHEL-09-254035 @@ -13110,7 +14076,8 @@ - reboot_required - sysctl_net_ipv6_conf_default_accept_redirects -- name: Ensure sysctl net.ipv6.conf.default.accept_redirects is set +- name: Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces - Ensure sysctl net.ipv6.conf.default.accept_redirects + is set ansible.posix.sysctl: name: net.ipv6.conf.default.accept_redirects value: '{{ sysctl_net_ipv6_conf_default_accept_redirects_value }}' @@ -13125,7 +14092,7 @@ - medium_severity | bool - reboot_required | bool - sysctl_net_ipv6_conf_default_accept_redirects | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-84113-0 - DISA-STIG-RHEL-09-254035 
@@ -13140,16 +14107,12 @@ - reboot_required - sysctl_net_ipv6_conf_default_accept_redirects -- name: List /etc/sysctl.d/*.conf files - ansible.builtin.find: - paths: +- name: Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default - Set fact for sysctl paths + ansible.builtin.set_fact: + sysctl_paths: - /etc/sysctl.d/ - /run/sysctl.d/ - /usr/local/lib/sysctl.d/ - contains: ^[\s]*net.ipv6.conf.default.accept_source_route.*$ - patterns: '*.conf' - file_type: any - register: find_sysctl_d when: - DISA_STIG_RHEL_09_254040 | bool - disable_strategy | bool @@ -13158,7 +14121,7 @@ - medium_severity | bool - reboot_required | bool - sysctl_net_ipv6_conf_default_accept_source_route | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-84130-4 - DISA-STIG-RHEL-09-254040 
@@ -13178,12 +14141,86 @@ - reboot_required - sysctl_net_ipv6_conf_default_accept_source_route -- name: Comment out any occurrences of net.ipv6.conf.default.accept_source_route from config files +- name: Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default - Find all files that contain + net.ipv6.conf.default.accept_source_route + ansible.builtin.shell: + cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv6.conf.default.accept_source_route\s*=\s*.*$' + register: find_all_values + check_mode: false + changed_when: false + failed_when: false + when: + - DISA_STIG_RHEL_09_254040 | bool + - disable_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - reboot_required | bool + - sysctl_net_ipv6_conf_default_accept_source_route | bool + - '"kernel-core" in ansible_facts.packages' + tags: + - CCE-84130-4 + - DISA-STIG-RHEL-09-254040 + - NIST-800-171-3.1.20 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-6(b) + - NIST-800-53-CM-6.1(iv) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - PCI-DSS-Req-1.4.3 + - PCI-DSSv4-1.4 + - PCI-DSSv4-1.4.2 + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_net_ipv6_conf_default_accept_source_route + +- name: Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default - Find all files that set + net.ipv6.conf.default.accept_source_route to correct value + ansible.builtin.shell: + cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv6.conf.default.accept_source_route\s*=\s*{{ + sysctl_net_ipv6_conf_default_accept_source_route_value }}$' + register: find_correct_value + check_mode: false + changed_when: false + failed_when: false + when: + - DISA_STIG_RHEL_09_254040 | bool + - disable_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + 
- reboot_required | bool + - sysctl_net_ipv6_conf_default_accept_source_route | bool + - '"kernel-core" in ansible_facts.packages' + tags: + - CCE-84130-4 + - DISA-STIG-RHEL-09-254040 + - NIST-800-171-3.1.20 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-6(b) + - NIST-800-53-CM-6.1(iv) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - PCI-DSS-Req-1.4.3 + - PCI-DSSv4-1.4 + - PCI-DSSv4-1.4.2 + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_net_ipv6_conf_default_accept_source_route + +- name: Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default - Comment out any occurrences + of net.ipv6.conf.default.accept_source_route from config files ansible.builtin.replace: - path: '{{ item.path }}' + path: '{{ item | split(":") | first }}' regexp: ^[\s]*net.ipv6.conf.default.accept_source_route replace: '#net.ipv6.conf.default.accept_source_route' - loop: '{{ find_sysctl_d.files }}' + loop: '{{ find_all_values.stdout_lines }}' when: - DISA_STIG_RHEL_09_254040 | bool - disable_strategy | bool @@ -13192,7 +14229,9 @@ - medium_severity | bool - reboot_required | bool - sysctl_net_ipv6_conf_default_accept_source_route | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' + - find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines | length > find_correct_value.stdout_lines + | length tags: - CCE-84130-4 - DISA-STIG-RHEL-09-254040 @@ -13212,7 +14251,8 @@ - reboot_required - sysctl_net_ipv6_conf_default_accept_source_route -- name: Ensure sysctl net.ipv6.conf.default.accept_source_route is set +- name: Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default - Ensure sysctl net.ipv6.conf.default.accept_source_route + is set ansible.posix.sysctl: name: net.ipv6.conf.default.accept_source_route value: '{{ sysctl_net_ipv6_conf_default_accept_source_route_value }}' 
@@ -13227,7 +14267,7 @@ - medium_severity | bool - reboot_required | bool - sysctl_net_ipv6_conf_default_accept_source_route | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-84130-4 - DISA-STIG-RHEL-09-254040 @@ -13247,16 +14287,12 @@ - reboot_required - sysctl_net_ipv6_conf_default_accept_source_route -- name: List /etc/sysctl.d/*.conf files - ansible.builtin.find: - paths: +- name: Disable Accepting ICMP Redirects for All IPv4 Interfaces - Set fact for sysctl paths + ansible.builtin.set_fact: + sysctl_paths: - /etc/sysctl.d/ - /run/sysctl.d/ - /usr/local/lib/sysctl.d/ - contains: ^[\s]*net.ipv4.conf.all.accept_redirects.*$ - patterns: '*.conf' - file_type: any - register: find_sysctl_d when: - DISA_STIG_RHEL_09_253015 | bool - disable_strategy | bool @@ -13265,7 +14301,7 @@ - medium_severity | bool - reboot_required | bool - sysctl_net_ipv4_conf_all_accept_redirects | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-84011-6 - CJIS-5.10.1.1 
@@ -13282,12 +14318,79 @@ - reboot_required - sysctl_net_ipv4_conf_all_accept_redirects -- name: Comment out any occurrences of net.ipv4.conf.all.accept_redirects from config files +- name: Disable Accepting ICMP Redirects for All IPv4 Interfaces - Find all files that contain net.ipv4.conf.all.accept_redirects + ansible.builtin.shell: + cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv4.conf.all.accept_redirects\s*=\s*.*$' + register: find_all_values + check_mode: false + changed_when: false + failed_when: false + when: + - DISA_STIG_RHEL_09_253015 | bool + - disable_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - reboot_required | bool + - sysctl_net_ipv4_conf_all_accept_redirects | bool + - '"kernel-core" in ansible_facts.packages' + tags: + - CCE-84011-6 + - CJIS-5.10.1.1 + - DISA-STIG-RHEL-09-253015 + - NIST-800-171-3.1.20 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-SC-7(a) + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_net_ipv4_conf_all_accept_redirects + +- name: Disable Accepting ICMP Redirects for All IPv4 Interfaces - Find all files that set net.ipv4.conf.all.accept_redirects + to correct value + ansible.builtin.shell: + cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv4.conf.all.accept_redirects\s*=\s*{{ + sysctl_net_ipv4_conf_all_accept_redirects_value }}$' + register: find_correct_value + check_mode: false + changed_when: false + failed_when: false + when: + - DISA_STIG_RHEL_09_253015 | bool + - disable_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - reboot_required | bool + - sysctl_net_ipv4_conf_all_accept_redirects | bool + - '"kernel-core" in ansible_facts.packages' + tags: + - CCE-84011-6 + - CJIS-5.10.1.1 + - DISA-STIG-RHEL-09-253015 + - 
NIST-800-171-3.1.20 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-SC-7(a) + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_net_ipv4_conf_all_accept_redirects + +- name: Disable Accepting ICMP Redirects for All IPv4 Interfaces - Comment out any occurrences of net.ipv4.conf.all.accept_redirects + from config files ansible.builtin.replace: - path: '{{ item.path }}' + path: '{{ item | split(":") | first }}' regexp: ^[\s]*net.ipv4.conf.all.accept_redirects replace: '#net.ipv4.conf.all.accept_redirects' - loop: '{{ find_sysctl_d.files }}' + loop: '{{ find_all_values.stdout_lines }}' when: - DISA_STIG_RHEL_09_253015 | bool - disable_strategy | bool @@ -13296,7 +14399,9 @@ - medium_severity | bool - reboot_required | bool - sysctl_net_ipv4_conf_all_accept_redirects | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' + - find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines | length > find_correct_value.stdout_lines + | length tags: - CCE-84011-6 - CJIS-5.10.1.1 @@ -13313,7 +14418,7 @@ - reboot_required - sysctl_net_ipv4_conf_all_accept_redirects -- name: Ensure sysctl net.ipv4.conf.all.accept_redirects is set +- name: Disable Accepting ICMP Redirects for All IPv4 Interfaces - Ensure sysctl net.ipv4.conf.all.accept_redirects is set ansible.posix.sysctl: name: net.ipv4.conf.all.accept_redirects value: '{{ sysctl_net_ipv4_conf_all_accept_redirects_value }}' @@ -13328,7 +14433,7 @@ - medium_severity | bool - reboot_required | bool - sysctl_net_ipv4_conf_all_accept_redirects | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-84011-6 - CJIS-5.10.1.1 
@@ -13345,16 +14450,12 @@ - reboot_required - sysctl_net_ipv4_conf_all_accept_redirects -- name: List /etc/sysctl.d/*.conf files - ansible.builtin.find: - paths: +- name: Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces - Set fact for sysctl paths + ansible.builtin.set_fact: + sysctl_paths: - /etc/sysctl.d/ - /run/sysctl.d/ - /usr/local/lib/sysctl.d/ - contains: ^[\s]*net.ipv4.conf.all.accept_source_route.*$ - patterns: '*.conf' - file_type: any - register: find_sysctl_d when: - DISA_STIG_RHEL_09_253020 | bool - disable_strategy | bool @@ -13363,7 +14464,7 @@ - medium_severity | bool - reboot_required | bool - sysctl_net_ipv4_conf_all_accept_source_route | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-84001-7 - DISA-STIG-RHEL-09-253020 
@@ -13380,12 +14481,80 @@ - reboot_required - sysctl_net_ipv4_conf_all_accept_source_route -- name: Comment out any occurrences of net.ipv4.conf.all.accept_source_route from config files +- name: Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces - Find all files that contain + net.ipv4.conf.all.accept_source_route + ansible.builtin.shell: + cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv4.conf.all.accept_source_route\s*=\s*.*$' + register: find_all_values + check_mode: false + changed_when: false + failed_when: false + when: + - DISA_STIG_RHEL_09_253020 | bool + - disable_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - reboot_required | bool + - sysctl_net_ipv4_conf_all_accept_source_route | bool + - '"kernel-core" in ansible_facts.packages' + tags: + - CCE-84001-7 + - DISA-STIG-RHEL-09-253020 + - NIST-800-171-3.1.20 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-SC-5 + - NIST-800-53-SC-7(a) + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_net_ipv4_conf_all_accept_source_route + +- name: Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces - Find all files that set net.ipv4.conf.all.accept_source_route + to correct value + ansible.builtin.shell: + cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv4.conf.all.accept_source_route\s*=\s*{{ + sysctl_net_ipv4_conf_all_accept_source_route_value }}$' + register: find_correct_value + check_mode: false + changed_when: false + failed_when: false + when: + - DISA_STIG_RHEL_09_253020 | bool + - disable_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - reboot_required | bool + - sysctl_net_ipv4_conf_all_accept_source_route | bool + - '"kernel-core" in 
ansible_facts.packages' + tags: + - CCE-84001-7 + - DISA-STIG-RHEL-09-253020 + - NIST-800-171-3.1.20 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-SC-5 + - NIST-800-53-SC-7(a) + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_net_ipv4_conf_all_accept_source_route + +- name: Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces - Comment out any occurrences + of net.ipv4.conf.all.accept_source_route from config files ansible.builtin.replace: - path: '{{ item.path }}' + path: '{{ item | split(":") | first }}' regexp: ^[\s]*net.ipv4.conf.all.accept_source_route replace: '#net.ipv4.conf.all.accept_source_route' - loop: '{{ find_sysctl_d.files }}' + loop: '{{ find_all_values.stdout_lines }}' when: - DISA_STIG_RHEL_09_253020 | bool - disable_strategy | bool @@ -13394,7 +14563,9 @@ - medium_severity | bool - reboot_required | bool - sysctl_net_ipv4_conf_all_accept_source_route | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' + - find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines | length > find_correct_value.stdout_lines + | length tags: - CCE-84001-7 - DISA-STIG-RHEL-09-253020 @@ -13411,7 +14582,8 @@ - reboot_required - sysctl_net_ipv4_conf_all_accept_source_route -- name: Ensure sysctl net.ipv4.conf.all.accept_source_route is set +- name: Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces - Ensure sysctl net.ipv4.conf.all.accept_source_route + is set ansible.posix.sysctl: name: net.ipv4.conf.all.accept_source_route value: '{{ sysctl_net_ipv4_conf_all_accept_source_route_value }}' 
@@ -13426,7 +14598,7 @@ - medium_severity | bool - reboot_required | bool - sysctl_net_ipv4_conf_all_accept_source_route | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-84001-7 - DISA-STIG-RHEL-09-253020 @@ -13443,16 +14615,12 @@ - reboot_required - sysctl_net_ipv4_conf_all_accept_source_route -- name: List /etc/sysctl.d/*.conf files - ansible.builtin.find: - paths: +- name: Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces - Set fact for sysctl paths + ansible.builtin.set_fact: + sysctl_paths: - /etc/sysctl.d/ - /run/sysctl.d/ - /usr/local/lib/sysctl.d/ - contains: ^[\s]*net.ipv4.conf.all.log_martians.*$ - patterns: '*.conf' - file_type: any - register: find_sysctl_d when: - DISA_STIG_RHEL_09_253025 | bool - disable_strategy | bool @@ -13461,7 +14629,7 @@ - reboot_required | bool - sysctl_net_ipv4_conf_all_log_martians | bool - unknown_severity | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-84000-9 - DISA-STIG-RHEL-09-253025 
@@ -13476,12 +14644,75 @@ - sysctl_net_ipv4_conf_all_log_martians - unknown_severity -- name: Comment out any occurrences of net.ipv4.conf.all.log_martians from config files +- name: Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces - Find all files that contain net.ipv4.conf.all.log_martians + ansible.builtin.shell: + cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv4.conf.all.log_martians\s*=\s*.*$' + register: find_all_values + check_mode: false + changed_when: false + failed_when: false + when: + - DISA_STIG_RHEL_09_253025 | bool + - disable_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - reboot_required | bool + - sysctl_net_ipv4_conf_all_log_martians | bool + - unknown_severity | bool + - '"kernel-core" in ansible_facts.packages' + tags: + - CCE-84000-9 + - DISA-STIG-RHEL-09-253025 + - NIST-800-171-3.1.20 + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-SC-5(3)(a) + - disable_strategy + - low_complexity + - medium_disruption + - reboot_required + - sysctl_net_ipv4_conf_all_log_martians + - unknown_severity + +- name: Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces - Find all files that set net.ipv4.conf.all.log_martians + to correct value + ansible.builtin.shell: + cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv4.conf.all.log_martians\s*=\s*{{ + sysctl_net_ipv4_conf_all_log_martians_value }}$' + register: find_correct_value + check_mode: false + changed_when: false + failed_when: false + when: + - DISA_STIG_RHEL_09_253025 | bool + - disable_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - reboot_required | bool + - sysctl_net_ipv4_conf_all_log_martians | bool + - unknown_severity | bool + - '"kernel-core" in ansible_facts.packages' + tags: + - CCE-84000-9 + - DISA-STIG-RHEL-09-253025 + - NIST-800-171-3.1.20 + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + 
- NIST-800-53-SC-5(3)(a) + - disable_strategy + - low_complexity + - medium_disruption + - reboot_required + - sysctl_net_ipv4_conf_all_log_martians + - unknown_severity + +- name: Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces - Comment out any occurrences of net.ipv4.conf.all.log_martians + from config files ansible.builtin.replace: - path: '{{ item.path }}' + path: '{{ item | split(":") | first }}' regexp: ^[\s]*net.ipv4.conf.all.log_martians replace: '#net.ipv4.conf.all.log_martians' - loop: '{{ find_sysctl_d.files }}' + loop: '{{ find_all_values.stdout_lines }}' when: - DISA_STIG_RHEL_09_253025 | bool - disable_strategy | bool @@ -13490,7 +14721,9 @@ - reboot_required | bool - sysctl_net_ipv4_conf_all_log_martians | bool - unknown_severity | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' + - find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines | length > find_correct_value.stdout_lines + | length tags: - CCE-84000-9 - DISA-STIG-RHEL-09-253025 @@ -13505,7 +14738,8 @@ - sysctl_net_ipv4_conf_all_log_martians - unknown_severity -- name: Ensure sysctl net.ipv4.conf.all.log_martians is set +- name: Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces - Ensure sysctl net.ipv4.conf.all.log_martians + is set ansible.posix.sysctl: name: net.ipv4.conf.all.log_martians value: '{{ sysctl_net_ipv4_conf_all_log_martians_value }}' @@ -13520,7 +14754,7 @@ - reboot_required | bool - sysctl_net_ipv4_conf_all_log_martians | bool - unknown_severity | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-84000-9 - DISA-STIG-RHEL-09-253025 
@@ -13535,16 +14769,12 @@ - sysctl_net_ipv4_conf_all_log_martians - unknown_severity -- name: List /etc/sysctl.d/*.conf files - ansible.builtin.find: - paths: +- name: Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces - Set fact for sysctl paths + ansible.builtin.set_fact: + sysctl_paths: - /etc/sysctl.d/ - /run/sysctl.d/ - /usr/local/lib/sysctl.d/ - contains: ^[\s]*net.ipv4.conf.all.rp_filter.*$ - patterns: '*.conf' - file_type: any - register: find_sysctl_d when: - DISA_STIG_RHEL_09_253035 | bool - disable_strategy | bool @@ -13553,7 +14783,7 @@ - medium_severity | bool - reboot_required | bool - sysctl_net_ipv4_conf_all_rp_filter | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-84008-2 - DISA-STIG-RHEL-09-253035 
@@ -13572,12 +14802,83 @@ - reboot_required - sysctl_net_ipv4_conf_all_rp_filter -- name: Comment out any occurrences of net.ipv4.conf.all.rp_filter from config files +- name: Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces - Find all files that contain net.ipv4.conf.all.rp_filter + ansible.builtin.shell: + cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv4.conf.all.rp_filter\s*=\s*.*$' + register: find_all_values + check_mode: false + changed_when: false + failed_when: false + when: + - DISA_STIG_RHEL_09_253035 | bool + - disable_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - reboot_required | bool + - sysctl_net_ipv4_conf_all_rp_filter | bool + - '"kernel-core" in ansible_facts.packages' + tags: + - CCE-84008-2 + - DISA-STIG-RHEL-09-253035 + - NIST-800-171-3.1.20 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-SC-7(a) + - PCI-DSS-Req-1.4.3 + - PCI-DSSv4-1.4 + - PCI-DSSv4-1.4.3 + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_net_ipv4_conf_all_rp_filter + +- name: Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces - Find all files that set net.ipv4.conf.all.rp_filter + to correct value + ansible.builtin.shell: + cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv4.conf.all.rp_filter\s*=\s*{{ + sysctl_net_ipv4_conf_all_rp_filter_value }}$' + register: find_correct_value + check_mode: false + changed_when: false + failed_when: false + when: + - DISA_STIG_RHEL_09_253035 | bool + - disable_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - reboot_required | bool + - sysctl_net_ipv4_conf_all_rp_filter | bool + - '"kernel-core" in ansible_facts.packages' + tags: + - CCE-84008-2 + - DISA-STIG-RHEL-09-253035 + - 
NIST-800-171-3.1.20 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-SC-7(a) + - PCI-DSS-Req-1.4.3 + - PCI-DSSv4-1.4 + - PCI-DSSv4-1.4.3 + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_net_ipv4_conf_all_rp_filter + +- name: Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces - Comment out any occurrences of net.ipv4.conf.all.rp_filter + from config files ansible.builtin.replace: - path: '{{ item.path }}' + path: '{{ item | split(":") | first }}' regexp: ^[\s]*net.ipv4.conf.all.rp_filter replace: '#net.ipv4.conf.all.rp_filter' - loop: '{{ find_sysctl_d.files }}' + loop: '{{ find_all_values.stdout_lines }}' when: - DISA_STIG_RHEL_09_253035 | bool - disable_strategy | bool @@ -13586,7 +14887,9 @@ - medium_severity | bool - reboot_required | bool - sysctl_net_ipv4_conf_all_rp_filter | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' + - find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines | length > find_correct_value.stdout_lines + | length tags: - CCE-84008-2 - DISA-STIG-RHEL-09-253035 @@ -13605,7 +14908,8 @@ - reboot_required - sysctl_net_ipv4_conf_all_rp_filter -- name: Ensure sysctl net.ipv4.conf.all.rp_filter is set +- name: Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces - Ensure sysctl net.ipv4.conf.all.rp_filter + is set ansible.posix.sysctl: name: net.ipv4.conf.all.rp_filter value: '{{ sysctl_net_ipv4_conf_all_rp_filter_value }}' @@ -13620,7 +14924,7 @@ - medium_severity | bool - reboot_required | bool - sysctl_net_ipv4_conf_all_rp_filter | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-84008-2 - DISA-STIG-RHEL-09-253035 
@@ -13639,16 +14943,12 @@ - reboot_required - sysctl_net_ipv4_conf_all_rp_filter -- name: List /etc/sysctl.d/*.conf files - ansible.builtin.find: - paths: +- name: Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces - Set fact for sysctl paths + ansible.builtin.set_fact: + sysctl_paths: - /etc/sysctl.d/ - /run/sysctl.d/ - /usr/local/lib/sysctl.d/ - contains: ^[\s]*net.ipv4.conf.all.secure_redirects.*$ - patterns: '*.conf' - file_type: any - register: find_sysctl_d when: - disable_strategy | bool - low_complexity | bool @@ -13656,7 +14956,7 @@ - medium_severity | bool - reboot_required | bool - sysctl_net_ipv4_conf_all_secure_redirects | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-84016-5 - NIST-800-171-3.1.20 
@@ -13674,12 +14974,80 @@ - reboot_required - sysctl_net_ipv4_conf_all_secure_redirects -- name: Comment out any occurrences of net.ipv4.conf.all.secure_redirects from config files +- name: Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces - Find all files that contain + net.ipv4.conf.all.secure_redirects + ansible.builtin.shell: + cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv4.conf.all.secure_redirects\s*=\s*.*$' + register: find_all_values + check_mode: false + changed_when: false + failed_when: false + when: + - disable_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - reboot_required | bool + - sysctl_net_ipv4_conf_all_secure_redirects | bool + - '"kernel-core" in ansible_facts.packages' + tags: + - CCE-84016-5 + - NIST-800-171-3.1.20 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-SC-7(a) + - PCI-DSS-Req-1.4.3 + - PCI-DSSv4-1.4 + - PCI-DSSv4-1.4.3 + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_net_ipv4_conf_all_secure_redirects + +- name: Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces - Find all files that set net.ipv4.conf.all.secure_redirects + to correct value + ansible.builtin.shell: + cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv4.conf.all.secure_redirects\s*=\s*{{ + sysctl_net_ipv4_conf_all_secure_redirects_value }}$' + register: find_correct_value + check_mode: false + changed_when: false + failed_when: false + when: + - disable_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - reboot_required | bool + - sysctl_net_ipv4_conf_all_secure_redirects | bool + - '"kernel-core" in ansible_facts.packages' + tags: + - CCE-84016-5 + - NIST-800-171-3.1.20 + - NIST-800-53-CM-6(a) + - 
NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-SC-7(a) + - PCI-DSS-Req-1.4.3 + - PCI-DSSv4-1.4 + - PCI-DSSv4-1.4.3 + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_net_ipv4_conf_all_secure_redirects + +- name: Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces - Comment out any occurrences + of net.ipv4.conf.all.secure_redirects from config files ansible.builtin.replace: - path: '{{ item.path }}' + path: '{{ item | split(":") | first }}' regexp: ^[\s]*net.ipv4.conf.all.secure_redirects replace: '#net.ipv4.conf.all.secure_redirects' - loop: '{{ find_sysctl_d.files }}' + loop: '{{ find_all_values.stdout_lines }}' when: - disable_strategy | bool - low_complexity | bool @@ -13687,7 +15055,9 @@ - medium_severity | bool - reboot_required | bool - sysctl_net_ipv4_conf_all_secure_redirects | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' + - find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines | length > find_correct_value.stdout_lines + | length tags: - CCE-84016-5 - NIST-800-171-3.1.20 @@ -13705,7 +15075,8 @@ - reboot_required - sysctl_net_ipv4_conf_all_secure_redirects -- name: Ensure sysctl net.ipv4.conf.all.secure_redirects is set +- name: Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces - Ensure sysctl net.ipv4.conf.all.secure_redirects + is set ansible.posix.sysctl: name: net.ipv4.conf.all.secure_redirects value: '{{ sysctl_net_ipv4_conf_all_secure_redirects_value }}' @@ -13719,7 +15090,7 @@ - medium_severity | bool - reboot_required | bool - sysctl_net_ipv4_conf_all_secure_redirects | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-84016-5 - NIST-800-171-3.1.20 
@@ -13737,16 +15108,12 @@ - reboot_required - sysctl_net_ipv4_conf_all_secure_redirects -- name: List /etc/sysctl.d/*.conf files - ansible.builtin.find: - paths: +- name: Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces - Set fact for sysctl paths + ansible.builtin.set_fact: + sysctl_paths: - /etc/sysctl.d/ - /run/sysctl.d/ - /usr/local/lib/sysctl.d/ - contains: ^[\s]*net.ipv4.conf.default.accept_redirects.*$ - patterns: '*.conf' - file_type: any - register: find_sysctl_d when: - DISA_STIG_RHEL_09_253040 | bool - disable_strategy | bool @@ -13755,7 +15122,7 @@ - medium_severity | bool - reboot_required | bool - sysctl_net_ipv4_conf_default_accept_redirects | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-84003-3 - CJIS-5.10.1.1 
@@ -13775,12 +15142,86 @@ - reboot_required - sysctl_net_ipv4_conf_default_accept_redirects -- name: Comment out any occurrences of net.ipv4.conf.default.accept_redirects from config files +- name: Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces - Find all files that contain + net.ipv4.conf.default.accept_redirects + ansible.builtin.shell: + cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv4.conf.default.accept_redirects\s*=\s*.*$' + register: find_all_values + check_mode: false + changed_when: false + failed_when: false + when: + - DISA_STIG_RHEL_09_253040 | bool + - disable_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - reboot_required | bool + - sysctl_net_ipv4_conf_default_accept_redirects | bool + - '"kernel-core" in ansible_facts.packages' + tags: + - CCE-84003-3 + - CJIS-5.10.1.1 + - DISA-STIG-RHEL-09-253040 + - NIST-800-171-3.1.20 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-SC-7(a) + - PCI-DSS-Req-1.4.3 + - PCI-DSSv4-1.4 + - PCI-DSSv4-1.4.3 + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_net_ipv4_conf_default_accept_redirects + +- name: Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces - Find all files that set net.ipv4.conf.default.accept_redirects + to correct value + ansible.builtin.shell: + cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv4.conf.default.accept_redirects\s*=\s*{{ + sysctl_net_ipv4_conf_default_accept_redirects_value }}$' + register: find_correct_value + check_mode: false + changed_when: false + failed_when: false + when: + - DISA_STIG_RHEL_09_253040 | bool + - disable_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - reboot_required | bool + - 
sysctl_net_ipv4_conf_default_accept_redirects | bool + - '"kernel-core" in ansible_facts.packages' + tags: + - CCE-84003-3 + - CJIS-5.10.1.1 + - DISA-STIG-RHEL-09-253040 + - NIST-800-171-3.1.20 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-SC-7(a) + - PCI-DSS-Req-1.4.3 + - PCI-DSSv4-1.4 + - PCI-DSSv4-1.4.3 + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_net_ipv4_conf_default_accept_redirects + +- name: Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces - Comment out any occurrences + of net.ipv4.conf.default.accept_redirects from config files ansible.builtin.replace: - path: '{{ item.path }}' + path: '{{ item | split(":") | first }}' regexp: ^[\s]*net.ipv4.conf.default.accept_redirects replace: '#net.ipv4.conf.default.accept_redirects' - loop: '{{ find_sysctl_d.files }}' + loop: '{{ find_all_values.stdout_lines }}' when: - DISA_STIG_RHEL_09_253040 | bool - disable_strategy | bool @@ -13789,7 +15230,9 @@ - medium_severity | bool - reboot_required | bool - sysctl_net_ipv4_conf_default_accept_redirects | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' + - find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines | length > find_correct_value.stdout_lines + | length tags: - CCE-84003-3 - CJIS-5.10.1.1 @@ -13809,7 +15252,8 @@ - reboot_required - sysctl_net_ipv4_conf_default_accept_redirects -- name: Ensure sysctl net.ipv4.conf.default.accept_redirects is set +- name: Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces - Ensure sysctl net.ipv4.conf.default.accept_redirects + is set ansible.posix.sysctl: name: net.ipv4.conf.default.accept_redirects value: '{{ sysctl_net_ipv4_conf_default_accept_redirects_value }}' 
@@ -13824,7 +15268,7 @@ - medium_severity | bool - reboot_required | bool - sysctl_net_ipv4_conf_default_accept_redirects | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-84003-3 - CJIS-5.10.1.1 @@ -13844,16 +15288,12 @@ - reboot_required - sysctl_net_ipv4_conf_default_accept_redirects -- name: List /etc/sysctl.d/*.conf files - ansible.builtin.find: - paths: +- name: Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default - Set fact for sysctl paths + ansible.builtin.set_fact: + sysctl_paths: - /etc/sysctl.d/ - /run/sysctl.d/ - /usr/local/lib/sysctl.d/ - contains: ^[\s]*net.ipv4.conf.default.accept_source_route.*$ - patterns: '*.conf' - file_type: any - register: find_sysctl_d when: - DISA_STIG_RHEL_09_253045 | bool - disable_strategy | bool @@ -13862,7 +15302,7 @@ - medium_severity | bool - reboot_required | bool - sysctl_net_ipv4_conf_default_accept_source_route | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-84007-4 - CJIS-5.10.1.1 
@@ -13879,12 +15319,80 @@ - reboot_required - sysctl_net_ipv4_conf_default_accept_source_route -- name: Comment out any occurrences of net.ipv4.conf.default.accept_source_route from config files +- name: Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default - Find all files that contain + net.ipv4.conf.default.accept_source_route + ansible.builtin.shell: + cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv4.conf.default.accept_source_route\s*=\s*.*$' + register: find_all_values + check_mode: false + changed_when: false + failed_when: false + when: + - DISA_STIG_RHEL_09_253045 | bool + - disable_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - reboot_required | bool + - sysctl_net_ipv4_conf_default_accept_source_route | bool + - '"kernel-core" in ansible_facts.packages' + tags: + - CCE-84007-4 + - CJIS-5.10.1.1 + - DISA-STIG-RHEL-09-253045 + - NIST-800-171-3.1.20 + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-SC-5 + - NIST-800-53-SC-7(a) + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_net_ipv4_conf_default_accept_source_route + +- name: Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default - Find all files that set + net.ipv4.conf.default.accept_source_route to correct value + ansible.builtin.shell: + cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv4.conf.default.accept_source_route\s*=\s*{{ + sysctl_net_ipv4_conf_default_accept_source_route_value }}$' + register: find_correct_value + check_mode: false + changed_when: false + failed_when: false + when: + - DISA_STIG_RHEL_09_253045 | bool + - disable_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - reboot_required | bool + - 
sysctl_net_ipv4_conf_default_accept_source_route | bool + - '"kernel-core" in ansible_facts.packages' + tags: + - CCE-84007-4 + - CJIS-5.10.1.1 + - DISA-STIG-RHEL-09-253045 + - NIST-800-171-3.1.20 + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-SC-5 + - NIST-800-53-SC-7(a) + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_net_ipv4_conf_default_accept_source_route + +- name: Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default - Comment out any occurrences + of net.ipv4.conf.default.accept_source_route from config files ansible.builtin.replace: - path: '{{ item.path }}' + path: '{{ item | split(":") | first }}' regexp: ^[\s]*net.ipv4.conf.default.accept_source_route replace: '#net.ipv4.conf.default.accept_source_route' - loop: '{{ find_sysctl_d.files }}' + loop: '{{ find_all_values.stdout_lines }}' when: - DISA_STIG_RHEL_09_253045 | bool - disable_strategy | bool @@ -13893,7 +15401,9 @@ - medium_severity | bool - reboot_required | bool - sysctl_net_ipv4_conf_default_accept_source_route | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' + - find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines | length > find_correct_value.stdout_lines + | length tags: - CCE-84007-4 - CJIS-5.10.1.1 @@ -13910,7 +15420,8 @@ - reboot_required - sysctl_net_ipv4_conf_default_accept_source_route -- name: Ensure sysctl net.ipv4.conf.default.accept_source_route is set +- name: Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default - Ensure sysctl net.ipv4.conf.default.accept_source_route + is set ansible.posix.sysctl: name: net.ipv4.conf.default.accept_source_route value: '{{ sysctl_net_ipv4_conf_default_accept_source_route_value }}' 
@@ -13925,7 +15436,7 @@ - medium_severity | bool - reboot_required | bool - sysctl_net_ipv4_conf_default_accept_source_route | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-84007-4 - CJIS-5.10.1.1 @@ -13942,16 +15453,12 @@ - reboot_required - sysctl_net_ipv4_conf_default_accept_source_route -- name: List /etc/sysctl.d/*.conf files - ansible.builtin.find: - paths: +- name: Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces by Default - Set fact for sysctl paths + ansible.builtin.set_fact: + sysctl_paths: - /etc/sysctl.d/ - /run/sysctl.d/ - /usr/local/lib/sysctl.d/ - contains: ^[\s]*net.ipv4.conf.default.log_martians.*$ - patterns: '*.conf' - file_type: any - register: find_sysctl_d when: - DISA_STIG_RHEL_09_253030 | bool - disable_strategy | bool @@ -13960,7 +15467,7 @@ - reboot_required | bool - sysctl_net_ipv4_conf_default_log_martians | bool - unknown_severity | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-84014-0 - DISA-STIG-RHEL-09-253030 
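Review bot: The new `sysctl_paths` fact lists `/etc/sysctl.d/`, `/run/sysctl.d/` and `/usr/local/lib/sysctl.d/` but not `/usr/lib/sysctl.d/`, where distribution-shipped drop-ins live, and nothing states whether that omission is deliberate; the identical list is re-set before every rule (for example the hunks at +15607, +15767 and +15916). A comment on the fact such as `# only admin-writable drop-in dirs are searched; vendor files under /usr/lib/sysctl.d are left untouched and /etc/sysctl.conf is handled by the sysctl task` would make the scope explicit. Since the search uses `find -L`, a symlinked drop-in is followed — on RHEL-family hosts `/etc/sysctl.d/99-sysctl.conf` commonly points at `/etc/sysctl.conf` — so the comment-out step may edit `/etc/sysctl.conf` itself; presumably intended, but worth saying so next to the fact.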
@@ -13975,12 +15482,75 @@ - sysctl_net_ipv4_conf_default_log_martians - unknown_severity -- name: Comment out any occurrences of net.ipv4.conf.default.log_martians from config files +- name: Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces by Default - Find all files that contain net.ipv4.conf.default.log_martians + ansible.builtin.shell: + cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv4.conf.default.log_martians\s*=\s*.*$' + register: find_all_values + check_mode: false + changed_when: false + failed_when: false + when: + - DISA_STIG_RHEL_09_253030 | bool + - disable_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - reboot_required | bool + - sysctl_net_ipv4_conf_default_log_martians | bool + - unknown_severity | bool + - '"kernel-core" in ansible_facts.packages' + tags: + - CCE-84014-0 + - DISA-STIG-RHEL-09-253030 + - NIST-800-171-3.1.20 + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-SC-5(3)(a) + - disable_strategy + - low_complexity + - medium_disruption + - reboot_required + - sysctl_net_ipv4_conf_default_log_martians + - unknown_severity + +- name: Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces by Default - Find all files that set net.ipv4.conf.default.log_martians + to correct value + ansible.builtin.shell: + cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv4.conf.default.log_martians\s*=\s*{{ + sysctl_net_ipv4_conf_default_log_martians_value }}$' + register: find_correct_value + check_mode: false + changed_when: false + failed_when: false + when: + - DISA_STIG_RHEL_09_253030 | bool + - disable_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - reboot_required | bool + - sysctl_net_ipv4_conf_default_log_martians | bool + - unknown_severity | bool + - '"kernel-core" in ansible_facts.packages' + tags: + - CCE-84014-0 + - DISA-STIG-RHEL-09-253030 + - 
NIST-800-171-3.1.20 + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-SC-5(3)(a) + - disable_strategy + - low_complexity + - medium_disruption + - reboot_required + - sysctl_net_ipv4_conf_default_log_martians + - unknown_severity + +- name: Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces by Default - Comment out any occurrences of + net.ipv4.conf.default.log_martians from config files ansible.builtin.replace: - path: '{{ item.path }}' + path: '{{ item | split(":") | first }}' regexp: ^[\s]*net.ipv4.conf.default.log_martians replace: '#net.ipv4.conf.default.log_martians' - loop: '{{ find_sysctl_d.files }}' + loop: '{{ find_all_values.stdout_lines }}' when: - DISA_STIG_RHEL_09_253030 | bool - disable_strategy | bool @@ -13989,7 +15559,9 @@ - reboot_required | bool - sysctl_net_ipv4_conf_default_log_martians | bool - unknown_severity | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' + - find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines | length > find_correct_value.stdout_lines + | length tags: - CCE-84014-0 - DISA-STIG-RHEL-09-253030 @@ -14004,7 +15576,8 @@ - sysctl_net_ipv4_conf_default_log_martians - unknown_severity -- name: Ensure sysctl net.ipv4.conf.default.log_martians is set +- name: Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces by Default - Ensure sysctl net.ipv4.conf.default.log_martians + is set ansible.posix.sysctl: name: net.ipv4.conf.default.log_martians value: '{{ sysctl_net_ipv4_conf_default_log_martians_value }}' @@ -14019,7 +15592,7 @@ - reboot_required | bool - sysctl_net_ipv4_conf_default_log_martians | bool - unknown_severity | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-84014-0 - DISA-STIG-RHEL-09-253030 
@@ -14034,16 +15607,12 @@ - sysctl_net_ipv4_conf_default_log_martians - unknown_severity -- name: List /etc/sysctl.d/*.conf files - ansible.builtin.find: - paths: +- name: Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default - Set fact for sysctl paths + ansible.builtin.set_fact: + sysctl_paths: - /etc/sysctl.d/ - /run/sysctl.d/ - /usr/local/lib/sysctl.d/ - contains: ^[\s]*net.ipv4.conf.default.rp_filter.*$ - patterns: '*.conf' - file_type: any - register: find_sysctl_d when: - DISA_STIG_RHEL_09_253050 | bool - disable_strategy | bool @@ -14052,7 +15621,7 @@ - medium_severity | bool - reboot_required | bool - sysctl_net_ipv4_conf_default_rp_filter | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-84009-0 - DISA-STIG-RHEL-09-253050 
@@ -14068,12 +15637,78 @@ - reboot_required - sysctl_net_ipv4_conf_default_rp_filter -- name: Comment out any occurrences of net.ipv4.conf.default.rp_filter from config files +- name: Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default - Find all files that contain + net.ipv4.conf.default.rp_filter + ansible.builtin.shell: + cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv4.conf.default.rp_filter\s*=\s*.*$' + register: find_all_values + check_mode: false + changed_when: false + failed_when: false + when: + - DISA_STIG_RHEL_09_253050 | bool + - disable_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - reboot_required | bool + - sysctl_net_ipv4_conf_default_rp_filter | bool + - '"kernel-core" in ansible_facts.packages' + tags: + - CCE-84009-0 + - DISA-STIG-RHEL-09-253050 + - NIST-800-171-3.1.20 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-SC-7(a) + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_net_ipv4_conf_default_rp_filter + +- name: Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default - Find all files that set + net.ipv4.conf.default.rp_filter to correct value + ansible.builtin.shell: + cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv4.conf.default.rp_filter\s*=\s*{{ + sysctl_net_ipv4_conf_default_rp_filter_value }}$' + register: find_correct_value + check_mode: false + changed_when: false + failed_when: false + when: + - DISA_STIG_RHEL_09_253050 | bool + - disable_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - reboot_required | bool + - sysctl_net_ipv4_conf_default_rp_filter | bool + - '"kernel-core" in ansible_facts.packages' + tags: + - CCE-84009-0 + - DISA-STIG-RHEL-09-253050 + - 
NIST-800-171-3.1.20 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-SC-7(a) + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_net_ipv4_conf_default_rp_filter + +- name: Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default - Comment out any occurrences + of net.ipv4.conf.default.rp_filter from config files ansible.builtin.replace: - path: '{{ item.path }}' + path: '{{ item | split(":") | first }}' regexp: ^[\s]*net.ipv4.conf.default.rp_filter replace: '#net.ipv4.conf.default.rp_filter' - loop: '{{ find_sysctl_d.files }}' + loop: '{{ find_all_values.stdout_lines }}' when: - DISA_STIG_RHEL_09_253050 | bool - disable_strategy | bool @@ -14082,7 +15717,9 @@ - medium_severity | bool - reboot_required | bool - sysctl_net_ipv4_conf_default_rp_filter | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' + - find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines | length > find_correct_value.stdout_lines + | length tags: - CCE-84009-0 - DISA-STIG-RHEL-09-253050 @@ -14098,7 +15735,8 @@ - reboot_required - sysctl_net_ipv4_conf_default_rp_filter -- name: Ensure sysctl net.ipv4.conf.default.rp_filter is set +- name: Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default - Ensure sysctl net.ipv4.conf.default.rp_filter + is set ansible.posix.sysctl: name: net.ipv4.conf.default.rp_filter value: '{{ sysctl_net_ipv4_conf_default_rp_filter_value }}' @@ -14113,7 +15751,7 @@ - medium_severity | bool - reboot_required | bool - sysctl_net_ipv4_conf_default_rp_filter | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-84009-0 - DISA-STIG-RHEL-09-253050 
@@ -14129,16 +15767,12 @@ - reboot_required - sysctl_net_ipv4_conf_default_rp_filter -- name: List /etc/sysctl.d/*.conf files - ansible.builtin.find: - paths: +- name: Configure Kernel Parameter for Accepting Secure Redirects By Default - Set fact for sysctl paths + ansible.builtin.set_fact: + sysctl_paths: - /etc/sysctl.d/ - /run/sysctl.d/ - /usr/local/lib/sysctl.d/ - contains: ^[\s]*net.ipv4.conf.default.secure_redirects.*$ - patterns: '*.conf' - file_type: any - register: find_sysctl_d when: - disable_strategy | bool - low_complexity | bool @@ -14146,7 +15780,7 @@ - medium_severity | bool - reboot_required | bool - sysctl_net_ipv4_conf_default_secure_redirects | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-84019-9 - NIST-800-171-3.1.20 
@@ -14161,12 +15795,73 @@ - reboot_required - sysctl_net_ipv4_conf_default_secure_redirects -- name: Comment out any occurrences of net.ipv4.conf.default.secure_redirects from config files +- name: Configure Kernel Parameter for Accepting Secure Redirects By Default - Find all files that contain net.ipv4.conf.default.secure_redirects + ansible.builtin.shell: + cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv4.conf.default.secure_redirects\s*=\s*.*$' + register: find_all_values + check_mode: false + changed_when: false + failed_when: false + when: + - disable_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - reboot_required | bool + - sysctl_net_ipv4_conf_default_secure_redirects | bool + - '"kernel-core" in ansible_facts.packages' + tags: + - CCE-84019-9 + - NIST-800-171-3.1.20 + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-SC-5 + - NIST-800-53-SC-7(a) + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_net_ipv4_conf_default_secure_redirects + +- name: Configure Kernel Parameter for Accepting Secure Redirects By Default - Find all files that set net.ipv4.conf.default.secure_redirects + to correct value + ansible.builtin.shell: + cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv4.conf.default.secure_redirects\s*=\s*{{ + sysctl_net_ipv4_conf_default_secure_redirects_value }}$' + register: find_correct_value + check_mode: false + changed_when: false + failed_when: false + when: + - disable_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - reboot_required | bool + - sysctl_net_ipv4_conf_default_secure_redirects | bool + - '"kernel-core" in ansible_facts.packages' + tags: + - CCE-84019-9 + - NIST-800-171-3.1.20 + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-SC-5 + - 
NIST-800-53-SC-7(a) + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_net_ipv4_conf_default_secure_redirects + +- name: Configure Kernel Parameter for Accepting Secure Redirects By Default - Comment out any occurrences of net.ipv4.conf.default.secure_redirects + from config files ansible.builtin.replace: - path: '{{ item.path }}' + path: '{{ item | split(":") | first }}' regexp: ^[\s]*net.ipv4.conf.default.secure_redirects replace: '#net.ipv4.conf.default.secure_redirects' - loop: '{{ find_sysctl_d.files }}' + loop: '{{ find_all_values.stdout_lines }}' when: - disable_strategy | bool - low_complexity | bool @@ -14174,7 +15869,9 @@ - medium_severity | bool - reboot_required | bool - sysctl_net_ipv4_conf_default_secure_redirects | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' + - find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines | length > find_correct_value.stdout_lines + | length tags: - CCE-84019-9 - NIST-800-171-3.1.20 @@ -14189,7 +15886,8 @@ - reboot_required - sysctl_net_ipv4_conf_default_secure_redirects -- name: Ensure sysctl net.ipv4.conf.default.secure_redirects is set +- name: Configure Kernel Parameter for Accepting Secure Redirects By Default - Ensure sysctl net.ipv4.conf.default.secure_redirects + is set ansible.posix.sysctl: name: net.ipv4.conf.default.secure_redirects value: '{{ sysctl_net_ipv4_conf_default_secure_redirects_value }}' @@ -14203,7 +15901,7 @@ - medium_severity | bool - reboot_required | bool - sysctl_net_ipv4_conf_default_secure_redirects | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-84019-9 - NIST-800-171-3.1.20 
@@ -14218,16 +15916,12 @@ - reboot_required - sysctl_net_ipv4_conf_default_secure_redirects -- name: List /etc/sysctl.d/*.conf files - ansible.builtin.find: - paths: +- name: Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces - Set fact for sysctl paths + ansible.builtin.set_fact: + sysctl_paths: - /etc/sysctl.d/ - /run/sysctl.d/ - /usr/local/lib/sysctl.d/ - contains: ^[\s]*net.ipv4.icmp_echo_ignore_broadcasts.*$ - patterns: '*.conf' - file_type: any - register: find_sysctl_d when: - DISA_STIG_RHEL_09_253055 | bool - disable_strategy | bool @@ -14236,7 +15930,7 @@ - medium_severity | bool - reboot_required | bool - sysctl_net_ipv4_icmp_echo_ignore_broadcasts | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-84004-1 - CJIS-5.10.1.1 
@@ -14255,12 +15949,83 @@ - reboot_required - sysctl_net_ipv4_icmp_echo_ignore_broadcasts -- name: Comment out any occurrences of net.ipv4.icmp_echo_ignore_broadcasts from config files +- name: Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces - Find all files that contain net.ipv4.icmp_echo_ignore_broadcasts + ansible.builtin.shell: + cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*.*$' + register: find_all_values + check_mode: false + changed_when: false + failed_when: false + when: + - DISA_STIG_RHEL_09_253055 | bool + - disable_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - reboot_required | bool + - sysctl_net_ipv4_icmp_echo_ignore_broadcasts | bool + - '"kernel-core" in ansible_facts.packages' + tags: + - CCE-84004-1 + - CJIS-5.10.1.1 + - DISA-STIG-RHEL-09-253055 + - NIST-800-171-3.1.20 + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-SC-5 + - PCI-DSS-Req-1.4.3 + - PCI-DSSv4-1.4 + - PCI-DSSv4-1.4.2 + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_net_ipv4_icmp_echo_ignore_broadcasts + +- name: Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces - Find all files that set net.ipv4.icmp_echo_ignore_broadcasts + to correct value + ansible.builtin.shell: + cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*{{ + sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value }}$' + register: find_correct_value + check_mode: false + changed_when: false + failed_when: false + when: + - DISA_STIG_RHEL_09_253055 | bool + - disable_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - reboot_required | bool + - sysctl_net_ipv4_icmp_echo_ignore_broadcasts | bool + - '"kernel-core" in 
ansible_facts.packages' + tags: + - CCE-84004-1 + - CJIS-5.10.1.1 + - DISA-STIG-RHEL-09-253055 + - NIST-800-171-3.1.20 + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-SC-5 + - PCI-DSS-Req-1.4.3 + - PCI-DSSv4-1.4 + - PCI-DSSv4-1.4.2 + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_net_ipv4_icmp_echo_ignore_broadcasts + +- name: Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces - Comment out any occurrences of + net.ipv4.icmp_echo_ignore_broadcasts from config files ansible.builtin.replace: - path: '{{ item.path }}' + path: '{{ item | split(":") | first }}' regexp: ^[\s]*net.ipv4.icmp_echo_ignore_broadcasts replace: '#net.ipv4.icmp_echo_ignore_broadcasts' - loop: '{{ find_sysctl_d.files }}' + loop: '{{ find_all_values.stdout_lines }}' when: - DISA_STIG_RHEL_09_253055 | bool - disable_strategy | bool @@ -14269,7 +16034,9 @@ - medium_severity | bool - reboot_required | bool - sysctl_net_ipv4_icmp_echo_ignore_broadcasts | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' + - find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines | length > find_correct_value.stdout_lines + | length tags: - CCE-84004-1 - CJIS-5.10.1.1 @@ -14288,7 +16055,8 @@ - reboot_required - sysctl_net_ipv4_icmp_echo_ignore_broadcasts -- name: Ensure sysctl net.ipv4.icmp_echo_ignore_broadcasts is set +- name: Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces - Ensure sysctl net.ipv4.icmp_echo_ignore_broadcasts + is set ansible.posix.sysctl: name: net.ipv4.icmp_echo_ignore_broadcasts value: '{{ sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value }}' @@ -14303,7 +16071,7 @@ - medium_severity | bool - reboot_required | bool - sysctl_net_ipv4_icmp_echo_ignore_broadcasts | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-84004-1 - CJIS-5.10.1.1 
@@ -14322,16 +16090,12 @@ - reboot_required - sysctl_net_ipv4_icmp_echo_ignore_broadcasts -- name: List /etc/sysctl.d/*.conf files - ansible.builtin.find: - paths: +- name: Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces - Set fact for sysctl paths + ansible.builtin.set_fact: + sysctl_paths: - /etc/sysctl.d/ - /run/sysctl.d/ - /usr/local/lib/sysctl.d/ - contains: ^[\s]*net.ipv4.icmp_ignore_bogus_error_responses.*$ - patterns: '*.conf' - file_type: any - register: find_sysctl_d when: - DISA_STIG_RHEL_09_253060 | bool - disable_strategy | bool @@ -14340,7 +16104,7 @@ - reboot_required | bool - sysctl_net_ipv4_icmp_ignore_bogus_error_responses | bool - unknown_severity | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-84015-7 - DISA-STIG-RHEL-09-253060 
@@ -14358,12 +16122,81 @@ - sysctl_net_ipv4_icmp_ignore_bogus_error_responses - unknown_severity -- name: Comment out any occurrences of net.ipv4.icmp_ignore_bogus_error_responses from config files +- name: Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces - Find all files that contain net.ipv4.icmp_ignore_bogus_error_responses + ansible.builtin.shell: + cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*.*$' + register: find_all_values + check_mode: false + changed_when: false + failed_when: false + when: + - DISA_STIG_RHEL_09_253060 | bool + - disable_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - reboot_required | bool + - sysctl_net_ipv4_icmp_ignore_bogus_error_responses | bool + - unknown_severity | bool + - '"kernel-core" in ansible_facts.packages' + tags: + - CCE-84015-7 + - DISA-STIG-RHEL-09-253060 + - NIST-800-171-3.1.20 + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-SC-5 + - PCI-DSS-Req-1.4.3 + - PCI-DSSv4-1.4 + - PCI-DSSv4-1.4.2 + - disable_strategy + - low_complexity + - medium_disruption + - reboot_required + - sysctl_net_ipv4_icmp_ignore_bogus_error_responses + - unknown_severity + +- name: Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces - Find all files that set net.ipv4.icmp_ignore_bogus_error_responses + to correct value + ansible.builtin.shell: + cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*{{ + sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value }}$' + register: find_correct_value + check_mode: false + changed_when: false + failed_when: false + when: + - DISA_STIG_RHEL_09_253060 | bool + - disable_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - reboot_required | bool + - sysctl_net_ipv4_icmp_ignore_bogus_error_responses | bool + - 
unknown_severity | bool + - '"kernel-core" in ansible_facts.packages' + tags: + - CCE-84015-7 + - DISA-STIG-RHEL-09-253060 + - NIST-800-171-3.1.20 + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-SC-5 + - PCI-DSS-Req-1.4.3 + - PCI-DSSv4-1.4 + - PCI-DSSv4-1.4.2 + - disable_strategy + - low_complexity + - medium_disruption + - reboot_required + - sysctl_net_ipv4_icmp_ignore_bogus_error_responses + - unknown_severity + +- name: Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces - Comment out any occurrences of net.ipv4.icmp_ignore_bogus_error_responses + from config files ansible.builtin.replace: - path: '{{ item.path }}' + path: '{{ item | split(":") | first }}' regexp: ^[\s]*net.ipv4.icmp_ignore_bogus_error_responses replace: '#net.ipv4.icmp_ignore_bogus_error_responses' - loop: '{{ find_sysctl_d.files }}' + loop: '{{ find_all_values.stdout_lines }}' when: - DISA_STIG_RHEL_09_253060 | bool - disable_strategy | bool @@ -14372,7 +16205,9 @@ - reboot_required | bool - sysctl_net_ipv4_icmp_ignore_bogus_error_responses | bool - unknown_severity | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' + - find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines | length > find_correct_value.stdout_lines + | length tags: - CCE-84015-7 - DISA-STIG-RHEL-09-253060 @@ -14390,7 +16225,8 @@ - sysctl_net_ipv4_icmp_ignore_bogus_error_responses - unknown_severity -- name: Ensure sysctl net.ipv4.icmp_ignore_bogus_error_responses is set +- name: Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces - Ensure sysctl net.ipv4.icmp_ignore_bogus_error_responses + is set ansible.posix.sysctl: name: net.ipv4.icmp_ignore_bogus_error_responses value: '{{ sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value }}' 
@@ -14405,7 +16241,7 @@ - reboot_required | bool - sysctl_net_ipv4_icmp_ignore_bogus_error_responses | bool - unknown_severity | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-84015-7 - DISA-STIG-RHEL-09-253060 @@ -14423,16 +16259,12 @@ - sysctl_net_ipv4_icmp_ignore_bogus_error_responses - unknown_severity -- name: List /etc/sysctl.d/*.conf files - ansible.builtin.find: - paths: +- name: Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces - Set fact for sysctl paths + ansible.builtin.set_fact: + sysctl_paths: - /etc/sysctl.d/ - /run/sysctl.d/ - /usr/local/lib/sysctl.d/ - contains: ^[\s]*net.ipv4.tcp_syncookies.*$ - patterns: '*.conf' - file_type: any - register: find_sysctl_d when: - DISA_STIG_RHEL_09_253010 | bool - disable_strategy | bool @@ -14441,7 +16273,7 @@ - medium_severity | bool - reboot_required | bool - sysctl_net_ipv4_tcp_syncookies | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-84006-6 - CJIS-5.10.1.1 
@@ -14463,12 +16295,89 @@ - reboot_required - sysctl_net_ipv4_tcp_syncookies -- name: Comment out any occurrences of net.ipv4.tcp_syncookies from config files +- name: Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces - Find all files that contain net.ipv4.tcp_syncookies + ansible.builtin.shell: + cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv4.tcp_syncookies\s*=\s*.*$' + register: find_all_values + check_mode: false + changed_when: false + failed_when: false + when: + - DISA_STIG_RHEL_09_253010 | bool + - disable_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - reboot_required | bool + - sysctl_net_ipv4_tcp_syncookies | bool + - '"kernel-core" in ansible_facts.packages' + tags: + - CCE-84006-6 + - CJIS-5.10.1.1 + - DISA-STIG-RHEL-09-253010 + - NIST-800-171-3.1.20 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-SC-5(1) + - NIST-800-53-SC-5(2) + - NIST-800-53-SC-5(3)(a) + - PCI-DSS-Req-1.4.1 + - PCI-DSSv4-1.4 + - PCI-DSSv4-1.4.3 + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_net_ipv4_tcp_syncookies + +- name: Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces - Find all files that set net.ipv4.tcp_syncookies + to correct value + ansible.builtin.shell: + cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv4.tcp_syncookies\s*=\s*{{ + sysctl_net_ipv4_tcp_syncookies_value }}$' + register: find_correct_value + check_mode: false + changed_when: false + failed_when: false + when: + - DISA_STIG_RHEL_09_253010 | bool + - disable_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - reboot_required | bool + - sysctl_net_ipv4_tcp_syncookies | bool + - '"kernel-core" in ansible_facts.packages' + tags: + - CCE-84006-6 + - CJIS-5.10.1.1 + - 
DISA-STIG-RHEL-09-253010 + - NIST-800-171-3.1.20 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-SC-5(1) + - NIST-800-53-SC-5(2) + - NIST-800-53-SC-5(3)(a) + - PCI-DSS-Req-1.4.1 + - PCI-DSSv4-1.4 + - PCI-DSSv4-1.4.3 + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_net_ipv4_tcp_syncookies + +- name: Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces - Comment out any occurrences of net.ipv4.tcp_syncookies + from config files ansible.builtin.replace: - path: '{{ item.path }}' + path: '{{ item | split(":") | first }}' regexp: ^[\s]*net.ipv4.tcp_syncookies replace: '#net.ipv4.tcp_syncookies' - loop: '{{ find_sysctl_d.files }}' + loop: '{{ find_all_values.stdout_lines }}' when: - DISA_STIG_RHEL_09_253010 | bool - disable_strategy | bool @@ -14477,7 +16386,9 @@ - medium_severity | bool - reboot_required | bool - sysctl_net_ipv4_tcp_syncookies | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' + - find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines | length > find_correct_value.stdout_lines + | length tags: - CCE-84006-6 - CJIS-5.10.1.1 @@ -14499,7 +16410,7 @@ - reboot_required - sysctl_net_ipv4_tcp_syncookies -- name: Ensure sysctl net.ipv4.tcp_syncookies is set +- name: Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces - Ensure sysctl net.ipv4.tcp_syncookies is set ansible.posix.sysctl: name: net.ipv4.tcp_syncookies value: '{{ sysctl_net_ipv4_tcp_syncookies_value }}' @@ -14514,7 +16425,7 @@ - medium_severity | bool - reboot_required | bool - sysctl_net_ipv4_tcp_syncookies | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-84006-6 - CJIS-5.10.1.1 
@@ -14536,16 +16447,12 @@ - reboot_required - sysctl_net_ipv4_tcp_syncookies -- name: List /etc/sysctl.d/*.conf files - ansible.builtin.find: - paths: +- name: Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces - Set fact for sysctl paths + ansible.builtin.set_fact: + sysctl_paths: - /etc/sysctl.d/ - /run/sysctl.d/ - /usr/local/lib/sysctl.d/ - contains: ^[\s]*net.ipv4.conf.all.send_redirects.*$ - patterns: '*.conf' - file_type: any - register: find_sysctl_d when: - DISA_STIG_RHEL_09_253065 | bool - disable_strategy | bool @@ -14554,7 +16461,7 @@ - medium_severity | bool - reboot_required | bool - sysctl_net_ipv4_conf_all_send_redirects | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83997-7 - CJIS-5.10.1.1 
@@ -14574,12 +16481,84 @@ - reboot_required - sysctl_net_ipv4_conf_all_send_redirects -- name: Comment out any occurrences of net.ipv4.conf.all.send_redirects from config files +- name: Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces - Find all files that contain net.ipv4.conf.all.send_redirects + ansible.builtin.shell: + cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv4.conf.all.send_redirects\s*=\s*.*$' + register: find_all_values + check_mode: false + changed_when: false + failed_when: false + when: + - DISA_STIG_RHEL_09_253065 | bool + - disable_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - reboot_required | bool + - sysctl_net_ipv4_conf_all_send_redirects | bool + - '"kernel-core" in ansible_facts.packages' + tags: + - CCE-83997-7 + - CJIS-5.10.1.1 + - DISA-STIG-RHEL-09-253065 + - NIST-800-171-3.1.20 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-SC-5 + - NIST-800-53-SC-7(a) + - PCI-DSSv4-1.4 + - PCI-DSSv4-1.4.5 + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_net_ipv4_conf_all_send_redirects + +- name: Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces - Find all files that set net.ipv4.conf.all.send_redirects + to correct value + ansible.builtin.shell: + cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv4.conf.all.send_redirects\s*=\s*0$' + register: find_correct_value + check_mode: false + changed_when: false + failed_when: false + when: + - DISA_STIG_RHEL_09_253065 | bool + - disable_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - reboot_required | bool + - sysctl_net_ipv4_conf_all_send_redirects | bool + - '"kernel-core" in ansible_facts.packages' + tags: + - CCE-83997-7 + - CJIS-5.10.1.1 + - 
DISA-STIG-RHEL-09-253065 + - NIST-800-171-3.1.20 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-SC-5 + - NIST-800-53-SC-7(a) + - PCI-DSSv4-1.4 + - PCI-DSSv4-1.4.5 + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_net_ipv4_conf_all_send_redirects + +- name: Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces - Comment out any occurrences of net.ipv4.conf.all.send_redirects + from config files ansible.builtin.replace: - path: '{{ item.path }}' + path: '{{ item | split(":") | first }}' regexp: ^[\s]*net.ipv4.conf.all.send_redirects replace: '#net.ipv4.conf.all.send_redirects' - loop: '{{ find_sysctl_d.files }}' + loop: '{{ find_all_values.stdout_lines }}' when: - DISA_STIG_RHEL_09_253065 | bool - disable_strategy | bool @@ -14588,7 +16567,9 @@ - medium_severity | bool - reboot_required | bool - sysctl_net_ipv4_conf_all_send_redirects | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' + - find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines | length > find_correct_value.stdout_lines + | length tags: - CCE-83997-7 - CJIS-5.10.1.1 @@ -14608,7 +16589,8 @@ - reboot_required - sysctl_net_ipv4_conf_all_send_redirects -- name: Ensure sysctl net.ipv4.conf.all.send_redirects is set to 0 +- name: Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces - Ensure sysctl net.ipv4.conf.all.send_redirects + is set to 0 ansible.posix.sysctl: name: net.ipv4.conf.all.send_redirects value: '0' @@ -14623,7 +16605,7 @@ - medium_severity | bool - reboot_required | bool - sysctl_net_ipv4_conf_all_send_redirects | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83997-7 - CJIS-5.10.1.1 
@@ -14643,16 +16625,12 @@
   - reboot_required
   - sysctl_net_ipv4_conf_all_send_redirects
 
-- name: List /etc/sysctl.d/*.conf files
-  ansible.builtin.find:
-    paths:
+- name: Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default - Set fact for sysctl paths
+  ansible.builtin.set_fact:
+    sysctl_paths:
     - /etc/sysctl.d/
     - /run/sysctl.d/
     - /usr/local/lib/sysctl.d/
-    contains: ^[\s]*net.ipv4.conf.default.send_redirects.*$
-    patterns: '*.conf'
-    file_type: any
-  register: find_sysctl_d
   when:
   - DISA_STIG_RHEL_09_253070 | bool
   - disable_strategy | bool
@@ -14661,7 +16639,7 @@
   - medium_severity | bool
   - reboot_required | bool
   - sysctl_net_ipv4_conf_default_send_redirects | bool
-  - '"kernel" in ansible_facts.packages'
+  - '"kernel-core" in ansible_facts.packages'
   tags:
   - CCE-83999-3
   - CJIS-5.10.1.1
@@ -14681,12 +16659,85 @@ - reboot_required - sysctl_net_ipv4_conf_default_send_redirects -- name: Comment out any occurrences of net.ipv4.conf.default.send_redirects from config files +- name: Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default - Find all files that contain + net.ipv4.conf.default.send_redirects + ansible.builtin.shell: + cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv4.conf.default.send_redirects\s*=\s*.*$' + register: find_all_values + check_mode: false + changed_when: false + failed_when: false + when: + - DISA_STIG_RHEL_09_253070 | bool + - disable_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - reboot_required | bool + - sysctl_net_ipv4_conf_default_send_redirects | bool + - '"kernel-core" in ansible_facts.packages' + tags: + - CCE-83999-3 + - CJIS-5.10.1.1 + - DISA-STIG-RHEL-09-253070 + - NIST-800-171-3.1.20 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-SC-5 + - NIST-800-53-SC-7(a) + - PCI-DSSv4-1.4 + - PCI-DSSv4-1.4.5 + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_net_ipv4_conf_default_send_redirects + +- name: Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default - Find all files that set net.ipv4.conf.default.send_redirects + to correct value + ansible.builtin.shell: + cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv4.conf.default.send_redirects\s*=\s*0$' + register: find_correct_value + check_mode: false + changed_when: false + failed_when: false + when: + - DISA_STIG_RHEL_09_253070 | bool + - disable_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - reboot_required | bool + - sysctl_net_ipv4_conf_default_send_redirects | bool + - '"kernel-core" in 
ansible_facts.packages' + tags: + - CCE-83999-3 + - CJIS-5.10.1.1 + - DISA-STIG-RHEL-09-253070 + - NIST-800-171-3.1.20 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-SC-5 + - NIST-800-53-SC-7(a) + - PCI-DSSv4-1.4 + - PCI-DSSv4-1.4.5 + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_net_ipv4_conf_default_send_redirects + +- name: Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default - Comment out any occurrences + of net.ipv4.conf.default.send_redirects from config files ansible.builtin.replace: - path: '{{ item.path }}' + path: '{{ item | split(":") | first }}' regexp: ^[\s]*net.ipv4.conf.default.send_redirects replace: '#net.ipv4.conf.default.send_redirects' - loop: '{{ find_sysctl_d.files }}' + loop: '{{ find_all_values.stdout_lines }}' when: - DISA_STIG_RHEL_09_253070 | bool - disable_strategy | bool @@ -14695,7 +16746,9 @@ - medium_severity | bool - reboot_required | bool - sysctl_net_ipv4_conf_default_send_redirects | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' + - find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines | length > find_correct_value.stdout_lines + | length tags: - CCE-83999-3 - CJIS-5.10.1.1 @@ -14715,7 +16768,8 @@ - reboot_required - sysctl_net_ipv4_conf_default_send_redirects -- name: Ensure sysctl net.ipv4.conf.default.send_redirects is set to 0 +- name: Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default - Ensure sysctl net.ipv4.conf.default.send_redirects + is set to 0 ansible.posix.sysctl: name: net.ipv4.conf.default.send_redirects value: '0' @@ -14730,7 +16784,7 @@ - medium_severity | bool - reboot_required | bool - sysctl_net_ipv4_conf_default_send_redirects | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83999-3 - CJIS-5.10.1.1 
@@ -14750,16 +16804,12 @@
   - reboot_required
   - sysctl_net_ipv4_conf_default_send_redirects
 
-- name: List /etc/sysctl.d/*.conf files
-  ansible.builtin.find:
-    paths:
+- name: Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces - Set fact for sysctl paths
+  ansible.builtin.set_fact:
+    sysctl_paths:
     - /etc/sysctl.d/
     - /run/sysctl.d/
     - /usr/local/lib/sysctl.d/
-    contains: ^[\s]*net.ipv4.ip_forward.*$
-    patterns: '*.conf'
-    file_type: any
-  register: find_sysctl_d
   when:
   - disable_strategy | bool
   - low_complexity | bool
@@ -14767,7 +16817,7 @@
   - medium_severity | bool
   - reboot_required | bool
   - sysctl_net_ipv4_ip_forward | bool
-  - '"kernel" in ansible_facts.packages'
+  - '"kernel-core" in ansible_facts.packages'
   tags:
   - CCE-83998-5
   - NIST-800-171-3.1.20
@@ -14787,12 +16837,82 @@ - reboot_required - sysctl_net_ipv4_ip_forward -- name: Comment out any occurrences of net.ipv4.ip_forward from config files +- name: Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces - Find all files that contain net.ipv4.ip_forward + ansible.builtin.shell: + cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv4.ip_forward\s*=\s*.*$' + register: find_all_values + check_mode: false + changed_when: false + failed_when: false + when: + - disable_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - reboot_required | bool + - sysctl_net_ipv4_ip_forward | bool + - '"kernel-core" in ansible_facts.packages' + tags: + - CCE-83998-5 + - NIST-800-171-3.1.20 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-SC-5 + - NIST-800-53-SC-7(a) + - PCI-DSS-Req-1.3.1 + - PCI-DSS-Req-1.3.2 + - PCI-DSSv4-1.4 + - PCI-DSSv4-1.4.3 + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_net_ipv4_ip_forward + +- name: Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces - Find all files that set net.ipv4.ip_forward to correct + value + ansible.builtin.shell: + cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv4.ip_forward\s*=\s*0$' + register: find_correct_value + check_mode: false + changed_when: false + failed_when: false + when: + - disable_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - reboot_required | bool + - sysctl_net_ipv4_ip_forward | bool + - '"kernel-core" in ansible_facts.packages' + tags: + - CCE-83998-5 + - NIST-800-171-3.1.20 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-SC-5 + - NIST-800-53-SC-7(a) + - PCI-DSS-Req-1.3.1 + - PCI-DSS-Req-1.3.2 + - PCI-DSSv4-1.4 + - PCI-DSSv4-1.4.3 + - disable_strategy + - 
low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_net_ipv4_ip_forward + +- name: Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces - Comment out any occurrences of net.ipv4.ip_forward + from config files ansible.builtin.replace: - path: '{{ item.path }}' + path: '{{ item | split(":") | first }}' regexp: ^[\s]*net.ipv4.ip_forward replace: '#net.ipv4.ip_forward' - loop: '{{ find_sysctl_d.files }}' + loop: '{{ find_all_values.stdout_lines }}' when: - disable_strategy | bool - low_complexity | bool @@ -14800,7 +16920,9 @@ - medium_severity | bool - reboot_required | bool - sysctl_net_ipv4_ip_forward | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' + - find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines | length > find_correct_value.stdout_lines + | length tags: - CCE-83998-5 - NIST-800-171-3.1.20 @@ -14820,7 +16942,7 @@ - reboot_required - sysctl_net_ipv4_ip_forward -- name: Ensure sysctl net.ipv4.ip_forward is set to 0 +- name: Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces - Ensure sysctl net.ipv4.ip_forward is set to 0 ansible.posix.sysctl: name: net.ipv4.ip_forward value: '0' @@ -14834,7 +16956,7 @@ - medium_severity | bool - reboot_required | bool - sysctl_net_ipv4_ip_forward | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83998-5 - NIST-800-171-3.1.20 @@ -14867,7 +16989,7 @@ - medium_disruption | bool - medium_severity | bool - reboot_required | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-84136-1 - CJIS-5.10.1 @@ -14898,7 +17020,7 @@ - medium_disruption | bool - medium_severity | bool - reboot_required | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-84136-1 - CJIS-5.10.1 
@@ -14929,7 +17051,7 @@
   - low_severity | bool
   - medium_disruption | bool
   - reboot_required | bool
-  - '"kernel" in ansible_facts.packages'
+  - '"kernel-core" in ansible_facts.packages'
   tags:
   - CCE-84064-5
   - NIST-800-53-CM-6(a)
@@ -14955,7 +17077,7 @@
   - low_severity | bool
   - medium_disruption | bool
   - reboot_required | bool
-  - '"kernel" in ansible_facts.packages'
+  - '"kernel-core" in ansible_facts.packages'
   tags:
   - CCE-84064-5
   - NIST-800-53-CM-6(a)
@@ -14982,7 +17104,7 @@
   - medium_disruption | bool
   - medium_severity | bool
   - reboot_required | bool
-  - '"kernel" in ansible_facts.packages'
+  - '"kernel-core" in ansible_facts.packages'
   tags:
   - CCE-84139-5
   - CJIS-5.10.1
@@ -15015,7 +17137,7 @@
   - medium_disruption | bool
   - medium_severity | bool
   - reboot_required | bool
-  - '"kernel" in ansible_facts.packages'
+  - '"kernel-core" in ansible_facts.packages'
   tags:
   - CCE-84139-5
   - CJIS-5.10.1
@@ -15048,7 +17170,7 @@
   - low_severity | bool
   - medium_disruption | bool
   - reboot_required | bool
-  - '"kernel" in ansible_facts.packages'
+  - '"kernel-core" in ansible_facts.packages'
   tags:
   - CCE-84065-2
   - DISA-STIG-RHEL-09-213065
@@ -15076,7 +17198,7 @@
   - low_severity | bool
   - medium_disruption | bool
   - reboot_required | bool
-  - '"kernel" in ansible_facts.packages'
+  - '"kernel-core" in ansible_facts.packages'
   tags:
   - CCE-84065-2
   - DISA-STIG-RHEL-09-213065
@@ -15398,6 +17520,31 @@ - no_reboot_needed | bool - restrict_strategy | bool +- name: Verify Permissions and Ownership of Old Passwords File + ansible.builtin.file: + path: /etc/security/opasswd + owner: root + group: root + mode: 384 + state: touch + modification_time: preserve + access_time: preserve + tags: + - CCE-86762-2 + - file_etc_security_opasswd + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + when: + - file_etc_security_opasswd | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - name: Set the file_groupowner_backup_etc_group_newgroup variable if represented by gid ansible.builtin.set_fact: file_groupowner_backup_etc_group_newgroup: '0' @@ -17290,7 +19437,7 @@ - low_severity | bool - medium_disruption | bool - reboot_required | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83853-2 - DISA-STIG-RHEL-09-231195 @@ -17319,7 +19466,7 @@ - low_severity | bool - medium_disruption | bool - reboot_required | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83853-2 - DISA-STIG-RHEL-09-231195 @@ -17347,7 +19494,7 @@ - low_severity | bool - medium_disruption | bool - reboot_required | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86763-0 - NIST-800-171-3.4.6 @@ -17374,7 +19521,7 @@ - low_severity | bool - medium_disruption | bool - reboot_required | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86763-0 - NIST-800-171-3.4.6 @@ -17401,7 +19548,7 @@ - low_severity | bool - medium_disruption | bool - reboot_required | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86764-8 - NIST-800-171-3.4.6 
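Review bot: `mode: 384` in the new opasswd task is a bare integer that Ansible takes as decimal 384, i.e. 0600; that is the intended value, but a reader will mistake it for a wrong octal literal, and the `file` module documentation asks for a leading-zero or quoted form for exactly this reason, so `mode: '0600'` says the same thing unambiguously. `state: touch` creates the file when it is absent, which is acceptable here since `modification_time: preserve` and `access_time: preserve` keep the task idempotent. As a point of style, this task lists `tags:` before `when:`, the reverse of every other task visible in this diff.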
@@ -17428,7 +19575,7 @@
   - low_severity | bool
   - medium_disruption | bool
   - reboot_required | bool
-  - '"kernel" in ansible_facts.packages'
+  - '"kernel-core" in ansible_facts.packages'
   tags:
   - CCE-86764-8
   - NIST-800-171-3.4.6
@@ -17455,7 +19602,7 @@
   - low_severity | bool
   - medium_disruption | bool
   - reboot_required | bool
-  - '"kernel" in ansible_facts.packages'
+  - '"kernel-core" in ansible_facts.packages'
   tags:
   - CCE-86765-5
   - NIST-800-171-3.4.6
@@ -17482,7 +19629,7 @@
   - low_severity | bool
   - medium_disruption | bool
   - reboot_required | bool
-  - '"kernel" in ansible_facts.packages'
+  - '"kernel-core" in ansible_facts.packages'
   tags:
   - CCE-86765-5
   - NIST-800-171-3.4.6
@@ -17509,7 +19656,7 @@
   - low_severity | bool
   - medium_disruption | bool
   - reboot_required | bool
-  - '"kernel" in ansible_facts.packages'
+  - '"kernel-core" in ansible_facts.packages'
   tags:
   - CCE-86766-3
   - NIST-800-171-3.4.6
@@ -17536,7 +19683,7 @@
   - low_severity | bool
   - medium_disruption | bool
   - reboot_required | bool
-  - '"kernel" in ansible_facts.packages'
+  - '"kernel-core" in ansible_facts.packages'
   tags:
   - CCE-86766-3
   - NIST-800-171-3.4.6
@@ -17563,7 +19710,7 @@
   - low_severity | bool
   - medium_disruption | bool
   - reboot_required | bool
-  - '"kernel" in ansible_facts.packages'
+  - '"kernel-core" in ansible_facts.packages'
   tags:
   - CCE-83855-7
   - NIST-800-171-3.4.6
@@ -17590,7 +19737,7 @@
   - low_severity | bool
   - medium_disruption | bool
   - reboot_required | bool
-  - '"kernel" in ansible_facts.packages'
+  - '"kernel-core" in ansible_facts.packages'
   tags:
   - CCE-83855-7
   - NIST-800-171-3.4.6
@@ -17617,7 +19764,7 @@
   - low_severity | bool
   - medium_disruption | bool
   - reboot_required | bool
-  - '"kernel" in ansible_facts.packages'
+  - '"kernel-core" in ansible_facts.packages'
   tags:
   - CCE-83852-4
   - NIST-800-171-3.4.6
@@ -17644,7 +19791,7 @@ - low_severity | bool - medium_disruption | bool - reboot_required | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83852-4 - NIST-800-171-3.4.6 @@ -17671,7 +19818,7 @@ - medium_disruption | bool - medium_severity | bool - reboot_required | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83851-6 - DISA-STIG-RHEL-09-291010 @@ -17702,7 +19849,7 @@ - medium_disruption | bool - medium_severity | bool - reboot_required | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83851-6 - DISA-STIG-RHEL-09-291010 @@ -17725,6 +19872,7 @@ register: device_name failed_when: device_name.rc > 1 changed_when: false + check_mode: false when: - DISA_STIG_RHEL_09_231110 | bool - configure_strategy | bool @@ -17733,9 +19881,9 @@ - medium_severity | bool - mount_option_dev_shm_nodev | bool - no_reboot_needed | bool - - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages - and not "openshift-kubelet" in ansible_facts.packages ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", - "podman", "container"] ) ) + - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages + and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) tags: - CCE-83881-3 - DISA-STIG-RHEL-09-231110 
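Review bot: The rewritten platform guard on this mount-option task needs a comment, because nothing in the expression says why a host that has `kernel-core`, `rpm-ostree` and `bootc` installed and boots with an `ostree` kernel argument, or any container runtime, must be skipped; something like `# not applicable on bootc/ostree image-based hosts or inside containers` above the clause would do. If `ansible_proc_cmdline` can be absent on a target (facts not gathered, or /proc/cmdline unreadable), `"ostree" in ansible_proc_cmdline` raises an undefined-variable error instead of evaluating false; `ansible_proc_cmdline is defined and "ostree" in ansible_proc_cmdline` would skip instead, though the same caveat already applied to `ansible_virtualization_type`, so this may be accepted as is. The identical three-line expression is now repeated in every mount-option task through the end of this diff (the hunks on the lines that follow); computing it once into a fact such as `skip_mount_option_tasks` and testing that fact would make the intent readable and any future change a single edit.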
@@ -17766,9 +19914,9 @@ - medium_severity | bool - mount_option_dev_shm_nodev | bool - no_reboot_needed | bool - - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages - and not "openshift-kubelet" in ansible_facts.packages ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", - "podman", "container"] ) ) + - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages + and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) - device_name.stdout is defined and device_name.stdout_lines is defined - (device_name.stdout | length > 0) tags: @@ -17807,9 +19955,9 @@ - medium_severity | bool - mount_option_dev_shm_nodev | bool - no_reboot_needed | bool - - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages - and not "openshift-kubelet" in ansible_facts.packages ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", - "podman", "container"] ) ) + - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages + and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) - ("" | length == 0) - device_name.stdout is defined and device_name.stdout_lines is defined - (device_name.stdout | length == 0) 
@@ -17840,9 +19988,9 @@ - medium_severity | bool - mount_option_dev_shm_nodev | bool - no_reboot_needed | bool - - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages - and not "openshift-kubelet" in ansible_facts.packages ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", - "podman", "container"] ) ) + - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages + and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) - mount_info is defined and "nodev" not in mount_info.options tags: - CCE-83881-3 @@ -17875,9 +20023,9 @@ - medium_severity | bool - mount_option_dev_shm_nodev | bool - no_reboot_needed | bool - - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages - and not "openshift-kubelet" in ansible_facts.packages ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", - "podman", "container"] ) ) + - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages + and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) - mount_info is defined - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("" | length == 0) tags: @@ -17901,6 +20049,7 @@ register: device_name failed_when: device_name.rc > 1 changed_when: false + check_mode: false when: - DISA_STIG_RHEL_09_231115 | bool - configure_strategy | bool 
@@ -17909,9 +20058,9 @@ - medium_severity | bool - mount_option_dev_shm_noexec | bool - no_reboot_needed | bool - - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages - and not "openshift-kubelet" in ansible_facts.packages ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", - "podman", "container"] ) ) + - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages + and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) tags: - CCE-83857-3 - DISA-STIG-RHEL-09-231115 @@ -17942,9 +20091,9 @@ - medium_severity | bool - mount_option_dev_shm_noexec | bool - no_reboot_needed | bool - - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages - and not "openshift-kubelet" in ansible_facts.packages ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", - "podman", "container"] ) ) + - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages + and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) - device_name.stdout is defined and device_name.stdout_lines is defined - (device_name.stdout | length > 0) tags: 
@@ -17983,9 +20132,9 @@ - medium_severity | bool - mount_option_dev_shm_noexec | bool - no_reboot_needed | bool - - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages - and not "openshift-kubelet" in ansible_facts.packages ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", - "podman", "container"] ) ) + - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages + and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) - ("" | length == 0) - device_name.stdout is defined and device_name.stdout_lines is defined - (device_name.stdout | length == 0) @@ -18016,9 +20165,9 @@ - medium_severity | bool - mount_option_dev_shm_noexec | bool - no_reboot_needed | bool - - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages - and not "openshift-kubelet" in ansible_facts.packages ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", - "podman", "container"] ) ) + - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages + and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) - mount_info is defined and "noexec" not in mount_info.options tags: - CCE-83857-3 
@@ -18051,9 +20200,9 @@ - medium_severity | bool - mount_option_dev_shm_noexec | bool - no_reboot_needed | bool - - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages - and not "openshift-kubelet" in ansible_facts.packages ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", - "podman", "container"] ) ) + - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages + and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) - mount_info is defined - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("" | length == 0) tags: @@ -18077,6 +20226,7 @@ register: device_name failed_when: device_name.rc > 1 changed_when: false + check_mode: false when: - DISA_STIG_RHEL_09_231120 | bool - configure_strategy | bool @@ -18085,9 +20235,9 @@ - medium_severity | bool - mount_option_dev_shm_nosuid | bool - no_reboot_needed | bool - - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages - and not "openshift-kubelet" in ansible_facts.packages ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", - "podman", "container"] ) ) + - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages + and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) tags: - CCE-83891-2 - DISA-STIG-RHEL-09-231120 
@@ -18118,9 +20268,9 @@ - medium_severity | bool - mount_option_dev_shm_nosuid | bool - no_reboot_needed | bool - - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages - and not "openshift-kubelet" in ansible_facts.packages ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", - "podman", "container"] ) ) + - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages + and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) - device_name.stdout is defined and device_name.stdout_lines is defined - (device_name.stdout | length > 0) tags: @@ -18159,9 +20309,9 @@ - medium_severity | bool - mount_option_dev_shm_nosuid | bool - no_reboot_needed | bool - - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages - and not "openshift-kubelet" in ansible_facts.packages ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", - "podman", "container"] ) ) + - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages + and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) - ("" | length == 0) - device_name.stdout is defined and device_name.stdout_lines is defined - (device_name.stdout | length == 0) 
@@ -18192,9 +20342,9 @@ - medium_severity | bool - mount_option_dev_shm_nosuid | bool - no_reboot_needed | bool - - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages - and not "openshift-kubelet" in ansible_facts.packages ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", - "podman", "container"] ) ) + - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages + and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) - mount_info is defined and "nosuid" not in mount_info.options tags: - CCE-83891-2 @@ -18227,9 +20377,9 @@ - medium_severity | bool - mount_option_dev_shm_nosuid | bool - no_reboot_needed | bool - - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages - and not "openshift-kubelet" in ansible_facts.packages ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", - "podman", "container"] ) ) + - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages + and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) - mount_info is defined - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("" | length == 0) tags: @@ -18253,6 +20403,7 @@ register: device_name failed_when: device_name.rc > 1 changed_when: false + check_mode: false when: - DISA_STIG_RHEL_09_231045 | bool - configure_strategy | bool 
@@ -18261,9 +20412,9 @@ - mount_option_home_nodev | bool - no_reboot_needed | bool - unknown_severity | bool - - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages - and not "openshift-kubelet" in ansible_facts.packages ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", - "podman", "container"] ) ) + - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages + and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) - '"/home" in ansible_mounts | map(attribute="mount") | list' tags: - CCE-83871-4 @@ -18289,9 +20440,9 @@ - mount_option_home_nodev | bool - no_reboot_needed | bool - unknown_severity | bool - - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages - and not "openshift-kubelet" in ansible_facts.packages ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", - "podman", "container"] ) ) + - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages + and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) - '"/home" in ansible_mounts | map(attribute="mount") | list' - device_name.stdout is defined and device_name.stdout_lines is defined - (device_name.stdout | length > 0) 
@@ -18325,9 +20476,9 @@ - mount_option_home_nodev | bool - no_reboot_needed | bool - unknown_severity | bool - - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages - and not "openshift-kubelet" in ansible_facts.packages ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", - "podman", "container"] ) ) + - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages + and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) - '"/home" in ansible_mounts | map(attribute="mount") | list' - ("--fstab" | length == 0) - device_name.stdout is defined and device_name.stdout_lines is defined @@ -18353,9 +20504,9 @@ - mount_option_home_nodev | bool - no_reboot_needed | bool - unknown_severity | bool - - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages - and not "openshift-kubelet" in ansible_facts.packages ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", - "podman", "container"] ) ) + - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages + and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) - '"/home" in ansible_mounts | map(attribute="mount") | list' - mount_info is defined and "nodev" not in mount_info.options tags: 
@@ -18383,9 +20534,9 @@ - mount_option_home_nodev | bool - no_reboot_needed | bool - unknown_severity | bool - - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages - and not "openshift-kubelet" in ansible_facts.packages ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", - "podman", "container"] ) ) + - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages + and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) - '"/home" in ansible_mounts | map(attribute="mount") | list' - mount_info is defined - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0) @@ -18404,6 +20555,7 @@ register: device_name failed_when: device_name.rc > 1 changed_when: false + check_mode: false when: - DISA_STIG_RHEL_09_231050 | bool - configure_strategy | bool @@ -18412,9 +20564,9 @@ - medium_severity | bool - mount_option_home_nosuid | bool - no_reboot_needed | bool - - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages - and not "openshift-kubelet" in ansible_facts.packages ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", - "podman", "container"] ) ) + - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages + and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) - '"/home" in ansible_mounts | map(attribute="mount") | list' tags: - CCE-83894-6 
@@ -18446,9 +20598,9 @@
 - medium_severity | bool
 - mount_option_home_nosuid | bool
 - no_reboot_needed | bool
- - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
- and not "openshift-kubelet" in ansible_facts.packages ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz",
- "podman", "container"] ) )
+ - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
+ and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
 - '"/home" in ansible_mounts | map(attribute="mount") | list'
 - device_name.stdout is defined and device_name.stdout_lines is defined
 - (device_name.stdout | length > 0)
@@ -18488,9 +20640,9 @@
 - medium_severity | bool
 - mount_option_home_nosuid | bool
 - no_reboot_needed | bool
- - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
- and not "openshift-kubelet" in ansible_facts.packages ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz",
- "podman", "container"] ) )
+ - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
+ and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
 - '"/home" in ansible_mounts | map(attribute="mount") | list'
 - ("--fstab" | length == 0)
 - device_name.stdout is defined and device_name.stdout_lines is defined
@@ -18522,9 +20674,9 @@
 - medium_severity | bool
 - mount_option_home_nosuid | bool
 - no_reboot_needed | bool
- - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
- and not "openshift-kubelet" in ansible_facts.packages ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz",
- "podman", "container"] ) )
+ - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
+ and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
 - '"/home" in ansible_mounts | map(attribute="mount") | list'
 - mount_info is defined and "nosuid" not in mount_info.options
 tags:
@@ -18558,9 +20710,9 @@
 - medium_severity | bool
 - mount_option_home_nosuid | bool
 - no_reboot_needed | bool
- - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
- and not "openshift-kubelet" in ansible_facts.packages ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz",
- "podman", "container"] ) )
+ - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
+ and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
 - '"/home" in ansible_mounts | map(attribute="mount") | list'
 - mount_info is defined
 - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0)
@@ -18585,6 +20737,7 @@
 register: device_name
 failed_when: device_name.rc > 1
 changed_when: false
+ check_mode: false
 when:
 - DISA_STIG_RHEL_09_231125 | bool
 - configure_strategy | bool
@@ -18593,9 +20746,9 @@
 - medium_severity | bool
 - mount_option_tmp_nodev | bool
 - no_reboot_needed | bool
- - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
- and not "openshift-kubelet" in ansible_facts.packages ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz",
- "podman", "container"] ) )
+ - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
+ and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
 - '"/tmp" in ansible_mounts | map(attribute="mount") | list'
 tags:
 - CCE-83869-8
@@ -18627,9 +20780,9 @@
 - medium_severity | bool
 - mount_option_tmp_nodev | bool
 - no_reboot_needed | bool
- - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
- and not "openshift-kubelet" in ansible_facts.packages ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz",
- "podman", "container"] ) )
+ - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
+ and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
 - '"/tmp" in ansible_mounts | map(attribute="mount") | list'
 - device_name.stdout is defined and device_name.stdout_lines is defined
 - (device_name.stdout | length > 0)
@@ -18669,9 +20822,9 @@
 - medium_severity | bool
 - mount_option_tmp_nodev | bool
 - no_reboot_needed | bool
- - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
- and not "openshift-kubelet" in ansible_facts.packages ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz",
- "podman", "container"] ) )
+ - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
+ and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
 - '"/tmp" in ansible_mounts | map(attribute="mount") | list'
 - ("--fstab" | length == 0)
 - device_name.stdout is defined and device_name.stdout_lines is defined
@@ -18703,9 +20856,9 @@
 - medium_severity | bool
 - mount_option_tmp_nodev | bool
 - no_reboot_needed | bool
- - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
- and not "openshift-kubelet" in ansible_facts.packages ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz",
- "podman", "container"] ) )
+ - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
+ and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
 - '"/tmp" in ansible_mounts | map(attribute="mount") | list'
 - mount_info is defined and "nodev" not in mount_info.options
 tags:
@@ -18739,9 +20892,9 @@
 - medium_severity | bool
 - mount_option_tmp_nodev | bool
 - no_reboot_needed | bool
- - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
- and not "openshift-kubelet" in ansible_facts.packages ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz",
- "podman", "container"] ) )
+ - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
+ and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
 - '"/tmp" in ansible_mounts | map(attribute="mount") | list'
 - mount_info is defined
 - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0)
@@ -18766,6 +20919,7 @@
 register: device_name
 failed_when: device_name.rc > 1
 changed_when: false
+ check_mode: false
 when:
 - DISA_STIG_RHEL_09_231130 | bool
 - configure_strategy | bool
@@ -18774,9 +20928,9 @@
 - medium_severity | bool
 - mount_option_tmp_noexec | bool
 - no_reboot_needed | bool
- - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
- and not "openshift-kubelet" in ansible_facts.packages ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz",
- "podman", "container"] ) )
+ - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
+ and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
 - '"/tmp" in ansible_mounts | map(attribute="mount") | list'
 tags:
 - CCE-83885-4
@@ -18808,9 +20962,9 @@
 - medium_severity | bool
 - mount_option_tmp_noexec | bool
 - no_reboot_needed | bool
- - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
- and not "openshift-kubelet" in ansible_facts.packages ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz",
- "podman", "container"] ) )
+ - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
+ and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
 - '"/tmp" in ansible_mounts | map(attribute="mount") | list'
 - device_name.stdout is defined and device_name.stdout_lines is defined
 - (device_name.stdout | length > 0)
@@ -18850,9 +21004,9 @@
 - medium_severity | bool
 - mount_option_tmp_noexec | bool
 - no_reboot_needed | bool
- - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
- and not "openshift-kubelet" in ansible_facts.packages ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz",
- "podman", "container"] ) )
+ - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
+ and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
 - '"/tmp" in ansible_mounts | map(attribute="mount") | list'
 - ("--fstab" | length == 0)
 - device_name.stdout is defined and device_name.stdout_lines is defined
@@ -18884,9 +21038,9 @@
 - medium_severity | bool
 - mount_option_tmp_noexec | bool
 - no_reboot_needed | bool
- - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
- and not "openshift-kubelet" in ansible_facts.packages ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz",
- "podman", "container"] ) )
+ - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
+ and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
 - '"/tmp" in ansible_mounts | map(attribute="mount") | list'
 - mount_info is defined and "noexec" not in mount_info.options
 tags:
@@ -18920,9 +21074,9 @@
 - medium_severity | bool
 - mount_option_tmp_noexec | bool
 - no_reboot_needed | bool
- - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
- and not "openshift-kubelet" in ansible_facts.packages ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz",
- "podman", "container"] ) )
+ - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
+ and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
 - '"/tmp" in ansible_mounts | map(attribute="mount") | list'
 - mount_info is defined
 - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0)
@@ -18947,6 +21101,7 @@
 register: device_name
 failed_when: device_name.rc > 1
 changed_when: false
+ check_mode: false
 when:
 - DISA_STIG_RHEL_09_231135 | bool
 - configure_strategy | bool
@@ -18955,9 +21110,9 @@
 - medium_severity | bool
 - mount_option_tmp_nosuid | bool
 - no_reboot_needed | bool
- - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
- and not "openshift-kubelet" in ansible_facts.packages ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz",
- "podman", "container"] ) )
+ - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
+ and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
 - '"/tmp" in ansible_mounts | map(attribute="mount") | list'
 tags:
 - CCE-83872-2
@@ -18989,9 +21144,9 @@
 - medium_severity | bool
 - mount_option_tmp_nosuid | bool
 - no_reboot_needed | bool
- - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
- and not "openshift-kubelet" in ansible_facts.packages ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz",
- "podman", "container"] ) )
+ - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
+ and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
 - '"/tmp" in ansible_mounts | map(attribute="mount") | list'
 - device_name.stdout is defined and device_name.stdout_lines is defined
 - (device_name.stdout | length > 0)
@@ -19031,9 +21186,9 @@
 - medium_severity | bool
 - mount_option_tmp_nosuid | bool
 - no_reboot_needed | bool
- - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
- and not "openshift-kubelet" in ansible_facts.packages ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz",
- "podman", "container"] ) )
+ - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
+ and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
 - '"/tmp" in ansible_mounts | map(attribute="mount") | list'
 - ("--fstab" | length == 0)
 - device_name.stdout is defined and device_name.stdout_lines is defined
@@ -19065,9 +21220,9 @@
 - medium_severity | bool
 - mount_option_tmp_nosuid | bool
 - no_reboot_needed | bool
- - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
- and not "openshift-kubelet" in ansible_facts.packages ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz",
- "podman", "container"] ) )
+ - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
+ and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
 - '"/tmp" in ansible_mounts | map(attribute="mount") | list'
 - mount_info is defined and "nosuid" not in mount_info.options
 tags:
@@ -19101,9 +21256,9 @@
 - medium_severity | bool
 - mount_option_tmp_nosuid | bool
 - no_reboot_needed | bool
- - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
- and not "openshift-kubelet" in ansible_facts.packages ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz",
- "podman", "container"] ) )
+ - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
+ and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
 - '"/tmp" in ansible_mounts | map(attribute="mount") | list'
 - mount_info is defined
 - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0)
@@ -19128,6 +21283,7 @@
 register: device_name
 failed_when: device_name.rc > 1
 changed_when: false
+ check_mode: false
 when:
 - DISA_STIG_RHEL_09_231160 | bool
 - configure_strategy | bool
@@ -19136,9 +21292,9 @@
 - medium_severity | bool
 - mount_option_var_log_audit_nodev | bool
 - no_reboot_needed | bool
- - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
- and not "openshift-kubelet" in ansible_facts.packages ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz",
- "podman", "container"] ) )
+ - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
+ and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
 - '"/var/log/audit" in ansible_mounts | map(attribute="mount") | list'
 tags:
 - CCE-83882-1
@@ -19170,9 +21326,9 @@
 - medium_severity | bool
 - mount_option_var_log_audit_nodev | bool
 - no_reboot_needed | bool
- - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
- and not "openshift-kubelet" in ansible_facts.packages ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz",
- "podman", "container"] ) )
+ - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
+ and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
 - '"/var/log/audit" in ansible_mounts | map(attribute="mount") | list'
 - device_name.stdout is defined and device_name.stdout_lines is defined
 - (device_name.stdout | length > 0)
@@ -19212,9 +21368,9 @@
 - medium_severity | bool
 - mount_option_var_log_audit_nodev | bool
 - no_reboot_needed | bool
- - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
- and not "openshift-kubelet" in ansible_facts.packages ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz",
- "podman", "container"] ) )
+ - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
+ and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
 - '"/var/log/audit" in ansible_mounts | map(attribute="mount") | list'
 - ("--fstab" | length == 0)
 - device_name.stdout is defined and device_name.stdout_lines is defined
@@ -19246,9 +21402,9 @@
 - medium_severity | bool
 - mount_option_var_log_audit_nodev | bool
 - no_reboot_needed | bool
- - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
- and not "openshift-kubelet" in ansible_facts.packages ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz",
- "podman", "container"] ) )
+ - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
+ and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
 - '"/var/log/audit" in ansible_mounts | map(attribute="mount") | list'
 - mount_info is defined and "nodev" not in mount_info.options
 tags:
@@ -19282,9 +21438,9 @@
 - medium_severity | bool
 - mount_option_var_log_audit_nodev | bool
 - no_reboot_needed | bool
- - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
- and not "openshift-kubelet" in ansible_facts.packages ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz",
- "podman", "container"] ) )
+ - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
+ and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
 - '"/var/log/audit" in ansible_mounts | map(attribute="mount") | list'
 - mount_info is defined
 - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0)
@@ -19309,6 +21465,7 @@
 register: device_name
 failed_when: device_name.rc > 1
 changed_when: false
+ check_mode: false
 when:
 - DISA_STIG_RHEL_09_231165 | bool
 - configure_strategy | bool
@@ -19317,9 +21474,9 @@
 - medium_severity | bool
 - mount_option_var_log_audit_noexec | bool
 - no_reboot_needed | bool
- - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
- and not "openshift-kubelet" in ansible_facts.packages ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz",
- "podman", "container"] ) )
+ - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
+ and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
 - '"/var/log/audit" in ansible_mounts | map(attribute="mount") | list'
 tags:
 - CCE-83878-9
@@ -19351,9 +21508,9 @@
 - medium_severity | bool
 - mount_option_var_log_audit_noexec | bool
 - no_reboot_needed | bool
- - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
- and not "openshift-kubelet" in ansible_facts.packages ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz",
- "podman", "container"] ) )
+ - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
+ and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
 - '"/var/log/audit" in ansible_mounts | map(attribute="mount") | list'
 - device_name.stdout is defined and device_name.stdout_lines is defined
 - (device_name.stdout | length > 0)
@@ -19393,9 +21550,9 @@
 - medium_severity | bool
 - mount_option_var_log_audit_noexec | bool
 - no_reboot_needed | bool
- - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
- and not "openshift-kubelet" in ansible_facts.packages ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz",
- "podman", "container"] ) )
+ - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
+ and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
 - '"/var/log/audit" in ansible_mounts | map(attribute="mount") | list'
 - ("--fstab" | length == 0)
 - device_name.stdout is defined and device_name.stdout_lines is defined
@@ -19427,9 +21584,9 @@
 - medium_severity | bool
 - mount_option_var_log_audit_noexec | bool
 - no_reboot_needed | bool
- - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
- and not "openshift-kubelet" in ansible_facts.packages ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz",
- "podman", "container"] ) )
+ - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
+ and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
 - '"/var/log/audit" in ansible_mounts | map(attribute="mount") | list'
 - mount_info is defined and "noexec" not in mount_info.options
 tags:
@@ -19463,9 +21620,9 @@
 - medium_severity | bool
 - mount_option_var_log_audit_noexec | bool
 - no_reboot_needed | bool
- - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
- and not "openshift-kubelet" in ansible_facts.packages ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz",
- "podman", "container"] ) )
+ - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
+ and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
 - '"/var/log/audit" in ansible_mounts | map(attribute="mount") | list'
 - mount_info is defined
 - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0)
@@ -19490,6 +21647,7 @@
 register: device_name
 failed_when: device_name.rc > 1
 changed_when: false
+ check_mode: false
 when:
 - DISA_STIG_RHEL_09_231170 | bool
 - configure_strategy | bool
@@ -19498,9 +21656,9 @@
 - medium_severity | bool
 - mount_option_var_log_audit_nosuid | bool
 - no_reboot_needed | bool
- - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
- and not "openshift-kubelet" in ansible_facts.packages ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz",
- "podman", "container"] ) )
+ - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
+ and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
 - '"/var/log/audit" in ansible_mounts | map(attribute="mount") | list'
 tags:
 - CCE-83893-8
@@ -19532,9 +21690,9 @@
 - medium_severity | bool
 - mount_option_var_log_audit_nosuid | bool
 - no_reboot_needed | bool
- - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
- and not "openshift-kubelet" in ansible_facts.packages ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz",
- "podman", "container"] ) )
+ - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
+ and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
 - '"/var/log/audit" in ansible_mounts | map(attribute="mount") | list'
 - device_name.stdout is defined and device_name.stdout_lines is defined
 - (device_name.stdout | length > 0)
@@ -19574,9 +21732,9 @@
 - medium_severity | bool
 - mount_option_var_log_audit_nosuid | bool
 - no_reboot_needed | bool
- - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
- and not "openshift-kubelet" in ansible_facts.packages ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz",
- "podman", "container"] ) )
+ - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
+ and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
 - '"/var/log/audit" in ansible_mounts | map(attribute="mount") | list'
 - ("--fstab" | length == 0)
 - device_name.stdout is defined and device_name.stdout_lines is defined
@@ -19608,9 +21766,9 @@
 - medium_severity | bool
 - mount_option_var_log_audit_nosuid | bool
 - no_reboot_needed | bool
- - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
- and not "openshift-kubelet" in ansible_facts.packages ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz",
- "podman", "container"] ) )
+ - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
+ and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
 - '"/var/log/audit" in ansible_mounts | map(attribute="mount") | list'
 - mount_info is defined and "nosuid" not in mount_info.options
 tags:
@@ -19644,9 +21802,9 @@
 - medium_severity | bool
 - mount_option_var_log_audit_nosuid | bool
 - no_reboot_needed | bool
- - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
- and not "openshift-kubelet" in ansible_facts.packages ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz",
- "podman", "container"] ) )
+ - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
+ and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
 - '"/var/log/audit" in ansible_mounts | map(attribute="mount") | list'
 - mount_info is defined
 - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0)
@@ -19671,6 +21829,7 @@
 register: device_name
 failed_when: device_name.rc > 1
 changed_when: false
+ check_mode: false
 when:
 - DISA_STIG_RHEL_09_231145 | bool
 - configure_strategy | bool
@@ -19679,9 +21838,9 @@
 - medium_severity | bool
 - mount_option_var_log_nodev | bool
 - no_reboot_needed | bool
- - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
- and not "openshift-kubelet" in ansible_facts.packages ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz",
- "podman", "container"] ) )
+ - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
+ and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
 - '"/var/log" in ansible_mounts | map(attribute="mount") | list'
 tags:
 - CCE-83886-2
@@ -19713,9 +21872,9 @@
 - medium_severity | bool
 - mount_option_var_log_nodev | bool
 - no_reboot_needed | bool
- - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
- and not "openshift-kubelet" in ansible_facts.packages ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz",
- "podman", "container"] ) )
+ - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
+ and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
+ in ["docker", "lxc", "openvz", "podman", "container"] ) )
 - '"/var/log" in ansible_mounts | map(attribute="mount") | list'
 - device_name.stdout is defined and device_name.stdout_lines is defined
 - (device_name.stdout | length > 0)
@@ -19755,9 +21914,9 @@ - medium_severity | bool - mount_option_var_log_nodev | bool - no_reboot_needed | bool - - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages - and not "openshift-kubelet" in ansible_facts.packages ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", - "podman", "container"] ) ) + - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages + and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) - '"/var/log" in ansible_mounts | map(attribute="mount") | list' - ("--fstab" | length == 0) - device_name.stdout is defined and device_name.stdout_lines is defined @@ -19789,9 +21948,9 @@ - medium_severity | bool - mount_option_var_log_nodev | bool - no_reboot_needed | bool - - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages - and not "openshift-kubelet" in ansible_facts.packages ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", - "podman", "container"] ) ) + - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages + and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) - '"/var/log" in ansible_mounts | map(attribute="mount") | list' - mount_info is defined and "nodev" not in mount_info.options tags: 
@@ -19825,9 +21984,9 @@ - medium_severity | bool - mount_option_var_log_nodev | bool - no_reboot_needed | bool - - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages - and not "openshift-kubelet" in ansible_facts.packages ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", - "podman", "container"] ) ) + - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages + and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) - '"/var/log" in ansible_mounts | map(attribute="mount") | list' - mount_info is defined - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0) @@ -19852,6 +22011,7 @@ register: device_name failed_when: device_name.rc > 1 changed_when: false + check_mode: false when: - DISA_STIG_RHEL_09_231150 | bool - configure_strategy | bool @@ -19860,9 +22020,9 @@ - medium_severity | bool - mount_option_var_log_noexec | bool - no_reboot_needed | bool - - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages - and not "openshift-kubelet" in ansible_facts.packages ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", - "podman", "container"] ) ) + - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages + and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) - '"/var/log" in ansible_mounts | map(attribute="mount") | list' tags: - CCE-83887-0 
@@ -19894,9 +22054,9 @@ - medium_severity | bool - mount_option_var_log_noexec | bool - no_reboot_needed | bool - - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages - and not "openshift-kubelet" in ansible_facts.packages ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", - "podman", "container"] ) ) + - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages + and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) - '"/var/log" in ansible_mounts | map(attribute="mount") | list' - device_name.stdout is defined and device_name.stdout_lines is defined - (device_name.stdout | length > 0) @@ -19936,9 +22096,9 @@ - medium_severity | bool - mount_option_var_log_noexec | bool - no_reboot_needed | bool - - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages - and not "openshift-kubelet" in ansible_facts.packages ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", - "podman", "container"] ) ) + - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages + and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) - '"/var/log" in ansible_mounts | map(attribute="mount") | list' - ("--fstab" | length == 0) - device_name.stdout is defined and device_name.stdout_lines is defined 
@@ -19970,9 +22130,9 @@ - medium_severity | bool - mount_option_var_log_noexec | bool - no_reboot_needed | bool - - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages - and not "openshift-kubelet" in ansible_facts.packages ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", - "podman", "container"] ) ) + - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages + and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) - '"/var/log" in ansible_mounts | map(attribute="mount") | list' - mount_info is defined and "noexec" not in mount_info.options tags: @@ -20006,9 +22166,9 @@ - medium_severity | bool - mount_option_var_log_noexec | bool - no_reboot_needed | bool - - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages - and not "openshift-kubelet" in ansible_facts.packages ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", - "podman", "container"] ) ) + - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages + and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) - '"/var/log" in ansible_mounts | map(attribute="mount") | list' - mount_info is defined - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0) @@ -20033,6 +22193,7 @@ register: device_name failed_when: device_name.rc > 1 changed_when: false + check_mode: false when: - DISA_STIG_RHEL_09_231155 | bool - configure_strategy | bool 
@@ -20041,9 +22202,9 @@ - medium_severity | bool - mount_option_var_log_nosuid | bool - no_reboot_needed | bool - - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages - and not "openshift-kubelet" in ansible_facts.packages ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", - "podman", "container"] ) ) + - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages + and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) - '"/var/log" in ansible_mounts | map(attribute="mount") | list' tags: - CCE-83870-6 @@ -20075,9 +22236,9 @@ - medium_severity | bool - mount_option_var_log_nosuid | bool - no_reboot_needed | bool - - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages - and not "openshift-kubelet" in ansible_facts.packages ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", - "podman", "container"] ) ) + - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages + and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) - '"/var/log" in ansible_mounts | map(attribute="mount") | list' - device_name.stdout is defined and device_name.stdout_lines is defined - (device_name.stdout | length > 0) 
@@ -20117,9 +22278,9 @@ - medium_severity | bool - mount_option_var_log_nosuid | bool - no_reboot_needed | bool - - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages - and not "openshift-kubelet" in ansible_facts.packages ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", - "podman", "container"] ) ) + - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages + and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) - '"/var/log" in ansible_mounts | map(attribute="mount") | list' - ("--fstab" | length == 0) - device_name.stdout is defined and device_name.stdout_lines is defined @@ -20151,9 +22312,9 @@ - medium_severity | bool - mount_option_var_log_nosuid | bool - no_reboot_needed | bool - - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages - and not "openshift-kubelet" in ansible_facts.packages ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", - "podman", "container"] ) ) + - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages + and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) - '"/var/log" in ansible_mounts | map(attribute="mount") | list' - mount_info is defined and "nosuid" not in mount_info.options tags: 
@@ -20187,9 +22348,9 @@ - medium_severity | bool - mount_option_var_log_nosuid | bool - no_reboot_needed | bool - - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages - and not "openshift-kubelet" in ansible_facts.packages ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", - "podman", "container"] ) ) + - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages + and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) - '"/var/log" in ansible_mounts | map(attribute="mount") | list' - mount_info is defined - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0) @@ -20214,6 +22375,7 @@ register: device_name failed_when: device_name.rc > 1 changed_when: false + check_mode: false when: - DISA_STIG_RHEL_09_231140 | bool - configure_strategy | bool @@ -20222,9 +22384,9 @@ - medium_severity | bool - mount_option_var_nodev | bool - no_reboot_needed | bool - - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages - and not "openshift-kubelet" in ansible_facts.packages ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", - "podman", "container"] ) ) + - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages + and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) - '"/var" in ansible_mounts | map(attribute="mount") | list' tags: - CCE-83868-0 
@@ -20256,9 +22418,9 @@ - medium_severity | bool - mount_option_var_nodev | bool - no_reboot_needed | bool - - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages - and not "openshift-kubelet" in ansible_facts.packages ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", - "podman", "container"] ) ) + - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages + and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) - '"/var" in ansible_mounts | map(attribute="mount") | list' - device_name.stdout is defined and device_name.stdout_lines is defined - (device_name.stdout | length > 0) @@ -20298,9 +22460,9 @@ - medium_severity | bool - mount_option_var_nodev | bool - no_reboot_needed | bool - - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages - and not "openshift-kubelet" in ansible_facts.packages ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", - "podman", "container"] ) ) + - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages + and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) - '"/var" in ansible_mounts | map(attribute="mount") | list' - ("--fstab" | length == 0) - device_name.stdout is defined and device_name.stdout_lines is defined 
@@ -20332,9 +22494,9 @@ - medium_severity | bool - mount_option_var_nodev | bool - no_reboot_needed | bool - - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages - and not "openshift-kubelet" in ansible_facts.packages ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", - "podman", "container"] ) ) + - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages + and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) - '"/var" in ansible_mounts | map(attribute="mount") | list' - mount_info is defined and "nodev" not in mount_info.options tags: @@ -20368,9 +22530,9 @@ - medium_severity | bool - mount_option_var_nodev | bool - no_reboot_needed | bool - - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages - and not "openshift-kubelet" in ansible_facts.packages ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", - "podman", "container"] ) ) + - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages + and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) - '"/var" in ansible_mounts | map(attribute="mount") | list' - mount_info is defined - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0) @@ -20395,6 +22557,7 @@ register: device_name failed_when: device_name.rc > 1 changed_when: false + check_mode: false when: - configure_strategy | bool - high_disruption | bool 
@@ -20402,9 +22565,9 @@ - medium_severity | bool - mount_option_var_nosuid | bool - no_reboot_needed | bool - - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages - and not "openshift-kubelet" in ansible_facts.packages ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", - "podman", "container"] ) ) + - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages + and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) - '"/var" in ansible_mounts | map(attribute="mount") | list' tags: - CCE-83867-2 @@ -20428,9 +22591,9 @@ - medium_severity | bool - mount_option_var_nosuid | bool - no_reboot_needed | bool - - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages - and not "openshift-kubelet" in ansible_facts.packages ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", - "podman", "container"] ) ) + - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages + and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) - '"/var" in ansible_mounts | map(attribute="mount") | list' - device_name.stdout is defined and device_name.stdout_lines is defined - (device_name.stdout | length > 0) 
@@ -20462,9 +22625,9 @@ - medium_severity | bool - mount_option_var_nosuid | bool - no_reboot_needed | bool - - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages - and not "openshift-kubelet" in ansible_facts.packages ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", - "podman", "container"] ) ) + - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages + and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) - '"/var" in ansible_mounts | map(attribute="mount") | list' - ("--fstab" | length == 0) - device_name.stdout is defined and device_name.stdout_lines is defined @@ -20488,9 +22651,9 @@ - medium_severity | bool - mount_option_var_nosuid | bool - no_reboot_needed | bool - - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages - and not "openshift-kubelet" in ansible_facts.packages ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", - "podman", "container"] ) ) + - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages + and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) - '"/var" in ansible_mounts | map(attribute="mount") | list' - mount_info is defined and "nosuid" not in mount_info.options tags: 
@@ -20516,9 +22679,9 @@ - medium_severity | bool - mount_option_var_nosuid | bool - no_reboot_needed | bool - - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages - and not "openshift-kubelet" in ansible_facts.packages ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", - "podman", "container"] ) ) + - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages + and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) - '"/var" in ansible_mounts | map(attribute="mount") | list' - mount_info is defined - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0) @@ -20536,6 +22699,7 @@ register: device_name failed_when: device_name.rc > 1 changed_when: false + check_mode: false when: - DISA_STIG_RHEL_09_231175 | bool - configure_strategy | bool @@ -20544,9 +22708,9 @@ - medium_severity | bool - mount_option_var_tmp_nodev | bool - no_reboot_needed | bool - - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages - and not "openshift-kubelet" in ansible_facts.packages ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", - "podman", "container"] ) ) + - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages + and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) - '"/var/tmp" in ansible_mounts | map(attribute="mount") | list' tags: - CCE-83864-9 
@@ -20572,9 +22736,9 @@ - medium_severity | bool - mount_option_var_tmp_nodev | bool - no_reboot_needed | bool - - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages - and not "openshift-kubelet" in ansible_facts.packages ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", - "podman", "container"] ) ) + - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages + and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) - '"/var/tmp" in ansible_mounts | map(attribute="mount") | list' - device_name.stdout is defined and device_name.stdout_lines is defined - (device_name.stdout | length > 0) @@ -20608,9 +22772,9 @@ - medium_severity | bool - mount_option_var_tmp_nodev | bool - no_reboot_needed | bool - - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages - and not "openshift-kubelet" in ansible_facts.packages ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", - "podman", "container"] ) ) + - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages + and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) - '"/var/tmp" in ansible_mounts | map(attribute="mount") | list' - ("--fstab" | length == 0) - device_name.stdout is defined and device_name.stdout_lines is defined 
@@ -20636,9 +22800,9 @@ - medium_severity | bool - mount_option_var_tmp_nodev | bool - no_reboot_needed | bool - - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages - and not "openshift-kubelet" in ansible_facts.packages ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", - "podman", "container"] ) ) + - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages + and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) - '"/var/tmp" in ansible_mounts | map(attribute="mount") | list' - mount_info is defined and "nodev" not in mount_info.options tags: @@ -20666,9 +22830,9 @@ - medium_severity | bool - mount_option_var_tmp_nodev | bool - no_reboot_needed | bool - - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages - and not "openshift-kubelet" in ansible_facts.packages ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", - "podman", "container"] ) ) + - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages + and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) - '"/var/tmp" in ansible_mounts | map(attribute="mount") | list' - mount_info is defined - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0) @@ -20687,6 +22851,7 @@ register: device_name failed_when: device_name.rc > 1 changed_when: false + check_mode: false when: - DISA_STIG_RHEL_09_231180 | bool - configure_strategy | bool 
@@ -20695,9 +22860,9 @@ - medium_severity | bool - mount_option_var_tmp_noexec | bool - no_reboot_needed | bool - - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages - and not "openshift-kubelet" in ansible_facts.packages ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", - "podman", "container"] ) ) + - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages + and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) - '"/var/tmp" in ansible_mounts | map(attribute="mount") | list' tags: - CCE-83866-4 @@ -20723,9 +22888,9 @@ - medium_severity | bool - mount_option_var_tmp_noexec | bool - no_reboot_needed | bool - - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages - and not "openshift-kubelet" in ansible_facts.packages ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", - "podman", "container"] ) ) + - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages + and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) - '"/var/tmp" in ansible_mounts | map(attribute="mount") | list' - device_name.stdout is defined and device_name.stdout_lines is defined - (device_name.stdout | length > 0) 
@@ -20759,9 +22924,9 @@ - medium_severity | bool - mount_option_var_tmp_noexec | bool - no_reboot_needed | bool - - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages - and not "openshift-kubelet" in ansible_facts.packages ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", - "podman", "container"] ) ) + - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages + and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) - '"/var/tmp" in ansible_mounts | map(attribute="mount") | list' - ("--fstab" | length == 0) - device_name.stdout is defined and device_name.stdout_lines is defined @@ -20787,9 +22952,9 @@ - medium_severity | bool - mount_option_var_tmp_noexec | bool - no_reboot_needed | bool - - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages - and not "openshift-kubelet" in ansible_facts.packages ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", - "podman", "container"] ) ) + - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages + and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) - '"/var/tmp" in ansible_mounts | map(attribute="mount") | list' - mount_info is defined and "noexec" not in mount_info.options tags: 
@@ -20817,9 +22982,9 @@ - medium_severity | bool - mount_option_var_tmp_noexec | bool - no_reboot_needed | bool - - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages - and not "openshift-kubelet" in ansible_facts.packages ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", - "podman", "container"] ) ) + - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages + and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) - '"/var/tmp" in ansible_mounts | map(attribute="mount") | list' - mount_info is defined - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0) @@ -20838,6 +23003,7 @@ register: device_name failed_when: device_name.rc > 1 changed_when: false + check_mode: false when: - DISA_STIG_RHEL_09_231185 | bool - configure_strategy | bool @@ -20846,9 +23012,9 @@ - medium_severity | bool - mount_option_var_tmp_nosuid | bool - no_reboot_needed | bool - - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages - and not "openshift-kubelet" in ansible_facts.packages ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", - "podman", "container"] ) ) + - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages + and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) - '"/var/tmp" in ansible_mounts | map(attribute="mount") | list' tags: - CCE-83863-1 
@@ -20874,9 +23040,9 @@ - medium_severity | bool - mount_option_var_tmp_nosuid | bool - no_reboot_needed | bool - - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages - and not "openshift-kubelet" in ansible_facts.packages ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", - "podman", "container"] ) ) + - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages + and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) - '"/var/tmp" in ansible_mounts | map(attribute="mount") | list' - device_name.stdout is defined and device_name.stdout_lines is defined - (device_name.stdout | length > 0) @@ -20910,9 +23076,9 @@ - medium_severity | bool - mount_option_var_tmp_nosuid | bool - no_reboot_needed | bool - - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages - and not "openshift-kubelet" in ansible_facts.packages ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", - "podman", "container"] ) ) + - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages + and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) - '"/var/tmp" in ansible_mounts | map(attribute="mount") | list' - ("--fstab" | length == 0) - device_name.stdout is defined and device_name.stdout_lines is defined 
@@ -20938,9 +23104,9 @@ - medium_severity | bool - mount_option_var_tmp_nosuid | bool - no_reboot_needed | bool - - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages - and not "openshift-kubelet" in ansible_facts.packages ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", - "podman", "container"] ) ) + - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages + and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) - '"/var/tmp" in ansible_mounts | map(attribute="mount") | list' - mount_info is defined and "nosuid" not in mount_info.options tags: @@ -20968,9 +23134,9 @@ - medium_severity | bool - mount_option_var_tmp_nosuid | bool - no_reboot_needed | bool - - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages - and not "openshift-kubelet" in ansible_facts.packages ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", - "podman", "container"] ) ) + - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages + and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type + in ["docker", "lxc", "openvz", "podman", "container"] ) ) - '"/var/tmp" in ansible_mounts | map(attribute="mount") | list' - mount_info is defined - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0) 
@@ -20984,16 +23150,12 @@ - mount_option_var_tmp_nosuid - no_reboot_needed -- name: List /etc/sysctl.d/*.conf files - ansible.builtin.find: - paths: +- name: Restrict usage of ptrace to descendant processes - Set fact for sysctl paths + ansible.builtin.set_fact: + sysctl_paths: - /etc/sysctl.d/ - /run/sysctl.d/ - /usr/local/lib/sysctl.d/ - contains: ^[\s]*kernel.yama.ptrace_scope.*$ - patterns: '*.conf' - file_type: any - register: find_sysctl_d when: - DISA_STIG_RHEL_09_213080 | bool - disable_strategy | bool @@ -21002,7 +23164,7 @@ - medium_severity | bool - reboot_required | bool - sysctl_kernel_yama_ptrace_scope | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83965-4 - DISA-STIG-RHEL-09-213080 
@@ -21014,12 +23176,67 @@ - reboot_required - sysctl_kernel_yama_ptrace_scope -- name: Comment out any occurrences of kernel.yama.ptrace_scope from config files +- name: Restrict usage of ptrace to descendant processes - Find all files that contain kernel.yama.ptrace_scope + ansible.builtin.shell: + cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*kernel.yama.ptrace_scope\s*=\s*.*$' + register: find_all_values + check_mode: false + changed_when: false + failed_when: false + when: + - DISA_STIG_RHEL_09_213080 | bool + - disable_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - reboot_required | bool + - sysctl_kernel_yama_ptrace_scope | bool + - '"kernel-core" in ansible_facts.packages' + tags: + - CCE-83965-4 + - DISA-STIG-RHEL-09-213080 + - NIST-800-53-SC-7(10) + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_kernel_yama_ptrace_scope + +- name: Restrict usage of ptrace to descendant processes - Find all files that set kernel.yama.ptrace_scope to correct value + ansible.builtin.shell: + cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*kernel.yama.ptrace_scope\s*=\s*1$' + register: find_correct_value + check_mode: false + changed_when: false + failed_when: false + when: + - DISA_STIG_RHEL_09_213080 | bool + - disable_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - reboot_required | bool + - sysctl_kernel_yama_ptrace_scope | bool + - '"kernel-core" in ansible_facts.packages' + tags: + - CCE-83965-4 + - DISA-STIG-RHEL-09-213080 + - NIST-800-53-SC-7(10) + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_kernel_yama_ptrace_scope + +- name: Restrict usage of ptrace to descendant processes - Comment out any occurrences of kernel.yama.ptrace_scope from config + files 
ansible.builtin.replace: - path: '{{ item.path }}' + path: '{{ item | split(":") | first }}' regexp: ^[\s]*kernel.yama.ptrace_scope replace: '#kernel.yama.ptrace_scope' - loop: '{{ find_sysctl_d.files }}' + loop: '{{ find_all_values.stdout_lines }}' when: - DISA_STIG_RHEL_09_213080 | bool - disable_strategy | bool @@ -21028,7 +23245,9 @@ - medium_severity | bool - reboot_required | bool - sysctl_kernel_yama_ptrace_scope | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' + - find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines | length > find_correct_value.stdout_lines + | length tags: - CCE-83965-4 - DISA-STIG-RHEL-09-213080 @@ -21040,7 +23259,7 @@ - reboot_required - sysctl_kernel_yama_ptrace_scope -- name: Ensure sysctl kernel.yama.ptrace_scope is set to 1 +- name: Restrict usage of ptrace to descendant processes - Ensure sysctl kernel.yama.ptrace_scope is set to 1 ansible.posix.sysctl: name: kernel.yama.ptrace_scope value: '1' @@ -21055,7 +23274,7 @@ - medium_severity | bool - reboot_required | bool - sysctl_kernel_yama_ptrace_scope | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83965-4 - DISA-STIG-RHEL-09-213080 @@ -21088,6 +23307,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool + - '"kernel-core" in ansible_facts.packages' - '"systemd" in ansible_facts.packages' tags: - CCE-83984-5 @@ -21116,6 +23336,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool + - '"kernel-core" in ansible_facts.packages' - '"systemd" in ansible_facts.packages' tags: - CCE-83984-5 
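Review bot: The two new `ansible.builtin.shell` probes (`Find all files that contain kernel.yama.ptrace_scope` and `... set kernel.yama.ptrace_scope to correct value`, whose hunk begins on the previous line) pipe `find -L ... -name '*.conf'` into `xargs grep -HP` without `-print0`/`-0`, so a file name containing whitespace is split into bogus operands, and when `find` matches nothing GNU `xargs` still invokes `grep` once with no file arguments. Both conditions are masked by `failed_when: false`, which also hides genuine errors such as an unreadable directory, and the dots in `kernel.yama.ptrace_scope` are unescaped so the pattern matches any separator character. A safer form is `cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' -print0 | xargs -0 -r grep -HP '^\s*kernel\.yama\.ptrace_scope\s*=\s*.*$'` (with the `=\s*1$` variant for the second probe). The `path: '{{ item | split(":") | first }}'` in the comment-out task relies on grep's `file:line` output and would mis-parse a path containing `:`; the same points apply to the `Enable Randomized Layout of Virtual Address Space` probes in the hunk below.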
@@ -21148,6 +23369,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool + - '"kernel-core" in ansible_facts.packages' - '"systemd" in ansible_facts.packages' - count_of_systemd_dropin_files_with_section | int > 0 loop: '{{systemd_dropin_files_with_section.results | sum(attribute=''files'', start=[]) | map(attribute=''path'') | list @@ -21184,6 +23406,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool + - '"kernel-core" in ansible_facts.packages' - '"systemd" in ansible_facts.packages' - count_of_systemd_dropin_files_with_section | int == 0 tags: @@ -21222,6 +23445,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool + - '"kernel-core" in ansible_facts.packages' - '"systemd" in ansible_facts.packages' tags: - CCE-83979-5 @@ -21250,6 +23474,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool + - '"kernel-core" in ansible_facts.packages' - '"systemd" in ansible_facts.packages' tags: - CCE-83979-5 @@ -21282,6 +23507,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool + - '"kernel-core" in ansible_facts.packages' - '"systemd" in ansible_facts.packages' - count_of_systemd_dropin_files_with_section | int > 0 loop: '{{systemd_dropin_files_with_section.results | sum(attribute=''files'', start=[]) | map(attribute=''path'') | list @@ -21318,6 +23544,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool + - '"kernel-core" in ansible_facts.packages' - '"systemd" in ansible_facts.packages' - count_of_systemd_dropin_files_with_section | int == 0 tags: 
@@ -21335,16 +23562,12 @@ - no_reboot_needed - restrict_strategy -- name: List /etc/sysctl.d/*.conf files - ansible.builtin.find: - paths: +- name: Enable Randomized Layout of Virtual Address Space - Set fact for sysctl paths + ansible.builtin.set_fact: + sysctl_paths: - /etc/sysctl.d/ - /run/sysctl.d/ - /usr/local/lib/sysctl.d/ - contains: ^[\s]*kernel.randomize_va_space.*$ - patterns: '*.conf' - file_type: any - register: find_sysctl_d when: - DISA_STIG_RHEL_09_213070 | bool - disable_strategy | bool @@ -21353,7 +23576,7 @@ - medium_severity | bool - reboot_required | bool - sysctl_kernel_randomize_va_space | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83971-2 - DISA-STIG-RHEL-09-213070 
@@ -21372,12 +23595,81 @@ - reboot_required - sysctl_kernel_randomize_va_space -- name: Comment out any occurrences of kernel.randomize_va_space from config files +- name: Enable Randomized Layout of Virtual Address Space - Find all files that contain kernel.randomize_va_space + ansible.builtin.shell: + cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*kernel.randomize_va_space\s*=\s*.*$' + register: find_all_values + check_mode: false + changed_when: false + failed_when: false + when: + - DISA_STIG_RHEL_09_213070 | bool + - disable_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - reboot_required | bool + - sysctl_kernel_randomize_va_space | bool + - '"kernel-core" in ansible_facts.packages' + tags: + - CCE-83971-2 + - DISA-STIG-RHEL-09-213070 + - NIST-800-171-3.1.7 + - NIST-800-53-CM-6(a) + - NIST-800-53-SC-30 + - NIST-800-53-SC-30(2) + - PCI-DSS-Req-2.2.1 + - PCI-DSSv4-3.3 + - PCI-DSSv4-3.3.1 + - PCI-DSSv4-3.3.1.1 + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_kernel_randomize_va_space + +- name: Enable Randomized Layout of Virtual Address Space - Find all files that set kernel.randomize_va_space to correct value + ansible.builtin.shell: + cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*kernel.randomize_va_space\s*=\s*2$' + register: find_correct_value + check_mode: false + changed_when: false + failed_when: false + when: + - DISA_STIG_RHEL_09_213070 | bool + - disable_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - reboot_required | bool + - sysctl_kernel_randomize_va_space | bool + - '"kernel-core" in ansible_facts.packages' + tags: + - CCE-83971-2 + - DISA-STIG-RHEL-09-213070 + - NIST-800-171-3.1.7 + - NIST-800-53-CM-6(a) + - NIST-800-53-SC-30 + - NIST-800-53-SC-30(2) + - PCI-DSS-Req-2.2.1 + - PCI-DSSv4-3.3 + - 
PCI-DSSv4-3.3.1 + - PCI-DSSv4-3.3.1.1 + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_kernel_randomize_va_space + +- name: Enable Randomized Layout of Virtual Address Space - Comment out any occurrences of kernel.randomize_va_space from + config files ansible.builtin.replace: - path: '{{ item.path }}' + path: '{{ item | split(":") | first }}' regexp: ^[\s]*kernel.randomize_va_space replace: '#kernel.randomize_va_space' - loop: '{{ find_sysctl_d.files }}' + loop: '{{ find_all_values.stdout_lines }}' when: - DISA_STIG_RHEL_09_213070 | bool - disable_strategy | bool @@ -21386,7 +23678,9 @@ - medium_severity | bool - reboot_required | bool - sysctl_kernel_randomize_va_space | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' + - find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines | length > find_correct_value.stdout_lines + | length tags: - CCE-83971-2 - DISA-STIG-RHEL-09-213070 @@ -21405,7 +23699,7 @@ - reboot_required - sysctl_kernel_randomize_va_space -- name: Ensure sysctl kernel.randomize_va_space is set to 2 +- name: Enable Randomized Layout of Virtual Address Space - Ensure sysctl kernel.randomize_va_space is set to 2 ansible.posix.sysctl: name: kernel.randomize_va_space value: '2' @@ -21420,7 +23714,7 @@ - medium_severity | bool - reboot_required | bool - sysctl_kernel_randomize_va_space | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83971-2 - DISA-STIG-RHEL-09-213070 @@ -21452,7 +23746,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - '"grub2-common" in ansible_facts.packages' tags: - CCE-84078-5 
@@ -21482,7 +23776,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - '"grub2-common" in ansible_facts.packages' tags: - CCE-84078-5 @@ -21510,7 +23804,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - '"grub2-common" in ansible_facts.packages' tags: - CCE-84078-5 @@ -21538,7 +23832,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - '"grub2-common" in ansible_facts.packages' tags: - CCE-84078-5 @@ -21566,7 +23860,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - '"grub2-common" in ansible_facts.packages' - result_grub2_cfg_present.stat.exists tags: @@ -21595,7 +23889,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - '"grub2-common" in ansible_facts.packages' - result_default_grub_present.stat.exists tags: 
@@ -21613,6 +23907,29 @@ - no_reboot_needed - restrict_strategy +- name: Ensure SELinux is Not Disabled - Check current SELinux state + ansible.builtin.command: + cmd: getenforce + register: selinux_state + check_mode: false + changed_when: false + when: + - high_severity | bool + - low_complexity | bool + - low_disruption | bool + - reboot_required | bool + - restrict_strategy | bool + - selinux_not_disabled | bool + - '"kernel-core" in ansible_facts.packages' + tags: + - CCE-86152-6 + - high_severity + - low_complexity + - low_disruption + - reboot_required + - restrict_strategy + - selinux_not_disabled + - name: Ensure SELinux is Not Disabled block: - name: Check for duplicate values @@ -21645,7 +23962,7 @@ - reboot_required | bool - restrict_strategy | bool - selinux_not_disabled | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86152-6 - high_severity @@ -21655,10 +23972,12 @@ - restrict_strategy - selinux_not_disabled -- name: ' - Mark system to relabel SELinux on next boot' +- name: Ensure SELinux is Not Disabled - Mark system to relabel SELinux on next boot ansible.builtin.file: path: /.autorelabel state: touch + access_time: preserve + modification_time: preserve when: - high_severity | bool - low_complexity | bool @@ -21666,7 +23985,8 @@ - reboot_required | bool - restrict_strategy | bool - selinux_not_disabled | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' + - selinux_state.stdout | lower != "permissive" tags: - CCE-86152-6 - high_severity @@ -21709,7 +24029,7 @@ - medium_severity | bool - no_reboot_needed | bool - selinux_policytype | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-84074-4 - DISA-STIG-RHEL-09-431015 
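Review bot: `register: selinux_state` in the new `Ensure SELinux is Not Disabled - Check current SELinux state` task overwrites the rule-enable variable `selinux_state` that the `Ensure SELinux State is Enforcing` tasks in the next hunk below test with `- selinux_state | bool`, and the probe added in that hunk registers under the same name again. Registered results outrank role defaults and vars and are stored even when the task is skipped, so from this point on `selinux_state` is a result dict, `selinux_state | bool` is presumably false, and the Enforcing remediation (the block and its `Mark system to relabel` task) is silently skipped; if the toggle comes from extra-vars instead, `selinux_state.stdout` is undefined and the relabel task errors. Renaming the registered result in both probes, `register: selinux_current_state`, and using it in the conditions, `- selinux_current_state.stdout | lower != "permissive"` here and `- selinux_current_state.stdout | lower != var_selinux_state` in the next hunk, avoids the collision. The probes also carry no `failed_when`, so a host without the `getenforce` binary fails the play instead of the rule being skipped.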
@@ -21728,6 +24048,39 @@ - no_reboot_needed - selinux_policytype +- name: Ensure SELinux State is Enforcing - Check current SELinux state + ansible.builtin.command: + cmd: getenforce + register: selinux_state + check_mode: false + changed_when: false + when: + - DISA_STIG_RHEL_09_431010 | bool + - high_severity | bool + - low_complexity | bool + - low_disruption | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - selinux_state | bool + - '"kernel-core" in ansible_facts.packages' + tags: + - CCE-84079-3 + - DISA-STIG-RHEL-09-431010 + - NIST-800-171-3.1.2 + - NIST-800-171-3.7.2 + - NIST-800-53-AC-3 + - NIST-800-53-AC-3(3)(a) + - NIST-800-53-AU-9 + - NIST-800-53-SC-7(21) + - PCI-DSSv4-1.2 + - PCI-DSSv4-1.2.6 + - high_severity + - low_complexity + - low_disruption + - no_reboot_needed + - restrict_strategy + - selinux_state + - name: Ensure SELinux State is Enforcing block: - name: Check for duplicate values @@ -21761,7 +24114,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - selinux_state | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-84079-3 - DISA-STIG-RHEL-09-431010 @@ -21780,10 +24133,12 @@ - restrict_strategy - selinux_state -- name: ' - Mark system to relabel SELinux on next boot' +- name: Ensure SELinux State is Enforcing - Mark system to relabel SELinux on next boot ansible.builtin.file: path: /.autorelabel state: touch + access_time: preserve + modification_time: preserve when: - DISA_STIG_RHEL_09_431010 | bool - high_severity | bool @@ -21792,7 +24147,8 @@ - no_reboot_needed | bool - restrict_strategy | bool - selinux_state | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' + - selinux_state.stdout | lower != var_selinux_state tags: - CCE-84079-3 - DISA-STIG-RHEL-09-431010 
@@ -21822,7 +24178,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-84177-5 - DISA-STIG-RHEL-09-232235 @@ -21851,7 +24207,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-84177-5 - DISA-STIG-RHEL-09-232235 @@ -21877,7 +24233,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-84170-0 - DISA-STIG-RHEL-09-232235 @@ -21906,7 +24262,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-84170-0 - DISA-STIG-RHEL-09-232235 @@ -21932,7 +24288,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-84186-6 - DISA-STIG-RHEL-09-232235 @@ -21961,7 +24317,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-84186-6 - DISA-STIG-RHEL-09-232235 @@ -21987,7 +24343,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-84189-0 - DISA-STIG-RHEL-09-232235 @@ -22016,7 +24372,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-84189-0 - DISA-STIG-RHEL-09-232235 
@@ -22042,7 +24398,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-84174-2 - DISA-STIG-RHEL-09-232235 @@ -22071,7 +24427,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-84174-2 - DISA-STIG-RHEL-09-232235 @@ -22097,7 +24453,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-84171-8 - DISA-STIG-RHEL-09-232235 @@ -22124,7 +24480,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-84171-8 - DISA-STIG-RHEL-09-232235 @@ -22152,7 +24508,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - file_exists.stat is defined and file_exists.stat.exists tags: - CCE-84171-8 @@ -22179,7 +24535,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-84169-2 - DISA-STIG-RHEL-09-232230 @@ -22208,7 +24564,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-84169-2 - DISA-STIG-RHEL-09-232230 @@ -22234,7 +24590,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-84188-2 - DISA-STIG-RHEL-09-232230 
@@ -22263,7 +24619,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-84188-2 - DISA-STIG-RHEL-09-232230 @@ -22289,7 +24645,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-84168-4 - DISA-STIG-RHEL-09-232230 @@ -22318,7 +24674,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-84168-4 - DISA-STIG-RHEL-09-232230 @@ -22344,7 +24700,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-84179-1 - DISA-STIG-RHEL-09-232230 @@ -22373,7 +24729,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-84179-1 - DISA-STIG-RHEL-09-232230 @@ -22399,7 +24755,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-84190-8 - DISA-STIG-RHEL-09-232230 @@ -22428,7 +24784,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-84190-8 - DISA-STIG-RHEL-09-232230 @@ -22454,7 +24810,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-84167-6 - DISA-STIG-RHEL-09-232230 
@@ -22481,7 +24837,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-84167-6 - DISA-STIG-RHEL-09-232230 @@ -22509,7 +24865,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - file_exists.stat is defined and file_exists.stat.exists tags: - CCE-84167-6 @@ -22539,7 +24895,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-84183-3 - DISA-STIG-RHEL-09-232040 @@ -22569,7 +24925,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-84183-3 - DISA-STIG-RHEL-09-232040 @@ -22598,7 +24954,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-84175-9 - DISA-STIG-RHEL-09-232040 @@ -22628,7 +24984,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-84175-9 - DISA-STIG-RHEL-09-232040 @@ -22657,7 +25013,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-84173-4 - DISA-STIG-RHEL-09-232040 @@ -22687,7 +25043,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-84173-4 - DISA-STIG-RHEL-09-232040 
@@ -22716,7 +25072,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-84181-7 - DISA-STIG-RHEL-09-232040 @@ -22746,7 +25102,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-84181-7 - DISA-STIG-RHEL-09-232040 @@ -22775,7 +25131,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-84187-4 - DISA-STIG-RHEL-09-232040 @@ -22805,7 +25161,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-84187-4 - DISA-STIG-RHEL-09-232040 @@ -22831,7 +25187,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-84176-7 - NIST-800-53-AC-6(1) @@ -22856,7 +25212,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - file_exists.stat is defined and file_exists.stat.exists tags: - CCE-84176-7 
@@ -22871,7 +25227,32 @@ - medium_severity - no_reboot_needed -- name: Remove /etc/at.deny +- name: Ensure that /etc/at.allow exists - Add empty /etc/at.allow + ansible.builtin.file: + path: /etc/at.allow + state: touch + owner: '0' + mode: '0640' + modification_time: preserve + access_time: preserve + when: + - disable_strategy | bool + - file_at_allow_exists | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - '"kernel-core" in ansible_facts.packages' + tags: + - CCE-86856-2 + - disable_strategy + - file_at_allow_exists + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Ensure that /etc/at.deny does not exist - Remove /etc/at.deny ansible.builtin.file: path: /etc/at.deny state: absent @@ -22882,7 +25263,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86946-1 - PCI-DSSv4-2.2 @@ -22894,12 +25275,14 @@ - medium_severity - no_reboot_needed -- name: Add empty /etc/cron.allow +- name: Ensure that /etc/cron.allow exists - Add empty /etc/cron.allow ansible.builtin.file: path: /etc/cron.allow state: touch owner: '0' mode: '0600' + modification_time: preserve + access_time: preserve when: - disable_strategy | bool - file_cron_allow_exists | bool @@ -22907,7 +25290,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86185-6 - disable_strategy @@ -22917,7 +25300,7 @@ - medium_severity - no_reboot_needed -- name: Remove /etc/cron.deny +- name: Ensure that /etc/cron.deny does not exist - Remove /etc/cron.deny ansible.builtin.file: path: /etc/cron.deny state: absent 
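Review bot: The new `Ensure that /etc/at.allow exists - Add empty /etc/at.allow` task sets `owner: '0'` and `mode: '0640'` but no `group`, so on a pre-existing `/etc/at.allow` the group-read access it now grants goes to whatever group the file already has; the companion `/etc/cron.allow` task in the same hunk keeps `0600`, and the permission rule in the `@@ -23185` hunk two lines below is relaxed from `g-xwrs` to `g-xws`, so group read is evidently intended. That intent only holds if the group is root; add `group: '0'` next to `owner: '0'` (a fresh file created by a root-run play is root-owned anyway, so the change matters for the pre-existing-file case). It is also worth confirming that the `0640`/`g-xws` relaxation, rather than `0600` as for cron.allow, is what the referenced benchmark expects.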
@@ -22928,7 +25311,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86850-5 - PCI-DSSv4-2.2 @@ -22950,7 +25333,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-87103-8 - PCI-DSSv4-2.2 @@ -22973,7 +25356,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-87103-8 - PCI-DSSv4-2.2 @@ -22997,7 +25380,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - file_exists.stat is defined and file_exists.stat.exists tags: - CCE-87103-8 @@ -23020,7 +25403,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86830-7 - NIST-800-53-AC-6(1) @@ -23045,7 +25428,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86830-7 - NIST-800-53-AC-6(1) @@ -23071,7 +25454,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - file_exists.stat is defined and file_exists.stat.exists tags: - CCE-86830-7 @@ -23096,7 +25479,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86844-8 - NIST-800-53-AC-6(1) 
@@ -23121,7 +25504,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86844-8 - NIST-800-53-AC-6(1) @@ -23147,7 +25530,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - file_exists.stat is defined and file_exists.stat.exists tags: - CCE-86844-8 @@ -23173,7 +25556,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86904-0 - PCI-DSSv4-2.2 @@ -23185,10 +25568,10 @@ - medium_severity - no_reboot_needed -- name: Ensure permission u-xs,g-xwrs,o-xwrt on /etc/at.allow +- name: Ensure permission u-xs,g-xws,o-xwrt on /etc/at.allow ansible.builtin.file: path: /etc/at.allow - mode: u-xs,g-xwrs,o-xwrt + mode: u-xs,g-xws,o-xwrt when: - configure_strategy | bool - file_permissions_at_allow | bool @@ -23196,7 +25579,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - file_exists.stat is defined and file_exists.stat.exists tags: - CCE-86904-0 @@ -23220,7 +25603,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86877-8 - PCI-DSSv4-2.2 @@ -23243,7 +25626,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - file_exists.stat is defined and file_exists.stat.exists tags: - CCE-86877-8 
@@ -23271,7 +25654,7 @@ - no_reboot_needed | bool - postfix_network_listening_disabled | bool - restrict_strategy | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - '"postfix" in ansible_facts.packages' - '"postfix" in ansible_facts.packages' tags: @@ -23302,7 +25685,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - '"chrony" in ansible_facts.packages' tags: - CCE-84218-7 @@ -23334,7 +25717,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - '"chrony" in ansible_facts.packages' - chrony_servers.matched == 0 tags: @@ -23365,7 +25748,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - '"chrony" in ansible_facts.packages' tags: - CCE-84108-0 @@ -23390,7 +25773,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - '"chrony" in ansible_facts.packages' - chronyd_file is defined and chronyd_file.matched > 0 tags: @@ -23496,7 +25879,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-90817-8 - DISA-STIG-RHEL-09-255105 @@ -23522,7 +25905,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-90817-8 - DISA-STIG-RHEL-09-255105 
@@ -23549,7 +25932,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - file_exists.stat is defined and file_exists.stat.exists tags: - CCE-90817-8 @@ -23576,7 +25959,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - file_groupownership_sshd_private_key_newgroup is undefined tags: - CCE-86127-8 @@ -23597,7 +25980,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - ansible_facts.getent_group["ssh_keys"] is defined tags: - CCE-86127-8 @@ -23621,7 +26004,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86127-8 - configure_strategy @@ -23646,7 +26029,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86127-8 - configure_strategy @@ -23666,7 +26049,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86136-9 - configure_strategy @@ -23689,7 +26072,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86136-9 - configure_strategy @@ -23714,7 +26097,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86136-9 - configure_strategy 
@@ -23735,7 +26118,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-90821-0 - DISA-STIG-RHEL-09-255110 @@ -23761,7 +26144,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-90821-0 - DISA-STIG-RHEL-09-255110 @@ -23788,7 +26171,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - file_exists.stat is defined and file_exists.stat.exists tags: - CCE-90821-0 @@ -23813,7 +26196,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86119-5 - configure_strategy @@ -23836,7 +26219,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86119-5 - configure_strategy @@ -23861,7 +26244,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86119-5 - configure_strategy @@ -23881,7 +26264,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86130-2 - configure_strategy @@ -23904,7 +26287,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86130-2 - configure_strategy 
@@ -23929,7 +26312,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86130-2 - configure_strategy @@ -23951,7 +26334,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-90818-6 - DISA-STIG-RHEL-09-255115 @@ -23979,7 +26362,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - file_exists.stat is defined and file_exists.stat.exists tags: - CCE-90818-6 @@ -24010,7 +26393,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-90820-2 - DISA-STIG-RHEL-09-255120 @@ -24044,7 +26427,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-90820-2 - DISA-STIG-RHEL-09-255120 @@ -24077,7 +26460,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-90820-2 - DISA-STIG-RHEL-09-255120 @@ -24111,7 +26494,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-90820-2 - DISA-STIG-RHEL-09-255120 @@ -24145,7 +26528,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-90819-4 - DISA-STIG-RHEL-09-255125 
@@ -24179,7 +26562,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-90819-4 - DISA-STIG-RHEL-09-255125 
@@ -24198,6 +26581,78 @@ - medium_severity - no_reboot_needed +- name: Set SSH Client Alive Count Max - Check if the parameter ClientAliveCountMax is configured + ansible.builtin.find: + paths: + - /etc/ssh/sshd_config + - /etc/ssh/sshd_config.d + contains: (?i)^\s*{{ "ClientAliveCountMax"| regex_escape }}\s+ + register: _sshd_config_has_parameter + when: + - DISA_STIG_RHEL_09_255095 | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - sshd_set_keepalive | bool + - '"kernel-core" in ansible_facts.packages' + tags: + - CCE-90805-3 + - CJIS-5.5.6 + - DISA-STIG-RHEL-09-255095 + - NIST-800-171-3.1.11 + - NIST-800-53-AC-12 + - NIST-800-53-AC-17(a) + - NIST-800-53-AC-2(5) + - NIST-800-53-CM-6(a) + - NIST-800-53-SC-10 + - PCI-DSS-Req-8.1.8 + - PCI-DSSv4-8.2 + - PCI-DSSv4-8.2.8 + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - sshd_set_keepalive + +- name: Set SSH Client Alive Count Max - Check if the parameter ClientAliveCountMax is configured correctly + ansible.builtin.find: + paths: + - /etc/ssh/sshd_config + - /etc/ssh/sshd_config.d + contains: (?i)^\s*{{ "ClientAliveCountMax"| regex_escape }}\s+{{ var_sshd_set_keepalive }}$ + register: _sshd_config_correctly + when: + - DISA_STIG_RHEL_09_255095 | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - sshd_set_keepalive | bool + - '"kernel-core" in ansible_facts.packages' + tags: + - CCE-90805-3 + - CJIS-5.5.6 + - DISA-STIG-RHEL-09-255095 + - NIST-800-171-3.1.11 + - NIST-800-53-AC-12 + - NIST-800-53-AC-17(a) + - NIST-800-53-AC-2(5) + - NIST-800-53-CM-6(a) + - NIST-800-53-SC-10 + - PCI-DSS-Req-8.1.8 + - PCI-DSSv4-8.2 + - PCI-DSSv4-8.2.8 + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - sshd_set_keepalive + - name: Set SSH Client 
Alive Count Max block: - name: Deduplicate values from /etc/ssh/sshd_config @@ -24243,7 +26698,8 @@ - no_reboot_needed | bool - restrict_strategy | bool - sshd_set_keepalive | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' + - _sshd_config_correctly.matched == 0 or _sshd_config_has_parameter.matched != 1 tags: - CCE-90805-3 - CJIS-5.5.6 @@ -24269,6 +26725,8 @@ path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf mode: '0600' state: touch + modification_time: preserve + access_time: preserve when: - DISA_STIG_RHEL_09_255095 | bool - low_complexity | bool @@ -24277,7 +26735,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - sshd_set_keepalive | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-90805-3 - CJIS-5.5.6 
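Review bot: The skip condition added in hunk `@@ -24243,7 +26698,8 @@`, `_sshd_config_correctly.matched == 0 or _sshd_config_has_parameter.matched != 1`, counts files rather than directives, so a single file holding both a compliant `ClientAliveCountMax` line and a non-compliant one (an earlier duplicate, or one under a `Match` block, which the `^\s*` pattern also reaches) yields matched == 1 on both finds and the remediation is skipped even though sshd honours the first occurrence. The same pre-check pattern is repeated for ClientAliveInterval, HostbasedAuthentication, PermitEmptyPasswords, DisableForwarding, GSSAPIAuthentication, IgnoreRhosts, PermitRootLogin, PermitUserEnvironment and UsePAM in the hunks below. A third `find` over the same paths with a negative lookahead, e.g. `contains: (?i)^\s*{{ "ClientAliveCountMax"| regex_escape }}\s+(?!\s*{{ var_sshd_set_keepalive }}$)` registered as `_sshd_config_wrong`, plus `or _sshd_config_wrong.matched > 0` appended to the block condition, would close that gap. The condition also dereferences `.matched` on results that exist only when the two check tasks ran; it presumably relies on the identical preceding `when` items being evaluated first, which deserves a comment such as `# safe: the check tasks share every condition above, so these results are defined whenever this line is reached`. The `Set SSH Client Alive Count Max` block starts at the end of the hunk above and its body is only partly visible here.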
@@ -24298,6 +26756,82 @@ - restrict_strategy - sshd_set_keepalive +- name: Set SSH Client Alive Interval - Check if the parameter ClientAliveInterval is configured + ansible.builtin.find: + paths: + - /etc/ssh/sshd_config + - /etc/ssh/sshd_config.d + contains: (?i)^\s*{{ "ClientAliveInterval"| regex_escape }}\s+ + register: _sshd_config_has_parameter + when: + - DISA_STIG_RHEL_09_255100 | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - sshd_set_idle_timeout | bool + - '"kernel-core" in ansible_facts.packages' + tags: + - CCE-90811-1 + - CJIS-5.5.6 + - DISA-STIG-RHEL-09-255100 + - NIST-800-171-3.1.11 + - NIST-800-53-AC-12 + - NIST-800-53-AC-17(a) + - NIST-800-53-AC-17(a) + - NIST-800-53-AC-2(5) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-6(a) + - NIST-800-53-SC-10 + - PCI-DSS-Req-8.1.8 + - PCI-DSSv4-8.2 + - PCI-DSSv4-8.2.8 + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - sshd_set_idle_timeout + +- name: Set SSH Client Alive Interval - Check if the parameter ClientAliveInterval is configured correctly + ansible.builtin.find: + paths: + - /etc/ssh/sshd_config + - /etc/ssh/sshd_config.d + contains: (?i)^\s*{{ "ClientAliveInterval"| regex_escape }}\s+{{ sshd_idle_timeout_value }}$ + register: _sshd_config_correctly + when: + - DISA_STIG_RHEL_09_255100 | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - sshd_set_idle_timeout | bool + - '"kernel-core" in ansible_facts.packages' + tags: + - CCE-90811-1 + - CJIS-5.5.6 + - DISA-STIG-RHEL-09-255100 + - NIST-800-171-3.1.11 + - NIST-800-53-AC-12 + - NIST-800-53-AC-17(a) + - NIST-800-53-AC-17(a) + - NIST-800-53-AC-2(5) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-6(a) + - NIST-800-53-SC-10 + - PCI-DSS-Req-8.1.8 + - PCI-DSSv4-8.2 + - PCI-DSSv4-8.2.8 + - low_complexity + - low_disruption + 
- medium_severity + - no_reboot_needed + - restrict_strategy + - sshd_set_idle_timeout + - name: Set SSH Client Alive Interval block: - name: Deduplicate values from /etc/ssh/sshd_config @@ -24343,7 +26877,8 @@ - no_reboot_needed | bool - restrict_strategy | bool - sshd_set_idle_timeout | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' + - _sshd_config_correctly.matched == 0 or _sshd_config_has_parameter.matched != 1 tags: - CCE-90811-1 - CJIS-5.5.6 @@ -24371,6 +26906,8 @@ path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf mode: '0600' state: touch + modification_time: preserve + access_time: preserve when: - DISA_STIG_RHEL_09_255100 | bool - low_complexity | bool @@ -24379,7 +26916,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - sshd_set_idle_timeout | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-90811-1 - CJIS-5.5.6 
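Review bot: Both new ClientAliveInterval check tasks in hunk `@@ -24298,6 +26756,82 @@` list `NIST-800-53-AC-17(a)` and `NIST-800-53-CM-6(a)` twice in their `tags`, unlike the sibling ClientAliveCountMax tasks in the hunk above. Duplicate tags are harmless for `--tags` selection but make the reference list misleading as documentation; each should appear once. Since this file looks generated, the duplication is presumably inherited from the rule's reference metadata and is best fixed at that source.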
@@ -24402,6 +26939,76 @@ - restrict_strategy - sshd_set_idle_timeout +- name: Disable Host-Based Authentication - Check if the parameter HostbasedAuthentication is configured + ansible.builtin.find: + paths: + - /etc/ssh/sshd_config + - /etc/ssh/sshd_config.d + contains: (?i)^\s*{{ "HostbasedAuthentication"| regex_escape }}\s+ + register: _sshd_config_has_parameter + when: + - DISA_STIG_RHEL_09_255080 | bool + - disable_host_auth | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"kernel-core" in ansible_facts.packages' + tags: + - CCE-90816-0 + - CJIS-5.5.6 + - DISA-STIG-RHEL-09-255080 + - NIST-800-171-3.1.12 + - NIST-800-53-AC-17(a) + - NIST-800-53-AC-3 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - PCI-DSSv4-8.3 + - PCI-DSSv4-8.3.1 + - disable_host_auth + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Disable Host-Based Authentication - Check if the parameter HostbasedAuthentication is configured correctly + ansible.builtin.find: + paths: + - /etc/ssh/sshd_config + - /etc/ssh/sshd_config.d + contains: (?i)^\s*{{ "HostbasedAuthentication"| regex_escape }}\s+no$ + register: _sshd_config_correctly + when: + - DISA_STIG_RHEL_09_255080 | bool + - disable_host_auth | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"kernel-core" in ansible_facts.packages' + tags: + - CCE-90816-0 + - CJIS-5.5.6 + - DISA-STIG-RHEL-09-255080 + - NIST-800-171-3.1.12 + - NIST-800-53-AC-17(a) + - NIST-800-53-AC-3 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - PCI-DSSv4-8.3 + - PCI-DSSv4-8.3.1 + - disable_host_auth + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - name: Disable Host-Based Authentication block: - name: 
Deduplicate values from /etc/ssh/sshd_config @@ -24447,7 +27054,8 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' + - _sshd_config_correctly.matched == 0 or _sshd_config_has_parameter.matched != 1 tags: - CCE-90816-0 - CJIS-5.5.6 @@ -24472,6 +27080,8 @@ path: /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf mode: '0600' state: touch + modification_time: preserve + access_time: preserve when: - DISA_STIG_RHEL_09_255080 | bool - disable_host_auth | bool @@ -24480,7 +27090,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-90816-0 - CJIS-5.5.6 
@@ -24500,6 +27110,78 @@ - no_reboot_needed - restrict_strategy +- name: Disable SSH Access via Empty Passwords - Check if the parameter PermitEmptyPasswords is configured + ansible.builtin.find: + paths: + - /etc/ssh/sshd_config + - /etc/ssh/sshd_config.d + contains: (?i)^\s*{{ "PermitEmptyPasswords"| regex_escape }}\s+ + register: _sshd_config_has_parameter + when: + - DISA_STIG_RHEL_09_255040 | bool + - high_severity | bool + - low_complexity | bool + - low_disruption | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - sshd_disable_empty_passwords | bool + - '"kernel-core" in ansible_facts.packages' + tags: + - CCE-90799-8 + - CJIS-5.5.6 + - DISA-STIG-RHEL-09-255040 + - NIST-800-171-3.1.1 + - NIST-800-171-3.1.5 + - NIST-800-53-AC-17(a) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - PCI-DSS-Req-2.2.4 + - PCI-DSSv4-2.2 + - PCI-DSSv4-2.2.6 + - high_severity + - low_complexity + - low_disruption + - no_reboot_needed + - restrict_strategy + - sshd_disable_empty_passwords + +- name: Disable SSH Access via Empty Passwords - Check if the parameter PermitEmptyPasswords is configured correctly + ansible.builtin.find: + paths: + - /etc/ssh/sshd_config + - /etc/ssh/sshd_config.d + contains: (?i)^\s*{{ "PermitEmptyPasswords"| regex_escape }}\s+no$ + register: _sshd_config_correctly + when: + - DISA_STIG_RHEL_09_255040 | bool + - high_severity | bool + - low_complexity | bool + - low_disruption | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - sshd_disable_empty_passwords | bool + - '"kernel-core" in ansible_facts.packages' + tags: + - CCE-90799-8 + - CJIS-5.5.6 + - DISA-STIG-RHEL-09-255040 + - NIST-800-171-3.1.1 + - NIST-800-171-3.1.5 + - NIST-800-53-AC-17(a) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - PCI-DSS-Req-2.2.4 + - PCI-DSSv4-2.2 + - PCI-DSSv4-2.2.6 + - high_severity + - low_complexity + - low_disruption + - no_reboot_needed + - restrict_strategy + - 
sshd_disable_empty_passwords + - name: Disable SSH Access via Empty Passwords block: - name: Deduplicate values from /etc/ssh/sshd_config @@ -24545,7 +27227,8 @@ - no_reboot_needed | bool - restrict_strategy | bool - sshd_disable_empty_passwords | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' + - _sshd_config_correctly.matched == 0 or _sshd_config_has_parameter.matched != 1 tags: - CCE-90799-8 - CJIS-5.5.6 @@ -24571,6 +27254,8 @@ path: /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf mode: '0600' state: touch + modification_time: preserve + access_time: preserve when: - DISA_STIG_RHEL_09_255040 | bool - high_severity | bool @@ -24579,7 +27264,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - sshd_disable_empty_passwords | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-90799-8 - CJIS-5.5.6 
@@ -24600,6 +27285,195 @@ - restrict_strategy - sshd_disable_empty_passwords +- name: Disable SSH Forwarding - Check if the parameter DisableForwarding is configured + ansible.builtin.find: + paths: + - /etc/ssh/sshd_config + - /etc/ssh/sshd_config.d + contains: (?i)^\s*{{ "DisableForwarding"| regex_escape }}\s+ + register: _sshd_config_has_parameter + when: + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - sshd_disable_forwarding | bool + - '"kernel-core" in ansible_facts.packages' + tags: + - CCE-90197-5 + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - sshd_disable_forwarding + +- name: Disable SSH Forwarding - Check if the parameter DisableForwarding is configured correctly + ansible.builtin.find: + paths: + - /etc/ssh/sshd_config + - /etc/ssh/sshd_config.d + contains: (?i)^\s*{{ "DisableForwarding"| regex_escape }}\s+yes$ + register: _sshd_config_correctly + when: + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - sshd_disable_forwarding | bool + - '"kernel-core" in ansible_facts.packages' + tags: + - CCE-90197-5 + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - sshd_disable_forwarding + +- name: Disable SSH Forwarding + block: + - name: Deduplicate values from /etc/ssh/sshd_config + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config + create: false + regexp: (?i)(?i)^\s*{{ "DisableForwarding"| regex_escape }}\s+ + state: absent + - name: Check if /etc/ssh/sshd_config.d exists + ansible.builtin.stat: + path: /etc/ssh/sshd_config.d + register: _etc_ssh_sshd_config_d_exists + - name: Check if the parameter DisableForwarding is present in /etc/ssh/sshd_config.d + ansible.builtin.find: + paths: /etc/ssh/sshd_config.d + recurse: 'yes' + follow: 'no' + contains: (?i)^\s*{{ 
"DisableForwarding"| regex_escape }}\s+ + register: _etc_ssh_sshd_config_d_has_parameter + when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir + - name: Remove parameter from files in /etc/ssh/sshd_config.d + ansible.builtin.lineinfile: + path: '{{ item.path }}' + create: false + regexp: (?i)(?i)^\s*{{ "DisableForwarding"| regex_escape }}\s+ + state: absent + with_items: '{{ _etc_ssh_sshd_config_d_has_parameter.files }}' + when: _etc_ssh_sshd_config_d_has_parameter.matched + - name: Insert correct line to /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf + create: true + regexp: (?i)(?i)^\s*{{ "DisableForwarding"| regex_escape }}\s+ + line: DisableForwarding yes + state: present + insertbefore: BOF + validate: /usr/sbin/sshd -t -f %s + when: + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - sshd_disable_forwarding | bool + - '"kernel-core" in ansible_facts.packages' + - _sshd_config_correctly.matched == 0 or _sshd_config_has_parameter.matched != 1 + tags: + - CCE-90197-5 + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - sshd_disable_forwarding + +- name: Disable SSH Forwarding - set file mode for /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf + ansible.builtin.file: + path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf + mode: '0600' + state: touch + modification_time: preserve + access_time: preserve + when: + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - sshd_disable_forwarding | bool + - '"kernel-core" in ansible_facts.packages' + tags: + - CCE-90197-5 + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - 
sshd_disable_forwarding + +- name: Disable GSSAPI Authentication - Check if the parameter GSSAPIAuthentication is configured + ansible.builtin.find: + paths: + - /etc/ssh/sshd_config + - /etc/ssh/sshd_config.d + contains: (?i)^\s*{{ "GSSAPIAuthentication"| regex_escape }}\s+ + register: _sshd_config_has_parameter + when: + - DISA_STIG_RHEL_09_255135 | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - sshd_disable_gssapi_auth | bool + - '"kernel-core" in ansible_facts.packages' + tags: + - CCE-90808-7 + - DISA-STIG-RHEL-09-255135 + - NIST-800-171-3.1.12 + - NIST-800-53-AC-17(a) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - sshd_disable_gssapi_auth + +- name: Disable GSSAPI Authentication - Check if the parameter GSSAPIAuthentication is configured correctly + ansible.builtin.find: + paths: + - /etc/ssh/sshd_config + - /etc/ssh/sshd_config.d + contains: (?i)^\s*{{ "GSSAPIAuthentication"| regex_escape }}\s+no$ + register: _sshd_config_correctly + when: + - DISA_STIG_RHEL_09_255135 | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - sshd_disable_gssapi_auth | bool + - '"kernel-core" in ansible_facts.packages' + tags: + - CCE-90808-7 + - DISA-STIG-RHEL-09-255135 + - NIST-800-171-3.1.12 + - NIST-800-53-AC-17(a) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - sshd_disable_gssapi_auth + - name: Disable GSSAPI Authentication block: - name: Deduplicate values from /etc/ssh/sshd_config 
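Review bot: In the new `Disable SSH Forwarding` block (hunk `@@ -24600,6 +27285,195 @@`), the task `Remove parameter from files in /etc/ssh/sshd_config.d` uses `when: _etc_ssh_sshd_config_d_has_parameter.matched`, but the `find` that registers it is skipped when `/etc/ssh/sshd_config.d` is not a directory, so on such a host the conditional would, as far as I can tell, error on the undefined attribute rather than skip; `when: _etc_ssh_sshd_config_d_has_parameter.matched | default(0)` keeps the guard robust. The three `regexp:` values also double the inline flag, `(?i)(?i)^\s*{{ "DisableForwarding"| regex_escape }}\s+`; a single `(?i)` is sufficient and reads cleaner. Both patterns likely come from the shared template and may recur in the other sshd blocks in this file. The `Disable GSSAPI Authentication` block at the end of the hunk continues outside it.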
@@ -24645,7 +27519,8 @@ - no_reboot_needed | bool - restrict_strategy | bool - sshd_disable_gssapi_auth | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' + - _sshd_config_correctly.matched == 0 or _sshd_config_has_parameter.matched != 1 tags: - CCE-90808-7 - DISA-STIG-RHEL-09-255135 @@ -24666,6 +27541,8 @@ path: /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf mode: '0600' state: touch + modification_time: preserve + access_time: preserve when: - DISA_STIG_RHEL_09_255135 | bool - low_complexity | bool @@ -24674,7 +27551,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - sshd_disable_gssapi_auth | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-90808-7 - DISA-STIG-RHEL-09-255135 
@@ -24690,6 +27567,74 @@ - restrict_strategy - sshd_disable_gssapi_auth +- name: Disable SSH Support for .rhosts Files - Check if the parameter IgnoreRhosts is configured + ansible.builtin.find: + paths: + - /etc/ssh/sshd_config + - /etc/ssh/sshd_config.d + contains: (?i)^\s*{{ "IgnoreRhosts"| regex_escape }}\s+ + register: _sshd_config_has_parameter + when: + - DISA_STIG_RHEL_09_255145 | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - sshd_disable_rhosts | bool + - '"kernel-core" in ansible_facts.packages' + tags: + - CCE-90797-2 + - CJIS-5.5.6 + - DISA-STIG-RHEL-09-255145 + - NIST-800-171-3.1.12 + - NIST-800-53-AC-17(a) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - PCI-DSSv4-2.2 + - PCI-DSSv4-2.2.6 + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - sshd_disable_rhosts + +- name: Disable SSH Support for .rhosts Files - Check if the parameter IgnoreRhosts is configured correctly + ansible.builtin.find: + paths: + - /etc/ssh/sshd_config + - /etc/ssh/sshd_config.d + contains: (?i)^\s*{{ "IgnoreRhosts"| regex_escape }}\s+yes$ + register: _sshd_config_correctly + when: + - DISA_STIG_RHEL_09_255145 | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - sshd_disable_rhosts | bool + - '"kernel-core" in ansible_facts.packages' + tags: + - CCE-90797-2 + - CJIS-5.5.6 + - DISA-STIG-RHEL-09-255145 + - NIST-800-171-3.1.12 + - NIST-800-53-AC-17(a) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - PCI-DSSv4-2.2 + - PCI-DSSv4-2.2.6 + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - sshd_disable_rhosts + - name: Disable SSH Support for .rhosts Files block: - name: Deduplicate values from /etc/ssh/sshd_config 
@@ -24735,7 +27680,8 @@ - no_reboot_needed | bool - restrict_strategy | bool - sshd_disable_rhosts | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' + - _sshd_config_correctly.matched == 0 or _sshd_config_has_parameter.matched != 1 tags: - CCE-90797-2 - CJIS-5.5.6 @@ -24759,6 +27705,8 @@ path: /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf mode: '0600' state: touch + modification_time: preserve + access_time: preserve when: - DISA_STIG_RHEL_09_255145 | bool - low_complexity | bool @@ -24767,7 +27715,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - sshd_disable_rhosts | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-90797-2 - CJIS-5.5.6 
@@ -24786,6 +27734,84 @@ - restrict_strategy - sshd_disable_rhosts +- name: Disable SSH Root Login - Check if the parameter PermitRootLogin is configured + ansible.builtin.find: + paths: + - /etc/ssh/sshd_config + - /etc/ssh/sshd_config.d + contains: (?i)^\s*{{ "PermitRootLogin"| regex_escape }}\s+ + register: _sshd_config_has_parameter + when: + - DISA_STIG_RHEL_09_255045 | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - sshd_disable_root_login | bool + - '"kernel-core" in ansible_facts.packages' + tags: + - CCE-90800-4 + - CJIS-5.5.6 + - DISA-STIG-RHEL-09-255045 + - NIST-800-171-3.1.1 + - NIST-800-171-3.1.5 + - NIST-800-53-AC-17(a) + - NIST-800-53-AC-6(2) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-IA-2 + - NIST-800-53-IA-2(5) + - PCI-DSS-Req-2.2.4 + - PCI-DSSv4-2.2 + - PCI-DSSv4-2.2.6 + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - sshd_disable_root_login + +- name: Disable SSH Root Login - Check if the parameter PermitRootLogin is configured correctly + ansible.builtin.find: + paths: + - /etc/ssh/sshd_config + - /etc/ssh/sshd_config.d + contains: (?i)^\s*{{ "PermitRootLogin"| regex_escape }}\s+no$ + register: _sshd_config_correctly + when: + - DISA_STIG_RHEL_09_255045 | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - sshd_disable_root_login | bool + - '"kernel-core" in ansible_facts.packages' + tags: + - CCE-90800-4 + - CJIS-5.5.6 + - DISA-STIG-RHEL-09-255045 + - NIST-800-171-3.1.1 + - NIST-800-171-3.1.5 + - NIST-800-53-AC-17(a) + - NIST-800-53-AC-6(2) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-IA-2 + - NIST-800-53-IA-2(5) + - PCI-DSS-Req-2.2.4 + - PCI-DSSv4-2.2 + - PCI-DSSv4-2.2.6 + - low_complexity + - low_disruption + - 
medium_severity + - no_reboot_needed + - restrict_strategy + - sshd_disable_root_login + - name: Disable SSH Root Login block: - name: Deduplicate values from /etc/ssh/sshd_config @@ -24831,7 +27857,8 @@ - no_reboot_needed | bool - restrict_strategy | bool - sshd_disable_root_login | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' + - _sshd_config_correctly.matched == 0 or _sshd_config_has_parameter.matched != 1 tags: - CCE-90800-4 - CJIS-5.5.6 @@ -24860,6 +27887,8 @@ path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf mode: '0600' state: touch + modification_time: preserve + access_time: preserve when: - DISA_STIG_RHEL_09_255045 | bool - low_complexity | bool @@ -24868,7 +27897,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - sshd_disable_root_login | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-90800-4 - CJIS-5.5.6 
@@ -24892,6 +27921,76 @@ - restrict_strategy - sshd_disable_root_login +- name: Do Not Allow SSH Environment Options - Check if the parameter PermitUserEnvironment is configured + ansible.builtin.find: + paths: + - /etc/ssh/sshd_config + - /etc/ssh/sshd_config.d + contains: (?i)^\s*{{ "PermitUserEnvironment"| regex_escape }}\s+ + register: _sshd_config_has_parameter + when: + - DISA_STIG_RHEL_09_255085 | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - sshd_do_not_permit_user_env | bool + - '"kernel-core" in ansible_facts.packages' + tags: + - CCE-90803-8 + - CJIS-5.5.6 + - DISA-STIG-RHEL-09-255085 + - NIST-800-171-3.1.12 + - NIST-800-53-AC-17(a) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - PCI-DSS-Req-2.2.4 + - PCI-DSSv4-2.2 + - PCI-DSSv4-2.2.6 + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - sshd_do_not_permit_user_env + +- name: Do Not Allow SSH Environment Options - Check if the parameter PermitUserEnvironment is configured correctly + ansible.builtin.find: + paths: + - /etc/ssh/sshd_config + - /etc/ssh/sshd_config.d + contains: (?i)^\s*{{ "PermitUserEnvironment"| regex_escape }}\s+no$ + register: _sshd_config_correctly + when: + - DISA_STIG_RHEL_09_255085 | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - sshd_do_not_permit_user_env | bool + - '"kernel-core" in ansible_facts.packages' + tags: + - CCE-90803-8 + - CJIS-5.5.6 + - DISA-STIG-RHEL-09-255085 + - NIST-800-171-3.1.12 + - NIST-800-53-AC-17(a) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - PCI-DSS-Req-2.2.4 + - PCI-DSSv4-2.2 + - PCI-DSSv4-2.2.6 + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - sshd_do_not_permit_user_env + - name: Do Not Allow SSH 
Environment Options block: - name: Deduplicate values from /etc/ssh/sshd_config @@ -24937,7 +28036,8 @@ - no_reboot_needed | bool - restrict_strategy | bool - sshd_do_not_permit_user_env | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' + - _sshd_config_correctly.matched == 0 or _sshd_config_has_parameter.matched != 1 tags: - CCE-90803-8 - CJIS-5.5.6 @@ -24962,6 +28062,8 @@ path: /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf mode: '0600' state: touch + modification_time: preserve + access_time: preserve when: - DISA_STIG_RHEL_09_255085 | bool - low_complexity | bool @@ -24970,7 +28072,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - sshd_do_not_permit_user_env | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-90803-8 - CJIS-5.5.6 
@@ -24990,6 +28092,62 @@ - restrict_strategy - sshd_do_not_permit_user_env +- name: Enable PAM - Check if the parameter UsePAM is configured + ansible.builtin.find: + paths: + - /etc/ssh/sshd_config + - /etc/ssh/sshd_config.d + contains: (?i)^\s*{{ "UsePAM"| regex_escape }}\s+ + register: _sshd_config_has_parameter + when: + - DISA_STIG_RHEL_09_255050 | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - sshd_enable_pam | bool + - '"kernel-core" in ansible_facts.packages' + tags: + - CCE-86722-6 + - DISA-STIG-RHEL-09-255050 + - PCI-DSSv4-2.2 + - PCI-DSSv4-2.2.6 + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - sshd_enable_pam + +- name: Enable PAM - Check if the parameter UsePAM is configured correctly + ansible.builtin.find: + paths: + - /etc/ssh/sshd_config + - /etc/ssh/sshd_config.d + contains: (?i)^\s*{{ "UsePAM"| regex_escape }}\s+yes$ + register: _sshd_config_correctly + when: + - DISA_STIG_RHEL_09_255050 | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - sshd_enable_pam | bool + - '"kernel-core" in ansible_facts.packages' + tags: + - CCE-86722-6 + - DISA-STIG-RHEL-09-255050 + - PCI-DSSv4-2.2 + - PCI-DSSv4-2.2.6 + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - sshd_enable_pam + - name: Enable PAM block: - name: Deduplicate values from /etc/ssh/sshd_config @@ -25035,7 +28193,8 @@ - no_reboot_needed | bool - restrict_strategy | bool - sshd_enable_pam | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' + - _sshd_config_correctly.matched == 0 or _sshd_config_has_parameter.matched != 1 tags: - CCE-86722-6 - DISA-STIG-RHEL-09-255050 
@@ -25053,6 +28212,8 @@ path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf mode: '0600' state: touch + modification_time: preserve + access_time: preserve when: - DISA_STIG_RHEL_09_255050 | bool - low_complexity | bool @@ -25061,7 +28222,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - sshd_enable_pam | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86722-6 - DISA-STIG-RHEL-09-255050 
@@ -25074,6 +28235,66 @@ - restrict_strategy - sshd_enable_pam +- name: Enable SSH Warning Banner - Check if the parameter Banner is configured + ansible.builtin.find: + paths: + - /etc/ssh/sshd_config + - /etc/ssh/sshd_config.d + contains: (?i)^\s*{{ "Banner"| regex_escape }}\s+ + register: _sshd_config_has_parameter + when: + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - sshd_enable_warning_banner_net | bool + - '"kernel-core" in ansible_facts.packages' + tags: + - CCE-87979-1 + - CJIS-5.5.6 + - NIST-800-171-3.1.9 + - NIST-800-53-AC-17(a) + - NIST-800-53-AC-8(a) + - NIST-800-53-AC-8(c) + - NIST-800-53-CM-6(a) + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - sshd_enable_warning_banner_net + +- name: Enable SSH Warning Banner - Check if the parameter Banner is configured correctly + ansible.builtin.find: + paths: + - /etc/ssh/sshd_config + - /etc/ssh/sshd_config.d + contains: (?i)^\s*{{ "Banner"| regex_escape }}\s+/etc/issue.net$ + register: _sshd_config_correctly + when: + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - sshd_enable_warning_banner_net | bool + - '"kernel-core" in ansible_facts.packages' + tags: + - CCE-87979-1 + - CJIS-5.5.6 + - NIST-800-171-3.1.9 + - NIST-800-53-AC-17(a) + - NIST-800-53-AC-8(a) + - NIST-800-53-AC-8(c) + - NIST-800-53-CM-6(a) + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - sshd_enable_warning_banner_net + - name: Enable SSH Warning Banner block: - name: Deduplicate values from /etc/ssh/sshd_config 
@@ -25118,7 +28339,8 @@ - no_reboot_needed | bool - restrict_strategy | bool - sshd_enable_warning_banner_net | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' + - _sshd_config_correctly.matched == 0 or _sshd_config_has_parameter.matched != 1 tags: - CCE-87979-1 - CJIS-5.5.6 @@ -25139,6 +28361,8 @@ path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf mode: '0600' state: touch + modification_time: preserve + access_time: preserve when: - low_complexity | bool - low_disruption | bool @@ -25146,7 +28370,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - sshd_enable_warning_banner_net | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-87979-1 - CJIS-5.5.6 
@@ -25162,6 +28386,58 @@ - restrict_strategy - sshd_enable_warning_banner_net +- name: Ensure SSH LoginGraceTime is configured - Check if the parameter LoginGraceTime is configured + ansible.builtin.find: + paths: + - /etc/ssh/sshd_config + - /etc/ssh/sshd_config.d + contains: (?i)^\s*{{ "LoginGraceTime"| regex_escape }}\s+ + register: _sshd_config_has_parameter + when: + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - sshd_set_login_grace_time | bool + - '"kernel-core" in ansible_facts.packages' + tags: + - CCE-86552-7 + - PCI-DSSv4-2.2 + - PCI-DSSv4-2.2.6 + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - sshd_set_login_grace_time + +- name: Ensure SSH LoginGraceTime is configured - Check if the parameter LoginGraceTime is configured correctly + ansible.builtin.find: + paths: + - /etc/ssh/sshd_config + - /etc/ssh/sshd_config.d + contains: (?i)^\s*{{ "LoginGraceTime"| regex_escape }}\s+{{ var_sshd_set_login_grace_time }}$ + register: _sshd_config_correctly + when: + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - sshd_set_login_grace_time | bool + - '"kernel-core" in ansible_facts.packages' + tags: + - CCE-86552-7 + - PCI-DSSv4-2.2 + - PCI-DSSv4-2.2.6 + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - sshd_set_login_grace_time + - name: Ensure SSH LoginGraceTime is configured block: - name: Deduplicate values from /etc/ssh/sshd_config @@ -25206,7 +28482,8 @@ - no_reboot_needed | bool - restrict_strategy | bool - sshd_set_login_grace_time | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' + - _sshd_config_correctly.matched == 0 or _sshd_config_has_parameter.matched != 1 tags: - CCE-86552-7 - PCI-DSSv4-2.2 
@@ -25223,6 +28500,8 @@ path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf mode: '0600' state: touch + modification_time: preserve + access_time: preserve when: - low_complexity | bool - low_disruption | bool @@ -25230,7 +28509,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - sshd_set_login_grace_time | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86552-7 - PCI-DSSv4-2.2 
@@ -25242,6 +28521,70 @@ - restrict_strategy - sshd_set_login_grace_time +- name: Set SSH Daemon LogLevel to VERBOSE - Check if the parameter LogLevel is configured + ansible.builtin.find: + paths: + - /etc/ssh/sshd_config + - /etc/ssh/sshd_config.d + contains: (?i)^\s*{{ "LogLevel"| regex_escape }}\s+ + register: _sshd_config_has_parameter + when: + - DISA_STIG_RHEL_09_255030 | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - sshd_set_loglevel_verbose | bool + - '"kernel-core" in ansible_facts.packages' + tags: + - CCE-86923-0 + - DISA-STIG-RHEL-09-255030 + - NIST-800-53-AC-17(1) + - NIST-800-53-AC-17(a) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-2.2.4 + - PCI-DSSv4-2.2 + - PCI-DSSv4-2.2.6 + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - sshd_set_loglevel_verbose + +- name: Set SSH Daemon LogLevel to VERBOSE - Check if the parameter LogLevel is configured correctly + ansible.builtin.find: + paths: + - /etc/ssh/sshd_config + - /etc/ssh/sshd_config.d + contains: (?i)^\s*{{ "LogLevel"| regex_escape }}\s+VERBOSE$ + register: _sshd_config_correctly + when: + - DISA_STIG_RHEL_09_255030 | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - sshd_set_loglevel_verbose | bool + - '"kernel-core" in ansible_facts.packages' + tags: + - CCE-86923-0 + - DISA-STIG-RHEL-09-255030 + - NIST-800-53-AC-17(1) + - NIST-800-53-AC-17(a) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-2.2.4 + - PCI-DSSv4-2.2 + - PCI-DSSv4-2.2.6 + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - sshd_set_loglevel_verbose + - name: Set SSH Daemon LogLevel to VERBOSE block: - name: Deduplicate values from /etc/ssh/sshd_config 
@@ -25287,7 +28630,8 @@ - no_reboot_needed | bool - restrict_strategy | bool - sshd_set_loglevel_verbose | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' + - _sshd_config_correctly.matched == 0 or _sshd_config_has_parameter.matched != 1 tags: - CCE-86923-0 - DISA-STIG-RHEL-09-255030 @@ -25309,6 +28653,8 @@ path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf mode: '0600' state: touch + modification_time: preserve + access_time: preserve when: - DISA_STIG_RHEL_09_255030 | bool - low_complexity | bool @@ -25317,7 +28663,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - sshd_set_loglevel_verbose | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86923-0 - DISA-STIG-RHEL-09-255030 
@@ -25334,6 +28680,58 @@ - restrict_strategy - sshd_set_loglevel_verbose +- name: Set SSH authentication attempt limit - Check if the parameter MaxAuthTries is configured + ansible.builtin.find: + paths: + - /etc/ssh/sshd_config + - /etc/ssh/sshd_config.d + contains: (?i)^\s*{{ "MaxAuthTries"| regex_escape }}\s+ + register: _sshd_config_has_parameter + when: + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - sshd_set_max_auth_tries | bool + - '"kernel-core" in ansible_facts.packages' + tags: + - CCE-90810-3 + - PCI-DSSv4-2.2 + - PCI-DSSv4-2.2.6 + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - sshd_set_max_auth_tries + +- name: Set SSH authentication attempt limit - Check if the parameter MaxAuthTries is configured correctly + ansible.builtin.find: + paths: + - /etc/ssh/sshd_config + - /etc/ssh/sshd_config.d + contains: (?i)^\s*{{ "MaxAuthTries"| regex_escape }}\s+{{ sshd_max_auth_tries_value }}$ + register: _sshd_config_correctly + when: + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - sshd_set_max_auth_tries | bool + - '"kernel-core" in ansible_facts.packages' + tags: + - CCE-90810-3 + - PCI-DSSv4-2.2 + - PCI-DSSv4-2.2.6 + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - sshd_set_max_auth_tries + - name: Set SSH authentication attempt limit block: - name: Deduplicate values from /etc/ssh/sshd_config @@ -25378,7 +28776,8 @@ - no_reboot_needed | bool - restrict_strategy | bool - sshd_set_max_auth_tries | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' + - _sshd_config_correctly.matched == 0 or _sshd_config_has_parameter.matched != 1 tags: - CCE-90810-3 - PCI-DSSv4-2.2 
@@ -25395,6 +28794,8 @@ path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf mode: '0600' state: touch + modification_time: preserve + access_time: preserve when: - low_complexity | bool - low_disruption | bool @@ -25402,7 +28803,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - sshd_set_max_auth_tries | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-90810-3 - PCI-DSSv4-2.2 
@@ -25414,6 +28815,58 @@ - restrict_strategy - sshd_set_max_auth_tries +- name: Set SSH MaxSessions limit - Check if the parameter MaxSessions is configured + ansible.builtin.find: + paths: + - /etc/ssh/sshd_config + - /etc/ssh/sshd_config.d + contains: (?i)^\s*{{ "MaxSessions"| regex_escape }}\s+ + register: _sshd_config_has_parameter + when: + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - sshd_set_max_sessions | bool + - '"kernel-core" in ansible_facts.packages' + tags: + - CCE-84103-1 + - PCI-DSSv4-2.2 + - PCI-DSSv4-2.2.6 + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - sshd_set_max_sessions + +- name: Set SSH MaxSessions limit - Check if the parameter MaxSessions is configured correctly + ansible.builtin.find: + paths: + - /etc/ssh/sshd_config + - /etc/ssh/sshd_config.d + contains: (?i)^\s*{{ "MaxSessions"| regex_escape }}\s+{{ var_sshd_max_sessions }}$ + register: _sshd_config_correctly + when: + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - sshd_set_max_sessions | bool + - '"kernel-core" in ansible_facts.packages' + tags: + - CCE-84103-1 + - PCI-DSSv4-2.2 + - PCI-DSSv4-2.2.6 + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - sshd_set_max_sessions + - name: Set SSH MaxSessions limit block: - name: Deduplicate values from /etc/ssh/sshd_config @@ -25458,7 +28911,8 @@ - no_reboot_needed | bool - restrict_strategy | bool - sshd_set_max_sessions | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' + - _sshd_config_correctly.matched == 0 or _sshd_config_has_parameter.matched != 1 tags: - CCE-84103-1 - PCI-DSSv4-2.2 
@@ -25475,6 +28929,8 @@ path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf mode: '0600' state: touch + modification_time: preserve + access_time: preserve when: - low_complexity | bool - low_disruption | bool @@ -25482,7 +28938,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - sshd_set_max_sessions | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-84103-1 - PCI-DSSv4-2.2 
@@ -25494,6 +28950,58 @@ - restrict_strategy - sshd_set_max_sessions +- name: Ensure SSH MaxStartups is configured - Check if the parameter MaxStartups is configured + ansible.builtin.find: + paths: + - /etc/ssh/sshd_config + - /etc/ssh/sshd_config.d + contains: (?i)^\s*{{ "MaxStartups"| regex_escape }}\s+ + register: _sshd_config_has_parameter + when: + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - sshd_set_maxstartups | bool + - '"kernel-core" in ansible_facts.packages' + tags: + - CCE-87872-8 + - PCI-DSSv4-2.2 + - PCI-DSSv4-2.2.6 + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - sshd_set_maxstartups + +- name: Ensure SSH MaxStartups is configured - Check if the parameter MaxStartups is configured correctly + ansible.builtin.find: + paths: + - /etc/ssh/sshd_config + - /etc/ssh/sshd_config.d + contains: (?i)^\s*{{ "MaxStartups"| regex_escape }}\s+{{ var_sshd_set_maxstartups }}$ + register: _sshd_config_correctly + when: + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - sshd_set_maxstartups | bool + - '"kernel-core" in ansible_facts.packages' + tags: + - CCE-87872-8 + - PCI-DSSv4-2.2 + - PCI-DSSv4-2.2.6 + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - sshd_set_maxstartups + - name: Ensure SSH MaxStartups is configured block: - name: Deduplicate values from /etc/ssh/sshd_config @@ -25538,7 +29046,8 @@ - no_reboot_needed | bool - restrict_strategy | bool - sshd_set_maxstartups | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' + - _sshd_config_correctly.matched == 0 or _sshd_config_has_parameter.matched != 1 tags: - CCE-87872-8 - PCI-DSSv4-2.2 
@@ -25555,6 +29064,8 @@ path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf mode: '0600' state: touch + modification_time: preserve + access_time: preserve when: - low_complexity | bool - low_disruption | bool @@ -25562,7 +29073,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - sshd_set_maxstartups | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-87872-8 - PCI-DSSv4-2.2 
@@ -25574,6 +29085,60 @@ - restrict_strategy - sshd_set_maxstartups +- name: Use Only Strong Key Exchange algorithms - Check if the parameter KexAlgorithms is configured + ansible.builtin.find: + paths: + - /etc/ssh/sshd_config + - /etc/ssh/sshd_config.d + contains: (?i)^\s*{{ "KexAlgorithms"| regex_escape }}\s+ + register: _sshd_config_has_parameter + when: + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - sshd_use_strong_kex | bool + - '"kernel-core" in ansible_facts.packages' + tags: + - CCE-86768-9 + - PCI-DSS-Req-2.3 + - PCI-DSSv4-2.2 + - PCI-DSSv4-2.2.7 + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - sshd_use_strong_kex + +- name: Use Only Strong Key Exchange algorithms - Check if the parameter KexAlgorithms is configured correctly + ansible.builtin.find: + paths: + - /etc/ssh/sshd_config + - /etc/ssh/sshd_config.d + contains: (?i)^\s*{{ "KexAlgorithms"| regex_escape }}\s+{{ sshd_strong_kex }}$ + register: _sshd_config_correctly + when: + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - sshd_use_strong_kex | bool + - '"kernel-core" in ansible_facts.packages' + tags: + - CCE-86768-9 + - PCI-DSS-Req-2.3 + - PCI-DSSv4-2.2 + - PCI-DSSv4-2.2.7 + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - sshd_use_strong_kex + - name: Use Only Strong Key Exchange algorithms block: - name: Deduplicate values from /etc/ssh/sshd_config @@ -25618,7 +29183,8 @@ - no_reboot_needed | bool - restrict_strategy | bool - sshd_use_strong_kex | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' + - _sshd_config_correctly.matched == 0 or _sshd_config_has_parameter.matched != 1 tags: - CCE-86768-9 - PCI-DSS-Req-2.3 
@@ -25636,6 +29202,8 @@ path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf mode: '0600' state: touch + modification_time: preserve + access_time: preserve when: - low_complexity | bool - low_disruption | bool @@ -25643,7 +29211,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - sshd_use_strong_kex | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86768-9 - PCI-DSS-Req-2.3 
@@ -25656,84 +29224,6 @@ - restrict_strategy - sshd_use_strong_kex -- name: Use Only Strong MACs - block: - - name: Deduplicate values from /etc/ssh/sshd_config - ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config - create: false - regexp: (?i)(?i)^\s*{{ "MACs"| regex_escape }}\s+ - state: absent - - name: Check if /etc/ssh/sshd_config.d exists - ansible.builtin.stat: - path: /etc/ssh/sshd_config.d - register: _etc_ssh_sshd_config_d_exists - - name: Check if the parameter MACs is present in /etc/ssh/sshd_config.d - ansible.builtin.find: - paths: /etc/ssh/sshd_config.d - recurse: 'yes' - follow: 'no' - contains: (?i)^\s*{{ "MACs"| regex_escape }}\s+ - register: _etc_ssh_sshd_config_d_has_parameter - when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir - - name: Remove parameter from files in /etc/ssh/sshd_config.d - ansible.builtin.lineinfile: - path: '{{ item.path }}' - create: false - regexp: (?i)(?i)^\s*{{ "MACs"| regex_escape }}\s+ - state: absent - with_items: '{{ _etc_ssh_sshd_config_d_has_parameter.files }}' - when: _etc_ssh_sshd_config_d_has_parameter.matched - - name: Insert correct line to /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf - ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf - create: true - regexp: (?i)(?i)^\s*{{ "MACs"| regex_escape }}\s+ - line: MACs {{ sshd_strong_macs }} - state: present - insertbefore: BOF - validate: /usr/sbin/sshd -t -f %s - when: - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - sshd_use_strong_macs | bool - - '"kernel" in ansible_facts.packages' - tags: - - CCE-86769-7 - - NIST-800-53-AC-17 (2) - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - - sshd_use_strong_macs - -- name: Use Only Strong MACs - set file mode for 
/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf - ansible.builtin.file: - path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf - mode: '0600' - state: touch - when: - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - sshd_use_strong_macs | bool - - '"kernel" in ansible_facts.packages' - tags: - - CCE-86769-7 - - NIST-800-53-AC-17 (2) - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - - sshd_use_strong_macs - - name: Switch to multi-user runlevel ansible.builtin.file: src: /usr/lib/systemd/system/multi-user.target @@ -25748,7 +29238,7 @@ - reboot_required | bool - restrict_strategy | bool - xwindows_runlevel_target | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-84105-6 - DISA-STIG-RHEL-09-211030 @@ -25762,8 +29252,10 @@ - restrict_strategy - xwindows_runlevel_target -- name: Update grub defaults and the bootloader menu - ansible.builtin.command: /sbin/grubby --update-kernel=ALL --args="audit=1" +- name: Check if audit argument is already present in /etc/default/grub + ansible.builtin.slurp: + src: /etc/default/grub + register: etc_default_grub when: - DISA_STIG_RHEL_09_212055 | bool - grub2_audit_argument | bool 
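Review bot: `ansible.builtin.slurp` fails the task, and with it the play, when /etc/default/grub is missing or unreadable, and the later `audit=1` update task dereferences `etc_default_grub['content']` unconditionally, so the rule now hard-depends on that file existing; /etc/default/grub is typically not owned by any package, so the `grub2-common` guard does not guarantee it. A preceding `stat` on /etc/default/grub with `when: ... etc_default_grub_stat.stat.exists` on both this slurp and its consumer, treating a missing file as "argument not present", would let the rule fall back to running grubby instead of aborting. The `audit_backlog_limit` slurp in a later hunk has the same dependency.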
@@ -25772,7 +29264,43 @@ - medium_complexity | bool - reboot_required | bool - restrict_strategy | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' + - '"grub2-common" in ansible_facts.packages' + tags: + - CCE-83651-0 + - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-212055 + - NIST-800-171-3.3.1 + - NIST-800-53-AC-17(1) + - NIST-800-53-AU-10 + - NIST-800-53-AU-14(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-IR-5(1) + - PCI-DSS-Req-10.3 + - PCI-DSSv4-10.7 + - PCI-DSSv4-10.7.2 + - grub2_audit_argument + - low_disruption + - low_severity + - medium_complexity + - reboot_required + - restrict_strategy + +- name: Check if audit argument is already present + ansible.builtin.command: /sbin/grubby --info=ALL + register: grubby_info + check_mode: false + changed_when: false + failed_when: false + when: + - DISA_STIG_RHEL_09_212055 | bool + - grub2_audit_argument | bool + - low_disruption | bool + - low_severity | bool + - medium_complexity | bool + - reboot_required | bool + - restrict_strategy | bool + - '"kernel-core" in ansible_facts.packages' - '"grub2-common" in ansible_facts.packages' tags: - CCE-83651-0 
@@ -25795,7 +29323,42 @@ - restrict_strategy - name: Update grub defaults and the bootloader menu - ansible.builtin.command: /sbin/grubby --update-kernel=ALL --args="audit_backlog_limit=8192" + ansible.builtin.command: /sbin/grubby --update-kernel=ALL --args="audit=1" + when: + - DISA_STIG_RHEL_09_212055 | bool + - grub2_audit_argument | bool + - low_disruption | bool + - low_severity | bool + - medium_complexity | bool + - reboot_required | bool + - restrict_strategy | bool + - '"kernel-core" in ansible_facts.packages' + - '"grub2-common" in ansible_facts.packages' + - (grubby_info.stdout is not search('audit=1')) or ((etc_default_grub['content'] | b64decode) is not search('audit=1')) + tags: + - CCE-83651-0 + - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-212055 + - NIST-800-171-3.3.1 + - NIST-800-53-AC-17(1) + - NIST-800-53-AU-10 + - NIST-800-53-AU-14(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-IR-5(1) + - PCI-DSS-Req-10.3 + - PCI-DSSv4-10.7 + - PCI-DSSv4-10.7.2 + - grub2_audit_argument + - low_disruption + - low_severity + - medium_complexity + - reboot_required + - restrict_strategy + +- name: Check if audit_backlog_limit argument is already present in /etc/default/grub + ansible.builtin.slurp: + src: /etc/default/grub + register: etc_default_grub when: - DISA_STIG_RHEL_09_653120 | bool - grub2_audit_backlog_limit_argument | bool @@ -25804,7 +29367,7 @@ - medium_complexity | bool - reboot_required | bool - restrict_strategy | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - '"grub2-common" in ansible_facts.packages' tags: - CCE-83652-8 
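Review bot: The new guard `(grubby_info.stdout is not search('audit=1')) or ((etc_default_grub['content'] | b64decode) is not search('audit=1'))` tests the whole `grubby --info=ALL` output as one string, so when any single boot entry already carries `audit=1` and /etc/default/grub also contains it, the `--update-kernel=ALL` run is skipped even if other entries lack the argument. The unanchored substring also accepts values such as `audit=10`. Checking per entry, e.g. `grubby_info.stdout_lines | select('match', '^args=') | reject('search', '[\\s"]audit=1[\\s"]') | list | length > 0` (constructed, to be validated against grubby's output format), would make the decision per kernel. Because `failed_when: false` leaves `stdout` empty when grubby itself fails, the update then runs unconditionally, which errs toward remediation but hides the error. The `audit_backlog_limit` tasks in the next hunk share the same construction.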
@@ -25819,7 +29382,63 @@ - reboot_required - restrict_strategy -- name: Collect all files from /etc/audit/rules.d with .rules extension +- name: Check if audit_backlog_limit argument is already present + ansible.builtin.command: /sbin/grubby --info=ALL + register: grubby_info + check_mode: false + changed_when: false + failed_when: false + when: + - DISA_STIG_RHEL_09_653120 | bool + - grub2_audit_backlog_limit_argument | bool + - low_disruption | bool + - low_severity | bool + - medium_complexity | bool + - reboot_required | bool + - restrict_strategy | bool + - '"kernel-core" in ansible_facts.packages' + - '"grub2-common" in ansible_facts.packages' + tags: + - CCE-83652-8 + - DISA-STIG-RHEL-09-653120 + - NIST-800-53-CM-6(a) + - PCI-DSSv4-10.7 + - PCI-DSSv4-10.7.2 + - grub2_audit_backlog_limit_argument + - low_disruption + - low_severity + - medium_complexity + - reboot_required + - restrict_strategy + +- name: Update grub defaults and the bootloader menu + ansible.builtin.command: /sbin/grubby --update-kernel=ALL --args="audit_backlog_limit={{ var_audit_backlog_limit }}" + when: + - DISA_STIG_RHEL_09_653120 | bool + - grub2_audit_backlog_limit_argument | bool + - low_disruption | bool + - low_severity | bool + - medium_complexity | bool + - reboot_required | bool + - restrict_strategy | bool + - '"kernel-core" in ansible_facts.packages' + - '"grub2-common" in ansible_facts.packages' + - (grubby_info.stdout is not search('audit_backlog_limit=' ~ var_audit_backlog_limit)) or ((etc_default_grub['content'] + | b64decode) is not search('audit_backlog_limit=' ~ var_audit_backlog_limit)) + tags: + - CCE-83652-8 + - DISA-STIG-RHEL-09-653120 + - NIST-800-53-CM-6(a) + - PCI-DSSv4-10.7 + - PCI-DSSv4-10.7.2 + - grub2_audit_backlog_limit_argument + - low_disruption + - low_severity + - medium_complexity + - reboot_required + - restrict_strategy + +- name: Make the auditd Configuration Immutable - Collect all files from /etc/audit/rules.d with .rules extension 
ansible.builtin.find: paths: /etc/audit/rules.d/ patterns: '*.rules' @@ -25833,7 +29452,7 @@ - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83716-1 - CJIS-5.4.1.1 
@@ -25852,10 +29471,111 @@ - reboot_required - restrict_strategy -- name: Remove the -e option from all Audit config files +- name: Make the auditd Configuration Immutable - Check if target files exist and get their content + ansible.builtin.stat: + path: '{{ item }}' + register: audit_files_stat + loop: + - /etc/audit/audit.rules + - /etc/audit/rules.d/immutable.rules + when: + - DISA_STIG_RHEL_09_654275 | bool + - audit_rules_immutable | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - '"audit" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' + tags: + - CCE-83716-1 + - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654275 + - NIST-800-171-3.3.1 + - NIST-800-171-3.4.3 + - NIST-800-53-AC-6(9) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.2 + - PCI-DSSv4-10.3 + - PCI-DSSv4-10.3.2 + - audit_rules_immutable + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Make the auditd Configuration Immutable - Read content of existing audit files + ansible.builtin.slurp: + src: '{{ item.item }}' + register: audit_files_content + loop: '{{ audit_files_stat.results }}' + when: + - DISA_STIG_RHEL_09_654275 | bool + - audit_rules_immutable | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - '"audit" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' + - item.stat.exists + tags: + - CCE-83716-1 + - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654275 + - NIST-800-171-3.3.1 + - NIST-800-171-3.4.3 + - NIST-800-53-AC-6(9) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.2 + - PCI-DSSv4-10.3 + - PCI-DSSv4-10.3.2 + - audit_rules_immutable + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Make the auditd Configuration Immutable - Check if -e 2 is already correctly set 
in target files + ansible.builtin.set_fact: + immutable_correctly_set: "{{\n audit_files_content.results\n | selectattr('content', 'defined')\n | map(attribute='content')\n\ + \ | map('b64decode')\n | select('search', '^-e 2$', multiline=True)\n | list\n | length == 2\n}}" + when: + - DISA_STIG_RHEL_09_654275 | bool + - audit_rules_immutable | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - '"audit" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' + tags: + - CCE-83716-1 + - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654275 + - NIST-800-171-3.3.1 + - NIST-800-171-3.4.3 + - NIST-800-53-AC-6(9) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.2 + - PCI-DSSv4-10.3 + - PCI-DSSv4-10.3.2 + - audit_rules_immutable + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Make the auditd Configuration Immutable - Remove any existing -e option from all Audit config files ansible.builtin.lineinfile: path: '{{ item }}' - regexp: ^\s*(?:-e)\s+.*$ + regexp: ^\s*-e\s+.*$ state: absent loop: '{{ find_rules_d.files | map(attribute=''path'') | list + [''/etc/audit/audit.rules''] }}' when: @@ -25867,7 +29587,8 @@ - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' + - not immutable_correctly_set tags: - CCE-83716-1 - CJIS-5.4.1.1 
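Review bot: `immutable_correctly_set` becomes true as soon as both files contain a line matching `'^-e 2$'` anywhere, but the audit system accepts no further rule changes once `-e 2` has been processed, so a `-e 2` that is not the last directive in a file, or, presumably, one in a rules.d file that sorts before other rule files, is reported as compliant while later rules are silently rejected; asserting that the last non-comment, non-blank line of each file is `-e 2` would match what the remediation below produces. The `length == 2` comparison is tied to the two-item loop in the stat task above; if that loop ever gains an entry the fact silently turns false. Only an exact `-e 2` line counts, so `-e  2` or `-e 2 ` is treated as missing and the remove/re-add tasks run on every play, which is harmless but not idempotent.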
@@ -25886,11 +29607,49 @@ - reboot_required - restrict_strategy -- name: Add Audit -e option into /etc/audit/rules.d/immutable.rules and /etc/audit/audit.rules +- name: Make the auditd Configuration Immutable - Ensure target directories exist + ansible.builtin.file: + path: '{{ item | dirname }}' + state: directory + mode: '0750' + loop: + - /etc/audit/audit.rules + - /etc/audit/rules.d/immutable.rules + when: + - DISA_STIG_RHEL_09_654275 | bool + - audit_rules_immutable | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - '"audit" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' + - not immutable_correctly_set + tags: + - CCE-83716-1 + - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654275 + - NIST-800-171-3.3.1 + - NIST-800-171-3.4.3 + - NIST-800-53-AC-6(9) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.2 + - PCI-DSSv4-10.3 + - PCI-DSSv4-10.3.2 + - audit_rules_immutable + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Make the auditd Configuration Immutable - Add Audit -e 2 option to make rules immutable ansible.builtin.lineinfile: path: '{{ item }}' create: true line: -e 2 + regexp: ^\s*-e\s+.*$ mode: g-rwx,o-rwx loop: - /etc/audit/audit.rules @@ -25904,7 +29663,8 @@ - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' + - not immutable_correctly_set tags: - CCE-83716-1 - CJIS-5.4.1.1 @@ -25938,7 +29698,7 @@ - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83721-1 - CJIS-5.4.1.1 
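Review bot: `Ensure target directories exist` applies `mode: '0750'` to /etc/audit and /etc/audit/rules.d on every non-compliant run, so an existing directory's mode is rewritten as a side effect of an audit-rule task rather than by the rule that owns directory permissions; `state: directory` without `mode`, or creating only when a preceding `stat` reports the directory missing, keeps the two concerns apart. In the add task the new `regexp: ^\s*-e\s+.*$` is reached only after the removal task has deleted every `-e` line, so in practice it never replaces anything; its purpose is to keep `-e 2` unique, which deserves a comment such as `# regexp keeps a single -e line should one survive the removal above`.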
@@ -25971,7 +29731,7 @@
 - reboot_required | bool
 - restrict_strategy | bool
 - '"audit" in ansible_facts.packages'
- - '"kernel" in ansible_facts.packages'
+ - '"kernel-core" in ansible_facts.packages'
 - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
 tags:
 - CCE-83721-1
@@ -26003,7 +29763,7 @@
 - reboot_required | bool
 - restrict_strategy | bool
 - '"audit" in ansible_facts.packages'
- - '"kernel" in ansible_facts.packages'
+ - '"kernel-core" in ansible_facts.packages'
 - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and
 find_existing_watch_rules_d.matched == 0
 tags:
@@ -26035,7 +29795,7 @@
 - reboot_required | bool
 - restrict_strategy | bool
 - '"audit" in ansible_facts.packages'
- - '"kernel" in ansible_facts.packages'
+ - '"kernel-core" in ansible_facts.packages'
 - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and
 find_existing_watch_rules_d.matched == 0
 tags:
@@ -26069,7 +29829,7 @@
 - reboot_required | bool
 - restrict_strategy | bool
 - '"audit" in ansible_facts.packages'
- - '"kernel" in ansible_facts.packages'
+ - '"kernel-core" in ansible_facts.packages'
 - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
 tags:
 - CCE-83721-1
@@ -26103,7 +29863,7 @@
 - reboot_required | bool
 - restrict_strategy | bool
 - '"audit" in ansible_facts.packages'
- - '"kernel" in ansible_facts.packages'
+ - '"kernel-core" in ansible_facts.packages'
 tags:
 - CCE-83721-1
 - CJIS-5.4.1.1
@@ -26136,7 +29896,7 @@
 - reboot_required | bool
 - restrict_strategy | bool
 - '"audit" in ansible_facts.packages'
- - '"kernel" in ansible_facts.packages'
+ - '"kernel-core" in ansible_facts.packages'
 - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0
 tags:
 - CCE-83721-1
@@ -26170,7 +29930,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86343-1 - NIST-800-171-3.1.8 @@ -26200,7 +29960,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-86343-1 @@ -26229,7 +29989,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: @@ -26259,7 +30019,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: @@ -26291,7 +30051,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-86343-1 @@ -26322,7 +30082,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86343-1 - NIST-800-171-3.1.8 
@@ -26353,7 +30113,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 tags: - CCE-86343-1 @@ -26380,7 +30140,7 @@ - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" tags: @@ -26504,7 +30264,7 @@ - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83735-1 - CJIS-5.4.1.1 @@ -26626,7 +30386,7 @@ - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - audit_arch == "b64" tags: - CCE-83735-1 @@ -26658,7 +30418,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" tags: @@ -26787,7 +30547,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83706-2 - CJIS-5.4.1.1 
@@ -26914,7 +30674,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - audit_arch == "b64" tags: - CCE-83706-2 @@ -26949,7 +30709,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83706-2 - CJIS-5.4.1.1 @@ -26983,7 +30743,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83706-2 @@ -27016,7 +30776,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: @@ -27049,7 +30809,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: @@ -27084,7 +30844,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83706-2 
@@ -27119,7 +30879,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83706-2 - CJIS-5.4.1.1 @@ -27153,7 +30913,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 tags: - CCE-83706-2 @@ -27188,7 +30948,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83706-2 - CJIS-5.4.1.1 @@ -27222,7 +30982,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83706-2 @@ -27255,7 +31015,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: @@ -27288,7 +31048,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: 
@@ -27323,7 +31083,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83706-2 @@ -27358,7 +31118,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83706-2 - CJIS-5.4.1.1 @@ -27392,7 +31152,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 tags: - CCE-83706-2 @@ -27427,7 +31187,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83706-2 - CJIS-5.4.1.1 @@ -27461,7 +31221,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83706-2 @@ -27494,7 +31254,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: 
@@ -27527,7 +31287,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: @@ -27562,7 +31322,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83706-2 @@ -27597,7 +31357,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83706-2 - CJIS-5.4.1.1 @@ -27631,7 +31391,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 tags: - CCE-83706-2 @@ -27666,7 +31426,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83706-2 - CJIS-5.4.1.1 @@ -27700,7 +31460,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83706-2 
@@ -27733,7 +31493,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: @@ -27766,7 +31526,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: @@ -27801,7 +31561,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83706-2 @@ -27836,7 +31596,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83706-2 - CJIS-5.4.1.1 @@ -27870,7 +31630,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 tags: - CCE-83706-2 
@@ -27890,8 +31650,185 @@ - no_reboot_needed - restrict_strategy -- name: Record Events that Modify the System's Network Environment - Check if watch rule for /etc/sysconfig/network-scripts +- name: Record Events that Modify the System's Network Environment - /etc/hostname - Check if watch rule for /etc/hostname already exists in /etc/audit/rules.d/ + ansible.builtin.find: + paths: /etc/audit/rules.d + contains: ^\s*-w\s+/etc/hostname\s+-p\s+wa(\s|$)+ + patterns: '*.rules' + register: find_existing_watch_rules_d + when: + - audit_rules_networkconfig_modification_hostname_file | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"audit" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' + tags: + - CCE-86603-8 + - audit_rules_networkconfig_modification_hostname_file + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Record Events that Modify the System's Network Environment - /etc/hostname - Search /etc/audit/rules.d for other rules + with specified key audit_rules_networkconfig_modification_hostname_file + ansible.builtin.find: + paths: /etc/audit/rules.d + contains: ^.*(?:-F key=|-k\s+)audit_rules_networkconfig_modification_hostname_file$ + patterns: '*.rules' + register: find_watch_key + when: + - audit_rules_networkconfig_modification_hostname_file | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"audit" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' + - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 + tags: + - CCE-86603-8 + - audit_rules_networkconfig_modification_hostname_file + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Record Events that Modify the 
System's Network Environment - /etc/hostname - Use /etc/audit/rules.d/audit_rules_networkconfig_modification_hostname_file.rules + as the recipient for the rule + ansible.builtin.set_fact: + all_files: + - /etc/audit/rules.d/audit_rules_networkconfig_modification_hostname_file.rules + when: + - audit_rules_networkconfig_modification_hostname_file | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"audit" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' + - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and + find_existing_watch_rules_d.matched == 0 + tags: + - CCE-86603-8 + - audit_rules_networkconfig_modification_hostname_file + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Record Events that Modify the System's Network Environment - /etc/hostname - Use matched file as the recipient for + the rule + ansible.builtin.set_fact: + all_files: + - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' + when: + - audit_rules_networkconfig_modification_hostname_file | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"audit" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' + - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and + find_existing_watch_rules_d.matched == 0 + tags: + - CCE-86603-8 + - audit_rules_networkconfig_modification_hostname_file + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Record Events that Modify the System's Network Environment - /etc/hostname - Add watch rule for /etc/hostname in /etc/audit/rules.d/ + ansible.builtin.lineinfile: + 
path: '{{ all_files[0] }}' + line: -w /etc/hostname -p wa -k audit_rules_networkconfig_modification_hostname_file + create: true + mode: '0600' + when: + - audit_rules_networkconfig_modification_hostname_file | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"audit" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' + - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 + tags: + - CCE-86603-8 + - audit_rules_networkconfig_modification_hostname_file + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Record Events that Modify the System's Network Environment - /etc/hostname - Check if watch rule for /etc/hostname + already exists in /etc/audit/audit.rules + ansible.builtin.find: + paths: /etc/audit/ + contains: ^\s*-w\s+/etc/hostname\s+-p\s+wa(\s|$)+ + patterns: audit.rules + register: find_existing_watch_audit_rules + when: + - audit_rules_networkconfig_modification_hostname_file | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"audit" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' + tags: + - CCE-86603-8 + - audit_rules_networkconfig_modification_hostname_file + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Record Events that Modify the System's Network Environment - /etc/hostname - Add watch rule for /etc/hostname in /etc/audit/audit.rules + ansible.builtin.lineinfile: + line: -w /etc/hostname -p wa -k audit_rules_networkconfig_modification_hostname_file + state: present + dest: /etc/audit/audit.rules + create: true + mode: '0600' + when: + - audit_rules_networkconfig_modification_hostname_file | bool + - low_complexity | bool + - low_disruption | bool + - 
medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"audit" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' + - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 + tags: + - CCE-86603-8 + - audit_rules_networkconfig_modification_hostname_file + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Record Events that Modify the System's Network Environment - /etc/sysconfig/network-scripts - Check if watch rule + for /etc/sysconfig/network-scripts already exists in /etc/audit/rules.d/ ansible.builtin.find: paths: /etc/audit/rules.d contains: ^\s*-w\s+/etc/sysconfig/network-scripts\s+-p\s+wa(\s|$)+ @@ -27905,7 +31842,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86940-4 - audit_rules_networkconfig_modification_network_scripts @@ -27915,8 +31852,8 @@ - no_reboot_needed - restrict_strategy -- name: Record Events that Modify the System's Network Environment - Search /etc/audit/rules.d for other rules with specified - key audit_rules_networkconfig_modification_network_scripts +- name: Record Events that Modify the System's Network Environment - /etc/sysconfig/network-scripts - Search /etc/audit/rules.d + for other rules with specified key audit_rules_networkconfig_modification_network_scripts ansible.builtin.find: paths: /etc/audit/rules.d contains: ^.*(?:-F key=|-k\s+)audit_rules_networkconfig_modification_network_scripts$ @@ -27930,7 +31867,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-86940-4 
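Review bot: The existence checks for the /etc/hostname watch (the two `contains:` patterns in the hunk that starts at `@@ -27890,8 +31650,185 @@`) only recognise the literal `-p wa` spelling, so an already-present equivalent rule written as `-p aw` or with a broader set such as `-p rwa` is treated as absent and a second `-w /etc/hostname` rule is appended; if that is the intended templating behaviour it deserves a comment on the first find task, e.g. `# only the canonical "-p wa" form is recognised; other permission orders count as missing`. On style, the rules.d writer uses `path:` while the audit.rules writer uses `dest:` plus an explicit `state: present`; `dest` is an alias of `path` and `present` is the default, so `path: /etc/audit/audit.rules` without `state:` would make the two tasks read alike. The /etc/NetworkManager hunk starting at `@@ -28068,6 +32006,185 @@` shares both points, and its task names say `/etc/NetworkManager/` with a trailing slash while the rule it writes watches `/etc/NetworkManager`.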
@@ -27941,7 +31878,7 @@ - no_reboot_needed - restrict_strategy -- name: Record Events that Modify the System's Network Environment - Use /etc/audit/rules.d/audit_rules_networkconfig_modification_network_scripts.rules +- name: Record Events that Modify the System's Network Environment - /etc/sysconfig/network-scripts - Use /etc/audit/rules.d/audit_rules_networkconfig_modification_network_scripts.rules as the recipient for the rule ansible.builtin.set_fact: all_files: @@ -27954,7 +31891,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: @@ -27966,7 +31903,8 @@ - no_reboot_needed - restrict_strategy -- name: Record Events that Modify the System's Network Environment - Use matched file as the recipient for the rule +- name: Record Events that Modify the System's Network Environment - /etc/sysconfig/network-scripts - Use matched file as + the recipient for the rule ansible.builtin.set_fact: all_files: - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' @@ -27978,7 +31916,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: 
@@ -27990,8 +31928,8 @@ - no_reboot_needed - restrict_strategy -- name: Record Events that Modify the System's Network Environment - Add watch rule for /etc/sysconfig/network-scripts in - /etc/audit/rules.d/ +- name: Record Events that Modify the System's Network Environment - /etc/sysconfig/network-scripts - Add watch rule for /etc/sysconfig/network-scripts + in /etc/audit/rules.d/ ansible.builtin.lineinfile: path: '{{ all_files[0] }}' line: -w /etc/sysconfig/network-scripts -p wa -k audit_rules_networkconfig_modification_network_scripts @@ -28005,7 +31943,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-86940-4 @@ -28016,8 +31954,8 @@ - no_reboot_needed - restrict_strategy -- name: Record Events that Modify the System's Network Environment - Check if watch rule for /etc/sysconfig/network-scripts - already exists in /etc/audit/audit.rules +- name: Record Events that Modify the System's Network Environment - /etc/sysconfig/network-scripts - Check if watch rule + for /etc/sysconfig/network-scripts already exists in /etc/audit/audit.rules ansible.builtin.find: paths: /etc/audit/ contains: ^\s*-w\s+/etc/sysconfig/network-scripts\s+-p\s+wa(\s|$)+ @@ -28031,7 +31969,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86940-4 - audit_rules_networkconfig_modification_network_scripts 
@@ -28041,8 +31979,8 @@ - no_reboot_needed - restrict_strategy -- name: Record Events that Modify the System's Network Environment - Add watch rule for /etc/sysconfig/network-scripts in - /etc/audit/audit.rules +- name: Record Events that Modify the System's Network Environment - /etc/sysconfig/network-scripts - Add watch rule for /etc/sysconfig/network-scripts + in /etc/audit/audit.rules ansible.builtin.lineinfile: line: -w /etc/sysconfig/network-scripts -p wa -k audit_rules_networkconfig_modification_network_scripts state: present @@ -28057,7 +31995,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 tags: - CCE-86940-4 
@@ -28068,6 +32006,185 @@ - no_reboot_needed - restrict_strategy +- name: Record Events that Modify the System's Network Environment - /etc/NetworkManager/ - Check if watch rule for /etc/NetworkManager + already exists in /etc/audit/rules.d/ + ansible.builtin.find: + paths: /etc/audit/rules.d + contains: ^\s*-w\s+/etc/NetworkManager\s+-p\s+wa(\s|$)+ + patterns: '*.rules' + register: find_existing_watch_rules_d + when: + - audit_rules_networkconfig_modification_networkmanager | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"audit" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' + tags: + - CCE-86481-9 + - audit_rules_networkconfig_modification_networkmanager + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Record Events that Modify the System's Network Environment - /etc/NetworkManager/ - Search /etc/audit/rules.d for + other rules with specified key audit_rules_networkconfig_modification_networkmanager + ansible.builtin.find: + paths: /etc/audit/rules.d + contains: ^.*(?:-F key=|-k\s+)audit_rules_networkconfig_modification_networkmanager$ + patterns: '*.rules' + register: find_watch_key + when: + - audit_rules_networkconfig_modification_networkmanager | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"audit" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' + - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 + tags: + - CCE-86481-9 + - audit_rules_networkconfig_modification_networkmanager + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Record Events that Modify the System's Network Environment - /etc/NetworkManager/ - Use 
/etc/audit/rules.d/audit_rules_networkconfig_modification_networkmanager.rules + as the recipient for the rule + ansible.builtin.set_fact: + all_files: + - /etc/audit/rules.d/audit_rules_networkconfig_modification_networkmanager.rules + when: + - audit_rules_networkconfig_modification_networkmanager | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"audit" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' + - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and + find_existing_watch_rules_d.matched == 0 + tags: + - CCE-86481-9 + - audit_rules_networkconfig_modification_networkmanager + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Record Events that Modify the System's Network Environment - /etc/NetworkManager/ - Use matched file as the recipient + for the rule + ansible.builtin.set_fact: + all_files: + - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' + when: + - audit_rules_networkconfig_modification_networkmanager | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"audit" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' + - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and + find_existing_watch_rules_d.matched == 0 + tags: + - CCE-86481-9 + - audit_rules_networkconfig_modification_networkmanager + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Record Events that Modify the System's Network Environment - /etc/NetworkManager/ - Add watch rule for /etc/NetworkManager + in /etc/audit/rules.d/ + ansible.builtin.lineinfile: + path: '{{ all_files[0] 
}}' + line: -w /etc/NetworkManager -p wa -k audit_rules_networkconfig_modification_networkmanager + create: true + mode: '0600' + when: + - audit_rules_networkconfig_modification_networkmanager | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"audit" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' + - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 + tags: + - CCE-86481-9 + - audit_rules_networkconfig_modification_networkmanager + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Record Events that Modify the System's Network Environment - /etc/NetworkManager/ - Check if watch rule for /etc/NetworkManager + already exists in /etc/audit/audit.rules + ansible.builtin.find: + paths: /etc/audit/ + contains: ^\s*-w\s+/etc/NetworkManager\s+-p\s+wa(\s|$)+ + patterns: audit.rules + register: find_existing_watch_audit_rules + when: + - audit_rules_networkconfig_modification_networkmanager | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"audit" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' + tags: + - CCE-86481-9 + - audit_rules_networkconfig_modification_networkmanager + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Record Events that Modify the System's Network Environment - /etc/NetworkManager/ - Add watch rule for /etc/NetworkManager + in /etc/audit/audit.rules + ansible.builtin.lineinfile: + line: -w /etc/NetworkManager -p wa -k audit_rules_networkconfig_modification_networkmanager + state: present + dest: /etc/audit/audit.rules + create: true + mode: '0600' + when: + - audit_rules_networkconfig_modification_networkmanager | bool + - low_complexity | bool + - 
low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"audit" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' + - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 + tags: + - CCE-86481-9 + - audit_rules_networkconfig_modification_networkmanager + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - name: Record Attempts to Alter Process and Session Initiation Information btmp - Check if watch rule for /var/log/btmp already exists in /etc/audit/rules.d/ ansible.builtin.find: @@ -28083,7 +32200,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86198-9 - NIST-800-53-AU-12(c) @@ -28113,7 +32230,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-86198-9 @@ -28142,7 +32259,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: @@ -28172,7 +32289,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: 
@@ -28203,7 +32320,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-86198-9 @@ -28234,7 +32351,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86198-9 - NIST-800-53-AU-12(c) @@ -28264,7 +32381,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 tags: - CCE-86198-9 @@ -28295,7 +32412,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86202-9 - NIST-800-53-AU-12(c) @@ -28325,7 +32442,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-86202-9 @@ -28354,7 +32471,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: 
@@ -28384,7 +32501,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: @@ -28415,7 +32532,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-86202-9 @@ -28446,7 +32563,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86202-9 - NIST-800-53-AU-12(c) @@ -28476,7 +32593,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 tags: - CCE-86202-9 @@ -28507,7 +32624,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86203-7 - NIST-800-53-AU-12(c) @@ -28537,7 +32654,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-86203-7 
@@ -28566,7 +32683,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: @@ -28596,7 +32713,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: @@ -28627,7 +32744,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-86203-7 @@ -28658,7 +32775,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86203-7 - NIST-800-53-AU-12(c) @@ -28688,7 +32805,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 tags: - CCE-86203-7 @@ -28717,7 +32834,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86368-8 - audit_rules_suid_auid_privilege_function 
@@ -28742,7 +32859,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86368-8 - audit_rules_suid_auid_privilege_function @@ -28766,7 +32883,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - '"auditd.service" in ansible_facts.services' - '"augenrules" in check_rules_scripts_result.stdout' register: augenrules_audit_rules_privilege_function_update_result @@ -28794,7 +32911,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - '"auditd.service" in ansible_facts.services' - '"auditctl" in check_rules_scripts_result.stdout' register: auditctl_audit_rules_privilege_function_update_result @@ -28818,7 +32935,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - (augenrules_audit_rules_privilege_function_update_result.changed or auditctl_audit_rules_privilege_function_update_result.changed) - ansible_facts.services["auditd.service"].state == "running" tags: @@ -28844,7 +32961,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83729-4 - CJIS-5.4.1.1 @@ -28881,7 +32998,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 tags: - CCE-83729-4 
@@ -28918,7 +33035,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83729-4 - CJIS-5.4.1.1 @@ -28955,7 +33072,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83729-4 @@ -28991,7 +33108,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: @@ -29027,7 +33144,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: @@ -29065,7 +33182,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83729-4 @@ -29102,7 +33219,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83729-4 - CJIS-5.4.1.1 
@@ -29139,7 +33256,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 tags: - CCE-83729-4 @@ -29176,7 +33293,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83729-4 - CJIS-5.4.1.1 @@ -29213,7 +33330,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83729-4 @@ -29249,7 +33366,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: @@ -29285,7 +33402,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: @@ -29323,7 +33440,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83729-4 
@@ -29362,7 +33479,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83722-9 - CJIS-5.4.1.1 @@ -29400,7 +33517,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83722-9 @@ -29437,7 +33554,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: @@ -29474,7 +33591,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: @@ -29513,7 +33630,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83722-9 @@ -29552,7 +33669,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83722-9 - CJIS-5.4.1.1 
@@ -29590,7 +33707,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 tags: - CCE-83722-9 @@ -29629,7 +33746,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83723-7 - CJIS-5.4.1.1 @@ -29667,7 +33784,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83723-7 @@ -29704,7 +33821,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: @@ -29741,7 +33858,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: @@ -29780,7 +33897,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83723-7 
@@ -29819,7 +33936,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83723-7 - CJIS-5.4.1.1 @@ -29857,7 +33974,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 tags: - CCE-83723-7 @@ -29895,7 +34012,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86213-6 - audit_rules_usergroup_modification_nsswitch_conf @@ -29920,7 +34037,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-86213-6 @@ -29944,7 +34061,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: @@ -29969,7 +34086,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: 
@@ -29995,7 +34112,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-86213-6 @@ -30021,7 +34138,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86213-6 - audit_rules_usergroup_modification_nsswitch_conf @@ -30046,7 +34163,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 tags: - CCE-86213-6 @@ -30073,7 +34190,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83712-0 - CJIS-5.4.1.1 @@ -30111,7 +34228,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83712-0 @@ -30148,7 +34265,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: 
@@ -30186,7 +34303,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: @@ -30226,7 +34343,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83712-0 @@ -30265,7 +34382,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83712-0 - CJIS-5.4.1.1 @@ -30304,7 +34421,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 tags: - CCE-83712-0 @@ -30342,7 +34459,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86212-8 - audit_rules_usergroup_modification_pam_conf @@ -30367,7 +34484,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-86212-8 
@@ -30391,7 +34508,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: @@ -30415,7 +34532,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: @@ -30441,7 +34558,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-86212-8 @@ -30467,7 +34584,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86212-8 - audit_rules_usergroup_modification_pam_conf @@ -30492,7 +34609,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 tags: - CCE-86212-8 @@ -30518,7 +34635,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86211-0 - audit_rules_usergroup_modification_pamd 
@@ -30543,7 +34660,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-86211-0 @@ -30567,7 +34684,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: @@ -30591,7 +34708,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: @@ -30617,7 +34734,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-86211-0 @@ -30643,7 +34760,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86211-0 - audit_rules_usergroup_modification_pamd @@ -30668,7 +34785,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 tags: - CCE-86211-0 
@@ -30695,7 +34812,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83714-6 - CJIS-5.4.1.1 @@ -30733,7 +34850,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83714-6 @@ -30770,7 +34887,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: @@ -30807,7 +34924,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: @@ -30846,7 +34963,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83714-6 @@ -30885,7 +35002,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83714-6 - CJIS-5.4.1.1 
@@ -30923,7 +35040,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 tags: - CCE-83714-6 @@ -30962,7 +35079,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83725-2 - CJIS-5.4.1.1 @@ -31000,7 +35117,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83725-2 @@ -31037,7 +35154,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: @@ -31074,7 +35191,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: @@ -31113,7 +35230,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83725-2 
@@ -31152,7 +35269,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83725-2 - CJIS-5.4.1.1 @@ -31190,7 +35307,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 tags: - CCE-83725-2 @@ -31227,7 +35344,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86433-0 - PCI-DSS-Req-10.2.2 @@ -31256,7 +35373,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-86433-0 @@ -31285,7 +35402,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: @@ -31314,7 +35431,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: 
@@ -31345,7 +35462,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-86433-0 @@ -31375,7 +35492,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86433-0 - PCI-DSS-Req-10.2.2 @@ -31405,7 +35522,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 tags: - CCE-86433-0 @@ -31433,7 +35550,7 @@ - medium_severity | bool - no_reboot_needed | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86446-2 - DISA-STIG-RHEL-09-232104 @@ -31459,7 +35576,7 @@ - medium_severity | bool - no_reboot_needed | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86446-2 - DISA-STIG-RHEL-09-232104 @@ -31487,7 +35604,7 @@ - medium_severity | bool - no_reboot_needed | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86446-2 - DISA-STIG-RHEL-09-232104 @@ -31513,7 +35630,7 @@ - medium_severity | bool - no_reboot_needed | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86446-2 - DISA-STIG-RHEL-09-232104 
@@ -31541,7 +35658,7 @@ - medium_severity | bool - no_reboot_needed | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86446-2 - DISA-STIG-RHEL-09-232104 @@ -31564,7 +35681,7 @@ - medium_severity | bool - no_reboot_needed | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86445-4 - DISA-STIG-RHEL-09-232103 @@ -31590,7 +35707,7 @@ - medium_severity | bool - no_reboot_needed | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86445-4 - DISA-STIG-RHEL-09-232103 @@ -31618,7 +35735,7 @@ - medium_severity | bool - no_reboot_needed | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86445-4 - DISA-STIG-RHEL-09-232103 @@ -31644,7 +35761,7 @@ - medium_severity | bool - no_reboot_needed | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86445-4 - DISA-STIG-RHEL-09-232103 @@ -31672,7 +35789,7 @@ - medium_severity | bool - no_reboot_needed | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86445-4 - DISA-STIG-RHEL-09-232103 @@ -31699,7 +35816,7 @@ - medium_severity | bool - no_reboot_needed | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-88002-1 - DISA-STIG-RHEL-09-653110 @@ -31727,7 +35844,7 @@ - medium_severity | bool - no_reboot_needed | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-88002-1 - DISA-STIG-RHEL-09-653110 
@@ -31755,7 +35872,7 @@ - medium_severity | bool - no_reboot_needed | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-88002-1 - DISA-STIG-RHEL-09-653110 @@ -31783,7 +35900,7 @@ - medium_severity | bool - no_reboot_needed | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-88002-1 - DISA-STIG-RHEL-09-653110 @@ -31798,6 +35915,8 @@ - name: Get audit log files ansible.builtin.command: grep -iw ^log_file /etc/audit/auditd.conf failed_when: false + changed_when: false + check_mode: false register: log_file_exists when: - DISA_STIG_RHEL_09_653090 | bool @@ -31808,7 +35927,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83720-3 - CJIS-5.4.1.1 @@ -31830,6 +35949,8 @@ - name: Parse log file line ansible.builtin.command: awk -F '=' '/^log_file/ {print $2}' /etc/audit/auditd.conf register: log_file_line + changed_when: false + check_mode: false when: - DISA_STIG_RHEL_09_653090 | bool - file_permissions_var_log_audit | bool @@ -31839,7 +35960,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - log_file_exists is not skipped and (log_file_exists.stdout | length > 0) tags: - CCE-83720-3 @@ -31871,7 +35992,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - (log_file_exists is skipped) or (log_file_exists is undefined) or (log_file_exists.stdout | length == 0) tags: - CCE-83720-3 
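Review bot: The two discovery tasks for the audit log path disagree on case: `grep -iw ^log_file` matches a capitalised `LOG_FILE = ...` keyword, but the follow-up `awk -F '=' '/^log_file/ {print $2}'` is case-sensitive, so on such a file `log_file_exists.stdout` is non-empty while `log_file_line.stdout` is empty and both downstream branches (`log_file_line.stdout | length > 0` and `log_file_exists.stdout | length == 0`) skip, leaving the log permissions untouched. Either drop `-i` from the grep or make awk match the same way, e.g. `awk -F '=' 'tolower($1) ~ /^log_file *$/ {print $2}' /etc/audit/auditd.conf`. The added `changed_when: false` and `check_mode: false` are right for read-only probes; the pre-existing `failed_when: false` on the grep also masks a missing `/etc/audit/auditd.conf`, which is worth a comment such as `# absent file or keyword falls back to the default path below`. Both tasks' `when:` lists continue beyond the hunk.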
@@ -31903,7 +36024,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - (log_file_exists is not skipped) and (log_file_line.stdout is defined) and (log_file_line.stdout | length > 0) tags: - CCE-83720-3 @@ -31937,7 +36058,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83720-3 - CJIS-5.4.1.1 @@ -31968,7 +36089,7 @@ - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - not ( ansible_architecture == "aarch64" ) - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" @@ -32099,7 +36220,7 @@ - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - not ( ansible_architecture == "aarch64" ) tags: - CCE-83830-0 @@ -32228,7 +36349,7 @@ - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - not ( ansible_architecture == "aarch64" ) - audit_arch == "b64" tags: @@ -32261,7 +36382,7 @@ - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - not ( ansible_architecture == "aarch64" ) - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" 
@@ -32394,7 +36515,7 @@ - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - not ( ansible_architecture == "aarch64" ) tags: - CCE-83812-8 @@ -32525,7 +36646,7 @@ - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - not ( ansible_architecture == "aarch64" ) - audit_arch == "b64" tags: @@ -32558,7 +36679,7 @@ - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" tags: @@ -32688,7 +36809,7 @@ - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83832-6 - CJIS-5.4.1.1 @@ -32816,7 +36937,7 @@ - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - audit_arch == "b64" tags: - CCE-83832-6 @@ -32848,7 +36969,7 @@ - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" tags: 
@@ -32978,7 +37099,7 @@ - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83822-7 - CJIS-5.4.1.1 @@ -33106,7 +37227,7 @@ - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - audit_arch == "b64" tags: - CCE-83822-7 @@ -33138,7 +37259,7 @@ - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" tags: @@ -33270,7 +37391,7 @@ - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83829-2 - CJIS-5.4.1.1 @@ -33400,7 +37521,7 @@ - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - audit_arch == "b64" tags: - CCE-83829-2 @@ -33432,7 +37553,7 @@ - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" tags: @@ -33564,7 +37685,7 @@ - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83831-8 - CJIS-5.4.1.1 
@@ -33694,7 +37815,7 @@ - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - audit_arch == "b64" tags: - CCE-83831-8 @@ -33726,7 +37847,7 @@ - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" tags: @@ -33966,7 +38087,7 @@ - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83821-9 - CJIS-5.4.1.1 @@ -34204,7 +38325,7 @@ - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - audit_arch == "b64" tags: - CCE-83821-9 @@ -34236,7 +38357,7 @@ - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" tags: @@ -34476,7 +38597,7 @@ - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83817-7 - CJIS-5.4.1.1 @@ -34714,7 +38835,7 @@ - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - audit_arch == "b64" tags: - CCE-83817-7 
@@ -34746,7 +38867,7 @@ - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - not ( ansible_architecture == "aarch64" ) - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" @@ -34879,7 +39000,7 @@ - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - not ( ansible_architecture == "aarch64" ) tags: - CCE-83833-4 @@ -35010,7 +39131,7 @@ - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - not ( ansible_architecture == "aarch64" ) - audit_arch == "b64" tags: @@ -35043,7 +39164,7 @@ - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" tags: @@ -35283,7 +39404,7 @@ - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83814-4 - CJIS-5.4.1.1 @@ -35521,7 +39642,7 @@ - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - audit_arch == "b64" tags: - CCE-83814-4 
@@ -35553,7 +39674,7 @@ - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" tags: @@ -35793,7 +39914,7 @@ - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83808-6 - CJIS-5.4.1.1 @@ -36031,7 +40152,7 @@ - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - audit_arch == "b64" tags: - CCE-83808-6 @@ -36063,7 +40184,7 @@ - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" tags: @@ -36303,7 +40424,7 @@ - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83807-8 - CJIS-5.4.1.1 @@ -36541,7 +40662,7 @@ - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - audit_arch == "b64" tags: - CCE-83807-8 
@@ -36573,7 +40694,7 @@ - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" tags: @@ -36813,7 +40934,7 @@ - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83811-0 - CJIS-5.4.1.1 @@ -37051,7 +41172,7 @@ - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - audit_arch == "b64" tags: - CCE-83811-0 @@ -37174,7 +41295,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-87685-4 - DISA-STIG-RHEL-09-654035 @@ -37288,7 +41409,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-90482-1 - DISA-STIG-RHEL-09-654040 @@ -37402,7 +41523,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83748-4 - DISA-STIG-RHEL-09-654045 
@@ -37430,7 +41551,7 @@ - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - not ( ansible_architecture == "aarch64" ) - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" @@ -37567,7 +41688,7 @@ - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - not ( ansible_architecture == "aarch64" ) tags: - CCE-83754-2 @@ -37702,7 +41823,7 @@ - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - not ( ansible_architecture == "aarch64" ) - audit_arch == "b64" tags: @@ -37735,7 +41856,7 @@ - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" tags: @@ -37871,7 +41992,7 @@ - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83756-7 - DISA-STIG-RHEL-09-654065 @@ -38005,7 +42126,7 @@ - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - audit_arch == "b64" tags: - CCE-83756-7 
@@ -38037,7 +42158,7 @@ - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - not ( ansible_architecture == "aarch64" ) - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" @@ -38174,7 +42295,7 @@ - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - not ( ansible_architecture == "aarch64" ) tags: - CCE-83757-5 @@ -38309,7 +42430,7 @@ - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - not ( ansible_architecture == "aarch64" ) - audit_arch == "b64" tags: @@ -38342,7 +42463,7 @@ - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" tags: @@ -38478,7 +42599,7 @@ - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83755-9 - DISA-STIG-RHEL-09-654065 @@ -38612,7 +42733,7 @@ - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - audit_arch == "b64" tags: - CCE-83755-9 
@@ -38644,7 +42765,7 @@ - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - not ( ansible_architecture == "aarch64" ) - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" @@ -38781,7 +42902,7 @@ - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - not ( ansible_architecture == "aarch64" ) tags: - CCE-83786-4 @@ -38916,7 +43037,7 @@ - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - not ( ansible_architecture == "aarch64" ) - audit_arch == "b64" tags: @@ -39052,7 +43173,7 @@ - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - not ( ansible_architecture == "aarch64" ) tags: - CCE-83786-4 @@ -39187,7 +43308,7 @@ - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - not ( ansible_architecture == "aarch64" ) - audit_arch == "b64" tags: @@ -39218,7 +43339,7 @@ - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" tags: 
@@ -39354,7 +43475,7 @@ - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83800-3 - DISA-STIG-RHEL-09-654070 @@ -39488,7 +43609,7 @@ - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - audit_arch == "b64" tags: - CCE-83800-3 @@ -39623,7 +43744,7 @@ - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83800-3 - DISA-STIG-RHEL-09-654070 @@ -39757,7 +43878,7 @@ - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - audit_arch == "b64" tags: - CCE-83800-3 @@ -39787,7 +43908,7 @@ - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - not ( ansible_architecture == "aarch64" ) - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" @@ -39924,7 +44045,7 @@ - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - not ( ansible_architecture == "aarch64" ) tags: - CCE-83801-1 @@ -40059,7 +44180,7 @@ - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - not ( ansible_architecture == "aarch64" ) - audit_arch == "b64" tags: 
@@ -40195,7 +44316,7 @@ - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - not ( ansible_architecture == "aarch64" ) tags: - CCE-83801-1 @@ -40330,7 +44451,7 @@ - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - not ( ansible_architecture == "aarch64" ) - audit_arch == "b64" tags: @@ -40361,7 +44482,7 @@ - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" tags: @@ -40497,7 +44618,7 @@ - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83794-8 - DISA-STIG-RHEL-09-654070 @@ -40631,7 +44752,7 @@ - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - audit_arch == "b64" tags: - CCE-83794-8 @@ -40766,7 +44887,7 @@ - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83794-8 - DISA-STIG-RHEL-09-654070 @@ -40900,7 +45021,7 @@ - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - audit_arch == "b64" tags: - CCE-83794-8 
@@ -40930,7 +45051,7 @@ - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" tags: @@ -41066,7 +45187,7 @@ - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83792-2 - DISA-STIG-RHEL-09-654070 @@ -41200,7 +45321,7 @@ - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - audit_arch == "b64" tags: - CCE-83792-2 @@ -41335,7 +45456,7 @@ - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83792-2 - DISA-STIG-RHEL-09-654070 @@ -41469,7 +45590,7 @@ - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - audit_arch == "b64" tags: - CCE-83792-2 @@ -41487,7 +45608,8 @@ - reboot_required - restrict_strategy -- name: Set architecture for audit finit_module tasks +- name: Ensure auditd Collects Information on Kernel Module Unloading - create_module - Set architecture for audit ['create_module'] + tasks ansible.builtin.set_fact: audit_arch: b64 when: 
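Review bot: The renamed task on the `+- name:` line says "Kernel Module Unloading" while the task handles `create_module`, which is a loading syscall, and the `['create_module']` fragment reads like a Python list repr that leaked out of the generator rather than intended prose. Suggest `- name: Ensure auditd Collects Information on Kernel Module Loading - create_module - Set architecture for audit create_module tasks`; the same wording is reused for the 32-bit and 64-bit remediation block names further down and should follow suit. The `- reboot_required` / `- restrict_strategy` tags at the top of the hunk belong to the preceding task, whose body is outside the hunk.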
@@ -41498,7 +45620,7 @@ - medium_severity | bool - no_reboot_needed | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - not ( ansible_architecture == "aarch64" ) - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" @@ -41511,17 +45633,23 @@ - medium_severity - no_reboot_needed -- name: Perform remediation of Audit rules for finit_module for 32bit platform +- name: Ensure auditd Collects Information on Kernel Module Unloading - create_module - Perform remediation of Audit rules + for ['create_module'] for 32bit platform block: - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - create_module - syscall_grouping: [] + syscall_grouping: + - create_module + - delete_module + - finit_module + - init_module + - query_module - name: Check existence of create_module in /etc/audit/rules.d/ ansible.builtin.find: paths: /etc/audit/rules.d - contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$ + contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' 
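Review bot: The new `contains:` pattern accepts only the literal `-F auid>=1000 -F auid!=unset` between the syscall list and the key, so an existing rule written with the equivalent `-F auid!=4294967295` or `-F auid!=-1` (both accepted by auditctl, and the form older STIG check text used) is not recognised and the block falls through to appending a second rule for the same syscalls. Accept the equivalents, e.g. `-F auid>=1000 -F auid!=(unset|-1|4294967295) (-k\s+|-F\s+key=)\S+\s*$`, and mirror that in the `regexp:` of the "Replace the audit rule" task further down so the matched line can still be extended. The remediation `block:` continues past the end of the hunk.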
@@ -41542,8 +45670,8 @@ - name: Get path with most syscalls ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - - name: No file with syscall found, set path to /etc/audit/rules.d/module-change.rules - ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/module-change.rules" + - name: No file with syscall found, set path to /etc/audit/rules.d/modules.rules + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/modules.rules" when: found_paths | length == 0 - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list @@ -41554,7 +45682,7 @@ ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S - |,)\w+)+)( (?:-k |-F key=)\w+) + |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present @@ -41563,7 +45691,7 @@ - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' - line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=module-change + line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=modules create: true mode: g-rwx,o-rwx state: present 
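Review bot: The `line:` added when no matching rule is found now carries `-F auid>=1000 -F auid!=unset -F key=modules`, but a host remediated by the previous version of this role holds `-a always,exit -F arch=b32 -S create_module -F key=module-change` with no auid filter, which the new `contains:`/`regexp:` patterns no longer match; the outcome is two rules for the same syscalls, the old unfiltered one still firing, rather than a migration. Consider having the "Replace the audit rule" `regexp:` also match the unfiltered legacy form and rewrite it, or a preceding `lineinfile` with `state: absent` for the `-F key=module-change` rule, so the rename of the default file to `modules.rules` and of the key to `modules` does not leave stale rules behind in `module-change.rules`. This hunk is the tail of a remediation block that starts outside it.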
@@ -41572,11 +45700,16 @@ ansible.builtin.set_fact: syscalls: - create_module - syscall_grouping: [] + syscall_grouping: + - create_module + - delete_module + - finit_module + - init_module + - query_module - name: Check existence of create_module in /etc/audit/audit.rules ansible.builtin.find: paths: /etc/audit - contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$ + contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -41590,8 +45723,8 @@ - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' - regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k - |-F key=)\w+) + regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F + auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present @@ -41600,7 +45733,7 @@ - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' - line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=module-change + line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=modules create: true mode: g-rwx,o-rwx state: present @@ -41613,7 +45746,7 @@ - medium_severity | bool - no_reboot_needed | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - not ( ansible_architecture == "aarch64" ) tags: - CCE-88436-1 
@@ -41624,17 +45757,23 @@ - medium_severity - no_reboot_needed -- name: Perform remediation of Audit rules for finit_module for 64bit platform +- name: Ensure auditd Collects Information on Kernel Module Unloading - create_module - Perform remediation of Audit rules + for ['create_module'] for 64bit platform block: - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - create_module - syscall_grouping: [] + syscall_grouping: + - create_module + - delete_module + - finit_module + - init_module + - query_module - name: Check existence of create_module in /etc/audit/rules.d/ ansible.builtin.find: paths: /etc/audit/rules.d - contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$ + contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -41655,8 +45794,8 @@ - name: Get path with most syscalls ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - - name: No file with syscall found, set path to /etc/audit/rules.d/module-change.rules - ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/module-change.rules" + - name: No file with syscall found, set path to /etc/audit/rules.d/modules.rules + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/modules.rules" when: found_paths | length == 0 - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list 
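Review bot: The new task name for the create_module block reads "Ensure auditd Collects Information on Kernel Module Unloading - create_module", but create_module is a (long obsolete) module-loading syscall, and the sibling tasks in this file say "Loading" for init_module, "Loading and Unloading" for finit_module/query_module, and reserve "Unloading" for delete_module. It is presumably generated from the rule title, so the fix belongs in the rule metadata rather than in this file, but as written the task name misleads anyone reading play output or grepping for module-load coverage. The wording that matches its siblings would be `Ensure auditd Collects Information on Kernel Module Loading - create_module - Perform remediation of Audit rules for ['create_module'] for 64bit platform`.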
@@ -41667,7 +45806,7 @@ ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S - |,)\w+)+)( (?:-k |-F key=)\w+) + |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present @@ -41676,7 +45815,7 @@ - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' - line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F key=module-change + line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=modules create: true mode: g-rwx,o-rwx state: present @@ -41685,11 +45824,16 @@ ansible.builtin.set_fact: syscalls: - create_module - syscall_grouping: [] + syscall_grouping: + - create_module + - delete_module + - finit_module + - init_module + - query_module - name: Check existence of create_module in /etc/audit/audit.rules ansible.builtin.find: paths: /etc/audit - contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$ + contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' @@ -41703,8 +45847,8 @@ - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' - regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k - |-F key=)\w+) + regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F + auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present 
@@ -41713,7 +45857,7 @@ - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' - line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F key=module-change + line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=modules create: true mode: g-rwx,o-rwx state: present @@ -41726,7 +45870,7 @@ - medium_severity | bool - no_reboot_needed | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - not ( ansible_architecture == "aarch64" ) - audit_arch == "b64" tags: @@ -41738,7 +45882,8 @@ - medium_severity - no_reboot_needed -- name: Set architecture for audit delete_module tasks +- name: Ensure auditd Collects Information on Kernel Module Unloading - delete_module - Set architecture for audit ['delete_module'] + tasks ansible.builtin.set_fact: audit_arch: b64 when: @@ -41750,7 +45895,7 @@ - medium_severity | bool - no_reboot_needed | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" tags: @@ -41769,13 +45914,19 @@ - medium_severity - no_reboot_needed -- name: Perform remediation of Audit rules for delete_module for 32bit platform +- name: Ensure auditd Collects Information on Kernel Module Unloading - delete_module - Perform remediation of Audit rules + for ['delete_module'] for 32bit platform block: - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - delete_module - syscall_grouping: [] + syscall_grouping: + - create_module + - delete_module + - finit_module + - init_module + - query_module - name: Check existence of delete_module in /etc/audit/rules.d/ ansible.builtin.find: paths: /etc/audit/rules.d 
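Review bot: Switching the platform guard to `"kernel-core" in ansible_facts.packages` makes every audit remediation in this file silently skip hosts whose kernel is installed under a different package name — for example the realtime (`kernel-rt-core`) or 64k-page aarch64 (`kernel-64k-core`) variants — and a skipped task reports nothing, so the resulting gap is fail-open. If the intent is "a RHEL kernel is installed", a guard that matches the family is safer, e.g. `ansible_facts.packages | select('match', '^kernel(-rt|-64k|-debug)?-core$') | list | length > 0`, or at minimum a comment stating that only the stock `kernel-core` package is supported. I cannot see the platform definition this condition was generated from, so the restriction may be deliberate; the task this `when:` belongs to starts before this hunk.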
@@ -41800,8 +45951,8 @@ - name: Get path with most syscalls ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - - name: No file with syscall found, set path to /etc/audit/rules.d/module-change.rules - ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/module-change.rules" + - name: No file with syscall found, set path to /etc/audit/rules.d/modules.rules + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/modules.rules" when: found_paths | length == 0 - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list @@ -41821,7 +45972,7 @@ - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' - line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=module-change + line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=modules create: true mode: g-rwx,o-rwx state: present @@ -41830,7 +45981,12 @@ ansible.builtin.set_fact: syscalls: - delete_module - syscall_grouping: [] + syscall_grouping: + - create_module + - delete_module + - finit_module + - init_module + - query_module - name: Check existence of delete_module in /etc/audit/audit.rules ansible.builtin.find: paths: /etc/audit @@ -41858,7 +46014,7 @@ - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' - line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=module-change + line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=modules create: true mode: g-rwx,o-rwx state: present 
@@ -41872,7 +46028,7 @@ - medium_severity | bool - no_reboot_needed | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83802-9 - DISA-STIG-RHEL-09-654075 @@ -41889,13 +46045,19 @@ - medium_severity - no_reboot_needed -- name: Perform remediation of Audit rules for delete_module for 64bit platform +- name: Ensure auditd Collects Information on Kernel Module Unloading - delete_module - Perform remediation of Audit rules + for ['delete_module'] for 64bit platform block: - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - delete_module - syscall_grouping: [] + syscall_grouping: + - create_module + - delete_module + - finit_module + - init_module + - query_module - name: Check existence of delete_module in /etc/audit/rules.d/ ansible.builtin.find: paths: /etc/audit/rules.d @@ -41920,8 +46082,8 @@ - name: Get path with most syscalls ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - - name: No file with syscall found, set path to /etc/audit/rules.d/module-change.rules - ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/module-change.rules" + - name: No file with syscall found, set path to /etc/audit/rules.d/modules.rules + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/modules.rules" when: found_paths | length == 0 - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list 
@@ -41941,7 +46103,7 @@ - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' - line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=module-change + line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=modules create: true mode: g-rwx,o-rwx state: present @@ -41950,7 +46112,12 @@ ansible.builtin.set_fact: syscalls: - delete_module - syscall_grouping: [] + syscall_grouping: + - create_module + - delete_module + - finit_module + - init_module + - query_module - name: Check existence of delete_module in /etc/audit/audit.rules ansible.builtin.find: paths: /etc/audit @@ -41978,7 +46145,7 @@ - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' - line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=module-change + line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=modules create: true mode: g-rwx,o-rwx state: present @@ -41992,7 +46159,7 @@ - medium_severity | bool - no_reboot_needed | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - audit_arch == "b64" tags: - CCE-83802-9 @@ -42010,7 +46177,8 @@ - medium_severity - no_reboot_needed -- name: Set architecture for audit finit_module tasks +- name: Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module - Set architecture for audit + ['finit_module'] tasks ansible.builtin.set_fact: audit_arch: b64 when: 
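Review bot: Renaming the audit key from `module-change` to `modules` in the `line:` values changes the `key=` field emitted in audit events, but the existence check (`(-k\s+|-F\s+key=)\S+`) still accepts any key, so a host remediated by the previous version keeps `module-change`, a fresh host gets `modules`, and a partially covered host ends up with rules under both. Anything downstream that pivots on the key — `ausearch -k module-change`, SIEM correlation rules, or the compliance check that pairs with this remediation — needs to be updated or to accept both names. A short comment at the top of this rule family, e.g. `# key renamed from module-change to modules; rules written by earlier releases keep the old key`, would save the next reviewer from re-deriving this.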
@@ -42022,7 +46190,7 @@ - medium_severity | bool - no_reboot_needed | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" tags: @@ -42041,15 +46209,19 @@ - medium_severity - no_reboot_needed -- name: Perform remediation of Audit rules for finit_module for x86 platform +- name: Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module - Perform remediation of + Audit rules for ['finit_module'] for 32bit platform block: - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - finit_module syscall_grouping: - - init_module + - create_module + - delete_module - finit_module + - init_module + - query_module - name: Check existence of finit_module in /etc/audit/rules.d/ ansible.builtin.find: paths: /etc/audit/rules.d @@ -42074,8 +46246,8 @@ - name: Get path with most syscalls ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - - name: No file with syscall found, set path to /etc/audit/rules.d/module-change.rules - ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/module-change.rules" + - name: No file with syscall found, set path to /etc/audit/rules.d/modules.rules + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/modules.rules" when: found_paths | length == 0 - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list 
@@ -42095,7 +46267,7 @@ - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' - line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=module-change + line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=modules create: true mode: g-rwx,o-rwx state: present @@ -42105,8 +46277,11 @@ syscalls: - finit_module syscall_grouping: - - init_module + - create_module + - delete_module - finit_module + - init_module + - query_module - name: Check existence of finit_module in /etc/audit/audit.rules ansible.builtin.find: paths: /etc/audit @@ -42134,7 +46309,7 @@ - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' - line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=module-change + line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=modules create: true mode: g-rwx,o-rwx state: present @@ -42148,7 +46323,7 @@ - medium_severity | bool - no_reboot_needed | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83803-7 - DISA-STIG-RHEL-09-654080 @@ -42165,15 +46340,19 @@ - medium_severity - no_reboot_needed -- name: Perform remediation of Audit rules for finit_module for x86_64 platform +- name: Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module - Perform remediation of + Audit rules for ['finit_module'] for 64bit platform block: - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - finit_module syscall_grouping: - - init_module + - create_module + - delete_module - finit_module + - init_module + - query_module - name: Check existence of finit_module in /etc/audit/rules.d/ ansible.builtin.find: paths: /etc/audit/rules.d 
@@ -42198,8 +46377,8 @@ - name: Get path with most syscalls ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - - name: No file with syscall found, set path to /etc/audit/rules.d/module-change.rules - ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/module-change.rules" + - name: No file with syscall found, set path to /etc/audit/rules.d/modules.rules + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/modules.rules" when: found_paths | length == 0 - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list @@ -42219,7 +46398,7 @@ - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' - line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=module-change + line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=modules create: true mode: g-rwx,o-rwx state: present @@ -42229,8 +46408,11 @@ syscalls: - finit_module syscall_grouping: - - init_module + - create_module + - delete_module - finit_module + - init_module + - query_module - name: Check existence of finit_module in /etc/audit/audit.rules ansible.builtin.find: paths: /etc/audit @@ -42258,7 +46440,7 @@ - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' - line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=module-change + line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=modules create: true mode: g-rwx,o-rwx state: present 
@@ -42272,7 +46454,7 @@ - medium_severity | bool - no_reboot_needed | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - audit_arch == "b64" tags: - CCE-83803-7 @@ -42290,7 +46472,8 @@ - medium_severity - no_reboot_needed -- name: Set architecture for audit init_module tasks +- name: Ensure auditd Collects Information on Kernel Module Loading - init_module - Set architecture for audit ['init_module'] + tasks ansible.builtin.set_fact: audit_arch: b64 when: @@ -42302,7 +46485,7 @@ - medium_severity | bool - no_reboot_needed | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" tags: @@ -42321,15 +46504,19 @@ - medium_severity - no_reboot_needed -- name: Perform remediation of Audit rules for init_module for 32bit platform +- name: Ensure auditd Collects Information on Kernel Module Loading - init_module - Perform remediation of Audit rules for + ['init_module'] for 32bit platform block: - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - init_module syscall_grouping: - - init_module + - create_module + - delete_module - finit_module + - init_module + - query_module - name: Check existence of init_module in /etc/audit/rules.d/ ansible.builtin.find: paths: /etc/audit/rules.d 
@@ -42354,8 +46541,8 @@ - name: Get path with most syscalls ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - - name: No file with syscall found, set path to /etc/audit/rules.d/module-change.rules - ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/module-change.rules" + - name: No file with syscall found, set path to /etc/audit/rules.d/modules.rules + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/modules.rules" when: found_paths | length == 0 - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list @@ -42375,7 +46562,7 @@ - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' - line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=module-change + line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=modules create: true mode: g-rwx,o-rwx state: present @@ -42385,8 +46572,11 @@ syscalls: - init_module syscall_grouping: - - init_module + - create_module + - delete_module - finit_module + - init_module + - query_module - name: Check existence of init_module in /etc/audit/audit.rules ansible.builtin.find: paths: /etc/audit @@ -42414,7 +46604,7 @@ - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' - line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=module-change + line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=modules create: true mode: g-rwx,o-rwx state: present 
@@ -42428,7 +46618,7 @@ - medium_severity | bool - no_reboot_needed | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-90835-0 - DISA-STIG-RHEL-09-654080 @@ -42445,15 +46635,19 @@ - medium_severity - no_reboot_needed -- name: Perform remediation of Audit rules for init_module for 64bit platform +- name: Ensure auditd Collects Information on Kernel Module Loading - init_module - Perform remediation of Audit rules for + ['init_module'] for 64bit platform block: - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - init_module syscall_grouping: - - init_module + - create_module + - delete_module - finit_module + - init_module + - query_module - name: Check existence of init_module in /etc/audit/rules.d/ ansible.builtin.find: paths: /etc/audit/rules.d @@ -42478,8 +46672,8 @@ - name: Get path with most syscalls ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - - name: No file with syscall found, set path to /etc/audit/rules.d/module-change.rules - ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/module-change.rules" + - name: No file with syscall found, set path to /etc/audit/rules.d/modules.rules + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/modules.rules" when: found_paths | length == 0 - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list @@ -42499,7 +46693,7 @@ - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' - line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=module-change + line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=modules create: true mode: g-rwx,o-rwx state: present 
@@ -42509,8 +46703,11 @@ syscalls: - init_module syscall_grouping: - - init_module + - create_module + - delete_module - finit_module + - init_module + - query_module - name: Check existence of init_module in /etc/audit/audit.rules ansible.builtin.find: paths: /etc/audit @@ -42538,7 +46735,7 @@ - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' - line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=module-change + line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=modules create: true mode: g-rwx,o-rwx state: present @@ -42552,7 +46749,7 @@ - medium_severity | bool - no_reboot_needed | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - audit_arch == "b64" tags: - CCE-90835-0 @@ -42570,7 +46767,8 @@ - medium_severity - no_reboot_needed -- name: Set architecture for audit query_module tasks +- name: Ensure auditd Collects Information on Kernel Module Loading and Unloading - query_module - Set architecture for audit + ['query_module'] tasks ansible.builtin.set_fact: audit_arch: b64 when: @@ -42581,7 +46779,7 @@ - medium_severity | bool - no_reboot_needed | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - not ( ansible_architecture == "aarch64" ) - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" 
@@ -42594,13 +46792,17 @@ - medium_severity - no_reboot_needed -- name: Perform remediation of Audit rules for query_module for x86 platform +- name: Ensure auditd Collects Information on Kernel Module Loading and Unloading - query_module - Perform remediation of + Audit rules for ['query_module'] for 32bit platform block: - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - query_module syscall_grouping: + - create_module + - delete_module + - finit_module - init_module - query_module - name: Check existence of query_module in /etc/audit/rules.d/ @@ -42627,8 +46829,8 @@ - name: Get path with most syscalls ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - - name: No file with syscall found, set path to /etc/audit/rules.d/module-change.rules - ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/module-change.rules" + - name: No file with syscall found, set path to /etc/audit/rules.d/modules.rules + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/modules.rules" when: found_paths | length == 0 - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list @@ -42648,7 +46850,7 @@ - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' - line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=module-change + line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=modules create: true mode: g-rwx,o-rwx state: present @@ -42658,6 +46860,9 @@ syscalls: - query_module syscall_grouping: + - create_module + - delete_module + - finit_module - init_module - query_module - name: Check existence of query_module in /etc/audit/audit.rules 
@@ -42687,7 +46892,7 @@ - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' - line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=module-change + line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=modules create: true mode: g-rwx,o-rwx state: present @@ -42700,7 +46905,7 @@ - medium_severity | bool - no_reboot_needed | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - not ( ansible_architecture == "aarch64" ) tags: - CCE-88749-7 @@ -42711,13 +46916,17 @@ - medium_severity - no_reboot_needed -- name: Perform remediation of Audit rules for query_module for x86_64 platform +- name: Ensure auditd Collects Information on Kernel Module Loading and Unloading - query_module - Perform remediation of + Audit rules for ['query_module'] for 64bit platform block: - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - query_module syscall_grouping: + - create_module + - delete_module + - finit_module - init_module - query_module - name: Check existence of query_module in /etc/audit/rules.d/ @@ -42744,8 +46953,8 @@ - name: Get path with most syscalls ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - - name: No file with syscall found, set path to /etc/audit/rules.d/module-change.rules - ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/module-change.rules" + - name: No file with syscall found, set path to /etc/audit/rules.d/modules.rules + ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/modules.rules" when: found_paths | length == 0 - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list 
@@ -42765,7 +46974,7 @@ - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' - line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=module-change + line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=modules create: true mode: g-rwx,o-rwx state: present @@ -42775,6 +46984,9 @@ syscalls: - query_module syscall_grouping: + - create_module + - delete_module + - finit_module - init_module - query_module - name: Check existence of query_module in /etc/audit/audit.rules @@ -42804,7 +47016,7 @@ - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' - line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=module-change + line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=modules create: true mode: g-rwx,o-rwx state: present @@ -42817,7 +47029,7 @@ - medium_severity | bool - no_reboot_needed | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - not ( ansible_architecture == "aarch64" ) - audit_arch == "b64" tags: @@ -42845,7 +47057,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83783-1 - DISA-STIG-RHEL-09-654250 @@ -42881,7 +47093,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83783-1 
@@ -42916,7 +47128,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: @@ -42951,7 +47163,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: @@ -42989,7 +47201,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83783-1 @@ -43026,7 +47238,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83783-1 - DISA-STIG-RHEL-09-654250 @@ -43063,7 +47275,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 tags: - CCE-83783-1 @@ -43100,7 +47312,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83785-6 - DISA-STIG-RHEL-09-654255 
@@ -43136,7 +47348,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83785-6 @@ -43171,7 +47383,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: @@ -43206,7 +47418,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: @@ -43243,7 +47455,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83785-6 @@ -43280,7 +47492,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83785-6 - DISA-STIG-RHEL-09-654255 @@ -43316,7 +47528,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 tags: - CCE-83785-6 
@@ -43350,7 +47562,7 @@ - medium_severity | bool - no_reboot_needed | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83759-1 - CJIS-5.4.1.1 @@ -43384,7 +47596,7 @@ - medium_severity | bool - no_reboot_needed | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83759-1 - CJIS-5.4.1.1 @@ -43415,7 +47627,7 @@ - medium_severity | bool - no_reboot_needed | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - item is not skipped tags: - CCE-83759-1 @@ -43482,7 +47694,7 @@ - medium_severity | bool - no_reboot_needed | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - privileged_commands is defined tags: - CCE-83759-1 @@ -43605,7 +47817,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-90262-7 - DISA-STIG-RHEL-09-654105 @@ -43726,7 +47938,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-87212-7 - DISA-STIG-RHEL-09-654175 @@ -43748,7 +47960,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" tags: 
@@ -43877,7 +48089,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83840-9 - CJIS-5.4.1.1 @@ -44003,7 +48215,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - audit_arch == "b64" tags: - CCE-83840-9 @@ -44034,7 +48246,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" tags: @@ -44157,7 +48369,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83837-5 - CJIS-5.4.1.1 @@ -44278,7 +48490,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - audit_arch == "b64" tags: - CCE-83837-5 @@ -44309,7 +48521,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" tags: @@ -44438,7 +48650,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83836-7 - CJIS-5.4.1.1 
@@ -44565,7 +48777,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - audit_arch == "b64" tags: - CCE-83836-7 @@ -44599,7 +48811,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83839-1 - CJIS-5.4.1.1 @@ -44632,7 +48844,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83839-1 @@ -44665,7 +48877,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: @@ -44698,7 +48910,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: @@ -44733,7 +48945,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83839-1 
@@ -44767,7 +48979,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83839-1 - CJIS-5.4.1.1 @@ -44801,7 +49013,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 tags: - CCE-83839-1 @@ -44836,7 +49048,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83690-8 - NIST-800-53-AU-5(1) @@ -44866,7 +49078,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83684-1 - NIST-800-53-AU-5(1) @@ -44897,7 +49109,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83698-1 - CJIS-5.4.1.1 @@ -44931,7 +49143,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83700-5 - CJIS-5.4.1.1 @@ -44967,7 +49179,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83683-3 - CJIS-5.4.1.1 @@ -44996,7 +49208,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83701-3 - CJIS-5.4.1.1 
@@ -45029,7 +49241,7 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-83703-9 - CJIS-5.4.1.1 @@ -45060,7 +49272,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86457-9 - configure_strategy @@ -45081,7 +49293,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86457-9 - configure_strategy @@ -45103,7 +49315,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - file_exists.stat is defined and file_exists.stat.exists tags: - CCE-86457-9 @@ -45125,7 +49337,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86457-9 - configure_strategy @@ -45147,7 +49359,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - file_exists.stat is defined and file_exists.stat.exists tags: - CCE-86457-9 @@ -45169,7 +49381,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86457-9 - configure_strategy @@ -45191,7 +49403,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - file_exists.stat is defined and file_exists.stat.exists tags: - CCE-86457-9 
@@ -45213,7 +49425,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86457-9 - configure_strategy @@ -45235,7 +49447,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - file_exists.stat is defined and file_exists.stat.exists tags: - CCE-86457-9 @@ -45257,7 +49469,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86457-9 - configure_strategy @@ -45279,7 +49491,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - file_exists.stat is defined and file_exists.stat.exists tags: - CCE-86457-9 @@ -45301,7 +49513,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86457-9 - configure_strategy @@ -45323,7 +49535,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - file_exists.stat is defined and file_exists.stat.exists tags: - CCE-86457-9 @@ -45345,7 +49557,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86457-9 - configure_strategy @@ -45367,7 +49579,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - file_exists.stat is defined and file_exists.stat.exists tags: - CCE-86457-9 
@@ -45388,7 +49600,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86454-6 - configure_strategy @@ -45409,7 +49621,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86454-6 - configure_strategy @@ -45431,7 +49643,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - file_exists.stat is defined and file_exists.stat.exists tags: - CCE-86454-6 @@ -45453,7 +49665,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86454-6 - configure_strategy @@ -45475,7 +49687,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - file_exists.stat is defined and file_exists.stat.exists tags: - CCE-86454-6 @@ -45497,7 +49709,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86454-6 - configure_strategy @@ -45519,7 +49731,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - file_exists.stat is defined and file_exists.stat.exists tags: - CCE-86454-6 @@ -45541,7 +49753,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86454-6 - configure_strategy 
@@ -45563,7 +49775,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - file_exists.stat is defined and file_exists.stat.exists tags: - CCE-86454-6 @@ -45585,7 +49797,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86454-6 - configure_strategy @@ -45607,7 +49819,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - file_exists.stat is defined and file_exists.stat.exists tags: - CCE-86454-6 @@ -45629,7 +49841,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86454-6 - configure_strategy @@ -45651,7 +49863,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - file_exists.stat is defined and file_exists.stat.exists tags: - CCE-86454-6 @@ -45673,7 +49885,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86454-6 - configure_strategy @@ -45695,7 +49907,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - file_exists.stat is defined and file_exists.stat.exists tags: - CCE-86454-6 @@ -45717,7 +49929,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86448-8 - configure_strategy 
@@ -45738,7 +49950,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - file_exists.stat is defined and file_exists.stat.exists tags: - CCE-86448-8 @@ -45760,7 +49972,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86448-8 - configure_strategy @@ -45781,7 +49993,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - file_exists.stat is defined and file_exists.stat.exists tags: - CCE-86448-8 @@ -45803,7 +50015,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86448-8 - configure_strategy @@ -45824,7 +50036,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - file_exists.stat is defined and file_exists.stat.exists tags: - CCE-86448-8 @@ -45846,7 +50058,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86448-8 - configure_strategy @@ -45867,7 +50079,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - file_exists.stat is defined and file_exists.stat.exists tags: - CCE-86448-8 @@ -45889,7 +50101,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86448-8 - configure_strategy 
@@ -45910,7 +50122,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - file_exists.stat is defined and file_exists.stat.exists tags: - CCE-86448-8 @@ -45932,7 +50144,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86448-8 - configure_strategy @@ -45953,7 +50165,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - file_exists.stat is defined and file_exists.stat.exists tags: - CCE-86448-8 @@ -45975,7 +50187,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' tags: - CCE-86448-8 - configure_strategy @@ -45996,7 +50208,7 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"kernel" in ansible_facts.packages' + - '"kernel-core" in ansible_facts.packages' - file_exists.stat is defined and file_exists.stat.exists tags: - CCE-86448-8