From d304328d722ae18a39ee39794258475fe4531237 Mon Sep 17 00:00:00 2001 From: ComplianceAsCode development team Date: Mon, 6 Feb 2023 17:04:37 -0500 Subject: [PATCH] Updated tasks/main.yml --- tasks/main.yml | 6091 ++++++++++++++++++++++++++++++++++++------------ 1 file changed, 4663 insertions(+), 1428 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index 1253d70..aca86cc 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -339,6 +339,52 @@ - medium_severity | bool - reboot_required | bool +- name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-83549-6 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - disable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - package_gdm_removed + when: + - disable_strategy | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - package_gdm_removed | bool + +- name: Ensure gdm is removed + package: + name: gdm + state: absent + when: + - disable_strategy | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - package_gdm_removed | bool + - '"gdm" in ansible_facts.packages' + tags: + - CCE-83549-6 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - disable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - package_gdm_removed + - name: Gather the package facts package_facts: manager: auto 
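Review bot: The added `Gather the package facts` task repeats the identical `package_facts: manager: auto` call that already precedes the next rule in the context lines, and the same pattern recurs before every rule in the following hunk, so one play invokes the package manager once per rule. Gathering the facts once at the start of the role — carrying the `always` tag if per-rule `--tags` selection is the reason for the duplication — and keeping only the `'"gdm" in ansible_facts.packages'` condition on the consumer task would give the same result with far fewer package-manager calls. The two tasks in this hunk also share an identical `when` list; a `block` with the list applied once would cut the duplication.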
@@ -690,6 +736,409 @@ - no_reboot_needed - unknown_strategy +- name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-90257-7 + - NIST-800-171-3.1.7 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - dconf_gnome_disable_autorun + - low_complexity + - low_severity + - medium_disruption + - no_reboot_needed + - unknown_strategy + when: + - dconf_gnome_disable_autorun | bool + - low_complexity | bool + - low_severity | bool + - medium_disruption | bool + - no_reboot_needed | bool + - unknown_strategy | bool + +- name: Disable GNOME3 Automounting - autorun-never + ini_file: + dest: /etc/dconf/db/local.d/00-security-settings + section: org/gnome/desktop/media-handling + option: autorun-never + value: 'true' + create: true + no_extra_spaces: true + when: + - dconf_gnome_disable_autorun | bool + - low_complexity | bool + - low_severity | bool + - medium_disruption | bool + - no_reboot_needed | bool + - unknown_strategy | bool + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-90257-7 + - NIST-800-171-3.1.7 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - dconf_gnome_disable_autorun + - low_complexity + - low_severity + - medium_disruption + - no_reboot_needed + - unknown_strategy + +- name: Prevent user modification of GNOME3 Automounting - autorun-never + lineinfile: + path: /etc/dconf/db/local.d/locks/00-security-settings-lock + regexp: ^/org/gnome/desktop/media-handling/autorun-never$ + line: /org/gnome/desktop/media-handling/autorun-never + create: true + when: + - dconf_gnome_disable_autorun | bool + - low_complexity | bool + - low_severity | bool + - medium_disruption | bool + - no_reboot_needed | bool + - unknown_strategy | bool + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-90257-7 + - 
NIST-800-171-3.1.7 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - dconf_gnome_disable_autorun + - low_complexity + - low_severity + - medium_disruption + - no_reboot_needed + - unknown_strategy + +- name: Dconf Update + command: dconf update + when: + - dconf_gnome_disable_autorun | bool + - low_complexity | bool + - low_severity | bool + - medium_disruption | bool + - no_reboot_needed | bool + - unknown_strategy | bool + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-90257-7 + - NIST-800-171-3.1.7 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - dconf_gnome_disable_autorun + - low_complexity + - low_severity + - medium_disruption + - no_reboot_needed + - unknown_strategy + +- name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-86510-5 + - CJIS-5.5.5 + - NIST-800-171-3.1.10 + - NIST-800-53-AC-11(a) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.1.8 + - dconf_gnome_screensaver_idle_delay + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + when: + - dconf_gnome_screensaver_idle_delay | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - unknown_strategy | bool + +- name: Set GNOME3 Screensaver Inactivity Timeout + ini_file: + dest: /etc/dconf/db/local.d/00-security-settings + section: org/gnome/desktop/session + option: idle-delay + value: uint32 {{ inactivity_timeout_value }} + create: true + no_extra_spaces: true + when: + - dconf_gnome_screensaver_idle_delay | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - unknown_strategy | bool + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-86510-5 + - CJIS-5.5.5 + - 
NIST-800-171-3.1.10 + - NIST-800-53-AC-11(a) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.1.8 + - dconf_gnome_screensaver_idle_delay + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + +- name: Dconf Update + command: dconf update + when: + - dconf_gnome_screensaver_idle_delay | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - unknown_strategy | bool + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-86510-5 + - CJIS-5.5.5 + - NIST-800-171-3.1.10 + - NIST-800-53-AC-11(a) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.1.8 + - dconf_gnome_screensaver_idle_delay + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + +- name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-86954-5 + - NIST-800-171-3.1.10 + - NIST-800-53-AC-11(a) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.1.8 + - dconf_gnome_screensaver_lock_delay + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + when: + - dconf_gnome_screensaver_lock_delay | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - unknown_strategy | bool + +- name: Set GNOME3 Screensaver Lock Delay After Activation Period + ini_file: + dest: /etc/dconf/db/local.d/00-security-settings + section: org/gnome/desktop/screensaver + option: lock-delay + value: uint32 {{ var_screensaver_lock_delay }} + create: true + no_extra_spaces: true + when: + - dconf_gnome_screensaver_lock_delay | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - unknown_strategy | bool + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", 
"container"] + tags: + - CCE-86954-5 + - NIST-800-171-3.1.10 + - NIST-800-53-AC-11(a) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.1.8 + - dconf_gnome_screensaver_lock_delay + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + +- name: Dconf Update + command: dconf update + when: + - dconf_gnome_screensaver_lock_delay | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - unknown_strategy | bool + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-86954-5 + - NIST-800-171-3.1.10 + - NIST-800-53-AC-11(a) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.1.8 + - dconf_gnome_screensaver_lock_delay + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + +- name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-87491-7 + - NIST-800-171-3.1.10 + - NIST-800-53-CM-6(a) + - dconf_gnome_screensaver_user_locks + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + when: + - dconf_gnome_screensaver_user_locks | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - unknown_strategy | bool + +- name: Prevent user modification of GNOME lock-delay + lineinfile: + path: /etc/dconf/db/local.d/locks/00-security-settings-lock + regexp: ^/org/gnome/desktop/screensaver/lock-delay$ + line: /org/gnome/desktop/screensaver/lock-delay + create: true + when: + - dconf_gnome_screensaver_user_locks | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - unknown_strategy | bool + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-87491-7 + - NIST-800-171-3.1.10 + 
- NIST-800-53-CM-6(a) + - dconf_gnome_screensaver_user_locks + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + +- name: Dconf Update + command: dconf update + when: + - dconf_gnome_screensaver_user_locks | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - unknown_strategy | bool + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-87491-7 + - NIST-800-171-3.1.10 + - NIST-800-53-CM-6(a) + - dconf_gnome_screensaver_user_locks + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + +- name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-85971-0 + - NIST-800-171-3.1.10 + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.1.8 + - dconf_gnome_session_idle_user_locks + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + when: + - dconf_gnome_session_idle_user_locks | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - unknown_strategy | bool + +- name: Prevent user modification of GNOME Session idle-delay + lineinfile: + path: /etc/dconf/db/local.d/locks/00-security-settings-lock + regexp: ^/org/gnome/desktop/session/idle-delay$ + line: /org/gnome/desktop/session/idle-delay + create: true + when: + - dconf_gnome_session_idle_user_locks | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - unknown_strategy | bool + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-85971-0 + - NIST-800-171-3.1.10 + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.1.8 + - dconf_gnome_session_idle_user_locks + - low_complexity + - medium_disruption + - 
medium_severity + - no_reboot_needed + - unknown_strategy + +- name: Dconf Update + command: dconf update + when: + - dconf_gnome_session_idle_user_locks | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - unknown_strategy | bool + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-85971-0 + - NIST-800-171-3.1.10 + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.1.8 + - dconf_gnome_session_idle_user_locks + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + - name: Ensure sudo is installed package: name: sudo @@ -888,7 +1337,7 @@ find: path: /etc/sudoers.d patterns: '*' - contains: ^[\s]*Defaults\s.*\btimestamp_timeout=.* + contains: ^[\s]*Defaults\s.*\btimestamp_timeout[\s]*=.* register: sudoers_d_defaults_timestamp_timeout tags: - CCE-90029-0 @@ -910,7 +1359,7 @@ - name: Remove found occurrences of 'Defaults timestamp_timeout' from /etc/sudoers.d/* files lineinfile: path: '{{ item.path }}' - regexp: ^[\s]*Defaults\s.*\btimestamp_timeout=.* + regexp: ^[\s]*Defaults\s.*\btimestamp_timeout[\s]*=.* state: absent with_items: '{{ sudoers_d_defaults_timestamp_timeout.files }}' tags: @@ -933,7 +1382,7 @@ - name: Ensure timestamp_timeout is enabled with the appropriate value in /etc/sudoers lineinfile: path: /etc/sudoers - regexp: ^[\s]*Defaults\s(.*)\btimestamp_timeout=[-]?\w+\b(.*)$ + regexp: ^[\s]*Defaults\s(.*)\btimestamp_timeout[\s]*=[\s]*[-]?\w+\b(.*)$ line: Defaults \1timestamp_timeout={{ var_sudo_timestamp_timeout }}\2 validate: /usr/sbin/visudo -cf %s backrefs: true 
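Review bot: Every `Dconf Update` task in this hunk (`command: dconf update`) runs and reports `changed` on each play, whether or not the preceding `ini_file`/`lineinfile` task modified anything, so the role never converges in its reports and the dconf database is recompiled needlessly. Registering the settings task and gating the update on it, e.g. `register: result_dconf_settings` on the `ini_file` task and `when: result_dconf_settings is changed` on the command (or a `notify` to a single handler), keeps the run idempotent; the same applies to each `Dconf Update` copy in this hunk. The `ansible_virtualization_type not in [...]` condition presumes facts were gathered; if the role can be used with `gather_facts: false`, a leading `ansible_virtualization_type is defined` guard avoids an undefined-variable failure.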
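Review bot: The widened pattern `^[\s]*Defaults\s.*\btimestamp_timeout[\s]*=.*` (and its copies in the next two hunks) still requires whitespace immediately after `Defaults`, so scoped entries — `Defaults:user`, `Defaults@host`, `Defaults!command`, `Defaults>runas` — that carry their own `timestamp_timeout` are neither removed from `/etc/sudoers.d` nor normalized in `/etc/sudoers`, and a per-user override with a longer timeout outlives the remediation. Either accept scoped lines as well, e.g. `^[\s]*Defaults(?:[:@!>]\S+)?\s.*\btimestamp_timeout[\s]*=.*` (non-capturing so the `\1`/`\2` backrefs of the `/etc/sudoers` edit keep their numbering), or state in the task names that only global `Defaults` lines are enforced. The `lineinfile` removal in the second hunk also lacks the `validate: /usr/sbin/visudo -cf %s` that the `/etc/sudoers` edit has; deleting a line that ends in a `\` continuation can leave a drop-in unparsable, and a validation step keeps a broken drop-in from taking sudo down with it.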
@@ -1205,6 +1654,47 @@ - no_reboot_needed - unknown_strategy +- name: Test for existence /etc/issue + stat: + path: /etc/issue + register: file_exists + tags: + - CCE-86699-6 + - configure_strategy + - file_groupowner_etc_issue + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + when: + - configure_strategy | bool + - file_groupowner_etc_issue | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + +- name: Ensure group owner 0 on /etc/issue + file: + path: /etc/issue + group: '0' + when: + - configure_strategy | bool + - file_groupowner_etc_issue | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - file_exists.stat is defined and file_exists.stat.exists + tags: + - CCE-86699-6 + - configure_strategy + - file_groupowner_etc_issue + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - name: Test for existence /etc/issue.net stat: path: /etc/issue.net 
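Review bot: The `stat` result is registered as `file_exists`, the same name the `/etc/issue.net` check in the context lines uses and every other existence check added in this diff reuses (the `/etc/motd` and `/etc/issue` checks in the next two hunks). This works only because each `file:` task immediately follows its own `stat`; a task inserted between them, or a later reordering, would silently act on a stale result from another rule. A rule-specific name, e.g. `register: result_stat_etc_issue_groupowner` and `when: result_stat_etc_issue_groupowner.stat is defined and result_stat_etc_issue_groupowner.stat.exists`, removes that coupling.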
@@ -1246,6 +1736,88 @@ - medium_severity - no_reboot_needed +- name: Test for existence /etc/motd + stat: + path: /etc/motd + register: file_exists + tags: + - CCE-86697-0 + - configure_strategy + - file_groupowner_etc_motd + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + when: + - configure_strategy | bool + - file_groupowner_etc_motd | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + +- name: Ensure group owner 0 on /etc/motd + file: + path: /etc/motd + group: '0' + when: + - configure_strategy | bool + - file_groupowner_etc_motd | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - file_exists.stat is defined and file_exists.stat.exists + tags: + - CCE-86697-0 + - configure_strategy + - file_groupowner_etc_motd + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Test for existence /etc/issue + stat: + path: /etc/issue + register: file_exists + tags: + - CCE-86700-2 + - configure_strategy + - file_owner_etc_issue + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + when: + - configure_strategy | bool + - file_owner_etc_issue | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + +- name: Ensure owner 0 on /etc/issue + file: + path: /etc/issue + owner: '0' + when: + - configure_strategy | bool + - file_owner_etc_issue | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - file_exists.stat is defined and file_exists.stat.exists + tags: + - CCE-86700-2 + - configure_strategy + - file_owner_etc_issue + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - name: Test for existence /etc/issue.net stat: path: /etc/issue.net 
@@ -1287,6 +1859,47 @@ - medium_severity - no_reboot_needed +- name: Test for existence /etc/motd + stat: + path: /etc/motd + register: file_exists + tags: + - CCE-86698-8 + - configure_strategy + - file_owner_etc_motd + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + when: + - configure_strategy | bool + - file_owner_etc_motd | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + +- name: Ensure owner 0 on /etc/motd + file: + path: /etc/motd + owner: '0' + when: + - configure_strategy | bool + - file_owner_etc_motd | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - file_exists.stat is defined and file_exists.stat.exists + tags: + - CCE-86698-8 + - configure_strategy + - file_owner_etc_motd + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - name: Test for existence /etc/issue stat: path: /etc/issue @@ -1697,10 +2310,10 @@ - medium_severity | bool - no_reboot_needed | bool -- name: 'Limit Password Reuse: password-auth - Check if /etc/pam.d/password-auth file is present' +- name: 'Limit Password Reuse: password-auth - Check if system relies on authselect tool' ansible.builtin.stat: - path: /etc/pam.d/password-auth - register: result_pam_file_present + path: /usr/bin/authselect + register: result_authselect_present when: - accounts_password_pam_pwhistory_remember_password_auth | bool - configure_strategy | bool 
@@ -1723,16 +2336,108 @@ - medium_severity - no_reboot_needed -- name: 'Limit Password Reuse: password-auth - Check the proper remediation for the system' +- name: 'Limit Password Reuse: password-auth - Collect the available authselect features' + ansible.builtin.command: + cmd: authselect list-features minimal + register: result_authselect_available_features + changed_when: false + when: + - accounts_password_pam_pwhistory_remember_password_auth | bool + - configure_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - '"pam" in ansible_facts.packages' + - result_authselect_present.stat.exists + tags: + - CCE-86354-8 + - CJIS-5.6.2.1.1 + - NIST-800-171-3.5.8 + - NIST-800-53-IA-5(1)(e) + - NIST-800-53-IA-5(f) + - PCI-DSS-Req-8.2.5 + - accounts_password_pam_pwhistory_remember_password_auth + - configure_strategy + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + +- name: 'Limit Password Reuse: password-auth - Enable pam_pwhistory.so using authselect feature' + block: + - name: 'Limit Password Reuse: password-auth - Check integrity of authselect current profile' + ansible.builtin.command: + cmd: authselect check + register: result_authselect_check_cmd + changed_when: false + ignore_errors: true + - name: 'Limit Password Reuse: password-auth - Informative message based on the authselect integrity check result' + ansible.builtin.assert: + that: + - result_authselect_check_cmd is success + fail_msg: + - authselect integrity check failed. Remediation aborted! + - This remediation could not be applied because an authselect profile was not selected or the selected profile is not + intact. + - It is not recommended to manually edit the PAM files when authselect tool is available. + - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended. 
+ success_msg: + - authselect integrity check passed + - name: 'Limit Password Reuse: password-auth - Get authselect current features' + ansible.builtin.shell: + cmd: authselect current | tail -n+3 | awk '{ print $2 }' + register: result_authselect_features + changed_when: false + when: + - result_authselect_check_cmd is success + - name: 'Limit Password Reuse: password-auth - Ensure "with-pwhistory" feature is enabled using authselect tool' + ansible.builtin.command: + cmd: authselect enable-feature with-pwhistory + register: result_authselect_enable_feature_cmd + when: + - result_authselect_check_cmd is success + - result_authselect_features.stdout is not search("with-pwhistory") + - name: 'Limit Password Reuse: password-auth - Ensure authselect changes are applied' + ansible.builtin.command: + cmd: authselect apply-changes -b + when: + - result_authselect_enable_feature_cmd is not skipped + - result_authselect_enable_feature_cmd is success + when: + - accounts_password_pam_pwhistory_remember_password_auth | bool + - configure_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - '"pam" in ansible_facts.packages' + - result_authselect_present.stat.exists + - result_authselect_available_features.stdout is search("with-pwhistory") + tags: + - CCE-86354-8 + - CJIS-5.6.2.1.1 + - NIST-800-171-3.5.8 + - NIST-800-53-IA-5(1)(e) + - NIST-800-53-IA-5(f) + - PCI-DSS-Req-8.2.5 + - accounts_password_pam_pwhistory_remember_password_auth + - configure_strategy + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + +- name: 'Limit Password Reuse: password-auth - Enable pam_pwhistory.so in appropriate PAM files' block: - name: 'Limit Password Reuse: password-auth - Define the PAM file to be edited as a local fact' ansible.builtin.set_fact: pam_file_path: /etc/pam.d/password-auth - - name: 'Limit Password Reuse: password-auth - Check if system relies on authselect' + - name: 
'Limit Password Reuse: password-auth - Check if system relies on authselect tool' ansible.builtin.stat: path: /usr/bin/authselect register: result_authselect_present - - name: 'Limit Password Reuse: password-auth - Remediate using authselect' + - name: 'Limit Password Reuse: password-auth - Ensure authselect custom profile is used if authselect is present' block: - name: 'Limit Password Reuse: password-auth - Check integrity of authselect current profile' ansible.builtin.command: 
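Review bot: The availability check at the top of the hunk queries `authselect list-features minimal`, while `authselect enable-feature with-pwhistory` later in the hunk acts on whatever profile is currently selected; if that profile lacks the feature (a custom profile created from an older base, as the next block in this diff does with `create-profile hardening -b`, seems the likely case), the enable step fails where the check said it would succeed — worth confirming against the authselect versions this role targets. The current-features step parses `authselect current | tail -n+3 | awk '{ print $2 }'`, which depends on the human-readable layout; `authselect current -r`, already used elsewhere in this diff, prints the profile followed by its enabled features on one line and is a more stable input for the `is not search("with-pwhistory")` test. The enclosing block's `when` and `tags` are inside the hunk, but the hunk's last task (`Check integrity of authselect current profile`) opens a block that continues past the hunk.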
@@ -1879,10 +2584,382 @@ when: - result_pam_line_present.found is defined - result_pam_line_present.found == 0 + when: + - accounts_password_pam_pwhistory_remember_password_auth | bool + - configure_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - '"pam" in ansible_facts.packages' + - '(result_authselect_available_features.stdout is defined and result_authselect_available_features.stdout is not search("with-pwhistory")) + or result_authselect_available_features is not defined + + ' + tags: + - CCE-86354-8 + - CJIS-5.6.2.1.1 + - NIST-800-171-3.5.8 + - NIST-800-53-IA-5(1)(e) + - NIST-800-53-IA-5(f) + - PCI-DSS-Req-8.2.5 + - accounts_password_pam_pwhistory_remember_password_auth + - configure_strategy + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + +- name: 'Limit Password Reuse: password-auth - Check the presence of /etc/security/pwhistory.conf file' + ansible.builtin.stat: + path: /etc/security/pwhistory.conf + register: result_pwhistory_conf_check + when: + - accounts_password_pam_pwhistory_remember_password_auth | bool + - configure_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - '"pam" in ansible_facts.packages' + tags: + - CCE-86354-8 + - CJIS-5.6.2.1.1 + - NIST-800-171-3.5.8 + - NIST-800-53-IA-5(1)(e) + - NIST-800-53-IA-5(f) + - PCI-DSS-Req-8.2.5 + - accounts_password_pam_pwhistory_remember_password_auth + - configure_strategy + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + +- name: 'Limit Password Reuse: password-auth - pam_pwhistory.so parameters are configured in /etc/security/pwhistory.conf + file' + block: + - name: 'Limit Password Reuse: password-auth - Ensure the pam_pwhistory.so remember parameter in /etc/security/pwhistory.conf' + ansible.builtin.lineinfile: + path: /etc/security/pwhistory.conf + regexp: ^\s*remember\s*= 
+ line: remember = {{ var_password_pam_remember }} + state: present + - name: 'Limit Password Reuse: password-auth - Ensure the pam_pwhistory.so remember parameter is removed from PAM files' + block: + - name: 'Limit Password Reuse: password-auth - Check if /etc/pam.d/password-auth file is present' + ansible.builtin.stat: + path: /etc/pam.d/password-auth + register: result_pam_file_present + - name: 'Limit Password Reuse: password-auth - Check the proper remediation for the system' + block: + - name: 'Limit Password Reuse: password-auth - Define the PAM file to be edited as a local fact' + ansible.builtin.set_fact: + pam_file_path: /etc/pam.d/password-auth + - name: 'Limit Password Reuse: password-auth - Check if system relies on authselect tool' + ansible.builtin.stat: + path: /usr/bin/authselect + register: result_authselect_present + - name: 'Limit Password Reuse: password-auth - Ensure authselect custom profile is used if authselect is present' + block: + - name: 'Limit Password Reuse: password-auth - Check integrity of authselect current profile' + ansible.builtin.command: + cmd: authselect check + register: result_authselect_check_cmd + changed_when: false + ignore_errors: true + - name: 'Limit Password Reuse: password-auth - Informative message based on the authselect integrity check result' + ansible.builtin.assert: + that: + - result_authselect_check_cmd is success + fail_msg: + - authselect integrity check failed. Remediation aborted! + - This remediation could not be applied because an authselect profile was not selected or the selected profile + is not intact. + - It is not recommended to manually edit the PAM files when authselect tool is available. + - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile + is recommended. 
+ success_msg: + - authselect integrity check passed + - name: 'Limit Password Reuse: password-auth - Get authselect current profile' + ansible.builtin.shell: + cmd: authselect current -r | awk '{ print $1 }' + register: result_authselect_profile + changed_when: false + when: + - result_authselect_check_cmd is success + - name: 'Limit Password Reuse: password-auth - Define the current authselect profile as a local fact' + ansible.builtin.set_fact: + authselect_current_profile: '{{ result_authselect_profile.stdout }}' + authselect_custom_profile: '{{ result_authselect_profile.stdout }}' + when: + - result_authselect_profile is not skipped + - result_authselect_profile.stdout is match("custom/") + - name: 'Limit Password Reuse: password-auth - Define the new authselect custom profile as a local fact' + ansible.builtin.set_fact: + authselect_current_profile: '{{ result_authselect_profile.stdout }}' + authselect_custom_profile: custom/hardening + when: + - result_authselect_profile is not skipped + - result_authselect_profile.stdout is not match("custom/") + - name: 'Limit Password Reuse: password-auth - Get authselect current features to also enable them in the custom profile' + ansible.builtin.shell: + cmd: authselect current | tail -n+3 | awk '{ print $2 }' + register: result_authselect_features + changed_when: false + when: + - result_authselect_profile is not skipped + - authselect_current_profile is not match("custom/") + - name: 'Limit Password Reuse: password-auth - Check if any custom profile with the same name was already created' + ansible.builtin.stat: + path: /etc/authselect/{{ authselect_custom_profile }} + register: result_authselect_custom_profile_present + changed_when: false + when: + - authselect_current_profile is not match("custom/") + - name: 'Limit Password Reuse: password-auth - Create an authselect custom profile based on the current profile' + ansible.builtin.command: + cmd: authselect create-profile hardening -b {{ authselect_current_profile 
}} + when: + - result_authselect_check_cmd is success + - authselect_current_profile is not match("custom/") + - not result_authselect_custom_profile_present.stat.exists + - name: 'Limit Password Reuse: password-auth - Ensure authselect changes are applied' + ansible.builtin.command: + cmd: authselect apply-changes -b --backup=before-hardening-custom-profile + when: + - result_authselect_check_cmd is success + - result_authselect_profile is not skipped + - authselect_current_profile is not match("custom/") + - authselect_custom_profile is not match(authselect_current_profile) + - name: 'Limit Password Reuse: password-auth - Ensure the authselect custom profile is selected' + ansible.builtin.command: + cmd: authselect select {{ authselect_custom_profile }} + register: result_pam_authselect_select_profile + when: + - result_authselect_check_cmd is success + - result_authselect_profile is not skipped + - authselect_current_profile is not match("custom/") + - authselect_custom_profile is not match(authselect_current_profile) + - name: 'Limit Password Reuse: password-auth - Restore the authselect features in the custom profile' + ansible.builtin.command: + cmd: authselect enable-feature {{ item }} + loop: '{{ result_authselect_features.stdout_lines }}' + register: result_pam_authselect_restore_features + when: + - result_authselect_profile is not skipped + - result_authselect_features is not skipped + - result_pam_authselect_select_profile is not skipped + - name: 'Limit Password Reuse: password-auth - Ensure authselect changes are applied' + ansible.builtin.command: + cmd: authselect apply-changes -b --backup=after-hardening-custom-profile + when: + - result_authselect_check_cmd is success + - result_authselect_profile is not skipped + - result_pam_authselect_restore_features is not skipped + - name: 'Limit Password Reuse: password-auth - Change the PAM file to be edited according to the custom authselect + profile' + ansible.builtin.set_fact: + pam_file_path: 
/etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path | basename }} + when: + - result_authselect_present.stat.exists + - name: 'Limit Password Reuse: password-auth - Ensure the "remember" option from "pam_pwhistory.so" is not present in + {{ pam_file_path }}' + ansible.builtin.replace: + dest: '{{ pam_file_path }}' + regexp: (.*password.*pam_pwhistory.so.*)\bremember\b=?[0-9a-zA-Z]*(.*) + replace: \1\2 + register: result_pam_option_removal + - name: 'Limit Password Reuse: password-auth - Ensure authselect changes are applied' + ansible.builtin.command: + cmd: authselect apply-changes -b + when: + - result_authselect_present.stat.exists + - result_pam_option_removal is changed + when: + - result_pam_file_present.stat.exists + when: + - accounts_password_pam_pwhistory_remember_password_auth | bool + - configure_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - '"pam" in ansible_facts.packages' + - result_pwhistory_conf_check.stat.exists + tags: + - CCE-86354-8 + - CJIS-5.6.2.1.1 + - NIST-800-171-3.5.8 + - NIST-800-53-IA-5(1)(e) + - NIST-800-53-IA-5(f) + - PCI-DSS-Req-8.2.5 + - accounts_password_pam_pwhistory_remember_password_auth + - configure_strategy + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + +- name: 'Limit Password Reuse: password-auth - pam_pwhistory.so parameters are configured in PAM files' + block: + - name: 'Limit Password Reuse: password-auth - Define the PAM file to be edited as a local fact' + ansible.builtin.set_fact: + pam_file_path: /etc/pam.d/password-auth + - name: 'Limit Password Reuse: password-auth - Check if system relies on authselect tool' + ansible.builtin.stat: + path: /usr/bin/authselect + register: result_authselect_present + - name: 'Limit Password Reuse: password-auth - Ensure authselect custom profile is used if authselect is present' + block: + - name: 'Limit Password Reuse: password-auth - Check 
integrity of authselect current profile' + ansible.builtin.command: + cmd: authselect check + register: result_authselect_check_cmd + changed_when: false + ignore_errors: true + - name: 'Limit Password Reuse: password-auth - Informative message based on the authselect integrity check result' + ansible.builtin.assert: + that: + - result_authselect_check_cmd is success + fail_msg: + - authselect integrity check failed. Remediation aborted! + - This remediation could not be applied because an authselect profile was not selected or the selected profile is + not intact. + - It is not recommended to manually edit the PAM files when authselect tool is available. + - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended. + success_msg: + - authselect integrity check passed + - name: 'Limit Password Reuse: password-auth - Get authselect current profile' + ansible.builtin.shell: + cmd: authselect current -r | awk '{ print $1 }' + register: result_authselect_profile + changed_when: false + when: + - result_authselect_check_cmd is success + - name: 'Limit Password Reuse: password-auth - Define the current authselect profile as a local fact' + ansible.builtin.set_fact: + authselect_current_profile: '{{ result_authselect_profile.stdout }}' + authselect_custom_profile: '{{ result_authselect_profile.stdout }}' + when: + - result_authselect_profile is not skipped + - result_authselect_profile.stdout is match("custom/") + - name: 'Limit Password Reuse: password-auth - Define the new authselect custom profile as a local fact' + ansible.builtin.set_fact: + authselect_current_profile: '{{ result_authselect_profile.stdout }}' + authselect_custom_profile: custom/hardening + when: + - result_authselect_profile is not skipped + - result_authselect_profile.stdout is not match("custom/") + - name: 'Limit Password Reuse: password-auth - Get authselect current features to also enable them in the custom profile' + 
ansible.builtin.shell: + cmd: authselect current | tail -n+3 | awk '{ print $2 }' + register: result_authselect_features + changed_when: false + when: + - result_authselect_profile is not skipped + - authselect_current_profile is not match("custom/") + - name: 'Limit Password Reuse: password-auth - Check if any custom profile with the same name was already created' + ansible.builtin.stat: + path: /etc/authselect/{{ authselect_custom_profile }} + register: result_authselect_custom_profile_present + changed_when: false + when: + - authselect_current_profile is not match("custom/") + - name: 'Limit Password Reuse: password-auth - Create an authselect custom profile based on the current profile' + ansible.builtin.command: + cmd: authselect create-profile hardening -b {{ authselect_current_profile }} + when: + - result_authselect_check_cmd is success + - authselect_current_profile is not match("custom/") + - not result_authselect_custom_profile_present.stat.exists + - name: 'Limit Password Reuse: password-auth - Ensure authselect changes are applied' + ansible.builtin.command: + cmd: authselect apply-changes -b --backup=before-hardening-custom-profile + when: + - result_authselect_check_cmd is success + - result_authselect_profile is not skipped + - authselect_current_profile is not match("custom/") + - authselect_custom_profile is not match(authselect_current_profile) + - name: 'Limit Password Reuse: password-auth - Ensure the authselect custom profile is selected' + ansible.builtin.command: + cmd: authselect select {{ authselect_custom_profile }} + register: result_pam_authselect_select_profile + when: + - result_authselect_check_cmd is success + - result_authselect_profile is not skipped + - authselect_current_profile is not match("custom/") + - authselect_custom_profile is not match(authselect_current_profile) + - name: 'Limit Password Reuse: password-auth - Restore the authselect features in the custom profile' + ansible.builtin.command: + cmd: authselect 
enable-feature {{ item }} + loop: '{{ result_authselect_features.stdout_lines }}' + register: result_pam_authselect_restore_features + when: + - result_authselect_profile is not skipped + - result_authselect_features is not skipped + - result_pam_authselect_select_profile is not skipped + - name: 'Limit Password Reuse: password-auth - Ensure authselect changes are applied' + ansible.builtin.command: + cmd: authselect apply-changes -b --backup=after-hardening-custom-profile + when: + - result_authselect_check_cmd is success + - result_authselect_profile is not skipped + - result_pam_authselect_restore_features is not skipped + - name: 'Limit Password Reuse: password-auth - Change the PAM file to be edited according to the custom authselect profile' + ansible.builtin.set_fact: + pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path | basename }} + when: + - result_authselect_present.stat.exists + - name: 'Limit Password Reuse: password-auth - Check if expected PAM module line is present in {{ pam_file_path }}' + ansible.builtin.lineinfile: + path: '{{ pam_file_path }}' + regexp: ^\s*password\s+requisite\s+pam_pwhistory.so\s*.* + state: absent + check_mode: true + changed_when: false + register: result_pam_line_present + - name: 'Limit Password Reuse: password-auth - Include or update the PAM module line in {{ pam_file_path }}' + block: + - name: 'Limit Password Reuse: password-auth - Check if required PAM module line is present in {{ pam_file_path }} with + different control' + ansible.builtin.lineinfile: + path: '{{ pam_file_path }}' + regexp: ^\s*password\s+.*\s+pam_pwhistory.so\s* + state: absent + check_mode: true + changed_when: false + register: result_pam_line_other_control_present + - name: 'Limit Password Reuse: password-auth - Ensure the correct control for the required PAM module line in {{ pam_file_path + }}' + ansible.builtin.replace: + dest: '{{ pam_file_path }}' + regexp: ^(\s*password\s+).*(\bpam_pwhistory.so.*) + replace: 
\1requisite \2 + register: result_pam_module_edit + when: + - result_pam_line_other_control_present.found == 1 + - name: 'Limit Password Reuse: password-auth - Ensure the required PAM module line is included in {{ pam_file_path }}' + ansible.builtin.lineinfile: + dest: '{{ pam_file_path }}' + line: password requisite pam_pwhistory.so + register: result_pam_module_add + when: + - result_pam_line_other_control_present.found == 0 or result_pam_line_other_control_present.found > 1 + - name: 'Limit Password Reuse: password-auth - Ensure authselect changes are applied' + ansible.builtin.command: + cmd: authselect apply-changes -b + when: 'result_authselect_present is defined and result_authselect_present.stat.exists and ((result_pam_module_add is + defined and result_pam_module_add.changed) or (result_pam_module_edit is defined and result_pam_module_edit.changed)) + + ' + when: + - result_pam_line_present.found is defined + - result_pam_line_present.found == 0 - name: 'Limit Password Reuse: password-auth - Check if the required PAM module option is present in {{ pam_file_path }}' ansible.builtin.lineinfile: path: '{{ pam_file_path }}' - regexp: ^\s*password\s+{{ var_password_pam_remember_control_flag.split(",")[0] }}\s+pam_pwhistory.so\s*.*\sremember\b + regexp: ^\s*password\s+requisite\s+pam_pwhistory.so\s*.*\sremember\b state: absent check_mode: true changed_when: false @@ -1892,7 +2969,7 @@ ansible.builtin.lineinfile: path: '{{ pam_file_path }}' backrefs: true - regexp: ^(\s*password\s+{{ var_password_pam_remember_control_flag.split(",")[0] }}\s+pam_pwhistory.so.*) + regexp: ^(\s*password\s+requisite\s+pam_pwhistory.so.*) line: \1 remember={{ var_password_pam_remember }} state: present register: result_pam_remember_add 
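Review bot: The `regexp` here drops `var_password_pam_remember_control_flag` in favour of a literal `requisite`, and `@@ -1903`, `@@ -2157` and `@@ -2168` make the same substitution, so that variable no longer has a consumer in the remember-option tasks. The hard-coding is consistent with the preceding replace task (`regexp: ^(\s*password\s+).*(\bpam_pwhistory.so.*)` / `replace: \1requisite \2`), which normalises the control before these lines run, but if the variable is still declared in the role's defaults or documented as tunable it is now silently ignored. This diff does not show whether it is still declared; either remove it or mark it deprecated in the defaults with a comment such as `# var_password_pam_remember_control_flag is no longer used; the control is fixed to requisite`.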
@@ -1903,7 +2980,7 @@ ansible.builtin.lineinfile: path: '{{ pam_file_path }}' backrefs: true - regexp: ^(\s*password\s+{{ var_password_pam_remember_control_flag.split(",")[0] }}\s+pam_pwhistory.so\s+.*)(remember)=[0-9a-zA-Z]+\s*(.*) + regexp: ^(\s*password\s+requisite\s+pam_pwhistory.so\s+.*)(remember)=[0-9a-zA-Z]+\s*(.*) line: \1\2={{ var_password_pam_remember }} \3 register: result_pam_remember_edit when: @@ -1923,7 +3000,7 @@ - medium_severity | bool - no_reboot_needed | bool - '"pam" in ansible_facts.packages' - - result_pam_file_present.stat.exists + - not result_pwhistory_conf_check.stat.exists tags: - CCE-86354-8 - CJIS-5.6.2.1.1 @@ -1962,10 +3039,10 @@ - medium_severity | bool - no_reboot_needed | bool -- name: 'Limit Password Reuse: system-auth - Check if /etc/pam.d/system-auth file is present' +- name: 'Limit Password Reuse: system-auth - Check if system relies on authselect tool' ansible.builtin.stat: - path: /etc/pam.d/system-auth - register: result_pam_file_present + path: /usr/bin/authselect + register: result_authselect_present when: - accounts_password_pam_pwhistory_remember_system_auth | bool - configure_strategy | bool 
@@ -1988,16 +3065,108 @@ - medium_severity - no_reboot_needed -- name: 'Limit Password Reuse: system-auth - Check the proper remediation for the system' +- name: 'Limit Password Reuse: system-auth - Collect the available authselect features' + ansible.builtin.command: + cmd: authselect list-features minimal + register: result_authselect_available_features + changed_when: false + when: + - accounts_password_pam_pwhistory_remember_system_auth | bool + - configure_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - '"pam" in ansible_facts.packages' + - result_authselect_present.stat.exists + tags: + - CCE-89176-2 + - CJIS-5.6.2.1.1 + - NIST-800-171-3.5.8 + - NIST-800-53-IA-5(1)(e) + - NIST-800-53-IA-5(f) + - PCI-DSS-Req-8.2.5 + - accounts_password_pam_pwhistory_remember_system_auth + - configure_strategy + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + +- name: 'Limit Password Reuse: system-auth - Enable pam_pwhistory.so using authselect feature' + block: + - name: 'Limit Password Reuse: system-auth - Check integrity of authselect current profile' + ansible.builtin.command: + cmd: authselect check + register: result_authselect_check_cmd + changed_when: false + ignore_errors: true + - name: 'Limit Password Reuse: system-auth - Informative message based on the authselect integrity check result' + ansible.builtin.assert: + that: + - result_authselect_check_cmd is success + fail_msg: + - authselect integrity check failed. Remediation aborted! + - This remediation could not be applied because an authselect profile was not selected or the selected profile is not + intact. + - It is not recommended to manually edit the PAM files when authselect tool is available. + - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended. 
+ success_msg: + - authselect integrity check passed + - name: 'Limit Password Reuse: system-auth - Get authselect current features' + ansible.builtin.shell: + cmd: authselect current | tail -n+3 | awk '{ print $2 }' + register: result_authselect_features + changed_when: false + when: + - result_authselect_check_cmd is success + - name: 'Limit Password Reuse: system-auth - Ensure "with-pwhistory" feature is enabled using authselect tool' + ansible.builtin.command: + cmd: authselect enable-feature with-pwhistory + register: result_authselect_enable_feature_cmd + when: + - result_authselect_check_cmd is success + - result_authselect_features.stdout is not search("with-pwhistory") + - name: 'Limit Password Reuse: system-auth - Ensure authselect changes are applied' + ansible.builtin.command: + cmd: authselect apply-changes -b + when: + - result_authselect_enable_feature_cmd is not skipped + - result_authselect_enable_feature_cmd is success + when: + - accounts_password_pam_pwhistory_remember_system_auth | bool + - configure_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - '"pam" in ansible_facts.packages' + - result_authselect_present.stat.exists + - result_authselect_available_features.stdout is search("with-pwhistory") + tags: + - CCE-89176-2 + - CJIS-5.6.2.1.1 + - NIST-800-171-3.5.8 + - NIST-800-53-IA-5(1)(e) + - NIST-800-53-IA-5(f) + - PCI-DSS-Req-8.2.5 + - accounts_password_pam_pwhistory_remember_system_auth + - configure_strategy + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + +- name: 'Limit Password Reuse: system-auth - Enable pam_pwhistory.so in appropriate PAM files' block: - name: 'Limit Password Reuse: system-auth - Define the PAM file to be edited as a local fact' ansible.builtin.set_fact: pam_file_path: /etc/pam.d/system-auth - - name: 'Limit Password Reuse: system-auth - Check if system relies on authselect' + - name: 'Limit Password 
Reuse: system-auth - Check if system relies on authselect tool' ansible.builtin.stat: path: /usr/bin/authselect register: result_authselect_present - - name: 'Limit Password Reuse: system-auth - Remediate using authselect' + - name: 'Limit Password Reuse: system-auth - Ensure authselect custom profile is used if authselect is present' block: - name: 'Limit Password Reuse: system-auth - Check integrity of authselect current profile' ansible.builtin.command: 
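Review bot: `Collect the available authselect features` probes the `minimal` profile (`cmd: authselect list-features minimal`) rather than the profile the host has selected, so the gate `result_authselect_available_features.stdout is search("with-pwhistory")` does not establish that `authselect enable-feature with-pwhistory` later in the block will be accepted; as far as I know authselect rejects a feature the selected profile does not define, and that task has no `ignore_errors`, so on such a host the play aborts instead of falling through to the PAM-file path. The probe itself also has no failure handling, so an authselect build without `list-features` fails the play at the probe rather than taking the fallback. Consider `failed_when: false` on the probe so a failed probe leaves `stdout` empty and the fallback block runs, and derive the profile to probe from `authselect current -r`, which the later block already queries, instead of the fixed `minimal`.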
@@ -2144,10 +3313,380 @@ when: - result_pam_line_present.found is defined - result_pam_line_present.found == 0 + when: + - accounts_password_pam_pwhistory_remember_system_auth | bool + - configure_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - '"pam" in ansible_facts.packages' + - '(result_authselect_available_features.stdout is defined and result_authselect_available_features.stdout is not search("with-pwhistory")) + or result_authselect_available_features is not defined + + ' + tags: + - CCE-89176-2 + - CJIS-5.6.2.1.1 + - NIST-800-171-3.5.8 + - NIST-800-53-IA-5(1)(e) + - NIST-800-53-IA-5(f) + - PCI-DSS-Req-8.2.5 + - accounts_password_pam_pwhistory_remember_system_auth + - configure_strategy + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + +- name: 'Limit Password Reuse: system-auth - Check the presence of /etc/security/pwhistory.conf file' + ansible.builtin.stat: + path: /etc/security/pwhistory.conf + register: result_pwhistory_conf_check + when: + - accounts_password_pam_pwhistory_remember_system_auth | bool + - configure_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - '"pam" in ansible_facts.packages' + tags: + - CCE-89176-2 + - CJIS-5.6.2.1.1 + - NIST-800-171-3.5.8 + - NIST-800-53-IA-5(1)(e) + - NIST-800-53-IA-5(f) + - PCI-DSS-Req-8.2.5 + - accounts_password_pam_pwhistory_remember_system_auth + - configure_strategy + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + +- name: 'Limit Password Reuse: system-auth - pam_pwhistory.so parameters are configured in /etc/security/pwhistory.conf file' + block: + - name: 'Limit Password Reuse: system-auth - Ensure the pam_pwhistory.so remember parameter in /etc/security/pwhistory.conf' + ansible.builtin.lineinfile: + path: /etc/security/pwhistory.conf + regexp: ^\s*remember\s*= + line: remember 
= {{ var_password_pam_remember }} + state: present + - name: 'Limit Password Reuse: system-auth - Ensure the pam_pwhistory.so remember parameter is removed from PAM files' + block: + - name: 'Limit Password Reuse: system-auth - Check if /etc/pam.d/system-auth file is present' + ansible.builtin.stat: + path: /etc/pam.d/system-auth + register: result_pam_file_present + - name: 'Limit Password Reuse: system-auth - Check the proper remediation for the system' + block: + - name: 'Limit Password Reuse: system-auth - Define the PAM file to be edited as a local fact' + ansible.builtin.set_fact: + pam_file_path: /etc/pam.d/system-auth + - name: 'Limit Password Reuse: system-auth - Check if system relies on authselect tool' + ansible.builtin.stat: + path: /usr/bin/authselect + register: result_authselect_present + - name: 'Limit Password Reuse: system-auth - Ensure authselect custom profile is used if authselect is present' + block: + - name: 'Limit Password Reuse: system-auth - Check integrity of authselect current profile' + ansible.builtin.command: + cmd: authselect check + register: result_authselect_check_cmd + changed_when: false + ignore_errors: true + - name: 'Limit Password Reuse: system-auth - Informative message based on the authselect integrity check result' + ansible.builtin.assert: + that: + - result_authselect_check_cmd is success + fail_msg: + - authselect integrity check failed. Remediation aborted! + - This remediation could not be applied because an authselect profile was not selected or the selected profile + is not intact. + - It is not recommended to manually edit the PAM files when authselect tool is available. + - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile + is recommended. 
+ success_msg: + - authselect integrity check passed + - name: 'Limit Password Reuse: system-auth - Get authselect current profile' + ansible.builtin.shell: + cmd: authselect current -r | awk '{ print $1 }' + register: result_authselect_profile + changed_when: false + when: + - result_authselect_check_cmd is success + - name: 'Limit Password Reuse: system-auth - Define the current authselect profile as a local fact' + ansible.builtin.set_fact: + authselect_current_profile: '{{ result_authselect_profile.stdout }}' + authselect_custom_profile: '{{ result_authselect_profile.stdout }}' + when: + - result_authselect_profile is not skipped + - result_authselect_profile.stdout is match("custom/") + - name: 'Limit Password Reuse: system-auth - Define the new authselect custom profile as a local fact' + ansible.builtin.set_fact: + authselect_current_profile: '{{ result_authselect_profile.stdout }}' + authselect_custom_profile: custom/hardening + when: + - result_authselect_profile is not skipped + - result_authselect_profile.stdout is not match("custom/") + - name: 'Limit Password Reuse: system-auth - Get authselect current features to also enable them in the custom profile' + ansible.builtin.shell: + cmd: authselect current | tail -n+3 | awk '{ print $2 }' + register: result_authselect_features + changed_when: false + when: + - result_authselect_profile is not skipped + - authselect_current_profile is not match("custom/") + - name: 'Limit Password Reuse: system-auth - Check if any custom profile with the same name was already created' + ansible.builtin.stat: + path: /etc/authselect/{{ authselect_custom_profile }} + register: result_authselect_custom_profile_present + changed_when: false + when: + - authselect_current_profile is not match("custom/") + - name: 'Limit Password Reuse: system-auth - Create an authselect custom profile based on the current profile' + ansible.builtin.command: + cmd: authselect create-profile hardening -b {{ authselect_current_profile }} + when: + 
- result_authselect_check_cmd is success + - authselect_current_profile is not match("custom/") + - not result_authselect_custom_profile_present.stat.exists + - name: 'Limit Password Reuse: system-auth - Ensure authselect changes are applied' + ansible.builtin.command: + cmd: authselect apply-changes -b --backup=before-hardening-custom-profile + when: + - result_authselect_check_cmd is success + - result_authselect_profile is not skipped + - authselect_current_profile is not match("custom/") + - authselect_custom_profile is not match(authselect_current_profile) + - name: 'Limit Password Reuse: system-auth - Ensure the authselect custom profile is selected' + ansible.builtin.command: + cmd: authselect select {{ authselect_custom_profile }} + register: result_pam_authselect_select_profile + when: + - result_authselect_check_cmd is success + - result_authselect_profile is not skipped + - authselect_current_profile is not match("custom/") + - authselect_custom_profile is not match(authselect_current_profile) + - name: 'Limit Password Reuse: system-auth - Restore the authselect features in the custom profile' + ansible.builtin.command: + cmd: authselect enable-feature {{ item }} + loop: '{{ result_authselect_features.stdout_lines }}' + register: result_pam_authselect_restore_features + when: + - result_authselect_profile is not skipped + - result_authselect_features is not skipped + - result_pam_authselect_select_profile is not skipped + - name: 'Limit Password Reuse: system-auth - Ensure authselect changes are applied' + ansible.builtin.command: + cmd: authselect apply-changes -b --backup=after-hardening-custom-profile + when: + - result_authselect_check_cmd is success + - result_authselect_profile is not skipped + - result_pam_authselect_restore_features is not skipped + - name: 'Limit Password Reuse: system-auth - Change the PAM file to be edited according to the custom authselect profile' + ansible.builtin.set_fact: + pam_file_path: /etc/authselect/{{ 
authselect_custom_profile }}/{{ pam_file_path | basename }} + when: + - result_authselect_present.stat.exists + - name: 'Limit Password Reuse: system-auth - Ensure the "remember" option from "pam_pwhistory.so" is not present in + {{ pam_file_path }}' + ansible.builtin.replace: + dest: '{{ pam_file_path }}' + regexp: (.*password.*pam_pwhistory.so.*)\bremember\b=?[0-9a-zA-Z]*(.*) + replace: \1\2 + register: result_pam_option_removal + - name: 'Limit Password Reuse: system-auth - Ensure authselect changes are applied' + ansible.builtin.command: + cmd: authselect apply-changes -b + when: + - result_authselect_present.stat.exists + - result_pam_option_removal is changed + when: + - result_pam_file_present.stat.exists + when: + - accounts_password_pam_pwhistory_remember_system_auth | bool + - configure_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - '"pam" in ansible_facts.packages' + - result_pwhistory_conf_check.stat.exists + tags: + - CCE-89176-2 + - CJIS-5.6.2.1.1 + - NIST-800-171-3.5.8 + - NIST-800-53-IA-5(1)(e) + - NIST-800-53-IA-5(f) + - PCI-DSS-Req-8.2.5 + - accounts_password_pam_pwhistory_remember_system_auth + - configure_strategy + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + +- name: 'Limit Password Reuse: system-auth - pam_pwhistory.so parameters are configured in PAM files' + block: + - name: 'Limit Password Reuse: system-auth - Define the PAM file to be edited as a local fact' + ansible.builtin.set_fact: + pam_file_path: /etc/pam.d/system-auth + - name: 'Limit Password Reuse: system-auth - Check if system relies on authselect tool' + ansible.builtin.stat: + path: /usr/bin/authselect + register: result_authselect_present + - name: 'Limit Password Reuse: system-auth - Ensure authselect custom profile is used if authselect is present' + block: + - name: 'Limit Password Reuse: system-auth - Check integrity of authselect current profile' + 
ansible.builtin.command: + cmd: authselect check + register: result_authselect_check_cmd + changed_when: false + ignore_errors: true + - name: 'Limit Password Reuse: system-auth - Informative message based on the authselect integrity check result' + ansible.builtin.assert: + that: + - result_authselect_check_cmd is success + fail_msg: + - authselect integrity check failed. Remediation aborted! + - This remediation could not be applied because an authselect profile was not selected or the selected profile is + not intact. + - It is not recommended to manually edit the PAM files when authselect tool is available. + - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended. + success_msg: + - authselect integrity check passed + - name: 'Limit Password Reuse: system-auth - Get authselect current profile' + ansible.builtin.shell: + cmd: authselect current -r | awk '{ print $1 }' + register: result_authselect_profile + changed_when: false + when: + - result_authselect_check_cmd is success + - name: 'Limit Password Reuse: system-auth - Define the current authselect profile as a local fact' + ansible.builtin.set_fact: + authselect_current_profile: '{{ result_authselect_profile.stdout }}' + authselect_custom_profile: '{{ result_authselect_profile.stdout }}' + when: + - result_authselect_profile is not skipped + - result_authselect_profile.stdout is match("custom/") + - name: 'Limit Password Reuse: system-auth - Define the new authselect custom profile as a local fact' + ansible.builtin.set_fact: + authselect_current_profile: '{{ result_authselect_profile.stdout }}' + authselect_custom_profile: custom/hardening + when: + - result_authselect_profile is not skipped + - result_authselect_profile.stdout is not match("custom/") + - name: 'Limit Password Reuse: system-auth - Get authselect current features to also enable them in the custom profile' + ansible.builtin.shell: + cmd: authselect current | tail -n+3 | 
awk '{ print $2 }' + register: result_authselect_features + changed_when: false + when: + - result_authselect_profile is not skipped + - authselect_current_profile is not match("custom/") + - name: 'Limit Password Reuse: system-auth - Check if any custom profile with the same name was already created' + ansible.builtin.stat: + path: /etc/authselect/{{ authselect_custom_profile }} + register: result_authselect_custom_profile_present + changed_when: false + when: + - authselect_current_profile is not match("custom/") + - name: 'Limit Password Reuse: system-auth - Create an authselect custom profile based on the current profile' + ansible.builtin.command: + cmd: authselect create-profile hardening -b {{ authselect_current_profile }} + when: + - result_authselect_check_cmd is success + - authselect_current_profile is not match("custom/") + - not result_authselect_custom_profile_present.stat.exists + - name: 'Limit Password Reuse: system-auth - Ensure authselect changes are applied' + ansible.builtin.command: + cmd: authselect apply-changes -b --backup=before-hardening-custom-profile + when: + - result_authselect_check_cmd is success + - result_authselect_profile is not skipped + - authselect_current_profile is not match("custom/") + - authselect_custom_profile is not match(authselect_current_profile) + - name: 'Limit Password Reuse: system-auth - Ensure the authselect custom profile is selected' + ansible.builtin.command: + cmd: authselect select {{ authselect_custom_profile }} + register: result_pam_authselect_select_profile + when: + - result_authselect_check_cmd is success + - result_authselect_profile is not skipped + - authselect_current_profile is not match("custom/") + - authselect_custom_profile is not match(authselect_current_profile) + - name: 'Limit Password Reuse: system-auth - Restore the authselect features in the custom profile' + ansible.builtin.command: + cmd: authselect enable-feature {{ item }} + loop: '{{ result_authselect_features.stdout_lines }}' 
+ register: result_pam_authselect_restore_features + when: + - result_authselect_profile is not skipped + - result_authselect_features is not skipped + - result_pam_authselect_select_profile is not skipped + - name: 'Limit Password Reuse: system-auth - Ensure authselect changes are applied' + ansible.builtin.command: + cmd: authselect apply-changes -b --backup=after-hardening-custom-profile + when: + - result_authselect_check_cmd is success + - result_authselect_profile is not skipped + - result_pam_authselect_restore_features is not skipped + - name: 'Limit Password Reuse: system-auth - Change the PAM file to be edited according to the custom authselect profile' + ansible.builtin.set_fact: + pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path | basename }} + when: + - result_authselect_present.stat.exists + - name: 'Limit Password Reuse: system-auth - Check if expected PAM module line is present in {{ pam_file_path }}' + ansible.builtin.lineinfile: + path: '{{ pam_file_path }}' + regexp: ^\s*password\s+requisite\s+pam_pwhistory.so\s*.* + state: absent + check_mode: true + changed_when: false + register: result_pam_line_present + - name: 'Limit Password Reuse: system-auth - Include or update the PAM module line in {{ pam_file_path }}' + block: + - name: 'Limit Password Reuse: system-auth - Check if required PAM module line is present in {{ pam_file_path }} with + different control' + ansible.builtin.lineinfile: + path: '{{ pam_file_path }}' + regexp: ^\s*password\s+.*\s+pam_pwhistory.so\s* + state: absent + check_mode: true + changed_when: false + register: result_pam_line_other_control_present + - name: 'Limit Password Reuse: system-auth - Ensure the correct control for the required PAM module line in {{ pam_file_path + }}' + ansible.builtin.replace: + dest: '{{ pam_file_path }}' + regexp: ^(\s*password\s+).*(\bpam_pwhistory.so.*) + replace: \1requisite \2 + register: result_pam_module_edit + when: + - 
result_pam_line_other_control_present.found == 1 + - name: 'Limit Password Reuse: system-auth - Ensure the required PAM module line is included in {{ pam_file_path }}' + ansible.builtin.lineinfile: + dest: '{{ pam_file_path }}' + line: password requisite pam_pwhistory.so + register: result_pam_module_add + when: + - result_pam_line_other_control_present.found == 0 or result_pam_line_other_control_present.found > 1 + - name: 'Limit Password Reuse: system-auth - Ensure authselect changes are applied' + ansible.builtin.command: + cmd: authselect apply-changes -b + when: 'result_authselect_present is defined and result_authselect_present.stat.exists and ((result_pam_module_add is + defined and result_pam_module_add.changed) or (result_pam_module_edit is defined and result_pam_module_edit.changed)) + + ' + when: + - result_pam_line_present.found is defined + - result_pam_line_present.found == 0 - name: 'Limit Password Reuse: system-auth - Check if the required PAM module option is present in {{ pam_file_path }}' ansible.builtin.lineinfile: path: '{{ pam_file_path }}' - regexp: ^\s*password\s+{{ var_password_pam_remember_control_flag.split(",")[0] }}\s+pam_pwhistory.so\s*.*\sremember\b + regexp: ^\s*password\s+requisite\s+pam_pwhistory.so\s*.*\sremember\b state: absent check_mode: true changed_when: false @@ -2157,7 +3696,7 @@ ansible.builtin.lineinfile: path: '{{ pam_file_path }}' backrefs: true - regexp: ^(\s*password\s+{{ var_password_pam_remember_control_flag.split(",")[0] }}\s+pam_pwhistory.so.*) + regexp: ^(\s*password\s+requisite\s+pam_pwhistory.so.*) line: \1 remember={{ var_password_pam_remember }} state: present register: result_pam_remember_add 
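Review bot: The `when` guard on `Enable pam_pwhistory.so in appropriate PAM files` is never true on a host without authselect: per Ansible's register semantics a task skipped by its own `when` still registers its result, so `result_authselect_available_features` is defined but carries no `stdout`, both disjuncts of `(... .stdout is defined and ... is not search("with-pwhistory")) or result_authselect_available_features is not defined` evaluate false, and the manual PAM-file path is skipped on exactly the hosts that need it. Replace the guard with `- result_authselect_available_features.stdout is not defined or result_authselect_available_features.stdout is not search("with-pwhistory")`. The password-auth counterpart earlier in the file, outside this chunk, presumably has the same shape and should be corrected together. Separately, the new `/etc/security/pwhistory.conf` lineinfile (`regexp: ^\s*remember\s*=`) deliberately leaves a commented `# remember = N` line untouched and appends a fresh one; a comment saying so above the task would save the next reader from wondering whether the regexp missed the `#` case.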
@@ -2168,7 +3707,7 @@ ansible.builtin.lineinfile: path: '{{ pam_file_path }}' backrefs: true - regexp: ^(\s*password\s+{{ var_password_pam_remember_control_flag.split(",")[0] }}\s+pam_pwhistory.so\s+.*)(remember)=[0-9a-zA-Z]+\s*(.*) + regexp: ^(\s*password\s+requisite\s+pam_pwhistory.so\s+.*)(remember)=[0-9a-zA-Z]+\s*(.*) line: \1\2={{ var_password_pam_remember }} \3 register: result_pam_remember_edit when: @@ -2188,7 +3727,7 @@ - medium_severity | bool - no_reboot_needed | bool - '"pam" in ansible_facts.packages' - - result_pam_file_present.stat.exists + - not result_pwhistory_conf_check.stat.exists tags: - CCE-89176-2 - CJIS-5.6.2.1.1 @@ -2448,11 +3987,11 @@ - name: Lock Accounts After Failed Password Attempts - Define the PAM file to be edited as a local fact ansible.builtin.set_fact: pam_file_path: /etc/pam.d/system-auth - - name: Lock Accounts After Failed Password Attempts - Check if system relies on authselect + - name: Lock Accounts After Failed Password Attempts - Check if system relies on authselect tool ansible.builtin.stat: path: /usr/bin/authselect register: result_authselect_present - - name: Lock Accounts After Failed Password Attempts - Remediate using authselect + - name: Lock Accounts After Failed Password Attempts - Ensure authselect custom profile is used if authselect is present block: - name: Lock Accounts After Failed Password Attempts - Check integrity of authselect current profile ansible.builtin.command: 
@@ -2580,11 +4119,11 @@ - name: Lock Accounts After Failed Password Attempts - Define the PAM file to be edited as a local fact ansible.builtin.set_fact: pam_file_path: /etc/pam.d/password-auth - - name: Lock Accounts After Failed Password Attempts - Check if system relies on authselect + - name: Lock Accounts After Failed Password Attempts - Check if system relies on authselect tool ansible.builtin.stat: path: /usr/bin/authselect register: result_authselect_present - - name: Lock Accounts After Failed Password Attempts - Remediate using authselect + - name: Lock Accounts After Failed Password Attempts - Ensure authselect custom profile is used if authselect is present block: - name: Lock Accounts After Failed Password Attempts - Check integrity of authselect current profile ansible.builtin.command: @@ -3057,11 +4596,11 @@ - name: Set Lockout Time for Failed Password Attempts - Define the PAM file to be edited as a local fact ansible.builtin.set_fact: pam_file_path: /etc/pam.d/system-auth - - name: Set Lockout Time for Failed Password Attempts - Check if system relies on authselect + - name: Set Lockout Time for Failed Password Attempts - Check if system relies on authselect tool ansible.builtin.stat: path: /usr/bin/authselect register: result_authselect_present - - name: Set Lockout Time for Failed Password Attempts - Remediate using authselect + - name: Set Lockout Time for Failed Password Attempts - Ensure authselect custom profile is used if authselect is present block: - name: Set Lockout Time for Failed Password Attempts - Check integrity of authselect current profile ansible.builtin.command: 
@@ -3190,11 +4729,11 @@ - name: Set Lockout Time for Failed Password Attempts - Define the PAM file to be edited as a local fact ansible.builtin.set_fact: pam_file_path: /etc/pam.d/password-auth - - name: Set Lockout Time for Failed Password Attempts - Check if system relies on authselect + - name: Set Lockout Time for Failed Password Attempts - Check if system relies on authselect tool ansible.builtin.stat: path: /usr/bin/authselect register: result_authselect_present - - name: Set Lockout Time for Failed Password Attempts - Remediate using authselect + - name: Set Lockout Time for Failed Password Attempts - Ensure authselect custom profile is used if authselect is present block: - name: Set Lockout Time for Failed Password Attempts - Check integrity of authselect current profile ansible.builtin.command: @@ -3446,8 +4985,8 @@ - no_reboot_needed | bool - restrict_strategy | bool -- name: Ensure PAM variable minclass is set accordingly - lineinfile: +- name: Ensure PAM Enforces Password Requirements - Minimum Different Categories - Ensure PAM variable minclass is set accordingly + ansible.builtin.lineinfile: create: true dest: /etc/security/pwquality.conf regexp: ^#?\s*minclass @@ -3498,8 +5037,8 @@ - no_reboot_needed | bool - restrict_strategy | bool -- name: Ensure PAM variable minlen is set accordingly - lineinfile: +- name: Ensure PAM Enforces Password Requirements - Minimum Length - Ensure PAM variable minlen is set accordingly + ansible.builtin.lineinfile: create: true dest: /etc/security/pwquality.conf regexp: ^#?\s*minlen 
@@ -3611,12 +5150,12 @@ ansible.builtin.set_fact: pam_file_path: /etc/pam.d/password-auth - name: Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session - Check if system - relies on authselect + relies on authselect tool ansible.builtin.stat: path: /usr/bin/authselect register: result_authselect_present - - name: Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session - Remediate using - authselect + - name: Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session - Ensure authselect + custom profile is used if authselect is present block: - name: Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session - Check integrity of authselect current profile @@ -3800,12 +5339,12 @@ ansible.builtin.set_fact: pam_file_path: /etc/pam.d/system-auth - name: Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session - Check if system - relies on authselect + relies on authselect tool ansible.builtin.stat: path: /usr/bin/authselect register: result_authselect_present - - name: Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session - Remediate using - authselect + - name: Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session - Ensure authselect + custom profile is used if authselect is present block: - name: Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session - Check integrity of authselect current profile 
@@ -4012,11 +5551,12 @@ - name: Set PAM's Password Hashing Algorithm - password-auth - Define the PAM file to be edited as a local fact ansible.builtin.set_fact: pam_file_path: /etc/pam.d/password-auth - - name: Set PAM's Password Hashing Algorithm - password-auth - Check if system relies on authselect + - name: Set PAM's Password Hashing Algorithm - password-auth - Check if system relies on authselect tool ansible.builtin.stat: path: /usr/bin/authselect register: result_authselect_present - - name: Set PAM's Password Hashing Algorithm - password-auth - Remediate using authselect + - name: Set PAM's Password Hashing Algorithm - password-auth - Ensure authselect custom profile is used if authselect is + present block: - name: Set PAM's Password Hashing Algorithm - password-auth - Check integrity of authselect current profile ansible.builtin.command: @@ -4277,11 +5817,11 @@ - name: Set PAM's Password Hashing Algorithm - Define the PAM file to be edited as a local fact ansible.builtin.set_fact: pam_file_path: /etc/pam.d/system-auth - - name: Set PAM's Password Hashing Algorithm - Check if system relies on authselect + - name: Set PAM's Password Hashing Algorithm - Check if system relies on authselect tool ansible.builtin.stat: path: /usr/bin/authselect register: result_authselect_present - - name: Set PAM's Password Hashing Algorithm - Remediate using authselect + - name: Set PAM's Password Hashing Algorithm - Ensure authselect custom profile is used if authselect is present block: - name: Set PAM's Password Hashing Algorithm - Check integrity of authselect current profile ansible.builtin.command: 
@@ -4476,62 +6016,6 @@ - no_reboot_needed - set_password_hashing_algorithm_systemauth -- name: require emergency mode password - lineinfile: - create: true - dest: /usr/lib/systemd/system/emergency.service - regexp: ^#?ExecStart= - line: ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency - when: - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - require_emergency_target_auth | bool - - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-83592-6 - - NIST-800-171-3.1.1 - - NIST-800-171-3.4.5 - - NIST-800-53-AC-3 - - NIST-800-53-CM-6(a) - - NIST-800-53-IA-2 - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - require_emergency_target_auth - - restrict_strategy - -- name: require single user mode password - lineinfile: - create: true - dest: /usr/lib/systemd/system/rescue.service - regexp: ^#?ExecStart= - line: ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue - when: - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - require_singleuser_auth | bool - - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-83594-2 - - NIST-800-171-3.1.1 - - NIST-800-171-3.4.5 - - NIST-800-53-AC-3 - - NIST-800-53-CM-6(a) - - NIST-800-53-IA-2 - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - require_singleuser_auth - - restrict_strategy - - name: Gather the package facts package_facts: manager: auto 
@@ -4695,9 +6179,8 @@ - restrict_strategy - name: Collect users with not correct maximum time period between password changes - ansible.builtin.command: 'awk -F: ''$5 > {{ var_accounts_maximum_age_login_defs }} || $5 == "" {print $1}'' /etc/shadow - - ' + ansible.builtin.command: + cmd: awk -F':' '(/^[^:]+:[^!*]/ && ($5 > {{ var_accounts_maximum_age_login_defs }} || $5 == "")) {print $1}' /etc/shadow register: user_names tags: - CCE-86031-2 @@ -4867,15 +6350,12 @@ - restrict_strategy | bool - use_pam_wheel_for_su | bool -- name: Check for duplicate values - lineinfile: - path: /etc/profile.d/tmout.sh - create: false - regexp: TMOUT= - state: absent - check_mode: true - changed_when: false - register: dupes +- name: Correct any occurrence of TMOUT in /etc/profile + replace: + path: /etc/profile + regexp: ^[^#].*TMOUT=.* + replace: declare -xr TMOUT={{ var_accounts_tmout }} + register: profile_replaced when: - accounts_tmout | bool - low_complexity | bool @@ -4899,37 +6379,7 @@ - no_reboot_needed - restrict_strategy -- name: Deduplicate values from /etc/profile.d/tmout.sh - lineinfile: - path: /etc/profile.d/tmout.sh - create: false - regexp: TMOUT= - state: absent - when: - - accounts_tmout | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - dupes.found is defined and dupes.found > 1 - tags: - - CCE-83633-8 - - NIST-800-171-3.1.11 - - NIST-800-53-AC-12 - - NIST-800-53-AC-2(5) - - NIST-800-53-CM-6(a) - - NIST-800-53-SC-10 - - PCI-DSS-Req-8.6.1 - - accounts_tmout - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - -- name: Insert correct line into /etc/profile.d/tmout.sh +- name: Set Interactive Session Timeout lineinfile: path: /etc/profile.d/tmout.sh create: true 
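Review bot: The awk program on the new `cmd:` line splices `var_accounts_maximum_age_login_defs` into the awk source as raw text, so a non-numeric or empty inventory value changes the program instead of failing cleanly; `{{ var_accounts_maximum_age_login_defs | int }}` keeps the comparison numeric. Because `| int` turns an unparseable value into 0, which would then report nearly every account with a non-empty field 5, an `ansible.builtin.assert` on the variable before this task is the stricter option. The added `/^[^:]+:[^!*]/` guard does keep locked accounts out of `user_names`, which the removed command did not. The task's `when` and any `changed_when` lie outside the hunk, so whether this read-only collection is marked `changed_when: false` cannot be confirmed here.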
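Review bot: The `regexp: ^[^#].*TMOUT=.*` on the new `replace` task accepts leading whitespace as a non-comment start, so an indented comment such as `    # TMOUT=300` in /etc/profile is rewritten into a live `declare -xr TMOUT=...`, and the unanchored `TMOUT=` also matches names like `FOO_TMOUT=`; `regexp: ^(?!\s*#).*\bTMOUT=.*` avoids both. The `replace:` value is templated as well, so `var_accounts_tmout` is worth pinning with `{{ var_accounts_tmout | int }}` before it lands in a readonly shell declaration. `register: profile_replaced` has no consumer in the visible lines; if nothing downstream reads it, it can be dropped. With /etc/profile now declaring TMOUT readonly, the `Set Interactive Session Timeout` task in the next hunk (its `line:` is past that hunk's end) may trigger `TMOUT: readonly variable` at login if it also declares the variable readonly and /etc/profile.d/tmout.sh is sourced after the /etc/profile declaration.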
@@ -5761,8 +7211,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83716-1 - CJIS-5.4.1.1 @@ -5791,8 +7241,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83716-1 - CJIS-5.4.1.1 @@ -5824,8 +7274,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83716-1 - CJIS-5.4.1.1 @@ -5879,8 +7329,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83721-1 - CJIS-5.4.1.1 @@ -5909,8 +7359,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83721-1 
@@ -5938,8 +7388,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: @@ -5968,8 +7418,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: @@ -6000,8 +7450,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83721-1 @@ -6031,8 +7481,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83721-1 - CJIS-5.4.1.1 
@@ -6062,8 +7512,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 tags: - CCE-83721-1 @@ -6116,8 +7566,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" tags: @@ -6232,8 +7682,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83735-1 - CJIS-5.4.1.1 @@ -6346,8 +7796,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - audit_arch == "b64" tags: - CCE-83735-1 
@@ -6401,8 +7851,8 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" tags: @@ -6523,8 +7973,8 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83706-2 - CJIS-5.4.1.1 @@ -6643,8 +8093,8 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - audit_arch == "b64" tags: - CCE-83706-2 @@ -6675,8 +8125,8 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83706-2 - CJIS-5.4.1.1 
@@ -6706,8 +8156,8 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83706-2 @@ -6736,8 +8186,8 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: @@ -6767,8 +8217,8 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: @@ -6800,8 +8250,8 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83706-2 
@@ -6832,8 +8282,8 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83706-2 - CJIS-5.4.1.1 @@ -6864,8 +8314,8 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 tags: - CCE-83706-2 @@ -6896,8 +8346,8 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83706-2 - CJIS-5.4.1.1 @@ -6927,8 +8377,8 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83706-2 
@@ -6957,8 +8407,8 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: @@ -6988,8 +8438,8 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: @@ -7021,8 +8471,8 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83706-2 @@ -7053,8 +8503,8 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83706-2 - CJIS-5.4.1.1 
@@ -7085,8 +8535,8 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 tags: - CCE-83706-2 @@ -7117,8 +8567,8 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83706-2 - CJIS-5.4.1.1 @@ -7148,8 +8598,8 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83706-2 @@ -7178,8 +8628,8 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: 
@@ -7209,8 +8659,8 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: @@ -7242,8 +8692,8 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83706-2 @@ -7274,8 +8724,8 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83706-2 - CJIS-5.4.1.1 @@ -7306,8 +8756,8 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 tags: - CCE-83706-2 
@@ -7338,8 +8788,8 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83706-2 - CJIS-5.4.1.1 @@ -7369,8 +8819,8 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83706-2 @@ -7399,8 +8849,8 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: @@ -7430,8 +8880,8 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: 
@@ -7463,8 +8913,8 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83706-2 @@ -7495,8 +8945,8 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83706-2 - CJIS-5.4.1.1 @@ -7527,8 +8977,8 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 tags: - CCE-83706-2 @@ -7584,8 +9034,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83713-8 - CJIS-5.4.1.1 
@@ -7614,8 +9064,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83713-8 @@ -7643,8 +9093,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: @@ -7673,8 +9123,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: @@ -7705,8 +9155,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83713-8 
@@ -7736,8 +9186,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83713-8 - CJIS-5.4.1.1 @@ -7767,8 +9217,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 tags: - CCE-83713-8 @@ -7798,8 +9248,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83713-8 - CJIS-5.4.1.1 @@ -7828,8 +9278,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83713-8 
@@ -7857,8 +9307,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: @@ -7887,8 +9337,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: @@ -7919,8 +9369,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83713-8 @@ -7950,8 +9400,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83713-8 - CJIS-5.4.1.1 
@@ -7981,8 +9431,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 tags: - CCE-83713-8 @@ -8012,8 +9462,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83713-8 - CJIS-5.4.1.1 @@ -8042,8 +9492,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83713-8 @@ -8071,8 +9521,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: 
@@ -8101,8 +9551,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: @@ -8133,8 +9583,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83713-8 @@ -8164,8 +9614,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83713-8 - CJIS-5.4.1.1 @@ -8195,8 +9645,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 tags: - CCE-83713-8 
@@ -8213,6 +9663,209 @@ - reboot_required - restrict_strategy +- name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-86402-5 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(3) + - NIST-800-53-AU-7(a) + - NIST-800-53-AU-7(b) + - NIST-800-53-AU-8(b) + - NIST-800-53-CM-5(1) + - audit_rules_suid_privilege_function + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + when: + - audit_rules_suid_privilege_function | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + +- name: Service facts + service_facts: null + when: + - audit_rules_suid_privilege_function | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-86402-5 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(3) + - NIST-800-53-AU-7(a) + - NIST-800-53-AU-7(b) + - NIST-800-53-AU-8(b) + - NIST-800-53-CM-5(1) + - audit_rules_suid_privilege_function + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Check the rules script being used + command: grep '^ExecStartPost' /usr/lib/systemd/system/auditd.service + register: check_rules_scripts_result + when: + - audit_rules_suid_privilege_function | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-86402-5 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(3) + - NIST-800-53-AU-7(a) + - NIST-800-53-AU-7(b) + - NIST-800-53-AU-8(b) + - NIST-800-53-CM-5(1) + - audit_rules_suid_privilege_function + - 
low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Set suid_audit_rules fact + set_fact: + suid_audit_rules: + - -a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid + - -a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid + - -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid + - -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid + when: + - audit_rules_suid_privilege_function | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-86402-5 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(3) + - NIST-800-53-AU-7(a) + - NIST-800-53-AU-7(b) + - NIST-800-53-AU-8(b) + - NIST-800-53-CM-5(1) + - audit_rules_suid_privilege_function + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Update /etc/audit/rules.d/privileged.rules to audit privileged functions + lineinfile: + path: /etc/audit/rules.d/privileged.rules + line: '{{ item }}' + create: true + when: + - audit_rules_suid_privilege_function | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - '"auditd.service" in ansible_facts.services' + - '"augenrules" in check_rules_scripts_result.stdout' + register: augenrules_audit_rules_privilege_function_update_result + with_items: '{{ suid_audit_rules }}' + tags: + - CCE-86402-5 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(3) + - NIST-800-53-AU-7(a) + - NIST-800-53-AU-7(b) + - NIST-800-53-AU-8(b) + - NIST-800-53-CM-5(1) + - 
audit_rules_suid_privilege_function + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Update Update /etc/audit/audit.rules to audit privileged functions + lineinfile: + path: /etc/audit/audit.rules + line: '{{ item }}' + create: true + when: + - audit_rules_suid_privilege_function | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - '"auditd.service" in ansible_facts.services' + - '"auditctl" in check_rules_scripts_result.stdout' + register: auditctl_audit_rules_privilege_function_update_result + with_items: '{{ suid_audit_rules }}' + tags: + - CCE-86402-5 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(3) + - NIST-800-53-AU-7(a) + - NIST-800-53-AU-7(b) + - NIST-800-53-AU-8(b) + - NIST-800-53-CM-5(1) + - audit_rules_suid_privilege_function + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Restart Auditd + command: /usr/sbin/service auditd restart + when: + - audit_rules_suid_privilege_function | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - (augenrules_audit_rules_privilege_function_update_result.changed or auditctl_audit_rules_privilege_function_update_result.changed) + - ansible_facts.services["auditd.service"].state == "running" + tags: + - CCE-86402-5 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(3) + - NIST-800-53-AU-7(a) + - NIST-800-53-AU-7(b) + - NIST-800-53-AU-8(b) + - NIST-800-53-CM-5(1) + - audit_rules_suid_privilege_function + - low_complexity + - low_disruption + - medium_severity + - 
no_reboot_needed + - restrict_strategy + - name: Gather the package facts package_facts: manager: auto @@ -8225,6 +9878,7 @@ - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1.5 - PCI-DSS-Req-10.2.2 - PCI-DSS-Req-10.2.5.b - audit_rules_sysadmin_actions @@ -8254,8 +9908,8 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83729-4 - CJIS-5.4.1.1 @@ -8265,6 +9919,7 @@ - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1.5 - PCI-DSS-Req-10.2.2 - PCI-DSS-Req-10.2.5.b - audit_rules_sysadmin_actions @@ -8287,8 +9942,8 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83729-4 @@ -8299,6 +9954,7 @@ - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1.5 - PCI-DSS-Req-10.2.2 - PCI-DSS-Req-10.2.5.b - audit_rules_sysadmin_actions @@ -8319,8 +9975,8 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: 
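Review bot: The `Check the rules script being used` task registers the output of `command: grep '^ExecStartPost' /usr/lib/systemd/system/auditd.service` but sets no `changed_when`, so this read-only probe reports `changed` on every run of the role; add `changed_when: false` under its `register:` line. The same task also has no `failed_when`, so on a unit file with no `ExecStartPost` entry grep exits 1 and the play aborts rather than skipping the two update tasks that key off `check_rules_scripts_result.stdout`; if falling through is the intended behaviour, `failed_when: check_rules_scripts_result.rc > 1` keeps a no-match result from failing the task. The task name `Update Update /etc/audit/audit.rules to audit privileged functions` repeats its first word; `Update /etc/audit/audit.rules to audit privileged functions` matches the naming of the preceding `privileged.rules` task.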
@@ -8332,6 +9988,7 @@ - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1.5 - PCI-DSS-Req-10.2.2 - PCI-DSS-Req-10.2.5.b - audit_rules_sysadmin_actions @@ -8352,8 +10009,8 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: @@ -8365,6 +10022,7 @@ - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1.5 - PCI-DSS-Req-10.2.2 - PCI-DSS-Req-10.2.5.b - audit_rules_sysadmin_actions @@ -8387,8 +10045,8 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83729-4 @@ -8399,6 +10057,7 @@ - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1.5 - PCI-DSS-Req-10.2.2 - PCI-DSS-Req-10.2.5.b - audit_rules_sysadmin_actions @@ -8421,8 +10080,8 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83729-4 - CJIS-5.4.1.1 
@@ -8432,6 +10091,7 @@ - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1.5 - PCI-DSS-Req-10.2.2 - PCI-DSS-Req-10.2.5.b - audit_rules_sysadmin_actions @@ -8455,8 +10115,8 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 tags: - CCE-83729-4 @@ -8467,6 +10127,7 @@ - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1.5 - PCI-DSS-Req-10.2.2 - PCI-DSS-Req-10.2.5.b - audit_rules_sysadmin_actions @@ -8489,8 +10150,8 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83729-4 - CJIS-5.4.1.1 @@ -8500,6 +10161,7 @@ - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1.5 - PCI-DSS-Req-10.2.2 - PCI-DSS-Req-10.2.5.b - audit_rules_sysadmin_actions @@ -8522,8 +10184,8 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83729-4 @@ -8534,6 +10196,7 @@ - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1.5 - PCI-DSS-Req-10.2.2 - PCI-DSS-Req-10.2.5.b - audit_rules_sysadmin_actions 
@@ -8554,8 +10217,8 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: @@ -8567,6 +10230,7 @@ - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1.5 - PCI-DSS-Req-10.2.2 - PCI-DSS-Req-10.2.5.b - audit_rules_sysadmin_actions @@ -8587,8 +10251,8 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: @@ -8600,6 +10264,7 @@ - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1.5 - PCI-DSS-Req-10.2.2 - PCI-DSS-Req-10.2.5.b - audit_rules_sysadmin_actions @@ -8622,8 +10287,8 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83729-4 @@ -8634,6 +10299,7 @@ - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1.5 - PCI-DSS-Req-10.2.2 - PCI-DSS-Req-10.2.5.b - audit_rules_sysadmin_actions 
@@ -8656,8 +10322,8 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83729-4 - CJIS-5.4.1.1 @@ -8667,6 +10333,7 @@ - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1.5 - PCI-DSS-Req-10.2.2 - PCI-DSS-Req-10.2.5.b - audit_rules_sysadmin_actions @@ -8690,8 +10357,8 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 tags: - CCE-83729-4 @@ -8702,6 +10369,7 @@ - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1.5 - PCI-DSS-Req-10.2.2 - PCI-DSS-Req-10.2.5.b - audit_rules_sysadmin_actions @@ -8751,8 +10419,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83722-9 - CJIS-5.4.1.1 @@ -8783,8 +10451,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83722-9 
@@ -8814,8 +10482,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: @@ -8846,8 +10514,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: @@ -8880,8 +10548,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83722-9 @@ -8913,8 +10581,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83722-9 - CJIS-5.4.1.1 
@@ -8946,8 +10614,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 tags: - CCE-83722-9 @@ -9006,8 +10674,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83723-7 - CJIS-5.4.1.1 @@ -9038,8 +10706,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83723-7 @@ -9069,8 +10737,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: 
@@ -9101,8 +10769,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: @@ -9135,8 +10803,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83723-7 @@ -9168,8 +10836,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83723-7 - CJIS-5.4.1.1 @@ -9201,8 +10869,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 tags: - CCE-83723-7 
@@ -9261,8 +10929,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83712-0 - CJIS-5.4.1.1 @@ -9293,8 +10961,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83712-0 @@ -9324,8 +10992,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: @@ -9356,8 +11024,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: 
@@ -9390,8 +11058,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83712-0 @@ -9423,8 +11091,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83712-0 - CJIS-5.4.1.1 @@ -9456,8 +11124,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 tags: - CCE-83712-0 @@ -9516,8 +11184,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83714-6 - CJIS-5.4.1.1 
@@ -9548,8 +11216,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83714-6 @@ -9579,8 +11247,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: @@ -9611,8 +11279,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: @@ -9645,8 +11313,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83714-6 
@@ -9678,8 +11346,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83714-6 - CJIS-5.4.1.1 @@ -9711,8 +11379,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 tags: - CCE-83714-6 @@ -9771,8 +11439,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83725-2 - CJIS-5.4.1.1 @@ -9803,8 +11471,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83725-2 
@@ -9834,8 +11502,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: @@ -9866,8 +11534,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: @@ -9900,8 +11568,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83725-2 @@ -9933,8 +11601,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83725-2 - CJIS-5.4.1.1 
@@ -9966,8 +11634,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 tags: - CCE-83725-2 
@@ -9986,6 +11654,597 @@
   - reboot_required
   - restrict_strategy
 
+- name: Gather the package facts
+  package_facts:
+    manager: auto
+  tags:
+  - CCE-86433-0
+  - audit_sudo_log_events
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - reboot_required
+  - restrict_strategy
+  when:
+  - audit_sudo_log_events | bool
+  - low_complexity | bool
+  - low_disruption | bool
+  - medium_severity | bool
+  - reboot_required | bool
+  - restrict_strategy | bool
+
+- name: Check if watch rule for /var/log/sudo.log already exists in /etc/audit/rules.d/
+  find:
+    paths: /etc/audit/rules.d
+    contains: ^\s*-w\s+/var/log/sudo.log\s+-p\s+wa(\s|$)+
+    patterns: '*.rules'
+  register: find_existing_watch_rules_d
+  when:
+  - audit_sudo_log_events | bool
+  - low_complexity | bool
+  - low_disruption | bool
+  - medium_severity | bool
+  - reboot_required | bool
+  - restrict_strategy | bool
+  - '"audit" in ansible_facts.packages'
+  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  tags:
+  - CCE-86433-0
+  - audit_sudo_log_events
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - reboot_required
+  - restrict_strategy
+
+- name: Search /etc/audit/rules.d for other rules with specified key logins
+  find:
+    paths: /etc/audit/rules.d
+    contains: ^.*(?:-F key=|-k\s+)logins$
+    patterns: '*.rules'
+  register: find_watch_key
+  when:
+  - audit_sudo_log_events | bool
+  - low_complexity | bool
+  - low_disruption | bool
+  - medium_severity | bool
+  - reboot_required | bool
+  - restrict_strategy | bool
+  - '"audit" in ansible_facts.packages'
+  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
+  tags:
+  - CCE-86433-0
+  - audit_sudo_log_events
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - reboot_required
+  - restrict_strategy
+
+- name: Use /etc/audit/rules.d/logins.rules as the recipient for the rule
+  set_fact:
+    all_files:
+    - /etc/audit/rules.d/logins.rules
+  when:
+  - audit_sudo_log_events | bool
+  - low_complexity | bool
+  - low_disruption | bool
+  - medium_severity | bool
+  - reboot_required | bool
+  - restrict_strategy | bool
+  - '"audit" in ansible_facts.packages'
+  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and
+    find_existing_watch_rules_d.matched == 0
+  tags:
+  - CCE-86433-0
+  - audit_sudo_log_events
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - reboot_required
+  - restrict_strategy
+
+- name: Use matched file as the recipient for the rule
+  set_fact:
+    all_files:
+    - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
+  when:
+  - audit_sudo_log_events | bool
+  - low_complexity | bool
+  - low_disruption | bool
+  - medium_severity | bool
+  - reboot_required | bool
+  - restrict_strategy | bool
+  - '"audit" in ansible_facts.packages'
+  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and
+    find_existing_watch_rules_d.matched == 0
+  tags:
+  - CCE-86433-0
+  - audit_sudo_log_events
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - reboot_required
+  - restrict_strategy
+
+- name: Add watch rule for /var/log/sudo.log in /etc/audit/rules.d/
+  lineinfile:
+    path: '{{ all_files[0] }}'
+    line: -w /var/log/sudo.log -p wa -k logins
+    create: true
+    mode: '0640'
+  when:
+  - audit_sudo_log_events | bool
+  - low_complexity | bool
+  - low_disruption | bool
+  - medium_severity | bool
+  - reboot_required | bool
+  - restrict_strategy | bool
+  - '"audit" in ansible_facts.packages'
+  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
+  tags:
+  - CCE-86433-0
+  - audit_sudo_log_events
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - reboot_required
+  - restrict_strategy
+
+- name: Check if watch rule for /var/log/sudo.log already exists in /etc/audit/audit.rules
+  find:
+    paths: /etc/audit/
+    contains: ^\s*-w\s+/var/log/sudo.log\s+-p\s+wa(\s|$)+
+    patterns: audit.rules
+  register: find_existing_watch_audit_rules
+  when:
+  - audit_sudo_log_events | bool
+  - low_complexity | bool
+  - low_disruption | bool
+  - medium_severity | bool
+  - reboot_required | bool
+  - restrict_strategy | bool
+  - '"audit" in ansible_facts.packages'
+  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  tags:
+  - CCE-86433-0
+  - audit_sudo_log_events
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - reboot_required
+  - restrict_strategy
+
+- name: Add watch rule for /var/log/sudo.log in /etc/audit/audit.rules
+  lineinfile:
+    line: -w /var/log/sudo.log -p wa -k logins
+    state: present
+    dest: /etc/audit/audit.rules
+    create: true
+    mode: '0640'
+  when:
+  - audit_sudo_log_events | bool
+  - low_complexity | bool
+  - low_disruption | bool
+  - medium_severity | bool
+  - reboot_required | bool
+  - restrict_strategy | bool
+  - '"audit" in ansible_facts.packages'
+  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0
+  tags:
+  - CCE-86433-0
+  - audit_sudo_log_events
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - reboot_required
+  - restrict_strategy
+
+- name: Gather the package facts
+  package_facts:
+    manager: auto
+  tags:
+  - CCE-86446-2
+  - configure_strategy
+  - file_groupownership_audit_configuration
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - no_reboot_needed
+  when:
+  - configure_strategy | bool
+  - file_groupownership_audit_configuration | bool
+  - low_complexity | bool
+  - low_disruption | bool
+  - medium_severity | bool
+  - no_reboot_needed | bool
+
+- name: Find /etc/audit/ file(s) matching ^audit(\.rules|d\.conf)$
+  command: find -H /etc/audit/ -maxdepth 1 -type f ! -gid 0 -regex "^audit(\.rules|d\.conf)$"
+  register: files_found
+  changed_when: false
+  failed_when: false
+  check_mode: false
+  when:
+  - configure_strategy | bool
+  - file_groupownership_audit_configuration | bool
+  - low_complexity | bool
+  - low_disruption | bool
+  - medium_severity | bool
+  - no_reboot_needed | bool
+  - '"audit" in ansible_facts.packages'
+  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  tags:
+  - CCE-86446-2
+  - configure_strategy
+  - file_groupownership_audit_configuration
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - no_reboot_needed
+
+- name: Ensure group owner on /etc/audit/ file(s) matching ^audit(\.rules|d\.conf)$
+  file:
+    path: '{{ item }}'
+    group: '0'
+    state: file
+  with_items:
+  - '{{ files_found.stdout_lines }}'
+  when:
+  - configure_strategy | bool
+  - file_groupownership_audit_configuration | bool
+  - low_complexity | bool
+  - low_disruption | bool
+  - medium_severity | bool
+  - no_reboot_needed | bool
+  - '"audit" in ansible_facts.packages'
+  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  tags:
+  - CCE-86446-2
+  - configure_strategy
+  - file_groupownership_audit_configuration
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - no_reboot_needed
+
+- name: Find /etc/audit/rules.d/ file(s) matching ^.*\.rules$
+  command: find -H /etc/audit/rules.d/ -maxdepth 1 -type f ! -gid 0 -regex "^.*\.rules$"
+  register: files_found
+  changed_when: false
+  failed_when: false
+  check_mode: false
+  when:
+  - configure_strategy | bool
+  - file_groupownership_audit_configuration | bool
+  - low_complexity | bool
+  - low_disruption | bool
+  - medium_severity | bool
+  - no_reboot_needed | bool
+  - '"audit" in ansible_facts.packages'
+  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  tags:
+  - CCE-86446-2
+  - configure_strategy
+  - file_groupownership_audit_configuration
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - no_reboot_needed
+
+- name: Ensure group owner on /etc/audit/rules.d/ file(s) matching ^.*\.rules$
+  file:
+    path: '{{ item }}'
+    group: '0'
+    state: file
+  with_items:
+  - '{{ files_found.stdout_lines }}'
+  when:
+  - configure_strategy | bool
+  - file_groupownership_audit_configuration | bool
+  - low_complexity | bool
+  - low_disruption | bool
+  - medium_severity | bool
+  - no_reboot_needed | bool
+  - '"audit" in ansible_facts.packages'
+  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  tags:
+  - CCE-86446-2
+  - configure_strategy
+  - file_groupownership_audit_configuration
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - no_reboot_needed
+
+- name: Gather the package facts
+  package_facts:
+    manager: auto
+  tags:
+  - CCE-86445-4
+  - configure_strategy
+  - file_ownership_audit_configuration
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - no_reboot_needed
+  when:
+  - configure_strategy | bool
+  - file_ownership_audit_configuration | bool
+  - low_complexity | bool
+  - low_disruption | bool
+  - medium_severity | bool
+  - no_reboot_needed | bool
+
+- name: Find /etc/audit/ file(s) matching ^audit(\.rules|d\.conf)$
+  command: find -H /etc/audit/ -maxdepth 1 -type f ! -uid 0 -regex "^audit(\.rules|d\.conf)$"
+  register: files_found
+  changed_when: false
+  failed_when: false
+  check_mode: false
+  when:
+  - configure_strategy | bool
+  - file_ownership_audit_configuration | bool
+  - low_complexity | bool
+  - low_disruption | bool
+  - medium_severity | bool
+  - no_reboot_needed | bool
+  - '"audit" in ansible_facts.packages'
+  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  tags:
+  - CCE-86445-4
+  - configure_strategy
+  - file_ownership_audit_configuration
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - no_reboot_needed
+
+- name: Ensure owner on /etc/audit/ file(s) matching ^audit(\.rules|d\.conf)$
+  file:
+    path: '{{ item }}'
+    owner: '0'
+    state: file
+  with_items:
+  - '{{ files_found.stdout_lines }}'
+  when:
+  - configure_strategy | bool
+  - file_ownership_audit_configuration | bool
+  - low_complexity | bool
+  - low_disruption | bool
+  - medium_severity | bool
+  - no_reboot_needed | bool
+  - '"audit" in ansible_facts.packages'
+  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  tags:
+  - CCE-86445-4
+  - configure_strategy
+  - file_ownership_audit_configuration
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - no_reboot_needed
+
+- name: Find /etc/audit/rules.d/ file(s) matching ^.*\.rules$
+  command: find -H /etc/audit/rules.d/ -maxdepth 1 -type f ! -uid 0 -regex "^.*\.rules$"
+  register: files_found
+  changed_when: false
+  failed_when: false
+  check_mode: false
+  when:
+  - configure_strategy | bool
+  - file_ownership_audit_configuration | bool
+  - low_complexity | bool
+  - low_disruption | bool
+  - medium_severity | bool
+  - no_reboot_needed | bool
+  - '"audit" in ansible_facts.packages'
+  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  tags:
+  - CCE-86445-4
+  - configure_strategy
+  - file_ownership_audit_configuration
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - no_reboot_needed
+
+- name: Ensure owner on /etc/audit/rules.d/ file(s) matching ^.*\.rules$
+  file:
+    path: '{{ item }}'
+    owner: '0'
+    state: file
+  with_items:
+  - '{{ files_found.stdout_lines }}'
+  when:
+  - configure_strategy | bool
+  - file_ownership_audit_configuration | bool
+  - low_complexity | bool
+  - low_disruption | bool
+  - medium_severity | bool
+  - no_reboot_needed | bool
+  - '"audit" in ansible_facts.packages'
+  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  tags:
+  - CCE-86445-4
+  - configure_strategy
+  - file_ownership_audit_configuration
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - no_reboot_needed
+
+- name: Gather the package facts
+  package_facts:
+    manager: auto
+  tags:
+  - CCE-83720-3
+  - CJIS-5.4.1.1
+  - NIST-800-171-3.3.1
+  - NIST-800-53-AC-6(1)
+  - NIST-800-53-AU-9(4)
+  - NIST-800-53-CM-6(a)
+  - PCI-DSS-Req-10.5
+  - file_permissions_var_log_audit
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - no_reboot_needed
+  - restrict_strategy
+  when:
+  - file_permissions_var_log_audit | bool
+  - low_complexity | bool
+  - low_disruption | bool
+  - medium_severity | bool
+  - no_reboot_needed | bool
+  - restrict_strategy | bool
+
+- name: Get audit log files
+  command: grep -iw ^log_file /etc/audit/auditd.conf
+  failed_when: false
+  register: log_file_exists
+  when:
+  - file_permissions_var_log_audit | bool
+  - low_complexity | bool
+  - low_disruption | bool
+  - medium_severity | bool
+  - no_reboot_needed | bool
+  - restrict_strategy | bool
+  - '"audit" in ansible_facts.packages'
+  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  tags:
+  - CCE-83720-3
+  - CJIS-5.4.1.1
+  - NIST-800-171-3.3.1
+  - NIST-800-53-AC-6(1)
+  - NIST-800-53-AU-9(4)
+  - NIST-800-53-CM-6(a)
+  - PCI-DSS-Req-10.5
+  - file_permissions_var_log_audit
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - no_reboot_needed
+  - restrict_strategy
+
+- name: Parse log file line
+  command: awk -F '=' '/^log_file/ {print $2}' /etc/audit/auditd.conf
+  register: log_file_line
+  when:
+  - file_permissions_var_log_audit | bool
+  - low_complexity | bool
+  - low_disruption | bool
+  - medium_severity | bool
+  - no_reboot_needed | bool
+  - restrict_strategy | bool
+  - '"audit" in ansible_facts.packages'
+  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  - (log_file_exists.stdout | length > 0)
+  tags:
+  - CCE-83720-3
+  - CJIS-5.4.1.1
+  - NIST-800-171-3.3.1
+  - NIST-800-53-AC-6(1)
+  - NIST-800-53-AU-9(4)
+  - NIST-800-53-CM-6(a)
+  - PCI-DSS-Req-10.5
+  - file_permissions_var_log_audit
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - no_reboot_needed
+  - restrict_strategy
+
+- name: Set default log_file if not set
+  set_fact:
+    log_file: /var/log/audit/audit.log
+  when:
+  - file_permissions_var_log_audit | bool
+  - low_complexity | bool
+  - low_disruption | bool
+  - medium_severity | bool
+  - no_reboot_needed | bool
+  - restrict_strategy | bool
+  - '"audit" in ansible_facts.packages'
+  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  - (log_file_exists is undefined) or (log_file_exists.stdout | length == 0)
+  tags:
+  - CCE-83720-3
+  - CJIS-5.4.1.1
+  - NIST-800-171-3.3.1
+  - NIST-800-53-AC-6(1)
+  - NIST-800-53-AU-9(4)
+  - NIST-800-53-CM-6(a)
+  - PCI-DSS-Req-10.5
+  - file_permissions_var_log_audit
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - no_reboot_needed
+  - restrict_strategy
+
+- name: Set log_file from log_file_line if not set already
+  set_fact:
+    log_file: '{{ log_file_line.stdout | trim }}'
+  when:
+  - file_permissions_var_log_audit | bool
+  - low_complexity | bool
+  - low_disruption | bool
+  - medium_severity | bool
+  - no_reboot_needed | bool
+  - restrict_strategy | bool
+  - '"audit" in ansible_facts.packages'
+  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  - (log_file_line.stdout is defined) and (log_file_line.stdout | length > 0)
+  tags:
+  - CCE-83720-3
+  - CJIS-5.4.1.1
+  - NIST-800-171-3.3.1
+  - NIST-800-53-AC-6(1)
+  - NIST-800-53-AU-9(4)
+  - NIST-800-53-CM-6(a)
+  - PCI-DSS-Req-10.5
+  - file_permissions_var_log_audit
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - no_reboot_needed
+  - restrict_strategy
+
+- name: Apply mode to log file
+  file:
+    path: '{{ log_file }}'
+    mode: 384
+  failed_when: false
+  when:
+  - file_permissions_var_log_audit | bool
+  - low_complexity | bool
+  - low_disruption | bool
+  - medium_severity | bool
+  - no_reboot_needed | bool
+  - restrict_strategy | bool
+  - '"audit" in ansible_facts.packages'
+  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  tags:
+  - CCE-83720-3
+  - CJIS-5.4.1.1
+  - NIST-800-171-3.3.1
+  - NIST-800-53-AC-6(1)
+  - NIST-800-53-AU-9(4)
+  - NIST-800-53-CM-6(a)
+  - PCI-DSS-Req-10.5
+  - file_permissions_var_log_audit
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - no_reboot_needed
+  - restrict_strategy
+
 - name: Gather the package facts
   package_facts:
     manager: auto
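Review bot: The two `command: find -H /etc/audit/ -maxdepth 1 -type f ! -gid 0 -regex "^audit(\.rules|d\.conf)$"` tasks, and their `! -uid 0` twins for CCE-86445-4, select nothing: GNU find's `-regex` is matched against the whole path, so `^audit...$` can never match `/etc/audit/audit.rules` or `/etc/audit/auditd.conf`, and with find's default regex type the unescaped `(`, `|` and `)` are most likely literals rather than grouping and alternation. Because the task also sets `failed_when: false` and the follow-up `file:` tasks loop over the resulting empty `files_found.stdout_lines`, the owner and group of the audit configuration are silently never corrected and the role reports nothing. Something like `command: find -H /etc/audit/ -maxdepth 1 -type f ! -gid 0 -regextype posix-extended -regex "^/etc/audit/audit(\.rules|d\.conf)$"` (and the `-uid` equivalent) selects the intended files; the `^.*\.rules$` variants under /etc/audit/rules.d/ are unaffected because `^.*` absorbs the directory prefix. Separately, `mode: 384` on the "Apply mode to log file" task is decimal 384 (octal 0600) and reads like a typo; `mode: '0600'` states the intent and matches the quoted `mode: '0640'` used earlier in the hunk.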
@@ -10021,8 +12280,8 @@
   - medium_severity | bool
   - reboot_required | bool
   - restrict_strategy | bool
-  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   - '"audit" in ansible_facts.packages'
+  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture
     == "s390x" or ansible_architecture == "x86_64"
   tags:
@@ -10142,8 +12401,8 @@
   - medium_severity | bool
   - reboot_required | bool
   - restrict_strategy | bool
-  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   - '"audit" in ansible_facts.packages'
+  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   tags:
   - CCE-83830-0
   - CJIS-5.4.1.1
@@ -10261,8 +12520,8 @@
   - medium_severity | bool
   - reboot_required | bool
   - restrict_strategy | bool
-  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   - '"audit" in ansible_facts.packages'
+  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   - audit_arch == "b64"
   tags:
   - CCE-83830-0
@@ -10314,8 +12573,8 @@
   - medium_severity | bool
   - reboot_required | bool
   - restrict_strategy | bool
-  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   - '"audit" in ansible_facts.packages'
+  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture
     == "s390x" or ansible_architecture == "x86_64"
   tags:
@@ -10437,8 +12696,8 @@
   - medium_severity | bool
   - reboot_required | bool
   - restrict_strategy | bool
-  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   - '"audit" in ansible_facts.packages'
+  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   tags:
   - CCE-83812-8
   - CJIS-5.4.1.1
@@ -10558,8 +12817,8 @@
   - medium_severity | bool
   - reboot_required | bool
   - restrict_strategy | bool
-  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   - '"audit" in ansible_facts.packages'
+  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   - audit_arch == "b64"
   tags:
   - CCE-83812-8
@@ -10611,8 +12870,8 @@
   - medium_severity | bool
   - reboot_required | bool
   - restrict_strategy | bool
-  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   - '"audit" in ansible_facts.packages'
+  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture
     == "s390x" or ansible_architecture == "x86_64"
   tags:
@@ -10732,8 +12991,8 @@
   - medium_severity | bool
   - reboot_required | bool
   - restrict_strategy | bool
-  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   - '"audit" in ansible_facts.packages'
+  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   tags:
   - CCE-83832-6
   - CJIS-5.4.1.1
@@ -10851,8 +13110,8 @@
   - medium_severity | bool
   - reboot_required | bool
   - restrict_strategy | bool
-  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   - '"audit" in ansible_facts.packages'
+  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   - audit_arch == "b64"
   tags:
   - CCE-83832-6
@@ -10904,8 +13163,8 @@
   - medium_severity | bool
   - reboot_required | bool
   - restrict_strategy | bool
-  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   - '"audit" in ansible_facts.packages'
+  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture
     == "s390x" or ansible_architecture == "x86_64"
   tags:
@@ -11025,8 +13284,8 @@
   - medium_severity | bool
   - reboot_required | bool
   - restrict_strategy | bool
-  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   - '"audit" in ansible_facts.packages'
+  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   tags:
   - CCE-83822-7
   - CJIS-5.4.1.1
@@ -11144,8 +13403,8 @@
   - medium_severity | bool
   - reboot_required | bool
   - restrict_strategy | bool
-  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   - '"audit" in ansible_facts.packages'
+  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   - audit_arch == "b64"
   tags:
   - CCE-83822-7
@@ -11197,8 +13456,8 @@
   - medium_severity | bool
   - reboot_required | bool
   - restrict_strategy | bool
-  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   - '"audit" in ansible_facts.packages'
+  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture
     == "s390x" or ansible_architecture == "x86_64"
   tags:
@@ -11320,8 +13579,8 @@
   - medium_severity | bool
   - reboot_required | bool
   - restrict_strategy | bool
-  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   - '"audit" in ansible_facts.packages'
+  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   tags:
   - CCE-83829-2
   - CJIS-5.4.1.1
@@ -11441,8 +13700,8 @@
   - medium_severity | bool
   - reboot_required | bool
   - restrict_strategy | bool
-  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   - '"audit" in ansible_facts.packages'
+  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   - audit_arch == "b64"
   tags:
   - CCE-83829-2
@@ -11494,8 +13753,8 @@
   - medium_severity | bool
   - reboot_required | bool
   - restrict_strategy | bool
-  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   - '"audit" in ansible_facts.packages'
+  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture
     == "s390x" or ansible_architecture == "x86_64"
   tags:
@@ -11617,8 +13876,8 @@
   - medium_severity | bool
   - reboot_required | bool
   - restrict_strategy | bool
-  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   - '"audit" in ansible_facts.packages'
+  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   tags:
   - CCE-83831-8
   - CJIS-5.4.1.1
@@ -11738,8 +13997,8 @@
   - medium_severity | bool
   - reboot_required | bool
   - restrict_strategy | bool
-  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   - '"audit" in ansible_facts.packages'
+  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   - audit_arch == "b64"
   tags:
   - CCE-83831-8
@@ -11791,8 +14050,8 @@
   - medium_severity | bool
   - reboot_required | bool
   - restrict_strategy | bool
-  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   - '"audit" in ansible_facts.packages'
+  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture
     == "s390x" or ansible_architecture == "x86_64"
   tags:
@@ -12017,8 +14276,8 @@
   - medium_severity | bool
   - reboot_required | bool
   - restrict_strategy | bool
-  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   - '"audit" in ansible_facts.packages'
+  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   tags:
   - CCE-83821-9
   - CJIS-5.4.1.1
@@ -12241,8 +14500,8 @@
   - medium_severity | bool
   - reboot_required | bool
   - restrict_strategy | bool
-  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   - '"audit" in ansible_facts.packages'
+  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   - audit_arch == "b64"
   tags:
   - CCE-83821-9
@@ -12294,8 +14553,8 @@
   - medium_severity | bool
   - reboot_required | bool
   - restrict_strategy | bool
-  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   - '"audit" in ansible_facts.packages'
+  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture
     == "s390x" or ansible_architecture == "x86_64"
   tags:
@@ -12520,8 +14779,8 @@
   - medium_severity | bool
   - reboot_required | bool
   - restrict_strategy | bool
-  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   - '"audit" in ansible_facts.packages'
+  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   tags:
   - CCE-83817-7
   - CJIS-5.4.1.1
@@ -12744,8 +15003,8 @@
   - medium_severity | bool
   - reboot_required | bool
   - restrict_strategy | bool
-  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   - '"audit" in ansible_facts.packages'
+  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   - audit_arch == "b64"
   tags:
   - CCE-83817-7
@@ -12797,8 +15056,8 @@
   - medium_severity | bool
   - reboot_required | bool
   - restrict_strategy | bool
-  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   - '"audit" in ansible_facts.packages'
+  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture
     == "s390x" or ansible_architecture == "x86_64"
   tags:
@@ -12920,8 +15179,8 @@
   - medium_severity | bool
   - reboot_required | bool
   - restrict_strategy | bool
-  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   - '"audit" in ansible_facts.packages'
+  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   tags:
   - CCE-83833-4
   - CJIS-5.4.1.1
@@ -13041,8 +15300,8 @@
   - medium_severity | bool
   - reboot_required | bool
   - restrict_strategy | bool
-  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   - '"audit" in ansible_facts.packages'
+  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   - audit_arch == "b64"
   tags:
   - CCE-83833-4
@@ -13094,8 +15353,8 @@
   - medium_severity | bool
   - reboot_required | bool
   - restrict_strategy | bool
-  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   - '"audit" in ansible_facts.packages'
+  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture
     == "s390x" or ansible_architecture == "x86_64"
   tags:
@@ -13320,8 +15579,8 @@
   - medium_severity | bool
   - reboot_required | bool
   - restrict_strategy | bool
-  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   - '"audit" in ansible_facts.packages'
+  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   tags:
   - CCE-83814-4
   - CJIS-5.4.1.1
@@ -13544,8 +15803,8 @@
   - medium_severity | bool
   - reboot_required | bool
   - restrict_strategy | bool
-  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   - '"audit" in ansible_facts.packages'
+  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   - audit_arch == "b64"
   tags:
   - CCE-83814-4
@@ -13597,8 +15856,8 @@
   - medium_severity | bool
   - reboot_required | bool
   - restrict_strategy | bool
-  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   - '"audit" in ansible_facts.packages'
+  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture
     == "s390x" or ansible_architecture == "x86_64"
   tags:
@@ -13823,8 +16082,8 @@
   - medium_severity | bool
   - reboot_required | bool
   - restrict_strategy | bool
-  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   - '"audit" in ansible_facts.packages'
+  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   tags:
   - CCE-83808-6
   - CJIS-5.4.1.1
@@ -14047,8 +16306,8 @@
   - medium_severity | bool
   - reboot_required | bool
   - restrict_strategy | bool
-  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   - '"audit" in ansible_facts.packages'
+  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   - audit_arch == "b64"
   tags:
   - CCE-83808-6
@@ -14100,8 +16359,8 @@
   - medium_severity | bool
   - reboot_required | bool
   - restrict_strategy | bool
-  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   - '"audit" in ansible_facts.packages'
+  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture
     == "s390x" or ansible_architecture == "x86_64"
   tags:
@@ -14326,8 +16585,8 @@
   - medium_severity | bool
   - reboot_required | bool
   - restrict_strategy | bool
-  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   - '"audit" in ansible_facts.packages'
+  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   tags:
   - CCE-83807-8
   - CJIS-5.4.1.1
@@ -14550,8 +16809,8 @@
   - medium_severity | bool
   - reboot_required | bool
   - restrict_strategy | bool
-  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   - '"audit" in ansible_facts.packages'
+  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   - audit_arch == "b64"
   tags:
   - CCE-83807-8
@@ -14603,8 +16862,8 @@
   - medium_severity | bool
   - reboot_required | bool
   - restrict_strategy | bool
-  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   - '"audit" in ansible_facts.packages'
+  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture
     == "s390x" or ansible_architecture == "x86_64"
   tags:
@@ -14829,8 +17088,8 @@
   - medium_severity | bool
   - reboot_required | bool
   - restrict_strategy | bool
-  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   - '"audit" in ansible_facts.packages'
+  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   tags:
   - CCE-83811-0
   - CJIS-5.4.1.1
@@ -15053,8 +17312,8 @@
   - medium_severity | bool
   - reboot_required | bool
   - restrict_strategy | bool
-  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   - '"audit" in ansible_facts.packages'
+  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   - audit_arch == "b64"
   tags:
   - CCE-83811-0
@@ -15071,6 +17330,394 @@ - reboot_required - restrict_strategy +- name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-87685-4 + - audit_rules_execution_chacl + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + when: + - audit_rules_execution_chacl | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + +- name: Perform remediation of Audit rules for /usr/bin/chacl + block: + - name: Declare list of syscalls + set_fact: + syscalls: [] + syscall_grouping: [] + - name: Check existence of in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F path=/usr/bin/chacl -F perm=x -F auid>=1000 + -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + patterns: '*.rules' + register: find_command + loop: '{{ (syscall_grouping + syscalls) | unique }}' + - name: Reset syscalls found per file + set_fact: + syscalls_per_file: {} + found_paths_dict: {} + - name: Declare syscalls found per file + set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + []) } ) }}" + loop: '{{ find_command.results | selectattr(''matched'') | list }}' + - name: Declare files where syscalls were found + set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + - name: Count occurrences of syscalls in paths + set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' + - name: Get path with most syscalls + set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + when: found_paths | length >= 1 + - name: No file with syscall found, set 
path to /etc/audit/rules.d/privileged.rules + set_fact: audit_file="/etc/audit/rules.d/privileged.rules" + when: found_paths | length == 0 + - name: Declare found syscalls + set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + - name: Declare missing syscalls + set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + - name: Replace the audit rule in {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( + -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) + line: \1\2\3{{ missing_syscalls | join("\3") }}\4 + backrefs: true + state: present + when: syscalls_found | length > 0 and missing_syscalls | length > 0 + - name: Add the audit rule to {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged + create: true + mode: o-rwx + state: present + when: syscalls_found | length == 0 + - name: Declare list of syscalls + set_fact: + syscalls: [] + syscall_grouping: [] + - name: Check existence of in /etc/audit/audit.rules + find: + paths: /etc/audit + contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F path=/usr/bin/chacl -F perm=x -F auid>=1000 + -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + patterns: audit.rules + register: find_command + loop: '{{ (syscall_grouping + syscalls) | unique }}' + - name: Set path to /etc/audit/audit.rules + set_fact: audit_file="/etc/audit/audit.rules" + - name: Declare found syscalls + set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + - name: Declare missing syscalls + set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + - name: Replace the audit rule in {{ audit_file }} + lineinfile: + 
path: '{{ audit_file }}' + regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/chacl + -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) + line: \1\2\3{{ missing_syscalls | join("\3") }}\4 + backrefs: true + state: present + when: syscalls_found | length > 0 and missing_syscalls | length > 0 + - name: Add the audit rule to {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged + create: true + mode: o-rwx + state: present + when: syscalls_found | length == 0 + when: + - audit_rules_execution_chacl | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-87685-4 + - audit_rules_execution_chacl + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-90482-1 + - audit_rules_execution_setfacl + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + when: + - audit_rules_execution_setfacl | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + +- name: Perform remediation of Audit rules for /usr/bin/setfacl + block: + - name: Declare list of syscalls + set_fact: + syscalls: [] + syscall_grouping: [] + - name: Check existence of in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 + -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + patterns: '*.rules' + 
register: find_command + loop: '{{ (syscall_grouping + syscalls) | unique }}' + - name: Reset syscalls found per file + set_fact: + syscalls_per_file: {} + found_paths_dict: {} + - name: Declare syscalls found per file + set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + []) } ) }}" + loop: '{{ find_command.results | selectattr(''matched'') | list }}' + - name: Declare files where syscalls were found + set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + - name: Count occurrences of syscalls in paths + set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' + - name: Get path with most syscalls + set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + when: found_paths | length >= 1 + - name: No file with syscall found, set path to /etc/audit/rules.d/privileged.rules + set_fact: audit_file="/etc/audit/rules.d/privileged.rules" + when: found_paths | length == 0 + - name: Declare found syscalls + set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + - name: Declare missing syscalls + set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + - name: Replace the audit rule in {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( + -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) + line: \1\2\3{{ missing_syscalls | join("\3") }}\4 + backrefs: true + state: present + when: syscalls_found | length > 0 and missing_syscalls | length > 0 + - name: Add the audit rule to {{ audit_file }} + lineinfile: 
+ path: '{{ audit_file }}' + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged + create: true + mode: o-rwx + state: present + when: syscalls_found | length == 0 + - name: Declare list of syscalls + set_fact: + syscalls: [] + syscall_grouping: [] + - name: Check existence of in /etc/audit/audit.rules + find: + paths: /etc/audit + contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 + -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + patterns: audit.rules + register: find_command + loop: '{{ (syscall_grouping + syscalls) | unique }}' + - name: Set path to /etc/audit/audit.rules + set_fact: audit_file="/etc/audit/audit.rules" + - name: Declare found syscalls + set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + - name: Declare missing syscalls + set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + - name: Replace the audit rule in {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/setfacl + -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) + line: \1\2\3{{ missing_syscalls | join("\3") }}\4 + backrefs: true + state: present + when: syscalls_found | length > 0 and missing_syscalls | length > 0 + - name: Add the audit rule to {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged + create: true + mode: o-rwx + state: present + when: syscalls_found | length == 0 + when: + - audit_rules_execution_setfacl | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"audit" in ansible_facts.packages' + - 
ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-90482-1 + - audit_rules_execution_setfacl + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-83748-4 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_execution_chcon + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + when: + - audit_rules_execution_chcon | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + +- name: Perform remediation of Audit rules for /usr/bin/chcon + block: + - name: Declare list of syscalls + set_fact: + syscalls: [] + syscall_grouping: [] + - name: Check existence of in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F path=/usr/bin/chcon -F perm=x -F auid>=1000 + -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + patterns: '*.rules' + register: find_command + loop: '{{ (syscall_grouping + syscalls) | unique }}' + - name: Reset syscalls found per file + set_fact: + syscalls_per_file: {} + found_paths_dict: {} + - name: Declare syscalls found per file + set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + []) } ) }}" + loop: '{{ find_command.results | selectattr(''matched'') | list }}' + - name: Declare files where syscalls were found + set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + - name: Count occurrences of syscalls in paths + set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + loop: '{{ 
find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' + - name: Get path with most syscalls + set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + when: found_paths | length >= 1 + - name: No file with syscall found, set path to /etc/audit/rules.d/privileged.rules + set_fact: audit_file="/etc/audit/rules.d/privileged.rules" + when: found_paths | length == 0 + - name: Declare found syscalls + set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + - name: Declare missing syscalls + set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + - name: Replace the audit rule in {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( + -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) + line: \1\2\3{{ missing_syscalls | join("\3") }}\4 + backrefs: true + state: present + when: syscalls_found | length > 0 and missing_syscalls | length > 0 + - name: Add the audit rule to {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged + create: true + mode: o-rwx + state: present + when: syscalls_found | length == 0 + - name: Declare list of syscalls + set_fact: + syscalls: [] + syscall_grouping: [] + - name: Check existence of in /etc/audit/audit.rules + find: + paths: /etc/audit + contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F path=/usr/bin/chcon -F perm=x -F auid>=1000 + -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + patterns: audit.rules + register: find_command + loop: '{{ (syscall_grouping + syscalls) | unique }}' + - name: Set path to /etc/audit/audit.rules + set_fact: audit_file="/etc/audit/audit.rules" + - name: 
Declare found syscalls + set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + - name: Declare missing syscalls + set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + - name: Replace the audit rule in {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/chcon + -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) + line: \1\2\3{{ missing_syscalls | join("\3") }}\4 + backrefs: true + state: present + when: syscalls_found | length > 0 and missing_syscalls | length > 0 + - name: Add the audit rule to {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged + create: true + mode: o-rwx + state: present + when: syscalls_found | length == 0 + when: + - audit_rules_execution_chcon | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-83748-4 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_execution_chcon + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - name: Gather the package facts package_facts: manager: auto 
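Review bot: The existence check in the new `/usr/bin/chacl` block (and its `setfacl` and `chcon` copies) never executes, because `syscalls` and `syscall_grouping` are both declared as `[]` and the `Check existence` `find` task loops over `(syscall_grouping + syscalls) | unique`; with an empty loop `syscalls_found` is always empty, so `Add the audit rule` runs on every pass and appends `... -F key=privileged` even when an equivalent rule written as `-k privileged` — which the `(-k\s+|-F\s+key=)` alternation in the regex was clearly meant to accept — already exists, leaving duplicate rules that auditctl will typically reject as already present when the set is loaded. For these path-only rules the looped, syscall-oriented check should be replaced by a single `find` on the full rule line, with `audit_file` derived from its `files` list and the add gated on its `matched` count, as sketched below; the same change applies to the `/etc/audit/audit.rules` half of each block. Separately, `auid>=1000` is hard-coded, so the rule silently misses interactive users on systems whose UID_MIN differs; if the role carries a UID_MIN-style variable elsewhere in this file it should be used here. Nothing in the hunk reloads the rules, so the `no_reboot_needed` tag holds only if auditd is restarted or `augenrules --load` is run by something outside this task.
```yaml
  - name: Check for an existing rule for /usr/bin/chacl in /etc/audit/rules.d/
    find:
      paths: /etc/audit/rules.d
      contains: ^-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
      patterns: '*.rules'
    register: find_existing_chacl_rule
  - name: Use the file that already holds the rule, else privileged.rules
    set_fact: audit_file="{{ (find_existing_chacl_rule.files | map(attribute='path') | list | first) if find_existing_chacl_rule.matched > 0 else '/etc/audit/rules.d/privileged.rules' }}"
  # … unchanged: syscall replace task is not needed for a path-only rule …
  - name: Add the audit rule to {{ audit_file }}
    lineinfile:
      path: '{{ audit_file }}'
      line: -a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
      create: true
      mode: o-rwx
      state: present
    when: find_existing_chacl_rule.matched == 0
```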
@@ -15105,8 +17752,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" tags: @@ -15229,8 +17876,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83754-2 - NIST-800-171-3.1.7 @@ -15351,8 +17998,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - audit_arch == "b64" tags: - CCE-83754-2 @@ -15402,8 +18049,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" tags: 
@@ -15526,8 +18173,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83756-7 - NIST-800-171-3.1.7 @@ -15648,8 +18295,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - audit_arch == "b64" tags: - CCE-83756-7 @@ -15699,8 +18346,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" tags: @@ -15823,8 +18470,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83757-5 - NIST-800-171-3.1.7 @@ -15945,8 +18592,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - audit_arch == "b64" tags: - CCE-83757-5 
@@ -15996,8 +18643,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" tags: @@ -16120,8 +18767,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83755-9 - NIST-800-171-3.1.7 @@ -16242,8 +18889,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - audit_arch == "b64" tags: - CCE-83755-9 @@ -16294,8 +18941,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" tags: 
@@ -16423,8 +19070,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83786-4 - NIST-800-171-3.1.7 @@ -16550,8 +19197,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - audit_arch == "b64" tags: - CCE-83786-4 @@ -16678,8 +19325,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83786-4 - NIST-800-171-3.1.7 @@ -16805,8 +19452,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - audit_arch == "b64" tags: - CCE-83786-4 @@ -16858,8 +19505,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" tags: 
@@ -16987,8 +19634,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83800-3 - NIST-800-171-3.1.7 @@ -17114,8 +19761,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - audit_arch == "b64" tags: - CCE-83800-3 @@ -17242,8 +19889,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83800-3 - NIST-800-171-3.1.7 @@ -17369,8 +20016,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - audit_arch == "b64" tags: - CCE-83800-3 @@ -17422,8 +20069,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" tags: 
@@ -17551,8 +20198,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83801-1 - NIST-800-171-3.1.7 @@ -17678,8 +20325,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - audit_arch == "b64" tags: - CCE-83801-1 @@ -17806,8 +20453,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83801-1 - NIST-800-171-3.1.7 @@ -17933,8 +20580,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - audit_arch == "b64" tags: - CCE-83801-1 @@ -17986,8 +20633,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" tags: 
@@ -18115,8 +20762,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83794-8 - NIST-800-171-3.1.7 @@ -18242,8 +20889,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - audit_arch == "b64" tags: - CCE-83794-8 @@ -18370,8 +21017,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83794-8 - NIST-800-171-3.1.7 @@ -18497,8 +21144,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - audit_arch == "b64" tags: - CCE-83794-8 @@ -18550,8 +21197,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" tags: 
@@ -18679,8 +21326,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83792-2 - NIST-800-171-3.1.7 @@ -18806,8 +21453,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - audit_arch == "b64" tags: - CCE-83792-2 @@ -18934,8 +21581,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83792-2 - NIST-800-171-3.1.7 @@ -19061,8 +21708,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - audit_arch == "b64" tags: - CCE-83792-2 @@ -19114,8 +21761,8 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" tags: 
@@ -19229,8 +21876,8 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83802-9 - NIST-800-171-3.1.7 @@ -19342,8 +21989,8 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - audit_arch == "b64" tags: - CCE-83802-9 @@ -19395,8 +22042,8 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" tags: @@ -19514,8 +22161,8 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-90835-0 - NIST-800-171-3.1.7 @@ -19631,8 +22278,8 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - audit_arch == "b64" tags: - CCE-90835-0 
@@ -19687,8 +22334,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83783-1 - NIST-800-171-3.1.7 @@ -19717,8 +22364,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83783-1 @@ -19746,8 +22393,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: @@ -19776,8 +22423,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: 
@@ -19808,8 +22455,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83783-1 @@ -19839,8 +22486,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83783-1 - NIST-800-171-3.1.7 @@ -19870,8 +22517,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 tags: - CCE-83783-1 @@ -19926,8 +22573,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83785-6 - NIST-800-171-3.1.7 
@@ -19956,8 +22603,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83785-6 @@ -19985,8 +22632,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: @@ -20015,8 +22662,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: @@ -20047,8 +22694,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83785-6 
@@ -20078,8 +22725,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83785-6 - NIST-800-171-3.1.7 @@ -20109,8 +22756,8 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 tags: - CCE-83785-6 
@@ -20127,6 +22774,132 @@ - reboot_required - restrict_strategy +- name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-87212-7 + - audit_rules_privileged_commands_usermod + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + when: + - audit_rules_privileged_commands_usermod | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + +- name: Perform remediation of Audit rules for /usr/sbin/usermod + block: + - name: Declare list of syscalls + set_fact: + syscalls: [] + syscall_grouping: [] + - name: Check existence of in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 + -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + patterns: '*.rules' + register: find_command + loop: '{{ (syscall_grouping + syscalls) | unique }}' + - name: Reset syscalls found per file + set_fact: + syscalls_per_file: {} + found_paths_dict: {} + - name: Declare syscalls found per file + set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + []) } ) }}" + loop: '{{ find_command.results | selectattr(''matched'') | list }}' + - name: Declare files where syscalls were found + set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + - name: Count occurrences of syscalls in paths + set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' + - name: Get path with most syscalls + set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + when: found_paths | length >= 1 + - name: No 
file with syscall found, set path to /etc/audit/rules.d/privileged.rules + set_fact: audit_file="/etc/audit/rules.d/privileged.rules" + when: found_paths | length == 0 + - name: Declare found syscalls + set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + - name: Declare missing syscalls + set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + - name: Replace the audit rule in {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( + -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) + line: \1\2\3{{ missing_syscalls | join("\3") }}\4 + backrefs: true + state: present + when: syscalls_found | length > 0 and missing_syscalls | length > 0 + - name: Add the audit rule to {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged + create: true + mode: o-rwx + state: present + when: syscalls_found | length == 0 + - name: Declare list of syscalls + set_fact: + syscalls: [] + syscall_grouping: [] + - name: Check existence of in /etc/audit/audit.rules + find: + paths: /etc/audit + contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 + -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ + patterns: audit.rules + register: find_command + loop: '{{ (syscall_grouping + syscalls) | unique }}' + - name: Set path to /etc/audit/audit.rules + set_fact: audit_file="/etc/audit/audit.rules" + - name: Declare found syscalls + set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + - name: Declare missing syscalls + set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + - name: Replace the audit 
rule in {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/usermod + -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) + line: \1\2\3{{ missing_syscalls | join("\3") }}\4 + backrefs: true + state: present + when: syscalls_found | length > 0 and missing_syscalls | length > 0 + - name: Add the audit rule to {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged + create: true + mode: o-rwx + state: present + when: syscalls_found | length == 0 + when: + - audit_rules_privileged_commands_usermod | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-87212-7 + - audit_rules_privileged_commands_usermod + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - name: Gather the package facts package_facts: manager: auto @@ -20163,8 +22936,8 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" tags: 
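Review bot: For this path-based rule the existence check is effectively dead: both `syscalls` and `syscall_grouping` are declared as `[]`, so each `find` task loops over `(syscall_grouping + syscalls) | unique`, which is empty, `find_command.results` stays empty, and `syscalls_found` is always `[]` as far as I can tell from the loop expression. The only path then taken is `Add the audit rule to {{ audit_file }}` against the fixed file `/etc/audit/rules.d/privileged.rules` (and `/etc/audit/audit.rules` in the second half of the block), so an equivalent rule that already lives in another rules.d file, or one written with `-k privileged` instead of `-F key=privileged`, is duplicated rather than recognised, because `lineinfile` only de-duplicates an exact textual match in its target file. A rule with no `-S` list needs a loop-free `find` whose `contains` matches the path form directly, e.g. `contains: -a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$`, with the add task gated on `find_command.matched == 0`. The generated task name `Check existence of in /etc/audit/rules.d/` also shows the missing syscall word; `Check existence of rule for /usr/sbin/usermod in /etc/audit/rules.d/` reads correctly.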
@@ -20285,8 +23058,8 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83840-9 - CJIS-5.4.1.1 @@ -20404,8 +23177,8 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - audit_arch == "b64" tags: - CCE-83840-9 @@ -20459,8 +23232,8 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" tags: @@ -20575,8 +23348,8 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83837-5 - CJIS-5.4.1.1 @@ -20689,8 +23462,8 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - audit_arch == "b64" tags: - CCE-83837-5 
@@ -20708,6 +23481,303 @@ - no_reboot_needed - restrict_strategy +- name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-83836-7 + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.4.2.b + - audit_rules_time_settimeofday + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + when: + - audit_rules_time_settimeofday | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + +- name: Set architecture for audit tasks + set_fact: + audit_arch: b64 + when: + - audit_rules_time_settimeofday | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture + == "s390x" or ansible_architecture == "x86_64" + tags: + - CCE-83836-7 + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.4.2.b + - audit_rules_time_settimeofday + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Perform remediation of Audit rules for settimeofday for 32bit platform + block: + - name: Declare list of syscalls + set_fact: + syscalls: + - settimeofday + syscall_grouping: + - adjtimex + - settimeofday + - stime + - name: Check existence of settimeofday in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$ + patterns: '*.rules' + 
register: find_command + loop: '{{ (syscall_grouping + syscalls) | unique }}' + - name: Reset syscalls found per file + set_fact: + syscalls_per_file: {} + found_paths_dict: {} + - name: Declare syscalls found per file + set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + []) } ) }}" + loop: '{{ find_command.results | selectattr(''matched'') | list }}' + - name: Declare files where syscalls were found + set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + - name: Count occurrences of syscalls in paths + set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' + - name: Get path with most syscalls + set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + when: found_paths | length >= 1 + - name: No file with syscall found, set path to /etc/audit/rules.d/audit_time_rules.rules + set_fact: audit_file="/etc/audit/rules.d/audit_time_rules.rules" + when: found_paths | length == 0 + - name: Declare found syscalls + set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + - name: Declare missing syscalls + set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + - name: Replace the audit rule in {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S + |,)\w+)+)( (?:-k |-F key=)\w+) + line: \1\2\3{{ missing_syscalls | join("\3") }}\4 + backrefs: true + state: present + when: syscalls_found | length > 0 and missing_syscalls | length > 0 + - name: Add the audit rule to {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + line: -a 
always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=audit_time_rules + create: true + mode: o-rwx + state: present + when: syscalls_found | length == 0 + - name: Declare list of syscalls + set_fact: + syscalls: + - settimeofday + syscall_grouping: + - adjtimex + - settimeofday + - stime + - name: Check existence of settimeofday in /etc/audit/audit.rules + find: + paths: /etc/audit + contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$ + patterns: audit.rules + register: find_command + loop: '{{ (syscall_grouping + syscalls) | unique }}' + - name: Set path to /etc/audit/audit.rules + set_fact: audit_file="/etc/audit/audit.rules" + - name: Declare found syscalls + set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + - name: Declare missing syscalls + set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + - name: Replace the audit rule in {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k + |-F key=)\w+) + line: \1\2\3{{ missing_syscalls | join("\3") }}\4 + backrefs: true + state: present + when: syscalls_found | length > 0 and missing_syscalls | length > 0 + - name: Add the audit rule to {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=audit_time_rules + create: true + mode: o-rwx + state: present + when: syscalls_found | length == 0 + when: + - audit_rules_time_settimeofday | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-83836-7 + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - 
NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.4.2.b + - audit_rules_time_settimeofday + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Perform remediation of Audit rules for settimeofday for 64bit platform + block: + - name: Declare list of syscalls + set_fact: + syscalls: + - settimeofday + syscall_grouping: + - adjtimex + - settimeofday + - stime + - name: Check existence of settimeofday in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$ + patterns: '*.rules' + register: find_command + loop: '{{ (syscall_grouping + syscalls) | unique }}' + - name: Reset syscalls found per file + set_fact: + syscalls_per_file: {} + found_paths_dict: {} + - name: Declare syscalls found per file + set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, + []) } ) }}" + loop: '{{ find_command.results | selectattr(''matched'') | list }}' + - name: Declare files where syscalls were found + set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" + - name: Count occurrences of syscalls in paths + set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" + loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' + - name: Get path with most syscalls + set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" + when: found_paths | length >= 1 + - name: No file with syscall found, set path to /etc/audit/rules.d/audit_time_rules.rules + set_fact: audit_file="/etc/audit/rules.d/audit_time_rules.rules" + when: found_paths | length == 0 + - name: Declare found syscalls + 
set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + - name: Declare missing syscalls + set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + - name: Replace the audit rule in {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S + |,)\w+)+)( (?:-k |-F key=)\w+) + line: \1\2\3{{ missing_syscalls | join("\3") }}\4 + backrefs: true + state: present + when: syscalls_found | length > 0 and missing_syscalls | length > 0 + - name: Add the audit rule to {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F key=audit_time_rules + create: true + mode: o-rwx + state: present + when: syscalls_found | length == 0 + - name: Declare list of syscalls + set_fact: + syscalls: + - settimeofday + syscall_grouping: + - adjtimex + - settimeofday + - stime + - name: Check existence of settimeofday in /etc/audit/audit.rules + find: + paths: /etc/audit + contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$ + patterns: audit.rules + register: find_command + loop: '{{ (syscall_grouping + syscalls) | unique }}' + - name: Set path to /etc/audit/audit.rules + set_fact: audit_file="/etc/audit/audit.rules" + - name: Declare found syscalls + set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" + - name: Declare missing syscalls + set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" + - name: Replace the audit rule in {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k + |-F key=)\w+) + line: \1\2\3{{ missing_syscalls | join("\3") }}\4 + backrefs: true + state: present + 
when: syscalls_found | length > 0 and missing_syscalls | length > 0 + - name: Add the audit rule to {{ audit_file }} + lineinfile: + path: '{{ audit_file }}' + line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F key=audit_time_rules + create: true + mode: o-rwx + state: present + when: syscalls_found | length == 0 + when: + - audit_rules_time_settimeofday | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch == "b64" + tags: + - CCE-83836-7 + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.4.2.b + - audit_rules_time_settimeofday + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - name: Gather the package facts package_facts: manager: auto @@ -20836,8 +23906,8 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83835-9 - CJIS-5.4.1.1 @@ -20893,8 +23963,8 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83839-1 - CJIS-5.4.1.1 
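Review bot: `audit_arch` is assigned only in the `Set architecture for audit tasks` task, and only when `ansible_architecture` is one of the five listed 64-bit values, yet the 64bit block at the end of the hunk is gated on `audit_arch == "b64"`; on any other architecture with audit installed the preceding conditions all pass and the comparison is evaluated against an undefined variable, which fails the conditional instead of skipping the block, unless the role defines a default for `audit_arch` somewhere outside this hunk. The earlier hunks show the same gate as context, so this is probably inherited from the generator, but the new copy repeats it. The block becomes self-contained with `- audit_arch is defined and audit_arch == "b64"`, or with the set_fact assigning `audit_arch: "{{ 'b64' if ansible_architecture in ['aarch64', 'ppc64', 'ppc64le', 's390x', 'x86_64'] else 'b32' }}"` and the architecture condition dropped from its `when`.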
@@ -20924,8 +23994,8 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83839-1 @@ -20954,8 +24024,8 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: @@ -20985,8 +24055,8 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: @@ -21018,8 +24088,8 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83839-1 
@@ -21050,8 +24120,8 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83839-1 - CJIS-5.4.1.1 @@ -21082,8 +24152,8 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 tags: - CCE-83839-1 @@ -21140,8 +24210,8 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83698-1 - CJIS-5.4.1.1 @@ -21199,8 +24269,8 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83700-5 - CJIS-5.4.1.1 @@ -21255,8 +24325,8 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83683-3 - CJIS-5.4.1.1 
@@ -21310,8 +24380,8 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83701-3 - CJIS-5.4.1.1 @@ -21369,8 +24439,8 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83703-9 - CJIS-5.4.1.1 @@ -21423,8 +24493,8 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"grub2-common" in ansible_facts.packages' - '"/boot/efi" not in ansible_mounts | map(attribute="mount") | list' + - '"grub2-common" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83848-2 @@ -21451,8 +24521,8 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"grub2-common" in ansible_facts.packages' - '"/boot/efi" not in ansible_mounts | map(attribute="mount") | list' + - '"grub2-common" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - file_exists.stat is defined and file_exists.stat.exists tags: @@ -21504,8 +24574,8 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"grub2-common" in ansible_facts.packages' - '"/boot/efi" not in ansible_mounts | map(attribute="mount") | list' + - '"grub2-common" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-86010-6 
@@ -21532,8 +24602,8 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"grub2-common" in ansible_facts.packages' - '"/boot/efi" not in ansible_mounts | map(attribute="mount") | list' + - '"grub2-common" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - file_exists.stat is defined and file_exists.stat.exists tags: @@ -21585,8 +24655,8 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"grub2-common" in ansible_facts.packages' - '"/boot/efi" not in ansible_mounts | map(attribute="mount") | list' + - '"grub2-common" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83845-8 @@ -21613,8 +24683,8 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"grub2-common" in ansible_facts.packages' - '"/boot/efi" not in ansible_mounts | map(attribute="mount") | list' + - '"grub2-common" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - file_exists.stat is defined and file_exists.stat.exists tags: @@ -21666,8 +24736,8 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"grub2-common" in ansible_facts.packages' - '"/boot/efi" not in ansible_mounts | map(attribute="mount") | list' + - '"grub2-common" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-86016-3 @@ -21694,8 +24764,8 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"grub2-common" in ansible_facts.packages' - '"/boot/efi" not in ansible_mounts | map(attribute="mount") | list' + - '"grub2-common" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - file_exists.stat is defined and file_exists.stat.exists tags: 
@@ -21745,8 +24815,8 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"grub2-common" in ansible_facts.packages' - '"/boot/efi" not in ansible_mounts | map(attribute="mount") | list' + - '"grub2-common" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83846-6 @@ -21771,8 +24841,8 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"grub2-common" in ansible_facts.packages' - '"/boot/efi" not in ansible_mounts | map(attribute="mount") | list' + - '"grub2-common" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - file_exists.stat is defined and file_exists.stat.exists tags: @@ -21820,8 +24890,8 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"grub2-common" in ansible_facts.packages' - '"/boot/efi" not in ansible_mounts | map(attribute="mount") | list' + - '"grub2-common" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-86025-4 @@ -21846,8 +24916,8 @@ - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"grub2-common" in ansible_facts.packages' - '"/boot/efi" not in ansible_mounts | map(attribute="mount") | list' + - '"grub2-common" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - file_exists.stat is defined and file_exists.stat.exists tags: 
@@ -21862,318 +24932,6 @@ - medium_severity - no_reboot_needed -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-86013-0 - - CJIS-5.5.2.2 - - NIST-800-171-3.4.5 - - NIST-800-53-AC-6(1) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-7.1 - - configure_strategy - - file_groupowner_efi_user_cfg - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - when: - - configure_strategy | bool - - file_groupowner_efi_user_cfg | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - -- name: Test for existence /boot/grub2/user.cfg - stat: - path: /boot/grub2/user.cfg - register: file_exists - when: - - configure_strategy | bool - - file_groupowner_efi_user_cfg | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list' - - '"grub2-common" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-86013-0 - - CJIS-5.5.2.2 - - NIST-800-171-3.4.5 - - NIST-800-53-AC-6(1) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-7.1 - - configure_strategy - - file_groupowner_efi_user_cfg - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - -- name: Ensure group owner 0 on /boot/grub2/user.cfg - file: - path: /boot/grub2/user.cfg - group: '0' - when: - - configure_strategy | bool - - file_groupowner_efi_user_cfg | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list' - - '"grub2-common" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - file_exists.stat is defined and file_exists.stat.exists - tags: - - CCE-86013-0 - - CJIS-5.5.2.2 - - NIST-800-171-3.4.5 - - NIST-800-53-AC-6(1) - - 
NIST-800-53-CM-6(a) - - PCI-DSS-Req-7.1 - - configure_strategy - - file_groupowner_efi_user_cfg - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-86022-1 - - CJIS-5.5.2.2 - - NIST-800-171-3.4.5 - - NIST-800-53-AC-6(1) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-7.1 - - configure_strategy - - file_owner_efi_user_cfg - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - when: - - configure_strategy | bool - - file_owner_efi_user_cfg | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - -- name: Test for existence /boot/grub2/user.cfg - stat: - path: /boot/grub2/user.cfg - register: file_exists - when: - - configure_strategy | bool - - file_owner_efi_user_cfg | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list' - - '"grub2-common" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-86022-1 - - CJIS-5.5.2.2 - - NIST-800-171-3.4.5 - - NIST-800-53-AC-6(1) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-7.1 - - configure_strategy - - file_owner_efi_user_cfg - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - -- name: Ensure owner 0 on /boot/grub2/user.cfg - file: - path: /boot/grub2/user.cfg - owner: '0' - when: - - configure_strategy | bool - - file_owner_efi_user_cfg | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list' - - '"grub2-common" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - file_exists.stat is defined and file_exists.stat.exists - tags: - 
- CCE-86022-1 - - CJIS-5.5.2.2 - - NIST-800-171-3.4.5 - - NIST-800-53-AC-6(1) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-7.1 - - configure_strategy - - file_owner_efi_user_cfg - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-85925-6 - - NIST-800-171-3.4.5 - - NIST-800-53-AC-6(1) - - NIST-800-53-CM-6(a) - - configure_strategy - - file_permissions_efi_grub2_cfg - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - when: - - configure_strategy | bool - - file_permissions_efi_grub2_cfg | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - -- name: Test for existence /boot/grub2/grub.cfg - stat: - path: /boot/grub2/grub.cfg - register: file_exists - when: - - configure_strategy | bool - - file_permissions_efi_grub2_cfg | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list' - - '"grub2-common" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-85925-6 - - NIST-800-171-3.4.5 - - NIST-800-53-AC-6(1) - - NIST-800-53-CM-6(a) - - configure_strategy - - file_permissions_efi_grub2_cfg - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - -- name: Ensure permission u-s,g-xwrs,o-xwrt on /boot/grub2/grub.cfg - file: - path: /boot/grub2/grub.cfg - mode: u-s,g-xwrs,o-xwrt - when: - - configure_strategy | bool - - file_permissions_efi_grub2_cfg | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list' - - '"grub2-common" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", 
"container"] - - file_exists.stat is defined and file_exists.stat.exists - tags: - - CCE-85925-6 - - NIST-800-171-3.4.5 - - NIST-800-53-AC-6(1) - - NIST-800-53-CM-6(a) - - configure_strategy - - file_permissions_efi_grub2_cfg - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-86029-6 - - NIST-800-171-3.4.5 - - NIST-800-53-AC-6(1) - - NIST-800-53-CM-6(a) - - configure_strategy - - file_permissions_efi_user_cfg - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - when: - - configure_strategy | bool - - file_permissions_efi_user_cfg | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - -- name: Test for existence /boot/grub2/user.cfg - stat: - path: /boot/grub2/user.cfg - register: file_exists - when: - - configure_strategy | bool - - file_permissions_efi_user_cfg | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list' - - '"grub2-common" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-86029-6 - - NIST-800-171-3.4.5 - - NIST-800-53-AC-6(1) - - NIST-800-53-CM-6(a) - - configure_strategy - - file_permissions_efi_user_cfg - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - -- name: Ensure permission u-xs,g-xwrs,o-xwrt on /boot/grub2/user.cfg - file: - path: /boot/grub2/user.cfg - mode: u-xs,g-xwrs,o-xwrt - when: - - configure_strategy | bool - - file_permissions_efi_user_cfg | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list' - - '"grub2-common" in ansible_facts.packages' - - ansible_virtualization_type not 
in ["docker", "lxc", "openvz", "podman", "container"] - - file_exists.stat is defined and file_exists.stat.exists - tags: - - CCE-86029-6 - - NIST-800-171-3.4.5 - - NIST-800-53-AC-6(1) - - NIST-800-53-CM-6(a) - - configure_strategy - - file_permissions_efi_user_cfg - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - name: Ensure rsyslog is installed package: name: rsyslog @@ -22587,28 +25345,6 @@ - no_reboot_needed - restrict_strategy -- name: Ensure firewalld is installed - package: - name: firewalld - state: present - when: - - enable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - package_firewalld_installed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-84021-5 - - NIST-800-53-CM-6(a) - - enable_strategy - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - package_firewalld_installed - - name: Enable service firewalld block: - name: Gather the package facts 
@@ -24718,120 +27454,76 @@ - reboot_required - sysctl_net_ipv4_ip_forward -- name: Ensure kernel module 'dccp' is disabled +- name: Ensure nftables is installed + package: + name: nftables + state: present + tags: + - CCE-86378-7 + - enable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - package_nftables_installed + when: + - enable_strategy | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - package_nftables_installed | bool + +- name: Ensure kernel module 'tipc' is disabled lineinfile: create: true - dest: /etc/modprobe.d/dccp.conf - regexp: dccp - line: install dccp /bin/true + dest: /etc/modprobe.d/tipc.conf + regexp: tipc + line: install tipc /bin/true when: - disable_strategy | bool - - kernel_module_dccp_disabled | bool + - kernel_module_tipc_disabled | bool - low_complexity | bool + - low_severity | bool - medium_disruption | bool - - medium_severity | bool - reboot_required | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-84136-1 - - CJIS-5.10.1 - - NIST-800-171-3.4.6 + - CCE-84065-2 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - - PCI-DSS-Req-1.4.2 - disable_strategy - - kernel_module_dccp_disabled + - kernel_module_tipc_disabled - low_complexity + - low_severity - medium_disruption - - medium_severity - reboot_required -- name: Ensure kernel module 'dccp' is blacklisted +- name: Ensure kernel module 'tipc' is blacklisted lineinfile: create: true - dest: /etc/modprobe.d/dccp.conf - regexp: ^blacklist dccp$ - line: blacklist dccp + dest: /etc/modprobe.d/tipc.conf + regexp: ^blacklist tipc$ + line: blacklist tipc when: - disable_strategy | bool - - kernel_module_dccp_disabled | bool + - kernel_module_tipc_disabled | bool - low_complexity | bool + - low_severity | bool - medium_disruption | bool - - medium_severity | bool - reboot_required | bool - 
ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-84136-1 - - CJIS-5.10.1 - - NIST-800-171-3.4.6 + - CCE-84065-2 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - - PCI-DSS-Req-1.4.2 - disable_strategy - - kernel_module_dccp_disabled + - kernel_module_tipc_disabled - low_complexity + - low_severity - medium_disruption - - medium_severity - - reboot_required - -- name: Ensure kernel module 'sctp' is disabled - lineinfile: - create: true - dest: /etc/modprobe.d/sctp.conf - regexp: sctp - line: install sctp /bin/true - when: - - disable_strategy | bool - - kernel_module_sctp_disabled | bool - - low_complexity | bool - - medium_disruption | bool - - medium_severity | bool - - reboot_required | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-84139-5 - - CJIS-5.10.1 - - NIST-800-171-3.4.6 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - PCI-DSS-Req-1.4.2 - - disable_strategy - - kernel_module_sctp_disabled - - low_complexity - - medium_disruption - - medium_severity - - reboot_required - -- name: Ensure kernel module 'sctp' is blacklisted - lineinfile: - create: true - dest: /etc/modprobe.d/sctp.conf - regexp: ^blacklist sctp$ - line: blacklist sctp - when: - - disable_strategy | bool - - kernel_module_sctp_disabled | bool - - low_complexity | bool - - medium_disruption | bool - - medium_severity | bool - - reboot_required | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-84139-5 - - CJIS-5.10.1 - - NIST-800-171-3.4.6 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - PCI-DSS-Req-1.4.2 - - disable_strategy - - kernel_module_sctp_disabled - - low_complexity - - medium_disruption - - medium_severity - reboot_required - name: Gather the package facts 
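Review bot: `regexp: tipc` on the new `Ensure kernel module 'tipc' is disabled` task is unanchored, so once the following task has written `blacklist tipc` into the same /etc/modprobe.d/tipc.conf, a later run of the first task also matches that line and lineinfile rewrites the last match, which appears to leave the pair non-idempotent and the file growing duplicate lines across runs. Anchoring the pattern to the line this task owns avoids that: `regexp: ^install tipc`. The removed dccp and sctp lines in this hunk used the same unanchored form, so the remaining kernel_module_*_disabled tasks outside this hunk likely need the same fix. Separately, the added nftables install task carries no `ansible_virtualization_type` guard, unlike the firewalld install task this commit removes; if container hosts are meant to be excluded here as well, the condition should be added to its `when:` list.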
@@ -24861,9 +27553,12 @@ - unknown_strategy | bool - wireless_disable_interfaces | bool -- name: Check if NetworkManager is installed - ansible.builtin.package_facts: - manager: auto +- name: Ensure NetworkManager is installed + ansible.builtin.package: + name: '{{ item }}' + state: present + with_items: + - NetworkManager tags: - CCE-84066-0 - NIST-800-171-3.1.16 @@ -24888,34 +27583,6 @@ - unknown_strategy | bool - wireless_disable_interfaces | bool -- name: Error message when NetworkManager not installed - fail: - msg: NetworkManager package not installed - when: - - low_complexity | bool - - medium_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - unknown_strategy | bool - - wireless_disable_interfaces | bool - - '''NetworkManager'' not in ansible_facts.packages' - tags: - - CCE-84066-0 - - NIST-800-171-3.1.16 - - NIST-800-53-AC-18(3) - - NIST-800-53-AC-18(a) - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - NIST-800-53-MP-7 - - PCI-DSS-Req-1.3.3 - - low_complexity - - medium_disruption - - medium_severity - - no_reboot_needed - - unknown_strategy - - wireless_disable_interfaces - - name: Deactivate Wireless Network Interfaces command: nmcli radio wifi off when: 
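Review bot: `with_items` on the new `Ensure NetworkManager is installed` task loops over a single package name; `ansible.builtin.package` accepts a name or a list directly, so `name: NetworkManager` with the `with_items` and `'{{ item }}'` indirection dropped installs it in one transaction and matches how the other package tasks in this file are written. The replacement also turns a presence check into an install, which is what the fail task removed in the second hunk used to guard; if the rule should still avoid pulling NetworkManager onto hosts that manage networking differently, keeping a `package_facts` check in front of the install would preserve that. The `Deactivate Wireless Network Interfaces` task that follows continues outside the hunk.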
@@ -26083,147 +28750,866 @@ - medium_severity - no_reboot_needed -- name: Disable service autofs - block: - - name: Disable service autofs - systemd: - name: autofs.service - enabled: 'no' - state: stopped - masked: 'yes' - ignore_errors: 'yes' - when: - - disable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - service_autofs_disabled | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] +- name: Test for existence /sbin/auditctl + stat: + path: /sbin/auditctl + register: file_exists tags: - - CCE-83850-8 - - NIST-800-171-3.4.6 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - NIST-800-53-MP-7 - - disable_strategy + - CCE-86457-9 + - configure_strategy + - file_groupownership_audit_binaries - low_complexity - low_disruption - medium_severity - no_reboot_needed - - service_autofs_disabled - -- name: Unit Socket Exists - autofs.socket - command: systemctl list-unit-files autofs.socket - register: socket_file_exists - changed_when: false - ignore_errors: true - check_mode: false when: - - disable_strategy | bool + - configure_strategy | bool + - file_groupownership_audit_binaries | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - service_autofs_disabled | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-83850-8 - - NIST-800-171-3.4.6 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - NIST-800-53-MP-7 - - disable_strategy - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - service_autofs_disabled -- name: Disable socket autofs - systemd: - name: autofs.socket - enabled: 'no' - state: stopped - masked: 'yes' +- name: Ensure group owner 0 on /sbin/auditctl + file: + path: /sbin/auditctl + group: '0' when: - - disable_strategy | bool + - 
configure_strategy | bool + - file_groupownership_audit_binaries | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - service_autofs_disabled | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - '"autofs.socket" in socket_file_exists.stdout_lines[1]' + - file_exists.stat is defined and file_exists.stat.exists tags: - - CCE-83850-8 - - NIST-800-171-3.4.6 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - NIST-800-53-MP-7 - - disable_strategy + - CCE-86457-9 + - configure_strategy + - file_groupownership_audit_binaries - low_complexity - low_disruption - medium_severity - no_reboot_needed - - service_autofs_disabled -- name: Ensure kernel module 'cramfs' is disabled - lineinfile: - create: true - dest: /etc/modprobe.d/cramfs.conf - regexp: cramfs - line: install cramfs /bin/true - when: - - disable_strategy | bool - - kernel_module_cramfs_disabled | bool - - low_complexity | bool - - low_severity | bool - - medium_disruption | bool - - reboot_required | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] +- name: Test for existence /sbin/aureport + stat: + path: /sbin/aureport + register: file_exists tags: - - CCE-83853-2 - - NIST-800-171-3.4.6 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - disable_strategy - - kernel_module_cramfs_disabled + - CCE-86457-9 + - configure_strategy + - file_groupownership_audit_binaries - low_complexity - - low_severity - - medium_disruption - - reboot_required + - low_disruption + - medium_severity + - no_reboot_needed + when: + - configure_strategy | bool + - file_groupownership_audit_binaries | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool -- name: Ensure kernel module 'cramfs' is blacklisted - lineinfile: - create: true - dest: /etc/modprobe.d/cramfs.conf - regexp: 
^blacklist cramfs$ - line: blacklist cramfs +- name: Ensure group owner 0 on /sbin/aureport + file: + path: /sbin/aureport + group: '0' when: - - disable_strategy | bool - - kernel_module_cramfs_disabled | bool + - configure_strategy | bool + - file_groupownership_audit_binaries | bool - low_complexity | bool - - low_severity | bool - - medium_disruption | bool - - reboot_required | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - file_exists.stat is defined and file_exists.stat.exists tags: - - CCE-83853-2 - - NIST-800-171-3.4.6 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - disable_strategy - - kernel_module_cramfs_disabled + - CCE-86457-9 + - configure_strategy + - file_groupownership_audit_binaries - low_complexity - - low_severity - - medium_disruption - - reboot_required + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Test for existence /sbin/ausearch + stat: + path: /sbin/ausearch + register: file_exists + tags: + - CCE-86457-9 + - configure_strategy + - file_groupownership_audit_binaries + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + when: + - configure_strategy | bool + - file_groupownership_audit_binaries | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + +- name: Ensure group owner 0 on /sbin/ausearch + file: + path: /sbin/ausearch + group: '0' + when: + - configure_strategy | bool + - file_groupownership_audit_binaries | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - file_exists.stat is defined and file_exists.stat.exists + tags: + - CCE-86457-9 + - configure_strategy + - file_groupownership_audit_binaries + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Test for 
existence /sbin/autrace + stat: + path: /sbin/autrace + register: file_exists + tags: + - CCE-86457-9 + - configure_strategy + - file_groupownership_audit_binaries + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + when: + - configure_strategy | bool + - file_groupownership_audit_binaries | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + +- name: Ensure group owner 0 on /sbin/autrace + file: + path: /sbin/autrace + group: '0' + when: + - configure_strategy | bool + - file_groupownership_audit_binaries | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - file_exists.stat is defined and file_exists.stat.exists + tags: + - CCE-86457-9 + - configure_strategy + - file_groupownership_audit_binaries + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Test for existence /sbin/auditd + stat: + path: /sbin/auditd + register: file_exists + tags: + - CCE-86457-9 + - configure_strategy + - file_groupownership_audit_binaries + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + when: + - configure_strategy | bool + - file_groupownership_audit_binaries | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + +- name: Ensure group owner 0 on /sbin/auditd + file: + path: /sbin/auditd + group: '0' + when: + - configure_strategy | bool + - file_groupownership_audit_binaries | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - file_exists.stat is defined and file_exists.stat.exists + tags: + - CCE-86457-9 + - configure_strategy + - file_groupownership_audit_binaries + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Test for existence /sbin/audispd + stat: + path: /sbin/audispd + register: file_exists + 
tags: + - CCE-86457-9 + - configure_strategy + - file_groupownership_audit_binaries + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + when: + - configure_strategy | bool + - file_groupownership_audit_binaries | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + +- name: Ensure group owner 0 on /sbin/audispd + file: + path: /sbin/audispd + group: '0' + when: + - configure_strategy | bool + - file_groupownership_audit_binaries | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - file_exists.stat is defined and file_exists.stat.exists + tags: + - CCE-86457-9 + - configure_strategy + - file_groupownership_audit_binaries + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Test for existence /sbin/augenrules + stat: + path: /sbin/augenrules + register: file_exists + tags: + - CCE-86457-9 + - configure_strategy + - file_groupownership_audit_binaries + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + when: + - configure_strategy | bool + - file_groupownership_audit_binaries | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + +- name: Ensure group owner 0 on /sbin/augenrules + file: + path: /sbin/augenrules + group: '0' + when: + - configure_strategy | bool + - file_groupownership_audit_binaries | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - file_exists.stat is defined and file_exists.stat.exists + tags: + - CCE-86457-9 + - configure_strategy + - file_groupownership_audit_binaries + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Test for existence /sbin/auditctl + stat: + path: /sbin/auditctl + register: file_exists + tags: + - CCE-86454-6 + - configure_strategy + - 
file_ownership_audit_binaries + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + when: + - configure_strategy | bool + - file_ownership_audit_binaries | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + +- name: Ensure owner 0 on /sbin/auditctl + file: + path: /sbin/auditctl + owner: '0' + when: + - configure_strategy | bool + - file_ownership_audit_binaries | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - file_exists.stat is defined and file_exists.stat.exists + tags: + - CCE-86454-6 + - configure_strategy + - file_ownership_audit_binaries + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Test for existence /sbin/aureport + stat: + path: /sbin/aureport + register: file_exists + tags: + - CCE-86454-6 + - configure_strategy + - file_ownership_audit_binaries + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + when: + - configure_strategy | bool + - file_ownership_audit_binaries | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + +- name: Ensure owner 0 on /sbin/aureport + file: + path: /sbin/aureport + owner: '0' + when: + - configure_strategy | bool + - file_ownership_audit_binaries | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - file_exists.stat is defined and file_exists.stat.exists + tags: + - CCE-86454-6 + - configure_strategy + - file_ownership_audit_binaries + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Test for existence /sbin/ausearch + stat: + path: /sbin/ausearch + register: file_exists + tags: + - CCE-86454-6 + - configure_strategy + - file_ownership_audit_binaries + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + when: + 
- configure_strategy | bool + - file_ownership_audit_binaries | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + +- name: Ensure owner 0 on /sbin/ausearch + file: + path: /sbin/ausearch + owner: '0' + when: + - configure_strategy | bool + - file_ownership_audit_binaries | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - file_exists.stat is defined and file_exists.stat.exists + tags: + - CCE-86454-6 + - configure_strategy + - file_ownership_audit_binaries + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Test for existence /sbin/autrace + stat: + path: /sbin/autrace + register: file_exists + tags: + - CCE-86454-6 + - configure_strategy + - file_ownership_audit_binaries + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + when: + - configure_strategy | bool + - file_ownership_audit_binaries | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + +- name: Ensure owner 0 on /sbin/autrace + file: + path: /sbin/autrace + owner: '0' + when: + - configure_strategy | bool + - file_ownership_audit_binaries | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - file_exists.stat is defined and file_exists.stat.exists + tags: + - CCE-86454-6 + - configure_strategy + - file_ownership_audit_binaries + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Test for existence /sbin/auditd + stat: + path: /sbin/auditd + register: file_exists + tags: + - CCE-86454-6 + - configure_strategy + - file_ownership_audit_binaries + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + when: + - configure_strategy | bool + - file_ownership_audit_binaries | bool + - low_complexity | bool + - low_disruption | bool + - 
medium_severity | bool + - no_reboot_needed | bool + +- name: Ensure owner 0 on /sbin/auditd + file: + path: /sbin/auditd + owner: '0' + when: + - configure_strategy | bool + - file_ownership_audit_binaries | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - file_exists.stat is defined and file_exists.stat.exists + tags: + - CCE-86454-6 + - configure_strategy + - file_ownership_audit_binaries + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Test for existence /sbin/audispd + stat: + path: /sbin/audispd + register: file_exists + tags: + - CCE-86454-6 + - configure_strategy + - file_ownership_audit_binaries + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + when: + - configure_strategy | bool + - file_ownership_audit_binaries | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + +- name: Ensure owner 0 on /sbin/audispd + file: + path: /sbin/audispd + owner: '0' + when: + - configure_strategy | bool + - file_ownership_audit_binaries | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - file_exists.stat is defined and file_exists.stat.exists + tags: + - CCE-86454-6 + - configure_strategy + - file_ownership_audit_binaries + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Test for existence /sbin/augenrules + stat: + path: /sbin/augenrules + register: file_exists + tags: + - CCE-86454-6 + - configure_strategy + - file_ownership_audit_binaries + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + when: + - configure_strategy | bool + - file_ownership_audit_binaries | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + +- name: Ensure owner 0 on /sbin/augenrules + file: + path: 
/sbin/augenrules + owner: '0' + when: + - configure_strategy | bool + - file_ownership_audit_binaries | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - file_exists.stat is defined and file_exists.stat.exists + tags: + - CCE-86454-6 + - configure_strategy + - file_ownership_audit_binaries + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Test for existence /sbin/auditctl + stat: + path: /sbin/auditctl + register: file_exists + tags: + - CCE-86448-8 + - configure_strategy + - file_permissions_audit_binaries + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + when: + - configure_strategy | bool + - file_permissions_audit_binaries | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + +- name: Ensure permission u-s,g-ws,o-wt on /sbin/auditctl + file: + path: /sbin/auditctl + mode: u-s,g-ws,o-wt + when: + - configure_strategy | bool + - file_permissions_audit_binaries | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - file_exists.stat is defined and file_exists.stat.exists + tags: + - CCE-86448-8 + - configure_strategy + - file_permissions_audit_binaries + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Test for existence /sbin/aureport + stat: + path: /sbin/aureport + register: file_exists + tags: + - CCE-86448-8 + - configure_strategy + - file_permissions_audit_binaries + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + when: + - configure_strategy | bool + - file_permissions_audit_binaries | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + +- name: Ensure permission u-s,g-ws,o-wt on /sbin/aureport + file: + path: /sbin/aureport + mode: u-s,g-ws,o-wt + when: + - 
configure_strategy | bool + - file_permissions_audit_binaries | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - file_exists.stat is defined and file_exists.stat.exists + tags: + - CCE-86448-8 + - configure_strategy + - file_permissions_audit_binaries + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Test for existence /sbin/ausearch + stat: + path: /sbin/ausearch + register: file_exists + tags: + - CCE-86448-8 + - configure_strategy + - file_permissions_audit_binaries + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + when: + - configure_strategy | bool + - file_permissions_audit_binaries | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + +- name: Ensure permission u-s,g-ws,o-wt on /sbin/ausearch + file: + path: /sbin/ausearch + mode: u-s,g-ws,o-wt + when: + - configure_strategy | bool + - file_permissions_audit_binaries | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - file_exists.stat is defined and file_exists.stat.exists + tags: + - CCE-86448-8 + - configure_strategy + - file_permissions_audit_binaries + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Test for existence /sbin/autrace + stat: + path: /sbin/autrace + register: file_exists + tags: + - CCE-86448-8 + - configure_strategy + - file_permissions_audit_binaries + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + when: + - configure_strategy | bool + - file_permissions_audit_binaries | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + +- name: Ensure permission u-s,g-ws,o-wt on /sbin/autrace + file: + path: /sbin/autrace + mode: u-s,g-ws,o-wt + when: + - configure_strategy | bool + - 
file_permissions_audit_binaries | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - file_exists.stat is defined and file_exists.stat.exists + tags: + - CCE-86448-8 + - configure_strategy + - file_permissions_audit_binaries + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Test for existence /sbin/auditd + stat: + path: /sbin/auditd + register: file_exists + tags: + - CCE-86448-8 + - configure_strategy + - file_permissions_audit_binaries + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + when: + - configure_strategy | bool + - file_permissions_audit_binaries | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + +- name: Ensure permission u-s,g-ws,o-wt on /sbin/auditd + file: + path: /sbin/auditd + mode: u-s,g-ws,o-wt + when: + - configure_strategy | bool + - file_permissions_audit_binaries | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - file_exists.stat is defined and file_exists.stat.exists + tags: + - CCE-86448-8 + - configure_strategy + - file_permissions_audit_binaries + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Test for existence /sbin/audispd + stat: + path: /sbin/audispd + register: file_exists + tags: + - CCE-86448-8 + - configure_strategy + - file_permissions_audit_binaries + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + when: + - configure_strategy | bool + - file_permissions_audit_binaries | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + +- name: Ensure permission u-s,g-ws,o-wt on /sbin/audispd + file: + path: /sbin/audispd + mode: u-s,g-ws,o-wt + when: + - configure_strategy | bool + - file_permissions_audit_binaries | bool + - low_complexity | 
bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - file_exists.stat is defined and file_exists.stat.exists + tags: + - CCE-86448-8 + - configure_strategy + - file_permissions_audit_binaries + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Test for existence /sbin/augenrules + stat: + path: /sbin/augenrules + register: file_exists + tags: + - CCE-86448-8 + - configure_strategy + - file_permissions_audit_binaries + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + when: + - configure_strategy | bool + - file_permissions_audit_binaries | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + +- name: Ensure permission u-s,g-ws,o-wt on /sbin/augenrules + file: + path: /sbin/augenrules + mode: u-s,g-ws,o-wt + when: + - configure_strategy | bool + - file_permissions_audit_binaries | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - file_exists.stat is defined and file_exists.stat.exists + tags: + - CCE-86448-8 + - configure_strategy + - file_permissions_audit_binaries + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed - name: Ensure kernel module 'squashfs' is disabled lineinfile: 
@@ -26849,135 +30235,6 @@ - mount_option_dev_shm_nosuid - no_reboot_needed -- name: 'Add grpquota Option to /home: Check information associated to mountpoint' - command: findmnt --fstab '/home' - register: device_name - failed_when: device_name.rc > 1 - changed_when: false - when: - - configure_strategy | bool - - high_disruption | bool - - low_complexity | bool - - medium_severity | bool - - mount_option_home_grpquota | bool - - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-86042-9 - - NIST-800-53-CM-6(b) - - configure_strategy - - high_disruption - - low_complexity - - medium_severity - - mount_option_home_grpquota - - no_reboot_needed - -- name: 'Add grpquota Option to /home: Create mount_info dictionary variable' - set_fact: - mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}' - with_together: - - '{{ device_name.stdout_lines[0].split() | list | lower }}' - - '{{ device_name.stdout_lines[1].split() | list }}' - when: - - configure_strategy | bool - - high_disruption | bool - - low_complexity | bool - - medium_severity | bool - - mount_option_home_grpquota | bool - - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - device_name.stdout is defined and device_name.stdout_lines is defined - - (device_name.stdout | length > 0) - tags: - - CCE-86042-9 - - NIST-800-53-CM-6(b) - - configure_strategy - - high_disruption - - low_complexity - - medium_severity - - mount_option_home_grpquota - - no_reboot_needed - -- name: 'Add grpquota Option to /home: If /home not mounted, craft mount_info manually' - set_fact: - mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}' - with_together: - - - target - - source - - fstype - - options - - - /home - - '' - - '' - - defaults - when: - - configure_strategy | bool - - high_disruption | bool - - low_complexity | bool - - medium_severity | bool - - 
mount_option_home_grpquota | bool - - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - ("--fstab" | length == 0) - - (device_name.stdout | length == 0) - tags: - - CCE-86042-9 - - NIST-800-53-CM-6(b) - - configure_strategy - - high_disruption - - low_complexity - - medium_severity - - mount_option_home_grpquota - - no_reboot_needed - -- name: 'Add grpquota Option to /home: Make sure grpquota option is part of the to /home options' - set_fact: - mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',grpquota'' }) }}' - when: - - configure_strategy | bool - - high_disruption | bool - - low_complexity | bool - - medium_severity | bool - - mount_option_home_grpquota | bool - - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - mount_info is defined and "grpquota" not in mount_info.options - tags: - - CCE-86042-9 - - NIST-800-53-CM-6(b) - - configure_strategy - - high_disruption - - low_complexity - - medium_severity - - mount_option_home_grpquota - - no_reboot_needed - -- name: 'Add grpquota Option to /home: Ensure /home is mounted with grpquota option' - mount: - path: /home - src: '{{ mount_info.source }}' - opts: '{{ mount_info.options }}' - state: mounted - fstype: '{{ mount_info.fstype }}' - when: - - configure_strategy | bool - - high_disruption | bool - - low_complexity | bool - - medium_severity | bool - - mount_option_home_grpquota | bool - - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0) - tags: - - CCE-86042-9 - - NIST-800-53-CM-6(b) - - configure_strategy - - high_disruption - - low_complexity - - medium_severity - - mount_option_home_grpquota - - no_reboot_needed - - name: 'Add nodev Option to /home: Check information associated to 
mountpoint' command: findmnt --fstab '/home' register: device_name 
@@ -27256,135 +30513,6 @@ - mount_option_home_nosuid - no_reboot_needed -- name: 'Add usrquota Option to /home: Check information associated to mountpoint' - command: findmnt --fstab '/home' - register: device_name - failed_when: device_name.rc > 1 - changed_when: false - when: - - configure_strategy | bool - - high_disruption | bool - - low_complexity | bool - - medium_severity | bool - - mount_option_home_usrquota | bool - - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-86036-1 - - NIST-800-53-CM-6(b) - - configure_strategy - - high_disruption - - low_complexity - - medium_severity - - mount_option_home_usrquota - - no_reboot_needed - -- name: 'Add usrquota Option to /home: Create mount_info dictionary variable' - set_fact: - mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}' - with_together: - - '{{ device_name.stdout_lines[0].split() | list | lower }}' - - '{{ device_name.stdout_lines[1].split() | list }}' - when: - - configure_strategy | bool - - high_disruption | bool - - low_complexity | bool - - medium_severity | bool - - mount_option_home_usrquota | bool - - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - device_name.stdout is defined and device_name.stdout_lines is defined - - (device_name.stdout | length > 0) - tags: - - CCE-86036-1 - - NIST-800-53-CM-6(b) - - configure_strategy - - high_disruption - - low_complexity - - medium_severity - - mount_option_home_usrquota - - no_reboot_needed - -- name: 'Add usrquota Option to /home: If /home not mounted, craft mount_info manually' - set_fact: - mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}' - with_together: - - - target - - source - - fstype - - options - - - /home - - '' - - '' - - defaults - when: - - configure_strategy | bool - - high_disruption | bool - - low_complexity | bool - - medium_severity | bool - - 
mount_option_home_usrquota | bool - - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - ("--fstab" | length == 0) - - (device_name.stdout | length == 0) - tags: - - CCE-86036-1 - - NIST-800-53-CM-6(b) - - configure_strategy - - high_disruption - - low_complexity - - medium_severity - - mount_option_home_usrquota - - no_reboot_needed - -- name: 'Add usrquota Option to /home: Make sure usrquota option is part of the to /home options' - set_fact: - mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',usrquota'' }) }}' - when: - - configure_strategy | bool - - high_disruption | bool - - low_complexity | bool - - medium_severity | bool - - mount_option_home_usrquota | bool - - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - mount_info is defined and "usrquota" not in mount_info.options - tags: - - CCE-86036-1 - - NIST-800-53-CM-6(b) - - configure_strategy - - high_disruption - - low_complexity - - medium_severity - - mount_option_home_usrquota - - no_reboot_needed - -- name: 'Add usrquota Option to /home: Ensure /home is mounted with usrquota option' - mount: - path: /home - src: '{{ mount_info.source }}' - opts: '{{ mount_info.options }}' - state: mounted - fstype: '{{ mount_info.fstype }}' - when: - - configure_strategy | bool - - high_disruption | bool - - low_complexity | bool - - medium_severity | bool - - mount_option_home_usrquota | bool - - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0) - tags: - - CCE-86036-1 - - NIST-800-53-CM-6(b) - - configure_strategy - - high_disruption - - low_complexity - - medium_severity - - mount_option_home_usrquota - - no_reboot_needed - - name: 'Add nodev Option to /tmp: Check information associated to 
mountpoint' command: findmnt --fstab '/tmp' register: device_name 
@@ -28940,130 +32068,6 @@ - mount_option_var_nodev - no_reboot_needed -- name: 'Add noexec Option to /var: Check information associated to mountpoint' - command: findmnt --fstab '/var' - register: device_name - failed_when: device_name.rc > 1 - changed_when: false - when: - - configure_strategy | bool - - high_disruption | bool - - low_complexity | bool - - medium_severity | bool - - mount_option_var_noexec | bool - - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-83865-6 - - configure_strategy - - high_disruption - - low_complexity - - medium_severity - - mount_option_var_noexec - - no_reboot_needed - -- name: 'Add noexec Option to /var: Create mount_info dictionary variable' - set_fact: - mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}' - with_together: - - '{{ device_name.stdout_lines[0].split() | list | lower }}' - - '{{ device_name.stdout_lines[1].split() | list }}' - when: - - configure_strategy | bool - - high_disruption | bool - - low_complexity | bool - - medium_severity | bool - - mount_option_var_noexec | bool - - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - device_name.stdout is defined and device_name.stdout_lines is defined - - (device_name.stdout | length > 0) - tags: - - CCE-83865-6 - - configure_strategy - - high_disruption - - low_complexity - - medium_severity - - mount_option_var_noexec - - no_reboot_needed - -- name: 'Add noexec Option to /var: If /var not mounted, craft mount_info manually' - set_fact: - mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}' - with_together: - - - target - - source - - fstype - - options - - - /var - - '' - - '' - - defaults - when: - - configure_strategy | bool - - high_disruption | bool - - low_complexity | bool - - medium_severity | bool - - mount_option_var_noexec | bool - - no_reboot_needed | bool - - 
ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - ("--fstab" | length == 0) - - (device_name.stdout | length == 0) - tags: - - CCE-83865-6 - - configure_strategy - - high_disruption - - low_complexity - - medium_severity - - mount_option_var_noexec - - no_reboot_needed - -- name: 'Add noexec Option to /var: Make sure noexec option is part of the to /var options' - set_fact: - mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',noexec'' }) }}' - when: - - configure_strategy | bool - - high_disruption | bool - - low_complexity | bool - - medium_severity | bool - - mount_option_var_noexec | bool - - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - mount_info is defined and "noexec" not in mount_info.options - tags: - - CCE-83865-6 - - configure_strategy - - high_disruption - - low_complexity - - medium_severity - - mount_option_var_noexec - - no_reboot_needed - -- name: 'Add noexec Option to /var: Ensure /var is mounted with noexec option' - mount: - path: /var - src: '{{ mount_info.source }}' - opts: '{{ mount_info.options }}' - state: mounted - fstype: '{{ mount_info.fstype }}' - when: - - configure_strategy | bool - - high_disruption | bool - - low_complexity | bool - - medium_severity | bool - - mount_option_var_noexec | bool - - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0) - tags: - - CCE-83865-6 - - configure_strategy - - high_disruption - - low_complexity - - medium_severity - - mount_option_var_noexec - - no_reboot_needed - - name: 'Add nosuid Option to /var: Check information associated to mountpoint' command: findmnt --fstab '/var' register: device_name 
@@ -30888,6 +33892,52 @@ - medium_severity - no_reboot_needed +- name: Ensure dhcp-server is removed + package: + name: dhcp-server + state: absent + tags: + - CCE-84240-1 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - disable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - package_dhcp_removed + when: + - disable_strategy | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - package_dhcp_removed | bool + +- name: Ensure bind is removed + package: + name: bind + state: absent + tags: + - CCE-86505-5 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - disable_strategy + - low_complexity + - low_disruption + - low_severity + - no_reboot_needed + - package_bind_removed + when: + - disable_strategy | bool + - low_complexity | bool + - low_disruption | bool + - low_severity | bool + - no_reboot_needed | bool + - package_bind_removed | bool + - name: Ensure vsftpd is removed package: name: vsftpd 
@@ -31036,6 +34086,79 @@ - postfix_network_listening_disabled - restrict_strategy +- name: Disable service rpcbind + block: + - name: Disable service rpcbind + systemd: + name: rpcbind.service + enabled: 'no' + state: stopped + masked: 'yes' + ignore_errors: 'yes' + when: + - disable_strategy | bool + - low_complexity | bool + - low_disruption | bool + - low_severity | bool + - no_reboot_needed | bool + - service_rpcbind_disabled | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-84245-0 + - disable_strategy + - low_complexity + - low_disruption + - low_severity + - no_reboot_needed + - service_rpcbind_disabled + +- name: Unit Socket Exists - rpcbind.socket + command: systemctl list-unit-files rpcbind.socket + register: socket_file_exists + changed_when: false + ignore_errors: true + check_mode: false + when: + - disable_strategy | bool + - low_complexity | bool + - low_disruption | bool + - low_severity | bool + - no_reboot_needed | bool + - service_rpcbind_disabled | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-84245-0 + - disable_strategy + - low_complexity + - low_disruption + - low_severity + - no_reboot_needed + - service_rpcbind_disabled + +- name: Disable socket rpcbind + systemd: + name: rpcbind.socket + enabled: 'no' + state: stopped + masked: 'yes' + when: + - disable_strategy | bool + - low_complexity | bool + - low_disruption | bool + - low_severity | bool + - no_reboot_needed | bool + - service_rpcbind_disabled | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - '"rpcbind.socket" in socket_file_exists.stdout_lines[1]' + tags: + - CCE-84245-0 + - disable_strategy + - low_complexity + - low_disruption + - low_severity + - no_reboot_needed + - service_rpcbind_disabled + - name: Disable service nfs-server block: - name: Disable service nfs-server 
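Review bot: `ignore_errors: 'yes'` on the inner "Disable service rpcbind" systemd task hides every failure, so a host where rpcbind.service could not be stopped or masked still reports success and the rule looks remediated; the sibling "Disable socket rpcbind" task does not suppress errors, so the asymmetry looks accidental. If the intent is only to tolerate a missing unit, register the result and narrow the failure condition instead, e.g. `register: rpcbind_service_result` and `failed_when: rpcbind_service_result is failed and 'Could not find the requested service' not in (rpcbind_service_result.msg | default(''))`. The socket gate `'"rpcbind.socket" in socket_file_exists.stdout_lines[1]'` also assumes `systemctl list-unit-files` always prints at least two lines; on a systemd build that emits only `0 unit files listed.` for no match the index would be undefined and the task would error rather than skip, which `socket_file_exists.stdout_lines | default([]) | length > 1` (or matching on `stdout` directly) avoids. The quoted `'yes'`/`'no'` booleans are a style nit; `true`/`false` is the Ansible convention and sidesteps YAML 1.1 truthy ambiguity.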
@@ -31196,95 +34319,25 @@ - medium_severity - no_reboot_needed -- name: Ensure xinetd is removed +- name: Ensure rsync-daemon is removed package: - name: xinetd + name: rsync-daemon state: absent + tags: + - CCE-86336-5 + - disable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - package_rsync_removed when: - disable_strategy | bool - low_complexity | bool - low_disruption | bool - - low_severity | bool + - medium_severity | bool - no_reboot_needed | bool - - package_xinetd_removed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-84155-1 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - disable_strategy - - low_complexity - - low_disruption - - low_severity - - no_reboot_needed - - package_xinetd_removed - -- name: Ensure ypbind is removed - package: - name: ypbind - state: absent - tags: - - CCE-84151-0 - - disable_strategy - - low_complexity - - low_disruption - - no_reboot_needed - - package_ypbind_removed - - unknown_severity - when: - - disable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - no_reboot_needed | bool - - package_ypbind_removed | bool - - unknown_severity | bool - -- name: Ensure ypserv is removed - package: - name: ypserv - state: absent - tags: - - CCE-84152-8 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - NIST-800-53-IA-5(1)(c) - - PCI-DSS-Req-2.2.4 - - disable_strategy - - high_severity - - low_complexity - - low_disruption - - no_reboot_needed - - package_ypserv_removed - when: - - disable_strategy | bool - - high_severity | bool - - low_complexity | bool - - low_disruption | bool - - no_reboot_needed | bool - - package_ypserv_removed | bool - -- name: Ensure rsh is removed - package: - name: rsh - state: absent - tags: - - CCE-84142-9 - - NIST-800-171-3.1.13 - - disable_strategy - - low_complexity - - low_disruption - - no_reboot_needed - - 
package_rsh_removed - - unknown_severity - when: - - disable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - no_reboot_needed | bool - - package_rsh_removed | bool - - unknown_severity | bool + - package_rsync_removed | bool - block: - name: Detect .rhosts files in users home directories @@ -31327,26 +34380,6 @@ - no_rsh_trust_files | bool - restrict_strategy | bool -- name: Ensure talk is removed - package: - name: talk - state: absent - tags: - - CCE-84157-7 - - disable_strategy - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - package_talk_removed - when: - - disable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - package_talk_removed | bool - - name: Ensure telnet-server is removed package: name: telnet-server @@ -31435,6 +34468,29 @@ - no_reboot_needed | bool - package_tftp_removed | bool +- name: Ensure cups is removed + package: + name: cups + state: absent + tags: + - CCE-86300-1 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - disable_strategy + - low_complexity + - low_disruption + - no_reboot_needed + - package_cups_removed + - unknown_severity + when: + - disable_strategy | bool + - low_complexity | bool + - low_disruption | bool + - no_reboot_needed | bool + - package_cups_removed | bool + - unknown_severity | bool + - name: Ensure squid is removed package: name: squid 
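Review bot: The new `rsync-daemon` task is the only package-removal remediation in this hunk without NIST-800-53 CM-6(a)/CM-7 reference tags, unlike the `dhcp-server`, `bind` and `cups` tasks added in neighbouring hunks, so consumers selecting tasks by those tags will miss it; if the rule carries those references in its source, the tag list should match. The variable and tag are `package_rsync_removed` while the package is `rsync-daemon`; on targets where the daemon is not split out of `rsync` (a relatively recent Fedora/RHEL packaging change, to be confirmed per platform) the task is a silent no-op and deserves a comment such as `# rsync-daemon is a separate subpackage on Fedora/RHEL 9+; older targets ship the daemon inside rsync`. This hunk also drops the xinetd, ypbind, ypserv (high severity, PCI-DSS 2.2.4) and rsh removals with no replacement, and the commit message ("Updated tasks/main.yml") gives no reason; a one-line rationale in the commit description would help anyone auditing why these hardenings disappeared.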
@@ -31642,6 +34698,124 @@ - medium_severity - no_reboot_needed +- name: Find root:root-owned keys + command: find -H /etc/ssh/ -maxdepth 1 -user root -regex ".*_key$" -type f -group root -perm /u+xs,g+xwrs,o+xwrt + register: root_owned_keys + changed_when: false + failed_when: false + check_mode: false + when: + - configure_strategy | bool + - file_permissions_sshd_private_key | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-90820-2 + - NIST-800-171-3.1.13 + - NIST-800-171-3.13.10 + - NIST-800-53-AC-17(a) + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-2.2.6 + - configure_strategy + - file_permissions_sshd_private_key + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Set permissions for root:root-owned keys + file: + path: '{{ item }}' + mode: u-xs,g-xwrs,o-xwrt + state: file + with_items: + - '{{ root_owned_keys.stdout_lines }}' + when: + - configure_strategy | bool + - file_permissions_sshd_private_key | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-90820-2 + - NIST-800-171-3.1.13 + - NIST-800-171-3.13.10 + - NIST-800-53-AC-17(a) + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-2.2.6 + - configure_strategy + - file_permissions_sshd_private_key + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Find root:ssh_keys-owned keys + command: find -H /etc/ssh/ -maxdepth 1 -user root -regex ".*_key$" -type f -group ssh_keys -perm /u+xs,g+xws,o+xwrt + register: dedicated_group_owned_keys + changed_when: false + failed_when: false + check_mode: false + when: + - configure_strategy | bool + - file_permissions_sshd_private_key | 
bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-90820-2 + - NIST-800-171-3.1.13 + - NIST-800-171-3.13.10 + - NIST-800-53-AC-17(a) + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-2.2.6 + - configure_strategy + - file_permissions_sshd_private_key + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Set permissions for root:ssh_keys-owned keys + file: + path: '{{ item }}' + mode: u-xs,g-xws,o-xwrt + state: file + with_items: + - '{{ dedicated_group_owned_keys.stdout_lines }}' + when: + - configure_strategy | bool + - file_permissions_sshd_private_key | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-90820-2 + - NIST-800-171-3.1.13 + - NIST-800-171-3.13.10 + - NIST-800-53-AC-17(a) + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-2.2.6 + - configure_strategy + - file_permissions_sshd_private_key + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - name: Find /etc/ssh/ file(s) command: find -H /etc/ssh/ -maxdepth 1 -perm /u+xs,g+xws,o+xwt -type f -regex "^.*\.pub$" register: files_found 
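Review bot: `with_items: '{{ root_owned_keys.stdout_lines }}'` on "Set permissions for root:root-owned keys" (and the matching `dedicated_group_owned_keys` loop) is templated before the task's `when` list is evaluated, so on a container target where the preceding find was skipped the registered variable exists but has no `stdout_lines`, and the play fails with an undefined-attribute error instead of skipping — that is my reading of Ansible's loop/when ordering, to be confirmed on the target version. Using `with_items: '{{ root_owned_keys.stdout_lines | default([]) }}'` (and the same for the ssh_keys loop) keeps the skip path clean. Splitting `find` output on newlines is acceptable for the fixed `/etc/ssh` directory, but it is worth a comment that a key filename containing a newline would be split into two bogus paths, since `-regex ".*_key$"` does not guard against that.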
@@ -32279,6 +35453,67 @@ - restrict_strategy - sshd_enable_pam +- name: Enable SSH Warning Banner + block: + - name: Deduplicate values from /etc/ssh/sshd_config + lineinfile: + path: /etc/ssh/sshd_config + create: false + regexp: (?i)^\s*{{ "Banner"| regex_escape }}\s+ + state: absent + - name: Check if /etc/ssh/sshd_config.d exists + stat: + path: /etc/ssh/sshd_config.d + register: _etc_ssh_sshd_config_d_exists + - name: Check if the parameter Banner is present in /etc/ssh/sshd_config.d + find: + paths: /etc/ssh/sshd_config.d + recurse: 'yes' + follow: 'no' + contains: (?i)^\s*{{ "Banner"| regex_escape }}\s+ + register: _etc_ssh_sshd_config_d_has_parameter + when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir + - name: Remove parameter from files in /etc/ssh/sshd_config.d + lineinfile: + path: '{{ item.path }}' + create: false + regexp: (?i)^\s*{{ "Banner"| regex_escape }}\s+ + state: absent + with_items: '{{ _etc_ssh_sshd_config_d_has_parameter.files }}' + when: _etc_ssh_sshd_config_d_has_parameter.matched + - name: Insert correct line to /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf + lineinfile: + path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf + create: true + regexp: (?i)^\s*{{ "Banner"| regex_escape }}\s+ + line: Banner /etc/issue + state: present + insertbefore: ^[#\s]*Match + validate: /usr/sbin/sshd -t -f %s + when: + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - sshd_enable_warning_banner | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-90807-9 + - CJIS-5.5.6 + - NIST-800-171-3.1.9 + - NIST-800-53-AC-17(a) + - NIST-800-53-AC-8(a) + - NIST-800-53-AC-8(c) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-2.2.6 + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - 
sshd_enable_warning_banner + - name: Ensure SSH LoginGraceTime is configured block: - name: Check for duplicate values
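Review bot: The "Insert correct line" step creates `/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf` with `create: true` but sets no `owner`, `group` or `mode`, so the new drop-in takes the remote umask (typically 0644) while vendor drop-ins on RHEL-family hosts are 0600; adding `owner: root`, `group: root` and `mode: '0600'` to that lineinfile keeps the directory consistent and stops a later sshd-config permission rule from flagging a file this one created. `validate: /usr/sbin/sshd -t -f %s` checks the fragment in isolation, not the merged configuration, so it cannot detect a missing `Include sshd_config.d/*.conf` or one placed after a `Match` block — worth a comment, e.g. `# validate checks only this fragment; sshd_config must Include sshd_config.d for it to take effect`. Nothing in the block reloads sshd, so unless a later task does, the banner is enforced only after the service restarts; the `no_reboot_needed` tag should not be read as "takes effect immediately". The quoted `'yes'`/`'no'` for `recurse`/`follow` are a style nit; plain `true`/`false` is the Ansible convention.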