From d3790fb57c4b94ecc8d8c32a64036d3719903405 Mon Sep 17 00:00:00 2001
From: ComplianceAsCode development team
Date: Thu, 30 Oct 2025 12:05:01 -0400
Subject: [PATCH] Updated tasks/main.yml
---
 tasks/main.yml | 3513 +++++++++++++++++++++++++++++++++++---------------
 1 file changed, 2456 insertions(+), 1057 deletions(-)
diff --git a/tasks/main.yml b/tasks/main.yml
index c12afa4..5e3d55d 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -601,7 +601,6 @@ regexp: (?i)^\s*CRYPTO_POLICY.*$ tags: - CCE-83445-7 - - DISA-STIG-RHEL-09-255075 - NIST-800-53-AC-17(2) - NIST-800-53-AC-17(a) - NIST-800-53-CM-6(a)
@@ -617,7 +616,6 @@ - medium_severity - reboot_required when: - - DISA_STIG_RHEL_09_255075 | bool - configure_ssh_crypto_policy | bool - disable_strategy | bool - low_complexity | bool
@@ -647,8 +645,8 @@ - no_reboot_needed | bool - package_gdm_removed | bool -- name: Ensure gdm is removed - package: +- name: 'Remove the GDM Package Group: Ensure gdm is removed' + ansible.builtin.package: name: gdm state: absent when:
@@ -761,7 +759,6 @@ - no_reboot_needed | bool - unknown_strategy | bool - '"gdm" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-88285-2 - DISA-STIG-RHEL-09-271115
@@ -789,7 +786,6 @@ - no_reboot_needed | bool - unknown_strategy | bool - '"gdm" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-88285-2 - DISA-STIG-RHEL-09-271115
@@ -813,7 +809,6 @@ - no_reboot_needed | bool - unknown_strategy | bool - '"gdm" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-88285-2 - DISA-STIG-RHEL-09-271115
@@ -896,7 +891,7 @@ - unknown_strategy | bool - name: Disable GNOME3 Automounting - automount - ini_file: + community.general.ini_file: dest: /etc/dconf/db/local.d/00-security-settings section: org/gnome/desktop/media-handling option: automount @@ -911,7 +906,6 @@ - no_reboot_needed | bool - unknown_strategy | bool - '"gdm" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-87734-0 - NIST-800-171-3.1.7 @@ -941,7 +935,6 @@ - no_reboot_needed | bool - unknown_strategy | bool - '"gdm" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-87734-0 - NIST-800-171-3.1.7 @@ -967,7 +960,6 @@ - no_reboot_needed | bool - unknown_strategy | bool - '"gdm" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-87734-0 - NIST-800-171-3.1.7 @@ -1030,7 +1022,6 @@ - no_reboot_needed | bool - unknown_strategy | bool - '"gdm" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-90128-0 - DISA-STIG-RHEL-09-271020 @@ -1064,7 +1055,6 @@ - no_reboot_needed | bool - unknown_strategy | bool - '"gdm" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-90128-0 - DISA-STIG-RHEL-09-271020 @@ -1094,7 +1084,6 @@ - no_reboot_needed | bool - unknown_strategy | bool - '"gdm" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-90128-0 - DISA-STIG-RHEL-09-271020 @@ -1140,7 +1129,7 @@ - unknown_strategy | bool - name: Disable GNOME3 Automounting - autorun-never - ini_file: + community.general.ini_file: dest: /etc/dconf/db/local.d/00-security-settings section: org/gnome/desktop/media-handling option: autorun-never 
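Review bot: The switch from `ini_file:` to `community.general.ini_file:` in the `Disable GNOME3 Automounting - automount` task (and in the matching hunks on L3, L4, L8, L14 and L15) makes the role depend on the community.general collection, and the diffstat shows this patch touches only tasks/main.yml, so nothing here declares that dependency; if meta/main.yml or requirements.yml does not already list it, module resolution fails at play start rather than at the task. The `ansible.builtin.package` change on the gdm task does not have this problem since builtin modules ship with core. Consider listing `community.general` under `collections:` in the role's meta, or pinning it in the role's requirements file, in the same change. Each of the dconf tasks these hunks touch starts and ends outside its hunk.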
@@ -1157,7 +1146,6 @@ - no_reboot_needed | bool - unknown_strategy | bool - '"gdm" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-90257-7 - DISA-STIG-RHEL-09-271030 @@ -1189,7 +1177,6 @@ - no_reboot_needed | bool - unknown_strategy | bool - '"gdm" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-90257-7 - DISA-STIG-RHEL-09-271030 @@ -1217,7 +1204,6 @@ - no_reboot_needed | bool - unknown_strategy | bool - '"gdm" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-90257-7 - DISA-STIG-RHEL-09-271030 @@ -1262,7 +1248,7 @@ - unknown_strategy | bool - name: Set GNOME3 Screensaver Inactivity Timeout - ini_file: + community.general.ini_file: dest: /etc/dconf/db/local.d/00-security-settings section: org/gnome/desktop/session option: idle-delay @@ -1278,7 +1264,6 @@ - no_reboot_needed | bool - unknown_strategy | bool - '"gdm" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-86510-5 - CJIS-5.5.5 @@ -1307,7 +1292,6 @@ - no_reboot_needed | bool - unknown_strategy | bool - '"gdm" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-86510-5 - CJIS-5.5.5 @@ -1353,7 +1337,7 @@ - unknown_strategy | bool - name: Set GNOME3 Screensaver Lock Delay After Activation Period - ini_file: + community.general.ini_file: dest: /etc/dconf/db/local.d/00-security-settings section: org/gnome/desktop/screensaver option: lock-delay @@ -1369,7 +1353,6 @@ - no_reboot_needed | bool - unknown_strategy | bool - '"gdm" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-86954-5 - DISA-STIG-RHEL-09-271075 
@@ -1397,7 +1380,6 @@ - no_reboot_needed | bool - unknown_strategy | bool - '"gdm" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-86954-5 - DISA-STIG-RHEL-09-271075 @@ -1452,7 +1434,6 @@ - no_reboot_needed | bool - unknown_strategy | bool - '"gdm" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-87491-7 - DISA-STIG-RHEL-09-271080 @@ -1476,7 +1457,6 @@ - no_reboot_needed | bool - unknown_strategy | bool - '"gdm" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-87491-7 - DISA-STIG-RHEL-09-271080 @@ -1530,7 +1510,6 @@ - no_reboot_needed | bool - unknown_strategy | bool - '"gdm" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-85971-0 - DISA-STIG-RHEL-09-271070 @@ -1557,7 +1536,6 @@ - no_reboot_needed | bool - unknown_strategy | bool - '"gdm" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-85971-0 - DISA-STIG-RHEL-09-271070 @@ -2060,7 +2038,7 @@ - no_reboot_needed | bool - name: Ensure GPG check is globally activated - ini_file: + community.general.ini_file: dest: /etc/dnf/dnf.conf section: main option: gpgcheck 
@@ -2359,6 +2337,25 @@ - no_reboot_needed - restrict_strategy +- name: Set the file_groupowner_etc_issue_newgroup variable if represented by gid + set_fact: + file_groupowner_etc_issue_newgroup: '0' + tags: + - CCE-86699-6 + - configure_strategy + - file_groupowner_etc_issue + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + when: + - configure_strategy | bool + - file_groupowner_etc_issue | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - name: Test for existence /etc/issue stat: path: /etc/issue @@ -2379,10 +2376,10 @@ - medium_severity | bool - no_reboot_needed | bool -- name: Ensure group owner 0 on /etc/issue +- name: Ensure group owner on /etc/issue file: path: /etc/issue - group: '0' + group: '{{ file_groupowner_etc_issue_newgroup }}' when: - configure_strategy | bool - file_groupowner_etc_issue | bool @@ -2400,6 +2397,27 @@ - medium_severity - no_reboot_needed +- name: Set the file_groupowner_etc_issue_net_newgroup variable if represented by gid + set_fact: + file_groupowner_etc_issue_net_newgroup: '0' + tags: + - CCE-86052-8 + - PCI-DSSv4-1.2 + - PCI-DSSv4-1.2.8 + - configure_strategy + - file_groupowner_etc_issue_net + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + when: + - configure_strategy | bool + - file_groupowner_etc_issue_net | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - name: Test for existence /etc/issue.net stat: path: /etc/issue.net @@ -2422,10 +2440,10 @@ - medium_severity | bool - no_reboot_needed | bool -- name: Ensure group owner 0 on /etc/issue.net +- name: Ensure group owner on /etc/issue.net file: path: /etc/issue.net - group: '0' + group: '{{ file_groupowner_etc_issue_net_newgroup }}' when: - configure_strategy | bool - file_groupowner_etc_issue_net | bool 
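Review bot: The new `Set the file_groupowner_etc_issue_newgroup variable if represented by gid` task unconditionally assigns `'0'` under the same `when` list as the `Ensure group owner on /etc/issue` task that consumes it, so the name promises a gid-versus-name branch that the body does not contain; the same applies to every `*_newgroup` / `*_newown` set_fact added on L6, L7, L11–L14 and L16–L20. If the generator is meant to emit that branch, this output is missing it; if not, a name such as `Set file_groupowner_etc_issue_newgroup to gid 0 for /etc/issue` describes what actually runs. Separately, these new tasks use short module names (`set_fact`, `stat`, `file`) while the same commit migrates other tasks to FQCNs (`ansible.builtin.package`, `community.general.ini_file`); writing them as `ansible.builtin.set_fact:` keeps the file on one convention.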
@@ -2445,6 +2463,25 @@ - medium_severity - no_reboot_needed +- name: Set the file_groupowner_etc_motd_newgroup variable if represented by gid + set_fact: + file_groupowner_etc_motd_newgroup: '0' + tags: + - CCE-86697-0 + - configure_strategy + - file_groupowner_etc_motd + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + when: + - configure_strategy | bool + - file_groupowner_etc_motd | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - name: Test for existence /etc/motd stat: path: /etc/motd @@ -2465,10 +2502,10 @@ - medium_severity | bool - no_reboot_needed | bool -- name: Ensure group owner 0 on /etc/motd +- name: Ensure group owner on /etc/motd file: path: /etc/motd - group: '0' + group: '{{ file_groupowner_etc_motd_newgroup }}' when: - configure_strategy | bool - file_groupowner_etc_motd | bool @@ -2486,6 +2523,25 @@ - medium_severity - no_reboot_needed +- name: Set the file_owner_etc_issue_newown variable if represented by uid + set_fact: + file_owner_etc_issue_newown: '0' + tags: + - CCE-86700-2 + - configure_strategy + - file_owner_etc_issue + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + when: + - configure_strategy | bool + - file_owner_etc_issue | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - name: Test for existence /etc/issue stat: path: /etc/issue @@ -2506,10 +2562,10 @@ - medium_severity | bool - no_reboot_needed | bool -- name: Ensure owner 0 on /etc/issue +- name: Ensure owner on /etc/issue file: path: /etc/issue - owner: '0' + owner: '{{ file_owner_etc_issue_newown }}' when: - configure_strategy | bool - file_owner_etc_issue | bool 
@@ -2527,6 +2583,27 @@ - medium_severity - no_reboot_needed +- name: Set the file_owner_etc_issue_net_newown variable if represented by uid + set_fact: + file_owner_etc_issue_net_newown: '0' + tags: + - CCE-86057-7 + - PCI-DSSv4-1.2 + - PCI-DSSv4-1.2.8 + - configure_strategy + - file_owner_etc_issue_net + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + when: + - configure_strategy | bool + - file_owner_etc_issue_net | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - name: Test for existence /etc/issue.net stat: path: /etc/issue.net @@ -2549,10 +2626,10 @@ - medium_severity | bool - no_reboot_needed | bool -- name: Ensure owner 0 on /etc/issue.net +- name: Ensure owner on /etc/issue.net file: path: /etc/issue.net - owner: '0' + owner: '{{ file_owner_etc_issue_net_newown }}' when: - configure_strategy | bool - file_owner_etc_issue_net | bool @@ -2572,6 +2649,25 @@ - medium_severity - no_reboot_needed +- name: Set the file_owner_etc_motd_newown variable if represented by uid + set_fact: + file_owner_etc_motd_newown: '0' + tags: + - CCE-86698-8 + - configure_strategy + - file_owner_etc_motd + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + when: + - configure_strategy | bool + - file_owner_etc_motd | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - name: Test for existence /etc/motd stat: path: /etc/motd @@ -2592,10 +2688,10 @@ - medium_severity | bool - no_reboot_needed | bool -- name: Ensure owner 0 on /etc/motd +- name: Ensure owner on /etc/motd file: path: /etc/motd - owner: '0' + owner: '{{ file_owner_etc_motd_newown }}' when: - configure_strategy | bool - file_owner_etc_motd | bool 
@@ -2768,7 +2864,7 @@ - unknown_strategy | bool - name: Enable GNOME3 Login Warning Banner - ini_file: + community.general.ini_file: dest: /etc/dconf/db/distro.d/00-security-settings section: org/gnome/login-screen option: banner-message-enable @@ -2947,7 +3043,7 @@ - unknown_strategy - name: Set the GNOME3 Login Warning Banner Text - ini_file: + community.general.ini_file: dest: /etc/dconf/db/distro.d/00-security-settings section: org/gnome/login-screen option: banner-message-text @@ -4128,7 +4224,7 @@ ansible.builtin.lineinfile: path: '{{ pam_file_path }}' backrefs: true - regexp: ^(\s*password\s+{{ pam_module_control | regex_escape() }}\s+pam_pwhistory.so\s+.*)(remember)=[0-9a-zA-Z]+\s*(.*) + regexp: ^(\s*password\s+{{ pam_module_control | regex_escape() }}\s+pam_pwhistory.so\s+.*)(remember)=[0-9a-zA-Z]*\s*(.*) line: \1\2={{ var_password_pam_remember }} \3 register: result_pam_accounts_password_pam_pwhistory_remember_password_auth_edit when: @@ -4906,7 +5002,7 @@ ansible.builtin.lineinfile: path: '{{ pam_file_path }}' backrefs: true - regexp: ^(\s*password\s+{{ pam_module_control | regex_escape() }}\s+pam_pwhistory.so\s+.*)(remember)=[0-9a-zA-Z]+\s*(.*) + regexp: ^(\s*password\s+{{ pam_module_control | regex_escape() }}\s+pam_pwhistory.so\s+.*)(remember)=[0-9a-zA-Z]*\s*(.*) line: \1\2={{ var_password_pam_remember }} \3 register: result_pam_accounts_password_pam_pwhistory_remember_system_auth_edit when: @@ -6930,7 +7026,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - '"pam" in ansible_facts.packages' + - '"libpwquality" in ansible_facts.packages' tags: - CCE-88413-0 - DISA-STIG-RHEL-09-611105 @@ -6959,7 +7055,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - '"pam" in ansible_facts.packages' + - '"libpwquality" in ansible_facts.packages' tags: - CCE-88413-0 - DISA-STIG-RHEL-09-611105 
@@ -6989,7 +7085,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - '"pam" in ansible_facts.packages' + - '"libpwquality" in ansible_facts.packages' tags: - CCE-88413-0 - DISA-STIG-RHEL-09-611105 @@ -7043,7 +7139,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - '"pam" in ansible_facts.packages' + - '"libpwquality" in ansible_facts.packages' tags: - CCE-83564-5 - CJIS-5.6.2.1.1 @@ -7073,7 +7169,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - '"pam" in ansible_facts.packages' + - '"libpwquality" in ansible_facts.packages' tags: - CCE-83564-5 - CJIS-5.6.2.1.1 @@ -7103,7 +7199,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - '"pam" in ansible_facts.packages' + - '"libpwquality" in ansible_facts.packages' tags: - CCE-83564-5 - CJIS-5.6.2.1.1 @@ -7159,7 +7255,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - '"pam" in ansible_facts.packages' + - '"libpwquality" in ansible_facts.packages' tags: - CCE-86356-3 - DISA-STIG-RHEL-09-611060 @@ -7211,7 +7307,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - '"pam" in ansible_facts.packages' + - '"libpwquality" in ansible_facts.packages' tags: - CCE-83567-8 - DISA-STIG-RHEL-09-611125 @@ -7239,7 +7335,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - '"pam" in ansible_facts.packages' + - '"libpwquality" in ansible_facts.packages' tags: - CCE-83567-8 - DISA-STIG-RHEL-09-611125 @@ -7267,7 +7363,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - '"pam" in ansible_facts.packages' + - '"libpwquality" in ansible_facts.packages' tags: - CCE-83567-8 - DISA-STIG-RHEL-09-611125 
@@ -7319,7 +7415,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - '"pam" in ansible_facts.packages' + - '"libpwquality" in ansible_facts.packages' tags: - CCE-83563-7 - DISA-STIG-RHEL-09-611130 @@ -7348,7 +7444,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - '"pam" in ansible_facts.packages' + - '"libpwquality" in ansible_facts.packages' tags: - CCE-83563-7 - DISA-STIG-RHEL-09-611130 @@ -7377,7 +7473,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - '"pam" in ansible_facts.packages' + - '"libpwquality" in ansible_facts.packages' tags: - CCE-83563-7 - DISA-STIG-RHEL-09-611130 @@ -7434,7 +7530,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - '"pam" in ansible_facts.packages' + - '"libpwquality" in ansible_facts.packages' tags: - CCE-83579-3 - CJIS-5.6.2.1.1 @@ -7467,7 +7563,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - '"pam" in ansible_facts.packages' + - '"libpwquality" in ansible_facts.packages' tags: - CCE-83579-3 - CJIS-5.6.2.1.1 @@ -7500,7 +7596,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - '"pam" in ansible_facts.packages' + - '"libpwquality" in ansible_facts.packages' tags: - CCE-83579-3 - CJIS-5.6.2.1.1 @@ -9744,8 +9840,9 @@ - restrict_strategy - name: Ensure interactive local users are the group-owners of their respective initialization files - ansible.builtin.command: - cmd: awk -F':' '{ if ($3 >= 1000 && $3 != 65534) system("chgrp -f " $4" "$6"/.[^\.]?*") }' /etc/passwd + ansible.builtin.shell: + cmd: 'awk -F: ''{if ($4 >= 1000 && $4 != 65534) print $4":"$6}'' /etc/passwd | while IFS=: read -r gid home; do find -P + "$home" -maxdepth 1 -type f -name "\.[^.]*" -exec chgrp -f --no-dereference -- $gid "{}" \;; done' tags: - CCE-87037-8 - accounts_user_dot_group_ownership 
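Review bot: The rewritten group-ownership pipeline in `Ensure interactive local users are the group-owners of their respective initialization files` selects /etc/passwd rows with `$4 >= 1000 && $4 != 65534`, i.e. by primary GID, whereas the command it replaces and the owner variant in the next hunk (L11) select by UID (`$3`); an interactive user whose primary group is a low-numbered shared group is now skipped, and a system account that happens to have a high gid is now processed. Unless the GID-based selection is deliberate, the filter should stay on the UID while still printing the gid: `awk -F: ''{if ($3 >= 1000 && $3 != 65534) print $4":"$6}'' /etc/passwd`. Also note that `-maxdepth 1 -type f` narrows the previous `.[^\.]?*` glob to regular files, so dot-directories in the home such as .ssh are no longer re-owned; confirm that matches the scope of the corresponding check. The shell task's remaining keys (any `changed_when`, for instance) are outside the hunk.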
@@ -9904,8 +10001,9 @@ - restrict_strategy - name: Ensure interactive local users are the owners of their respective initialization files - ansible.builtin.command: - cmd: awk -F':' '{ if ($3 >= 1000 && $3 != 65534) system("chown -f " $3" "$6"/.[^\.]?*") }' /etc/passwd + ansible.builtin.shell: + cmd: 'awk -F: ''{if ($3 >= 1000 && $3 != 65534) print $3":"$6}'' /etc/passwd | while IFS=: read -r uid home; do find -P + "$home" -maxdepth 1 -type f -name "\.[^.]*" -exec chown -f --no-dereference -- $uid "{}" \;; done' tags: - CCE-87038-6 - accounts_user_dot_user_ownership @@ -10555,6 +10653,38 @@ - medium_severity | bool - no_reboot_needed | bool +- name: Set the file_groupowner_grub2_cfg_newgroup variable if represented by gid + set_fact: + file_groupowner_grub2_cfg_newgroup: '0' + when: + - DISA_STIG_RHEL_09_212025 | bool + - configure_strategy | bool + - file_groupowner_grub2_cfg | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - '"/boot/efi" not in ansible_mounts | map(attribute="mount") | list' + - ( "grub2-common" in ansible_facts.packages and "kernel" in ansible_facts.packages ) + - not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages + and not "openshift-kubelet" in ansible_facts.packages ) + tags: + - CCE-83848-2 + - CJIS-5.5.2.2 + - DISA-STIG-RHEL-09-212025 + - NIST-800-171-3.4.5 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-7.1 + - PCI-DSSv4-2.2 + - PCI-DSSv4-2.2.6 + - configure_strategy + - file_groupowner_grub2_cfg + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - name: Test for existence /boot/grub2/grub.cfg stat: path: /boot/grub2/grub.cfg 
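Review bot: The new `Set the file_groupowner_grub2_cfg_newgroup variable if represented by gid` task is additionally gated on `/boot/efi` not being mounted and on the grub2-common / kernel / rpm-ostree package conditions, but the `Ensure group owner on /boot/grub2/grub.cfg` task that consumes `'{{ file_groupowner_grub2_cfg_newgroup }}'` (L12) shows only the first two of its `when` entries before the hunk ends; if its list does not carry the same mount and package guards, the consumer runs on an EFI or rpm-ostree host with the variable undefined and fails with an undefined-variable error instead of skipping. The same set_fact/consumer pairing appears for user.cfg group owner (L12), grub.cfg owner (L13) and user.cfg owner (L14). Either the consumer's `when` must repeat the guards, or the fact could be set under the plain strategy/profile conditions as the /etc/issue variants on L5–L7 do, leaving the file task to decide. The consumers' `when` lists continue outside their hunks.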
@@ -10588,10 +10718,10 @@ - medium_severity - no_reboot_needed -- name: Ensure group owner 0 on /boot/grub2/grub.cfg +- name: Ensure group owner on /boot/grub2/grub.cfg file: path: /boot/grub2/grub.cfg - group: '0' + group: '{{ file_groupowner_grub2_cfg_newgroup }}' when: - DISA_STIG_RHEL_09_212025 | bool - configure_strategy | bool @@ -10648,6 +10778,36 @@ - medium_severity | bool - no_reboot_needed | bool +- name: Set the file_groupowner_user_cfg_newgroup variable if represented by gid + set_fact: + file_groupowner_user_cfg_newgroup: '0' + when: + - configure_strategy | bool + - file_groupowner_user_cfg | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - '"/boot/efi" not in ansible_mounts | map(attribute="mount") | list' + - ( "grub2-common" in ansible_facts.packages and "kernel" in ansible_facts.packages ) + - not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages + and not "openshift-kubelet" in ansible_facts.packages ) + tags: + - CCE-86010-6 + - CJIS-5.5.2.2 + - NIST-800-171-3.4.5 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-7.1 + - PCI-DSSv4-2.2 + - PCI-DSSv4-2.2.6 + - configure_strategy + - file_groupowner_user_cfg + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - name: Test for existence /boot/grub2/user.cfg stat: path: /boot/grub2/user.cfg @@ -10679,10 +10839,10 @@ - medium_severity - no_reboot_needed -- name: Ensure group owner 0 on /boot/grub2/user.cfg +- name: Ensure group owner on /boot/grub2/user.cfg file: path: /boot/grub2/user.cfg - group: '0' + group: '{{ file_groupowner_user_cfg_newgroup }}' when: - configure_strategy | bool - file_groupowner_user_cfg | bool 
@@ -10739,6 +10899,38 @@ - medium_severity | bool - no_reboot_needed | bool +- name: Set the file_owner_grub2_cfg_newown variable if represented by uid + set_fact: + file_owner_grub2_cfg_newown: '0' + when: + - DISA_STIG_RHEL_09_212030 | bool + - configure_strategy | bool + - file_owner_grub2_cfg | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - '"/boot/efi" not in ansible_mounts | map(attribute="mount") | list' + - ( "grub2-common" in ansible_facts.packages and "kernel" in ansible_facts.packages ) + - not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages + and not "openshift-kubelet" in ansible_facts.packages ) + tags: + - CCE-83845-8 + - CJIS-5.5.2.2 + - DISA-STIG-RHEL-09-212030 + - NIST-800-171-3.4.5 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-7.1 + - PCI-DSSv4-2.2 + - PCI-DSSv4-2.2.6 + - configure_strategy + - file_owner_grub2_cfg + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - name: Test for existence /boot/grub2/grub.cfg stat: path: /boot/grub2/grub.cfg @@ -10772,10 +10964,10 @@ - medium_severity - no_reboot_needed -- name: Ensure owner 0 on /boot/grub2/grub.cfg +- name: Ensure owner on /boot/grub2/grub.cfg file: path: /boot/grub2/grub.cfg - owner: '0' + owner: '{{ file_owner_grub2_cfg_newown }}' when: - DISA_STIG_RHEL_09_212030 | bool - configure_strategy | bool 
@@ -10832,6 +11024,36 @@ - medium_severity | bool - no_reboot_needed | bool +- name: Set the file_owner_user_cfg_newown variable if represented by uid + set_fact: + file_owner_user_cfg_newown: '0' + when: + - configure_strategy | bool + - file_owner_user_cfg | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - '"/boot/efi" not in ansible_mounts | map(attribute="mount") | list' + - ( "grub2-common" in ansible_facts.packages and "kernel" in ansible_facts.packages ) + - not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages + and not "openshift-kubelet" in ansible_facts.packages ) + tags: + - CCE-86016-3 + - CJIS-5.5.2.2 + - NIST-800-171-3.4.5 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-7.1 + - PCI-DSSv4-2.2 + - PCI-DSSv4-2.2.6 + - configure_strategy + - file_owner_user_cfg + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - name: Test for existence /boot/grub2/user.cfg stat: path: /boot/grub2/user.cfg @@ -10863,10 +11085,10 @@ - medium_severity - no_reboot_needed -- name: Ensure owner 0 on /boot/grub2/user.cfg +- name: Ensure owner on /boot/grub2/user.cfg file: path: /boot/grub2/user.cfg - owner: '0' + owner: '{{ file_owner_user_cfg_newown }}' when: - configure_strategy | bool - file_owner_user_cfg | bool @@ -12178,7 +12400,7 @@ - restrict_strategy - name: Ensure journald is configured to compress large log files - Add missing configuration to correct section - ini_file: + community.general.ini_file: path: '{{item}}' section: Journal option: Compress @@ -12206,7 +12428,7 @@ - restrict_strategy - name: Ensure journald is configured to compress large log files - Add configuration to new remediation file - ini_file: + community.general.ini_file: path: /etc/systemd/journald.conf.d/complianceascode_hardening.conf section: Journal option: Compress 
@@ -12304,7 +12526,7 @@ - restrict_strategy - name: Ensure journald is configured to write log files to persistent disk - Add missing configuration to correct section - ini_file: + community.general.ini_file: path: '{{item}}' section: Journal option: Storage @@ -12332,7 +12554,7 @@ - restrict_strategy - name: Ensure journald is configured to write log files to persistent disk - Add configuration to new remediation file - ini_file: + community.general.ini_file: path: /etc/systemd/journald.conf.d/complianceascode_hardening.conf section: Journal option: Storage @@ -16405,6 +16627,15 @@ - name: Service facts ansible.builtin.service_facts: null + when: + - DISA_STIG_RHEL_09_291040 | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - unknown_strategy | bool + - wireless_disable_interfaces | bool + - ( not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] ) ) tags: - CCE-84066-0 - DISA-STIG-RHEL-09-291040 @@ -16424,14 +16655,6 @@ - no_reboot_needed - unknown_strategy - wireless_disable_interfaces - when: - - DISA_STIG_RHEL_09_291040 | bool - - low_complexity | bool - - medium_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - unknown_strategy | bool - - wireless_disable_interfaces | bool - name: Ensure NetworkManager is installed ansible.builtin.package: @@ -16439,6 +16662,15 @@ state: present with_items: - NetworkManager + when: + - DISA_STIG_RHEL_09_291040 | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - unknown_strategy | bool + - wireless_disable_interfaces | bool + - ( not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] ) ) tags: - CCE-84066-0 - DISA-STIG-RHEL-09-291040 
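Review bot: The container guard added to the `Service facts`, `Ensure NetworkManager is installed` and (on L16) `NetworkManager Deactivate Wireless Network Interfaces` tasks is spelled `( not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] ) )`, while the form this same commit removes from the gdm tasks on L1–L4 is `ansible_virtualization_type not in [...]`; the two are equivalent, so one spelling should be used file-wide, and the shorter `ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]` reads better. Placing the guard before the `ansible_facts.services['NetworkManager.service'].state == 'running'` entry on L16 looks deliberate, since the list is, as far as I recall, evaluated in order and stops at the first false condition, so the lookup is not reached when service_facts was skipped; a short comment above that task saying so would save the next reader from re-deriving it.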
@@ -16458,14 +16690,6 @@ - no_reboot_needed - unknown_strategy - wireless_disable_interfaces - when: - - DISA_STIG_RHEL_09_291040 | bool - - low_complexity | bool - - medium_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - unknown_strategy | bool - - wireless_disable_interfaces | bool - name: NetworkManager Deactivate Wireless Network Interfaces command: nmcli radio wifi off @@ -16477,6 +16701,7 @@ - no_reboot_needed | bool - unknown_strategy | bool - wireless_disable_interfaces | bool + - ( not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] ) ) - '''NetworkManager'' in ansible_facts.packages' - ansible_facts.services['NetworkManager.service'].state == 'running' tags: @@ -16503,6 +16728,7 @@ ansible.builtin.set_fact: excluded_fstypes: - afs + - autofs - ceph - cifs - smb3 @@ -16773,6 +16999,31 @@ - no_reboot_needed | bool - restrict_strategy | bool +- name: Set the file_groupowner_backup_etc_group_newgroup variable if represented by gid + set_fact: + file_groupowner_backup_etc_group_newgroup: '0' + tags: + - CCE-83928-2 + - DISA-STIG-RHEL-09-232105 + - NIST-800-53-AC-6 (1) + - PCI-DSS-Req-8.7 + - PCI-DSSv4-2.2 + - PCI-DSSv4-2.2.6 + - configure_strategy + - file_groupowner_backup_etc_group + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + when: + - DISA_STIG_RHEL_09_232105 | bool + - configure_strategy | bool + - file_groupowner_backup_etc_group | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - name: Test for existence /etc/group- stat: path: /etc/group- @@ -16799,10 +17050,10 @@ - medium_severity | bool - no_reboot_needed | bool -- name: Ensure group owner 0 on /etc/group- +- name: Ensure group owner on /etc/group- file: path: /etc/group- - group: '0' + group: '{{ file_groupowner_backup_etc_group_newgroup }}' when: - DISA_STIG_RHEL_09_232105 | bool - configure_strategy | bool 
@@ -16826,6 +17077,29 @@ - medium_severity - no_reboot_needed +- name: Set the file_groupowner_backup_etc_gshadow_newgroup variable if represented by gid + set_fact: + file_groupowner_backup_etc_gshadow_newgroup: '0' + tags: + - CCE-83951-4 + - DISA-STIG-RHEL-09-232125 + - NIST-800-53-AC-6 (1) + - PCI-DSS-Req-8.7 + - configure_strategy + - file_groupowner_backup_etc_gshadow + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + when: + - DISA_STIG_RHEL_09_232125 | bool + - configure_strategy | bool + - file_groupowner_backup_etc_gshadow | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - name: Test for existence /etc/gshadow- stat: path: /etc/gshadow- @@ -16850,10 +17124,10 @@ - medium_severity | bool - no_reboot_needed | bool -- name: Ensure group owner 0 on /etc/gshadow- +- name: Ensure group owner on /etc/gshadow- file: path: /etc/gshadow- - group: '0' + group: '{{ file_groupowner_backup_etc_gshadow_newgroup }}' when: - DISA_STIG_RHEL_09_232125 | bool - configure_strategy | bool @@ -16875,6 +17149,31 @@ - medium_severity - no_reboot_needed +- name: Set the file_groupowner_backup_etc_passwd_newgroup variable if represented by gid + set_fact: + file_groupowner_backup_etc_passwd_newgroup: '0' + tags: + - CCE-83933-2 + - DISA-STIG-RHEL-09-232145 + - NIST-800-53-AC-6 (1) + - PCI-DSS-Req-8.7 + - PCI-DSSv4-2.2 + - PCI-DSSv4-2.2.6 + - configure_strategy + - file_groupowner_backup_etc_passwd + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + when: + - DISA_STIG_RHEL_09_232145 | bool + - configure_strategy | bool + - file_groupowner_backup_etc_passwd | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - name: Test for existence /etc/passwd- stat: path: /etc/passwd- 
@@ -16901,10 +17200,10 @@ - medium_severity | bool - no_reboot_needed | bool -- name: Ensure group owner 0 on /etc/passwd- +- name: Ensure group owner on /etc/passwd- file: path: /etc/passwd- - group: '0' + group: '{{ file_groupowner_backup_etc_passwd_newgroup }}' when: - DISA_STIG_RHEL_09_232145 | bool - configure_strategy | bool @@ -16928,6 +17227,30 @@ - medium_severity - no_reboot_needed +- name: Set the file_groupowner_backup_etc_shadow_newgroup variable if represented by gid + set_fact: + file_groupowner_backup_etc_shadow_newgroup: '0' + tags: + - CCE-83938-1 + - DISA-STIG-RHEL-09-232165 + - PCI-DSS-Req-8.7 + - PCI-DSSv4-2.2 + - PCI-DSSv4-2.2.6 + - configure_strategy + - file_groupowner_backup_etc_shadow + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + when: + - DISA_STIG_RHEL_09_232165 | bool + - configure_strategy | bool + - file_groupowner_backup_etc_shadow | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - name: Test for existence /etc/shadow- stat: path: /etc/shadow- @@ -16953,10 +17276,10 @@ - medium_severity | bool - no_reboot_needed | bool -- name: Ensure group owner 0 on /etc/shadow- +- name: Ensure group owner on /etc/shadow- file: path: /etc/shadow- - group: '0' + group: '{{ file_groupowner_backup_etc_shadow_newgroup }}' when: - DISA_STIG_RHEL_09_232165 | bool - configure_strategy | bool 
@@ -16979,6 +17302,33 @@ - medium_severity - no_reboot_needed +- name: Set the file_groupowner_etc_group_newgroup variable if represented by gid + set_fact: + file_groupowner_etc_group_newgroup: '0' + tags: + - CCE-83945-6 + - CJIS-5.5.2.2 + - DISA-STIG-RHEL-09-232095 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.7.c + - PCI-DSSv4-2.2 + - PCI-DSSv4-2.2.6 + - configure_strategy + - file_groupowner_etc_group + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + when: + - DISA_STIG_RHEL_09_232095 | bool + - configure_strategy | bool + - file_groupowner_etc_group | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - name: Test for existence /etc/group stat: path: /etc/group @@ -17007,10 +17357,10 @@ - medium_severity | bool - no_reboot_needed | bool -- name: Ensure group owner 0 on /etc/group +- name: Ensure group owner on /etc/group file: path: /etc/group - group: '0' + group: '{{ file_groupowner_etc_group_newgroup }}' when: - DISA_STIG_RHEL_09_232095 | bool - configure_strategy | bool @@ -17036,6 +17386,29 @@ - medium_severity - no_reboot_needed +- name: Set the file_groupowner_etc_gshadow_newgroup variable if represented by gid + set_fact: + file_groupowner_etc_gshadow_newgroup: '0' + tags: + - CCE-83948-0 + - DISA-STIG-RHEL-09-232115 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - configure_strategy + - file_groupowner_etc_gshadow + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + when: + - DISA_STIG_RHEL_09_232115 | bool + - configure_strategy | bool + - file_groupowner_etc_gshadow | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - name: Test for existence /etc/gshadow stat: path: /etc/gshadow 
@@ -17060,10 +17433,10 @@ - medium_severity | bool - no_reboot_needed | bool -- name: Ensure group owner 0 on /etc/gshadow +- name: Ensure group owner on /etc/gshadow file: path: /etc/gshadow - group: '0' + group: '{{ file_groupowner_etc_gshadow_newgroup }}' when: - DISA_STIG_RHEL_09_232115 | bool - configure_strategy | bool @@ -17085,6 +17458,33 @@ - medium_severity - no_reboot_needed +- name: Set the file_groupowner_etc_passwd_newgroup variable if represented by gid + set_fact: + file_groupowner_etc_passwd_newgroup: '0' + tags: + - CCE-83950-6 + - CJIS-5.5.2.2 + - DISA-STIG-RHEL-09-232135 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.7.c + - PCI-DSSv4-2.2 + - PCI-DSSv4-2.2.6 + - configure_strategy + - file_groupowner_etc_passwd + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + when: + - DISA_STIG_RHEL_09_232135 | bool + - configure_strategy | bool + - file_groupowner_etc_passwd | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - name: Test for existence /etc/passwd stat: path: /etc/passwd @@ -17113,10 +17513,10 @@ - medium_severity | bool - no_reboot_needed | bool -- name: Ensure group owner 0 on /etc/passwd +- name: Ensure group owner on /etc/passwd file: path: /etc/passwd - group: '0' + group: '{{ file_groupowner_etc_passwd_newgroup }}' when: - DISA_STIG_RHEL_09_232135 | bool - configure_strategy | bool 
@@ -17142,6 +17542,33 @@ - medium_severity - no_reboot_needed +- name: Set the file_groupowner_etc_shadow_newgroup variable if represented by gid + set_fact: + file_groupowner_etc_shadow_newgroup: '0' + tags: + - CCE-83930-8 + - CJIS-5.5.2.2 + - DISA-STIG-RHEL-09-232155 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.7.c + - PCI-DSSv4-2.2 + - PCI-DSSv4-2.2.6 + - configure_strategy + - file_groupowner_etc_shadow + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + when: + - DISA_STIG_RHEL_09_232155 | bool + - configure_strategy | bool + - file_groupowner_etc_shadow | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - name: Test for existence /etc/shadow stat: path: /etc/shadow @@ -17170,10 +17597,10 @@ - medium_severity | bool - no_reboot_needed | bool -- name: Ensure group owner 0 on /etc/shadow +- name: Ensure group owner on /etc/shadow file: path: /etc/shadow - group: '0' + group: '{{ file_groupowner_etc_shadow_newgroup }}' when: - DISA_STIG_RHEL_09_232155 | bool - configure_strategy | bool @@ -17199,6 +17626,27 @@ - medium_severity - no_reboot_needed +- name: Set the file_groupowner_etc_shells_newgroup variable if represented by gid + set_fact: + file_groupowner_etc_shells_newgroup: '0' + tags: + - CCE-90434-2 + - NIST-800-53-AC-3 + - NIST-800-53-MP-2 + - configure_strategy + - file_groupowner_etc_shells + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + when: + - configure_strategy | bool + - file_groupowner_etc_shells | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - name: Test for existence /etc/shells stat: path: /etc/shells 
@@ -17221,10 +17669,10 @@ - medium_severity | bool - no_reboot_needed | bool -- name: Ensure group owner 0 on /etc/shells +- name: Ensure group owner on /etc/shells file: path: /etc/shells - group: '0' + group: '{{ file_groupowner_etc_shells_newgroup }}' when: - configure_strategy | bool - file_groupowner_etc_shells | bool @@ -17244,6 +17692,31 @@ - medium_severity - no_reboot_needed +- name: Set the file_owner_backup_etc_group_newown variable if represented by uid + set_fact: + file_owner_backup_etc_group_newown: '0' + tags: + - CCE-83944-9 + - DISA-STIG-RHEL-09-232100 + - NIST-800-53-AC-6 (1) + - PCI-DSS-Req-8.7.c + - PCI-DSSv4-2.2 + - PCI-DSSv4-2.2.6 + - configure_strategy + - file_owner_backup_etc_group + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + when: + - DISA_STIG_RHEL_09_232100 | bool + - configure_strategy | bool + - file_owner_backup_etc_group | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - name: Test for existence /etc/group- stat: path: /etc/group- @@ -17270,10 +17743,10 @@ - medium_severity | bool - no_reboot_needed | bool -- name: Ensure owner 0 on /etc/group- +- name: Ensure owner on /etc/group- file: path: /etc/group- - owner: '0' + owner: '{{ file_owner_backup_etc_group_newown }}' when: - DISA_STIG_RHEL_09_232100 | bool - configure_strategy | bool 
@@ -17297,6 +17770,29 @@ - medium_severity - no_reboot_needed +- name: Set the file_owner_backup_etc_gshadow_newown variable if represented by uid + set_fact: + file_owner_backup_etc_gshadow_newown: '0' + tags: + - CCE-83929-0 + - DISA-STIG-RHEL-09-232120 + - NIST-800-53-AC-6 (1) + - PCI-DSS-Req-8.7 + - configure_strategy + - file_owner_backup_etc_gshadow + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + when: + - DISA_STIG_RHEL_09_232120 | bool + - configure_strategy | bool + - file_owner_backup_etc_gshadow | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - name: Test for existence /etc/gshadow- stat: path: /etc/gshadow- @@ -17321,10 +17817,10 @@ - medium_severity | bool - no_reboot_needed | bool -- name: Ensure owner 0 on /etc/gshadow- +- name: Ensure owner on /etc/gshadow- file: path: /etc/gshadow- - owner: '0' + owner: '{{ file_owner_backup_etc_gshadow_newown }}' when: - DISA_STIG_RHEL_09_232120 | bool - configure_strategy | bool @@ -17346,6 +17842,31 @@ - medium_severity - no_reboot_needed +- name: Set the file_owner_backup_etc_passwd_newown variable if represented by uid + set_fact: + file_owner_backup_etc_passwd_newown: '0' + tags: + - CCE-83947-2 + - DISA-STIG-RHEL-09-232140 + - NIST-800-53-AC-6 (1) + - PCI-DSS-Req-8.7.c + - PCI-DSSv4-2.2 + - PCI-DSSv4-2.2.6 + - configure_strategy + - file_owner_backup_etc_passwd + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + when: + - DISA_STIG_RHEL_09_232140 | bool + - configure_strategy | bool + - file_owner_backup_etc_passwd | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - name: Test for existence /etc/passwd- stat: path: /etc/passwd- 
@@ -17372,10 +17893,10 @@ - medium_severity | bool - no_reboot_needed | bool -- name: Ensure owner 0 on /etc/passwd- +- name: Ensure owner on /etc/passwd- file: path: /etc/passwd- - owner: '0' + owner: '{{ file_owner_backup_etc_passwd_newown }}' when: - DISA_STIG_RHEL_09_232140 | bool - configure_strategy | bool @@ -17399,6 +17920,31 @@ - medium_severity - no_reboot_needed +- name: Set the file_owner_backup_etc_shadow_newown variable if represented by uid + set_fact: + file_owner_backup_etc_shadow_newown: '0' + tags: + - CCE-83949-8 + - DISA-STIG-RHEL-09-232160 + - NIST-800-53-AC-6 (1) + - PCI-DSS-Req-8.7.c + - PCI-DSSv4-2.2 + - PCI-DSSv4-2.2.6 + - configure_strategy + - file_owner_backup_etc_shadow + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + when: + - DISA_STIG_RHEL_09_232160 | bool + - configure_strategy | bool + - file_owner_backup_etc_shadow | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - name: Test for existence /etc/shadow- stat: path: /etc/shadow- @@ -17425,10 +17971,10 @@ - medium_severity | bool - no_reboot_needed | bool -- name: Ensure owner 0 on /etc/shadow- +- name: Ensure owner on /etc/shadow- file: path: /etc/shadow- - owner: '0' + owner: '{{ file_owner_backup_etc_shadow_newown }}' when: - DISA_STIG_RHEL_09_232160 | bool - configure_strategy | bool 
@@ -17452,6 +17998,33 @@ - medium_severity - no_reboot_needed +- name: Set the file_owner_etc_group_newown variable if represented by uid + set_fact: + file_owner_etc_group_newown: '0' + tags: + - CCE-83925-8 + - CJIS-5.5.2.2 + - DISA-STIG-RHEL-09-232090 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.7.c + - PCI-DSSv4-2.2 + - PCI-DSSv4-2.2.6 + - configure_strategy + - file_owner_etc_group + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + when: + - DISA_STIG_RHEL_09_232090 | bool + - configure_strategy | bool + - file_owner_etc_group | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - name: Test for existence /etc/group stat: path: /etc/group @@ -17480,10 +18053,10 @@ - medium_severity | bool - no_reboot_needed | bool -- name: Ensure owner 0 on /etc/group +- name: Ensure owner on /etc/group file: path: /etc/group - owner: '0' + owner: '{{ file_owner_etc_group_newown }}' when: - DISA_STIG_RHEL_09_232090 | bool - configure_strategy | bool @@ -17509,6 +18082,29 @@ - medium_severity - no_reboot_needed +- name: Set the file_owner_etc_gshadow_newown variable if represented by uid + set_fact: + file_owner_etc_gshadow_newown: '0' + tags: + - CCE-83924-1 + - DISA-STIG-RHEL-09-232110 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - configure_strategy + - file_owner_etc_gshadow + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + when: + - DISA_STIG_RHEL_09_232110 | bool + - configure_strategy | bool + - file_owner_etc_gshadow | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - name: Test for existence /etc/gshadow stat: path: /etc/gshadow 
@@ -17533,10 +18129,10 @@ - medium_severity | bool - no_reboot_needed | bool -- name: Ensure owner 0 on /etc/gshadow +- name: Ensure owner on /etc/gshadow file: path: /etc/gshadow - owner: '0' + owner: '{{ file_owner_etc_gshadow_newown }}' when: - DISA_STIG_RHEL_09_232110 | bool - configure_strategy | bool @@ -17558,6 +18154,33 @@ - medium_severity - no_reboot_needed +- name: Set the file_owner_etc_passwd_newown variable if represented by uid + set_fact: + file_owner_etc_passwd_newown: '0' + tags: + - CCE-83943-1 + - CJIS-5.5.2.2 + - DISA-STIG-RHEL-09-232130 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.7.c + - PCI-DSSv4-2.2 + - PCI-DSSv4-2.2.6 + - configure_strategy + - file_owner_etc_passwd + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + when: + - DISA_STIG_RHEL_09_232130 | bool + - configure_strategy | bool + - file_owner_etc_passwd | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - name: Test for existence /etc/passwd stat: path: /etc/passwd @@ -17586,10 +18209,10 @@ - medium_severity | bool - no_reboot_needed | bool -- name: Ensure owner 0 on /etc/passwd +- name: Ensure owner on /etc/passwd file: path: /etc/passwd - owner: '0' + owner: '{{ file_owner_etc_passwd_newown }}' when: - DISA_STIG_RHEL_09_232130 | bool - configure_strategy | bool 
@@ -17615,6 +18238,33 @@ - medium_severity - no_reboot_needed +- name: Set the file_owner_etc_shadow_newown variable if represented by uid + set_fact: + file_owner_etc_shadow_newown: '0' + tags: + - CCE-83926-6 + - CJIS-5.5.2.2 + - DISA-STIG-RHEL-09-232150 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.7.c + - PCI-DSSv4-2.2 + - PCI-DSSv4-2.2.6 + - configure_strategy + - file_owner_etc_shadow + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + when: + - DISA_STIG_RHEL_09_232150 | bool + - configure_strategy | bool + - file_owner_etc_shadow | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - name: Test for existence /etc/shadow stat: path: /etc/shadow @@ -17643,10 +18293,10 @@ - medium_severity | bool - no_reboot_needed | bool -- name: Ensure owner 0 on /etc/shadow +- name: Ensure owner on /etc/shadow file: path: /etc/shadow - owner: '0' + owner: '{{ file_owner_etc_shadow_newown }}' when: - DISA_STIG_RHEL_09_232150 | bool - configure_strategy | bool @@ -17672,6 +18322,27 @@ - medium_severity - no_reboot_needed +- name: Set the file_owner_etc_shells_newown variable if represented by uid + set_fact: + file_owner_etc_shells_newown: '0' + tags: + - CCE-90435-9 + - NIST-800-53-AC-3 + - NIST-800-53-MP-2 + - configure_strategy + - file_owner_etc_shells + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + when: + - configure_strategy | bool + - file_owner_etc_shells | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - name: Test for existence /etc/shells stat: path: /etc/shells 
@@ -17694,10 +18365,10 @@ - medium_severity | bool - no_reboot_needed | bool -- name: Ensure owner 0 on /etc/shells +- name: Ensure owner on /etc/shells file: path: /etc/shells - owner: '0' + owner: '{{ file_owner_etc_shells_newown }}' when: - configure_strategy | bool - file_owner_etc_shells | bool @@ -23132,8 +23803,8 @@ - no_reboot_needed | bool - package_mcstrans_removed | bool -- name: Ensure mcstrans is removed - package: +- name: 'Uninstall mcstrans Package: Ensure mcstrans is removed' + ansible.builtin.package: name: mcstrans state: absent when: @@ -23172,8 +23843,8 @@ - no_reboot_needed | bool - package_setroubleshoot_removed | bool -- name: Ensure setroubleshoot is removed - package: +- name: 'Uninstall setroubleshoot Package: Ensure setroubleshoot is removed' + ansible.builtin.package: name: setroubleshoot state: absent when: @@ -23467,19 +24138,19 @@ - NIST-800-53-SC-7(21) - PCI-DSSv4-1.2 - PCI-DSSv4-1.2.6 + - configure_strategy - low_complexity - low_disruption - medium_severity - - reboot_required - - restrict_strategy + - no_reboot_needed - selinux_policytype when: - DISA_STIG_RHEL_09_431015 | bool + - configure_strategy | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - - reboot_required | bool - - restrict_strategy | bool + - no_reboot_needed | bool - selinux_policytype | bool - name: Configure SELinux Policy @@ -23509,11 +24180,11 @@ state: present when: - DISA_STIG_RHEL_09_431015 | bool + - configure_strategy | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - - reboot_required | bool - - restrict_strategy | bool + - no_reboot_needed | bool - selinux_policytype | bool - '"kernel" in ansible_facts.packages' tags: @@ -23527,11 +24198,11 @@ - NIST-800-53-SC-7(21) - PCI-DSSv4-1.2 - PCI-DSSv4-1.2.6 + - configure_strategy - low_complexity - low_disruption - medium_severity - - reboot_required - - restrict_strategy + - no_reboot_needed - selinux_policytype - name: Gather the package facts 
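Review bot: The `selinux_policytype` tasks are retagged from `reboot_required`/`restrict_strategy` to `no_reboot_needed`/`configure_strategy`, but the visible `Configure SELinux Policy` task only writes the setting into a file (`state: present`), and as far as I know a changed `SELINUXTYPE` is only loaded at the next boot (usually with a relabel), so a consumer that filters on `no_reboot_needed` would treat the new policy as active while the old one is still enforcing. If the retagging is deliberate, record the reasoning on the task, e.g. `# no_reboot_needed: only the config file is edited; the policy switch is applied at next boot`, otherwise `reboot_required` looks like the accurate tag. The body of the `Configure SELinux Policy` task starts and ends outside these hunks, so the exact module used is inferred.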
@@ -23879,11 +24550,37 @@ - medium_severity | bool - no_reboot_needed | bool +- name: Set the file_groupowner_cron_d_newgroup variable if represented by gid + set_fact: + file_groupowner_cron_d_newgroup: '0' + when: + - DISA_STIG_RHEL_09_232235 | bool + - configure_strategy | bool + - file_groupowner_cron_d | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - '"kernel" in ansible_facts.packages' + tags: + - CCE-84177-5 + - DISA-STIG-RHEL-09-232235 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSSv4-2.2 + - PCI-DSSv4-2.2.6 + - configure_strategy + - file_groupowner_cron_d + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - name: Ensure group owner on /etc/cron.d/ file: path: /etc/cron.d/ state: directory - group: '0' + group: '{{ file_groupowner_cron_d_newgroup }}' when: - DISA_STIG_RHEL_09_232235 | bool - configure_strategy | bool @@ -23932,11 +24629,37 @@ - medium_severity | bool - no_reboot_needed | bool +- name: Set the file_groupowner_cron_daily_newgroup variable if represented by gid + set_fact: + file_groupowner_cron_daily_newgroup: '0' + when: + - DISA_STIG_RHEL_09_232235 | bool + - configure_strategy | bool + - file_groupowner_cron_daily | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - '"kernel" in ansible_facts.packages' + tags: + - CCE-84170-0 + - DISA-STIG-RHEL-09-232235 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSSv4-2.2 + - PCI-DSSv4-2.2.6 + - configure_strategy + - file_groupowner_cron_daily + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - name: Ensure group owner on /etc/cron.daily/ file: path: /etc/cron.daily/ state: directory - group: '0' + group: '{{ file_groupowner_cron_daily_newgroup }}' when: - DISA_STIG_RHEL_09_232235 | bool - configure_strategy | bool 
@@ -23985,11 +24708,37 @@ - medium_severity | bool - no_reboot_needed | bool +- name: Set the file_groupowner_cron_hourly_newgroup variable if represented by gid + set_fact: + file_groupowner_cron_hourly_newgroup: '0' + when: + - DISA_STIG_RHEL_09_232235 | bool + - configure_strategy | bool + - file_groupowner_cron_hourly | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - '"kernel" in ansible_facts.packages' + tags: + - CCE-84186-6 + - DISA-STIG-RHEL-09-232235 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSSv4-2.2 + - PCI-DSSv4-2.2.6 + - configure_strategy + - file_groupowner_cron_hourly + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - name: Ensure group owner on /etc/cron.hourly/ file: path: /etc/cron.hourly/ state: directory - group: '0' + group: '{{ file_groupowner_cron_hourly_newgroup }}' when: - DISA_STIG_RHEL_09_232235 | bool - configure_strategy | bool @@ -24038,11 +24787,37 @@ - medium_severity | bool - no_reboot_needed | bool +- name: Set the file_groupowner_cron_monthly_newgroup variable if represented by gid + set_fact: + file_groupowner_cron_monthly_newgroup: '0' + when: + - DISA_STIG_RHEL_09_232235 | bool + - configure_strategy | bool + - file_groupowner_cron_monthly | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - '"kernel" in ansible_facts.packages' + tags: + - CCE-84189-0 + - DISA-STIG-RHEL-09-232235 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSSv4-2.2 + - PCI-DSSv4-2.2.6 + - configure_strategy + - file_groupowner_cron_monthly + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - name: Ensure group owner on /etc/cron.monthly/ file: path: /etc/cron.monthly/ state: directory - group: '0' + group: '{{ file_groupowner_cron_monthly_newgroup }}' when: - DISA_STIG_RHEL_09_232235 | bool - configure_strategy | bool 
@@ -24091,11 +24866,37 @@ - medium_severity | bool - no_reboot_needed | bool +- name: Set the file_groupowner_cron_weekly_newgroup variable if represented by gid + set_fact: + file_groupowner_cron_weekly_newgroup: '0' + when: + - DISA_STIG_RHEL_09_232235 | bool + - configure_strategy | bool + - file_groupowner_cron_weekly | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - '"kernel" in ansible_facts.packages' + tags: + - CCE-84174-2 + - DISA-STIG-RHEL-09-232235 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSSv4-2.2 + - PCI-DSSv4-2.2.6 + - configure_strategy + - file_groupowner_cron_weekly + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - name: Ensure group owner on /etc/cron.weekly/ file: path: /etc/cron.weekly/ state: directory - group: '0' + group: '{{ file_groupowner_cron_weekly_newgroup }}' when: - DISA_STIG_RHEL_09_232235 | bool - configure_strategy | bool @@ -24144,6 +24945,32 @@ - medium_severity | bool - no_reboot_needed | bool +- name: Set the file_groupowner_crontab_newgroup variable if represented by gid + set_fact: + file_groupowner_crontab_newgroup: '0' + when: + - DISA_STIG_RHEL_09_232235 | bool + - configure_strategy | bool + - file_groupowner_crontab | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - '"kernel" in ansible_facts.packages' + tags: + - CCE-84171-8 + - DISA-STIG-RHEL-09-232235 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSSv4-2.2 + - PCI-DSSv4-2.2.6 + - configure_strategy + - file_groupowner_crontab + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - name: Test for existence /etc/crontab stat: path: /etc/crontab 
@@ -24171,10 +24998,10 @@ - medium_severity - no_reboot_needed -- name: Ensure group owner 0 on /etc/crontab +- name: Ensure group owner on /etc/crontab file: path: /etc/crontab - group: '0' + group: '{{ file_groupowner_crontab_newgroup }}' when: - DISA_STIG_RHEL_09_232235 | bool - configure_strategy | bool @@ -24224,11 +25051,37 @@ - medium_severity | bool - no_reboot_needed | bool +- name: Set the file_owner_cron_d_newown variable if represented by uid + set_fact: + file_owner_cron_d_newown: '0' + when: + - DISA_STIG_RHEL_09_232230 | bool + - configure_strategy | bool + - file_owner_cron_d | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - '"kernel" in ansible_facts.packages' + tags: + - CCE-84169-2 + - DISA-STIG-RHEL-09-232230 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSSv4-2.2 + - PCI-DSSv4-2.2.6 + - configure_strategy + - file_owner_cron_d + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - name: Ensure owner on directory /etc/cron.d/ file: path: /etc/cron.d/ state: directory - owner: '0' + owner: '{{ file_owner_cron_d_newown }}' when: - DISA_STIG_RHEL_09_232230 | bool - configure_strategy | bool 
@@ -24277,11 +25130,37 @@ - medium_severity | bool - no_reboot_needed | bool +- name: Set the file_owner_cron_daily_newown variable if represented by uid + set_fact: + file_owner_cron_daily_newown: '0' + when: + - DISA_STIG_RHEL_09_232230 | bool + - configure_strategy | bool + - file_owner_cron_daily | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - '"kernel" in ansible_facts.packages' + tags: + - CCE-84188-2 + - DISA-STIG-RHEL-09-232230 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSSv4-2.2 + - PCI-DSSv4-2.2.6 + - configure_strategy + - file_owner_cron_daily + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - name: Ensure owner on directory /etc/cron.daily/ file: path: /etc/cron.daily/ state: directory - owner: '0' + owner: '{{ file_owner_cron_daily_newown }}' when: - DISA_STIG_RHEL_09_232230 | bool - configure_strategy | bool @@ -24330,11 +25209,37 @@ - medium_severity | bool - no_reboot_needed | bool +- name: Set the file_owner_cron_hourly_newown variable if represented by uid + set_fact: + file_owner_cron_hourly_newown: '0' + when: + - DISA_STIG_RHEL_09_232230 | bool + - configure_strategy | bool + - file_owner_cron_hourly | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - '"kernel" in ansible_facts.packages' + tags: + - CCE-84168-4 + - DISA-STIG-RHEL-09-232230 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSSv4-2.2 + - PCI-DSSv4-2.2.6 + - configure_strategy + - file_owner_cron_hourly + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - name: Ensure owner on directory /etc/cron.hourly/ file: path: /etc/cron.hourly/ state: directory - owner: '0' + owner: '{{ file_owner_cron_hourly_newown }}' when: - DISA_STIG_RHEL_09_232230 | bool - configure_strategy | bool 
@@ -24383,11 +25288,37 @@ - medium_severity | bool - no_reboot_needed | bool +- name: Set the file_owner_cron_monthly_newown variable if represented by uid + set_fact: + file_owner_cron_monthly_newown: '0' + when: + - DISA_STIG_RHEL_09_232230 | bool + - configure_strategy | bool + - file_owner_cron_monthly | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - '"kernel" in ansible_facts.packages' + tags: + - CCE-84179-1 + - DISA-STIG-RHEL-09-232230 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSSv4-2.2 + - PCI-DSSv4-2.2.6 + - configure_strategy + - file_owner_cron_monthly + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - name: Ensure owner on directory /etc/cron.monthly/ file: path: /etc/cron.monthly/ state: directory - owner: '0' + owner: '{{ file_owner_cron_monthly_newown }}' when: - DISA_STIG_RHEL_09_232230 | bool - configure_strategy | bool @@ -24436,11 +25367,37 @@ - medium_severity | bool - no_reboot_needed | bool +- name: Set the file_owner_cron_weekly_newown variable if represented by uid + set_fact: + file_owner_cron_weekly_newown: '0' + when: + - DISA_STIG_RHEL_09_232230 | bool + - configure_strategy | bool + - file_owner_cron_weekly | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - '"kernel" in ansible_facts.packages' + tags: + - CCE-84190-8 + - DISA-STIG-RHEL-09-232230 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSSv4-2.2 + - PCI-DSSv4-2.2.6 + - configure_strategy + - file_owner_cron_weekly + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - name: Ensure owner on directory /etc/cron.weekly/ file: path: /etc/cron.weekly/ state: directory - owner: '0' + owner: '{{ file_owner_cron_weekly_newown }}' when: - DISA_STIG_RHEL_09_232230 | bool - configure_strategy | bool 
@@ -24489,6 +25446,32 @@ - medium_severity | bool - no_reboot_needed | bool +- name: Set the file_owner_crontab_newown variable if represented by uid + set_fact: + file_owner_crontab_newown: '0' + when: + - DISA_STIG_RHEL_09_232230 | bool + - configure_strategy | bool + - file_owner_crontab | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - '"kernel" in ansible_facts.packages' + tags: + - CCE-84167-6 + - DISA-STIG-RHEL-09-232230 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSSv4-2.2 + - PCI-DSSv4-2.2.6 + - configure_strategy + - file_owner_crontab + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - name: Test for existence /etc/crontab stat: path: /etc/crontab @@ -24516,10 +25499,10 @@ - medium_severity - no_reboot_needed -- name: Ensure owner 0 on /etc/crontab +- name: Ensure owner on /etc/crontab file: path: /etc/crontab - owner: '0' + owner: '{{ file_owner_crontab_newown }}' when: - DISA_STIG_RHEL_09_232230 | bool - configure_strategy | bool @@ -24570,7 +25553,7 @@ - no_reboot_needed | bool - name: Find /etc/cron.d/ file(s) - command: 'find -H /etc/cron.d/ -maxdepth 1 -perm /u+s,g+xwrs,o+xwrt -type d ' + command: 'find -L /etc/cron.d/ -maxdepth 1 -perm /u+s,g+xwrs,o+xwrt -type d ' register: files_found changed_when: false failed_when: false @@ -24654,7 +25637,7 @@ - no_reboot_needed | bool - name: Find /etc/cron.daily/ file(s) - command: 'find -H /etc/cron.daily/ -maxdepth 1 -perm /u+s,g+xwrs,o+xwrt -type d ' + command: 'find -L /etc/cron.daily/ -maxdepth 1 -perm /u+s,g+xwrs,o+xwrt -type d ' register: files_found changed_when: false failed_when: false 
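Review bot: Switching the permission scan from `find -H` to `find -L` in `Find /etc/cron.d/ file(s)` (and the same change for `cron.daily` here and for `cron.hourly`, `cron.monthly`, `cron.weekly` in the next hunks) makes `find` follow every symlink it meets, so a link inside the cron directory that points at a directory elsewhere is now reported under its link path; if the registered `files_found` is later passed to a `file`/`mode` task with the default `follow: true`, the permission change lands on the link target outside `/etc/cron.*`. That consuming task is not in the hunk, so this is inferred from the `register: files_found` line. If including link targets is intended, a comment on the command such as `# -L: also evaluate directories reached through symlinks; the fix task then modifies the link target` would document the wider scope; if not, `-H` keeps the check to the directory's own entries.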
@@ -24738,7 +25721,7 @@ - no_reboot_needed | bool - name: Find /etc/cron.hourly/ file(s) - command: 'find -H /etc/cron.hourly/ -maxdepth 1 -perm /u+s,g+xwrs,o+xwrt -type d ' + command: 'find -L /etc/cron.hourly/ -maxdepth 1 -perm /u+s,g+xwrs,o+xwrt -type d ' register: files_found changed_when: false failed_when: false @@ -24822,7 +25805,7 @@ - no_reboot_needed | bool - name: Find /etc/cron.monthly/ file(s) - command: 'find -H /etc/cron.monthly/ -maxdepth 1 -perm /u+s,g+xwrs,o+xwrt -type d ' + command: 'find -L /etc/cron.monthly/ -maxdepth 1 -perm /u+s,g+xwrs,o+xwrt -type d ' register: files_found changed_when: false failed_when: false @@ -24906,7 +25889,7 @@ - no_reboot_needed | bool - name: Find /etc/cron.weekly/ file(s) - command: 'find -H /etc/cron.weekly/ -maxdepth 1 -perm /u+s,g+xwrs,o+xwrt -type d ' + command: 'find -L /etc/cron.weekly/ -maxdepth 1 -perm /u+s,g+xwrs,o+xwrt -type d ' register: files_found changed_when: false failed_when: false @@ -24969,7 +25952,6 @@ manager: auto tags: - CCE-84176-7 - - DISA-STIG-RHEL-09-232265 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSSv4-2.2 @@ -24981,7 +25963,6 @@ - medium_severity - no_reboot_needed when: - - DISA_STIG_RHEL_09_232265 | bool - configure_strategy | bool - file_permissions_crontab | bool - low_complexity | bool @@ -24994,7 +25975,6 @@ path: /etc/crontab register: file_exists when: - - DISA_STIG_RHEL_09_232265 | bool - configure_strategy | bool - file_permissions_crontab | bool - low_complexity | bool @@ -25004,7 +25984,6 @@ - '"kernel" in ansible_facts.packages' tags: - CCE-84176-7 - - DISA-STIG-RHEL-09-232265 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSSv4-2.2 @@ -25021,7 +26000,6 @@ path: /etc/crontab mode: u-xs,g-xwrs,o-xwrt when: - - DISA_STIG_RHEL_09_232265 | bool - configure_strategy | bool - file_permissions_crontab | bool - low_complexity | bool 
@@ -25032,7 +26010,6 @@ - file_exists.stat is defined and file_exists.stat.exists tags: - CCE-84176-7 - - DISA-STIG-RHEL-09-232265 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSSv4-2.2 @@ -25195,6 +26172,28 @@ - medium_severity | bool - no_reboot_needed | bool +- name: Set the file_groupowner_at_allow_newgroup variable if represented by gid + set_fact: + file_groupowner_at_allow_newgroup: '0' + when: + - configure_strategy | bool + - file_groupowner_at_allow | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - '"kernel" in ansible_facts.packages' + tags: + - CCE-87103-8 + - PCI-DSSv4-2.2 + - PCI-DSSv4-2.2.6 + - configure_strategy + - file_groupowner_at_allow + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - name: Test for existence /etc/at.allow stat: path: /etc/at.allow @@ -25218,10 +26217,10 @@ - medium_severity - no_reboot_needed -- name: Ensure group owner 0 on /etc/at.allow +- name: Ensure group owner on /etc/at.allow file: path: /etc/at.allow - group: '0' + group: '{{ file_groupowner_at_allow_newgroup }}' when: - configure_strategy | bool - file_groupowner_at_allow | bool @@ -25265,6 +26264,30 @@ - medium_severity | bool - no_reboot_needed | bool +- name: Set the file_groupowner_cron_allow_newgroup variable if represented by gid + set_fact: + file_groupowner_cron_allow_newgroup: '0' + when: + - configure_strategy | bool + - file_groupowner_cron_allow | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - '"kernel" in ansible_facts.packages' + tags: + - CCE-86830-7 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSSv4-2.2 + - PCI-DSSv4-2.2.6 + - configure_strategy + - file_groupowner_cron_allow + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - name: Test for existence /etc/cron.allow stat: path: /etc/cron.allow 
@@ -25290,10 +26313,10 @@ - medium_severity - no_reboot_needed -- name: Ensure group owner 0 on /etc/cron.allow +- name: Ensure group owner on /etc/cron.allow file: path: /etc/cron.allow - group: '0' + group: '{{ file_groupowner_cron_allow_newgroup }}' when: - configure_strategy | bool - file_groupowner_cron_allow | bool @@ -25339,6 +26362,30 @@ - medium_severity | bool - no_reboot_needed | bool +- name: Set the file_owner_cron_allow_newown variable if represented by uid + set_fact: + file_owner_cron_allow_newown: '0' + when: + - configure_strategy | bool + - file_owner_cron_allow | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - '"kernel" in ansible_facts.packages' + tags: + - CCE-86844-8 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSSv4-2.2 + - PCI-DSSv4-2.2.6 + - configure_strategy + - file_owner_cron_allow + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - name: Test for existence /etc/cron.allow stat: path: /etc/cron.allow @@ -25364,10 +26411,10 @@ - medium_severity - no_reboot_needed -- name: Ensure owner 0 on /etc/cron.allow +- name: Ensure owner on /etc/cron.allow file: path: /etc/cron.allow - owner: '0' + owner: '{{ file_owner_cron_allow_newown }}' when: - configure_strategy | bool - file_owner_cron_allow | bool @@ -25526,8 +26573,8 @@ - medium_severity - no_reboot_needed -- name: Ensure dhcp-server is removed - package: +- name: 'Uninstall DHCP Server Package: Ensure dhcp-server is removed' + ansible.builtin.package: name: dhcp-server state: absent tags: @@ -25551,8 +26598,8 @@ - no_reboot_needed | bool - package_dhcp_removed | bool -- name: Ensure dnsmasq is removed - package: +- name: 'Uninstall dnsmasq Package: Ensure dnsmasq is removed' + ansible.builtin.package: name: dnsmasq state: absent tags: 
@@ -25571,8 +26618,8 @@ - no_reboot_needed | bool - package_dnsmasq_removed | bool -- name: Ensure bind is removed - package: +- name: 'Uninstall bind Package: Ensure bind is removed' + ansible.builtin.package: name: bind state: absent tags: @@ -25594,8 +26641,31 @@ - no_reboot_needed | bool - package_bind_removed | bool -- name: Ensure ftp is removed - package: +- name: 'Uninstall bind Package: Ensure bind9.18 is removed' + ansible.builtin.package: + name: bind9.18 + state: absent + tags: + - CCE-86505-5 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - disable_strategy + - low_complexity + - low_disruption + - low_severity + - no_reboot_needed + - package_bind_removed + when: + - disable_strategy | bool + - low_complexity | bool + - low_disruption | bool + - low_severity | bool + - no_reboot_needed | bool + - package_bind_removed | bool + +- name: 'Remove ftp Package: Ensure ftp is removed' + ansible.builtin.package: name: ftp state: absent tags: @@ -25616,8 +26686,8 @@ - no_reboot_needed | bool - package_ftp_removed | bool -- name: Ensure vsftpd is removed - package: +- name: 'Uninstall vsftpd Package: Ensure vsftpd is removed' + ansible.builtin.package: name: vsftpd state: absent tags: @@ -25645,8 +26715,8 @@ - no_reboot_needed | bool - package_vsftpd_removed | bool -- name: Ensure httpd is removed - package: +- name: 'Uninstall httpd Package: Ensure httpd is removed' + ansible.builtin.package: name: httpd state: absent tags: @@ -25668,8 +26738,8 @@ - package_httpd_removed | bool - unknown_severity | bool -- name: Ensure nginx is removed - package: +- name: 'Uninstall nginx Package: Ensure nginx is removed' + ansible.builtin.package: name: nginx state: absent tags: @@ -25691,8 +26761,8 @@ - package_nginx_removed | bool - unknown_severity | bool -- name: Ensure cyrus-imapd is removed - package: +- name: 'Uninstall cyrus-imapd Package: Ensure cyrus-imapd is removed' + ansible.builtin.package: name: cyrus-imapd state: absent tags: 
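Review bot: The added `Uninstall bind Package: Ensure bind9.18 is removed` task repeats the full tag list and `when:` conditions of the bind rule (`package_bind_removed`, `CCE-86505-5`) with only the package name changed; `ansible.builtin.package` accepts a list, so folding it into the existing bind task as `name: [bind, bind9.18]` would express the rule once and keep the two names from drifting apart on the next tag or severity update. If the split is deliberate (for example to get separate task results per package), a short comment above the new task stating that would help. The enclosing bind task's own lines are outside this hunk.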
@@ -25711,8 +26781,8 @@ - package_cyrus_imapd_removed | bool - unknown_severity | bool -- name: Ensure dovecot is removed - package: +- name: 'Uninstall dovecot Package: Ensure dovecot is removed' + ansible.builtin.package: name: dovecot state: absent tags: @@ -25731,8 +26801,8 @@ - package_dovecot_removed | bool - unknown_severity | bool -- name: Ensure openldap-clients is removed - package: +- name: 'Ensure LDAP client is not installed: Ensure openldap-clients is removed' + ansible.builtin.package: name: openldap-clients state: absent tags: @@ -26271,8 +27341,8 @@ - medium_severity - no_reboot_needed -- name: Ensure rsync-daemon is removed - package: +- name: 'Uninstall rsync Package: Ensure rsync-daemon is removed' + ansible.builtin.package: name: rsync-daemon state: absent tags: 
@@ -26291,107 +27361,6 @@ - no_reboot_needed | bool - package_rsync_removed | bool -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-84155-1 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - PCI-DSSv4-2.2 - - PCI-DSSv4-2.2.4 - - disable_strategy - - low_complexity - - low_disruption - - low_severity - - no_reboot_needed - - package_xinetd_removed - when: - - disable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - low_severity | bool - - no_reboot_needed | bool - - package_xinetd_removed | bool - -- name: Ensure xinetd is removed - package: - name: xinetd - state: absent - when: - - disable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - low_severity | bool - - no_reboot_needed | bool - - package_xinetd_removed | bool - - '"kernel" in ansible_facts.packages' - tags: - - CCE-84155-1 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - PCI-DSSv4-2.2 - - PCI-DSSv4-2.2.4 - - disable_strategy - - low_complexity - - low_disruption - - low_severity - - no_reboot_needed - - package_xinetd_removed - -- name: Ensure ypbind is removed - package: - name: ypbind - state: absent - tags: - - CCE-84151-0 - - PCI-DSSv4-2.2 - - PCI-DSSv4-2.2.4 - - disable_strategy - - low_complexity - - low_disruption - - no_reboot_needed - - package_ypbind_removed - - unknown_severity - when: - - disable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - no_reboot_needed | bool - - package_ypbind_removed | bool - - unknown_severity | bool - -- name: Ensure ypserv is removed - package: - name: ypserv - state: absent - tags: - - CCE-84152-8 - - DISA-STIG-RHEL-09-215030 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - NIST-800-53-IA-5(1)(c) - - PCI-DSS-Req-2.2.2 - - PCI-DSSv4-2.2 - - PCI-DSSv4-2.2.4 - - disable_strategy - - high_severity - - low_complexity - - low_disruption - - no_reboot_needed - - package_ypserv_removed - 
when: - - DISA_STIG_RHEL_09_215030 | bool - - disable_strategy | bool - - high_severity | bool - - low_complexity | bool - - low_disruption | bool - - no_reboot_needed | bool - - package_ypserv_removed | bool - - name: Gather the package facts package_facts: manager: auto @@ -26495,8 +27464,8 @@ - no_rsh_trust_files - restrict_strategy -- name: Ensure telnet-server is removed - package: +- name: 'Uninstall telnet-server Package: Ensure telnet-server is removed' + ansible.builtin.package: name: telnet-server state: absent tags: @@ -26523,8 +27492,8 @@ - no_reboot_needed | bool - package_telnet_server_removed | bool -- name: Ensure telnet is removed - package: +- name: 'Remove telnet Clients: Ensure telnet is removed' + ansible.builtin.package: name: telnet state: absent tags: @@ -26546,8 +27515,8 @@ - no_reboot_needed | bool - package_telnet_removed | bool -- name: Ensure tftp-server is removed - package: +- name: 'Uninstall tftp-server Package: Ensure tftp-server is removed' + ansible.builtin.package: name: tftp-server state: absent tags: @@ -26573,8 +27542,8 @@ - no_reboot_needed | bool - package_tftp_server_removed | bool -- name: Ensure tftp is removed - package: +- name: 'Remove tftp Daemon: Ensure tftp is removed' + ansible.builtin.package: name: tftp state: absent tags: @@ -26723,8 +27692,8 @@ - service_cups_disabled - unknown_severity -- name: Ensure squid is removed - package: +- name: 'Uninstall squid Package: Ensure squid is removed' + ansible.builtin.package: name: squid state: absent tags: @@ -26743,8 +27712,8 @@ - package_squid_removed | bool - unknown_severity | bool -- name: Ensure samba is removed - package: +- name: 'Uninstall Samba Package: Ensure samba is removed' + ansible.builtin.package: name: samba state: absent tags: 
@@ -26763,8 +27732,8 @@ - package_samba_removed | bool - unknown_severity | bool -- name: Ensure net-snmp is removed - package: +- name: 'Uninstall net-snmp Package: Ensure net-snmp is removed' + ansible.builtin.package: name: net-snmp state: absent tags: @@ -26809,6 +27778,31 @@ - medium_severity | bool - no_reboot_needed | bool +- name: Set the file_groupowner_sshd_config_newgroup variable if represented by gid + set_fact: + file_groupowner_sshd_config_newgroup: '0' + when: + - DISA_STIG_RHEL_09_255105 | bool + - configure_strategy | bool + - file_groupowner_sshd_config | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - '"kernel" in ansible_facts.packages' + tags: + - CCE-90817-8 + - DISA-STIG-RHEL-09-255105 + - NIST-800-53-AC-17(a) + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - configure_strategy + - file_groupowner_sshd_config + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - name: Test for existence /etc/ssh/sshd_config stat: path: /etc/ssh/sshd_config @@ -26835,10 +27829,10 @@ - medium_severity - no_reboot_needed -- name: Ensure group owner 0 on /etc/ssh/sshd_config +- name: Ensure group owner on /etc/ssh/sshd_config file: path: /etc/ssh/sshd_config - group: '0' + group: '{{ file_groupowner_sshd_config_newgroup }}' when: - DISA_STIG_RHEL_09_255105 | bool - configure_strategy | bool 
@@ -26881,8 +27875,52 @@ - medium_severity | bool - no_reboot_needed | bool +- name: Check that the ssh_keys group is defined + getent: + database: group + key: ssh_keys + ignore_errors: true + when: + - configure_strategy | bool + - file_groupownership_sshd_private_key | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - '"kernel" in ansible_facts.packages' + - file_groupownership_sshd_private_key_newgroup is undefined + tags: + - CCE-86127-8 + - configure_strategy + - file_groupownership_sshd_private_key + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Set the file_groupownership_sshd_private_key_newgroup variable if ssh_keys found + set_fact: + file_groupownership_sshd_private_key_newgroup: ssh_keys + when: + - configure_strategy | bool + - file_groupownership_sshd_private_key | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - '"kernel" in ansible_facts.packages' + - ansible_facts.getent_group["ssh_keys"] is defined + tags: + - CCE-86127-8 + - configure_strategy + - file_groupownership_sshd_private_key + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - name: Find /etc/ssh/ file(s) matching ^.*_key$ - command: find -H /etc/ssh/ -maxdepth 1 -type f ! -group ssh_keys -regextype posix-extended -regex "^.*_key$" + command: find -L /etc/ssh/ -maxdepth 1 -type f ! -group ssh_keys -regextype posix-extended -regex "^.*_key$" register: files_found changed_when: false failed_when: false @@ -26907,7 +27945,7 @@ - name: Ensure group owner on /etc/ssh/ file(s) matching ^.*_key$ file: path: '{{ item }}' - group: ssh_keys + group: '{{ file_groupownership_sshd_private_key_newgroup }}' state: file with_items: - '{{ files_found.stdout_lines }}' 
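Review bot: Discovery and fix disagree in this hunk: `find -L /etc/ssh/ ... ! -group ssh_keys ...` still hard-codes the group, while the `file:` task now sets `group: '{{ file_groupownership_sshd_private_key_newgroup }}'`, so an operator who overrides the variable (the only reason the getent task is guarded with `is undefined`) gets key files still grouped ssh_keys never re-owned. The `set_fact` task is also missing that guard: `ansible_facts.getent_group` persists for the rest of the play, so if an earlier task enumerated the group database, `ansible_facts.getent_group["ssh_keys"] is defined` is true and the supplied value is overwritten with `ssh_keys`. Suggested: add `- file_groupownership_sshd_private_key_newgroup is undefined` to the set_fact `when:`, use `! -group '{{ file_groupownership_sshd_private_key_newgroup }}'` in the find, and skip both the find and the file task while the variable is still undefined (no ssh_keys group on the host), which today is only masked by `failed_when: false`. The `.pub` and `_key` hunks below hard-code `! -group 0` / `! -user 0` against a templated variable in the same way.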
@@ -26947,8 +27985,28 @@ - medium_severity | bool - no_reboot_needed | bool +- name: Set the file_groupownership_sshd_pub_key_newgroup variable if represented by gid + set_fact: + file_groupownership_sshd_pub_key_newgroup: '0' + when: + - configure_strategy | bool + - file_groupownership_sshd_pub_key | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - '"kernel" in ansible_facts.packages' + tags: + - CCE-86136-9 + - configure_strategy + - file_groupownership_sshd_pub_key + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - name: Find /etc/ssh/ file(s) matching ^.*\.pub$ - command: find -H /etc/ssh/ -maxdepth 1 -type f ! -group 0 -regextype posix-extended -regex "^.*\.pub$" + command: find -L /etc/ssh/ -maxdepth 1 -type f ! -group 0 -regextype posix-extended -regex "^.*\.pub$" register: files_found changed_when: false failed_when: false @@ -26973,7 +28031,7 @@ - name: Ensure group owner on /etc/ssh/ file(s) matching ^.*\.pub$ file: path: '{{ item }}' - group: '0' + group: '{{ file_groupownership_sshd_pub_key_newgroup }}' state: file with_items: - '{{ files_found.stdout_lines }}' @@ -27018,6 +28076,31 @@ - medium_severity | bool - no_reboot_needed | bool +- name: Set the file_owner_sshd_config_newown variable if represented by uid + set_fact: + file_owner_sshd_config_newown: '0' + when: + - DISA_STIG_RHEL_09_255110 | bool + - configure_strategy | bool + - file_owner_sshd_config | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - '"kernel" in ansible_facts.packages' + tags: + - CCE-90821-0 + - DISA-STIG-RHEL-09-255110 + - NIST-800-53-AC-17(a) + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - configure_strategy + - file_owner_sshd_config + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - name: Test for existence /etc/ssh/sshd_config stat: path: /etc/ssh/sshd_config 
@@ -27044,10 +28127,10 @@ - medium_severity - no_reboot_needed -- name: Ensure owner 0 on /etc/ssh/sshd_config +- name: Ensure owner on /etc/ssh/sshd_config file: path: /etc/ssh/sshd_config - owner: '0' + owner: '{{ file_owner_sshd_config_newown }}' when: - DISA_STIG_RHEL_09_255110 | bool - configure_strategy | bool @@ -27090,8 +28173,28 @@ - medium_severity | bool - no_reboot_needed | bool +- name: Set the file_ownership_sshd_private_key_newown variable if represented by uid + set_fact: + file_ownership_sshd_private_key_newown: '0' + when: + - configure_strategy | bool + - file_ownership_sshd_private_key | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - '"kernel" in ansible_facts.packages' + tags: + - CCE-86119-5 + - configure_strategy + - file_ownership_sshd_private_key + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - name: Find /etc/ssh/ file(s) matching ^.*_key$ - command: find -H /etc/ssh/ -maxdepth 1 -type f ! -uid 0 -regextype posix-extended -regex "^.*_key$" + command: find -L /etc/ssh/ -maxdepth 1 -type f ! -user 0 -regextype posix-extended -regex "^.*_key$" register: files_found changed_when: false failed_when: false @@ -27116,7 +28219,7 @@ - name: Ensure owner on /etc/ssh/ file(s) matching ^.*_key$ file: path: '{{ item }}' - owner: '0' + owner: '{{ file_ownership_sshd_private_key_newown }}' state: file with_items: - '{{ files_found.stdout_lines }}' 
@@ -27156,8 +28259,28 @@ - medium_severity | bool - no_reboot_needed | bool +- name: Set the file_ownership_sshd_pub_key_newown variable if represented by uid + set_fact: + file_ownership_sshd_pub_key_newown: '0' + when: + - configure_strategy | bool + - file_ownership_sshd_pub_key | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - '"kernel" in ansible_facts.packages' + tags: + - CCE-86130-2 + - configure_strategy + - file_ownership_sshd_pub_key + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - name: Find /etc/ssh/ file(s) matching ^.*\.pub$ - command: find -H /etc/ssh/ -maxdepth 1 -type f ! -uid 0 -regextype posix-extended -regex "^.*\.pub$" + command: find -L /etc/ssh/ -maxdepth 1 -type f ! -user 0 -regextype posix-extended -regex "^.*\.pub$" register: files_found changed_when: false failed_when: false @@ -27182,7 +28305,7 @@ - name: Ensure owner on /etc/ssh/ file(s) matching ^.*\.pub$ file: path: '{{ item }}' - owner: '0' + owner: '{{ file_ownership_sshd_pub_key_newown }}' state: file with_items: - '{{ files_found.stdout_lines }}' @@ -27479,7 +28602,7 @@ - no_reboot_needed | bool - name: Find /etc/ssh/ file(s) - command: find -H /etc/ssh/ -maxdepth 1 -perm /u+xs,g+xws,o+xwt -type f -regextype posix-extended -regex "^.*\.pub$" + command: find -L /etc/ssh/ -maxdepth 1 -perm /u+xs,g+xws,o+xwt -type f -regextype posix-extended -regex "^.*\.pub$" register: files_found changed_when: false failed_when: false @@ -29383,7 +30506,6 @@ manager: auto tags: - CCE-86769-7 - - DISA-STIG-RHEL-09-255070 - NIST-800-53-AC-17 (2) - low_complexity - low_disruption @@ -29392,7 +30514,6 @@ - restrict_strategy - sshd_use_strong_macs when: - - DISA_STIG_RHEL_09_255070 | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool 
@@ -29428,7 +30549,6 @@ insertbefore: BOF validate: /usr/sbin/sshd -t -f %s when: - - DISA_STIG_RHEL_09_255070 | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool @@ -29438,7 +30558,6 @@ - '"kernel" in ansible_facts.packages' tags: - CCE-86769-7 - - DISA-STIG-RHEL-09-255070 - NIST-800-53-AC-17 (2) - low_complexity - low_disruption @@ -29447,8 +30566,8 @@ - restrict_strategy - sshd_use_strong_macs -- name: Ensure xorg-x11-server-common is removed - package: +- name: 'Remove the X Windows Package Group: Ensure xorg-x11-server-common is removed' + ansible.builtin.package: name: xorg-x11-server-common state: absent tags: @@ -30000,7 +31119,8 @@ - reboot_required | bool - restrict_strategy | bool -- name: Check if watch rule for /etc/selinux/ already exists in /etc/audit/rules.d/ +- name: Record Events that Modify the System's Mandatory Access Controls - Check if watch rule for /etc/selinux/ already exists + in /etc/audit/rules.d/ find: paths: /etc/audit/rules.d contains: ^\s*-w\s+/etc/selinux/\s+-p\s+wa(\s|$)+ @@ -30032,7 +31152,8 @@ - reboot_required - restrict_strategy -- name: Search /etc/audit/rules.d for other rules with specified key MAC-policy +- name: Record Events that Modify the System's Mandatory Access Controls - Search /etc/audit/rules.d for other rules with + specified key MAC-policy find: paths: /etc/audit/rules.d contains: ^.*(?:-F key=|-k\s+)MAC-policy$ @@ -30065,7 +31186,8 @@ - reboot_required - restrict_strategy -- name: Use /etc/audit/rules.d/MAC-policy.rules as the recipient for the rule +- name: Record Events that Modify the System's Mandatory Access Controls - Use /etc/audit/rules.d/MAC-policy.rules as the + recipient for the rule set_fact: all_files: - /etc/audit/rules.d/MAC-policy.rules 
@@ -30097,7 +31219,7 @@ - reboot_required - restrict_strategy -- name: Use matched file as the recipient for the rule +- name: Record Events that Modify the System's Mandatory Access Controls - Use matched file as the recipient for the rule set_fact: all_files: - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' @@ -30129,7 +31251,7 @@ - reboot_required - restrict_strategy -- name: Add watch rule for /etc/selinux/ in /etc/audit/rules.d/ +- name: Record Events that Modify the System's Mandatory Access Controls - Add watch rule for /etc/selinux/ in /etc/audit/rules.d/ lineinfile: path: '{{ all_files[0] }}' line: -w /etc/selinux/ -p wa -k MAC-policy @@ -30162,7 +31284,8 @@ - reboot_required - restrict_strategy -- name: Check if watch rule for /etc/selinux/ already exists in /etc/audit/audit.rules +- name: Record Events that Modify the System's Mandatory Access Controls - Check if watch rule for /etc/selinux/ already exists + in /etc/audit/audit.rules find: paths: /etc/audit/ contains: ^\s*-w\s+/etc/selinux/\s+-p\s+wa(\s|$)+ @@ -30194,7 +31317,7 @@ - reboot_required - restrict_strategy -- name: Add watch rule for /etc/selinux/ in /etc/audit/audit.rules +- name: Record Events that Modify the System's Mandatory Access Controls - Add watch rule for /etc/selinux/ in /etc/audit/audit.rules lineinfile: line: -w /etc/selinux/ -p wa -k MAC-policy state: present 
@@ -30242,17 +31365,18 @@ - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy when: - audit_rules_mac_modification_usr_share | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool -- name: Check if watch rule for /usr/share/selinux/ already exists in /etc/audit/rules.d/ +- name: Record Events that Modify the System's Mandatory Access Controls in usr/share - Check if watch rule for /usr/share/selinux/ + already exists in /etc/audit/rules.d/ find: paths: /etc/audit/rules.d contains: ^\s*-w\s+/usr/share/selinux/\s+-p\s+wa(\s|$)+ @@ -30263,7 +31387,7 @@ - low_complexity | bool - low_disruption | bool - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel" in ansible_facts.packages' @@ -30278,10 +31402,11 @@ - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Search /etc/audit/rules.d for other rules with specified key MAC-policy +- name: Record Events that Modify the System's Mandatory Access Controls in usr/share - Search /etc/audit/rules.d for other + rules with specified key MAC-policy find: paths: /etc/audit/rules.d contains: ^.*(?:-F key=|-k\s+)MAC-policy$ @@ -30292,7 +31417,7 @@ - low_complexity | bool - low_disruption | bool - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel" in ansible_facts.packages' 
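Review bot: This hunk flips the usr/share MAC-policy watch-rule tasks from `reboot_required` to `no_reboot_needed` while the sibling tasks for `/etc/selinux/` in the preceding hunks keep `reboot_required`, yet both groups only write `-w ... -p wa -k MAC-policy` lines into /etc/audit/rules.d/ or audit.rules and nothing visible here reloads them. Unless a handler outside this diff runs the rules load (and the audit configuration is not locked with `-e 2`, where only a reboot applies new rules), the new tag and condition overstate what the task achieves and a `no_reboot_needed`-filtered run will report the watch as in place before it is active. Either align both rule groups on one tag or add a comment above the first usr/share task explaining why it differs; the same change repeats in the hunks that follow.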
@@ -30308,10 +31433,11 @@ - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Use /etc/audit/rules.d/MAC-policy.rules as the recipient for the rule +- name: Record Events that Modify the System's Mandatory Access Controls in usr/share - Use /etc/audit/rules.d/MAC-policy.rules + as the recipient for the rule set_fact: all_files: - /etc/audit/rules.d/MAC-policy.rules @@ -30320,7 +31446,7 @@ - low_complexity | bool - low_disruption | bool - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel" in ansible_facts.packages' @@ -30337,10 +31463,11 @@ - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Use matched file as the recipient for the rule +- name: Record Events that Modify the System's Mandatory Access Controls in usr/share - Use matched file as the recipient + for the rule set_fact: all_files: - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' @@ -30349,7 +31476,7 @@ - low_complexity | bool - low_disruption | bool - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel" in ansible_facts.packages' @@ -30366,10 +31493,11 @@ - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Add watch rule for /usr/share/selinux/ in /etc/audit/rules.d/ +- name: Record Events that Modify the System's Mandatory Access Controls in usr/share - Add watch rule for /usr/share/selinux/ + in /etc/audit/rules.d/ lineinfile: path: '{{ all_files[0] }}' line: -w /usr/share/selinux/ -p wa -k MAC-policy 
@@ -30380,7 +31508,7 @@ - low_complexity | bool - low_disruption | bool - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel" in ansible_facts.packages' @@ -30396,10 +31524,11 @@ - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Check if watch rule for /usr/share/selinux/ already exists in /etc/audit/audit.rules +- name: Record Events that Modify the System's Mandatory Access Controls in usr/share - Check if watch rule for /usr/share/selinux/ + already exists in /etc/audit/audit.rules find: paths: /etc/audit/ contains: ^\s*-w\s+/usr/share/selinux/\s+-p\s+wa(\s|$)+ @@ -30410,7 +31539,7 @@ - low_complexity | bool - low_disruption | bool - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel" in ansible_facts.packages' @@ -30425,10 +31554,11 @@ - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Add watch rule for /usr/share/selinux/ in /etc/audit/audit.rules +- name: Record Events that Modify the System's Mandatory Access Controls in usr/share - Add watch rule for /usr/share/selinux/ + in /etc/audit/audit.rules lineinfile: line: -w /usr/share/selinux/ -p wa -k MAC-policy state: present @@ -30440,7 +31570,7 @@ - low_complexity | bool - low_disruption | bool - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel" in ansible_facts.packages' @@ -30456,7 +31586,7 @@ - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy - name: Gather the package facts 
@@ -30551,8 +31681,8 @@ - name: Get path with most syscalls set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules - set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules" + - name: No file with syscall found, set path to /etc/audit/rules.d/export.rules + set_fact: audit_file="/etc/audit/rules.d/export.rules" when: found_paths | length == 0 - name: Declare found syscalls set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" @@ -30571,7 +31701,7 @@ - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod + line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=export create: true mode: g-rwx,o-rwx state: present @@ -30607,7 +31737,7 @@ - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod + line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=export create: true mode: g-rwx,o-rwx state: present 
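Review bot: Changing the rule key from `perm_mod` to `export` (and the fallback file to `/etc/audit/rules.d/export.rules`) only affects the line that gets added; a host already remediated by the previous version keeps its `-F key=perm_mod` line for the same syscalls, and since the visible selection logic (`Get path with most syscalls`) prefers the file that already matches the syscall, the new `key=export` line will presumably be appended next to the old one rather than replace it unless the `lineinfile` carries a `regexp` for the old key (not visible in this hunk). That leaves two rules for one event under different keys until the stale one is removed by hand, which splits the events between the two keys when searching the audit log. A cleanup step that removes the `key=perm_mod` line for these syscalls, or at least a comment in the task recording the key change, would avoid the duplicate; the same applies to the b64 hunk below.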
@@ -30670,8 +31800,8 @@ - name: Get path with most syscalls set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules - set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules" + - name: No file with syscall found, set path to /etc/audit/rules.d/export.rules + set_fact: audit_file="/etc/audit/rules.d/export.rules" when: found_paths | length == 0 - name: Declare found syscalls set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" @@ -30690,7 +31820,7 @@ - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod + line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=export create: true mode: g-rwx,o-rwx state: present @@ -30726,7 +31856,7 @@ - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' - line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod + line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=export create: true mode: g-rwx,o-rwx state: present @@ -31069,7 +32199,8 @@ - no_reboot_needed - restrict_strategy -- name: Check if watch rule for /etc/issue already exists in /etc/audit/rules.d/ +- name: Record Events that Modify the System's Network Environment - Check if watch rule for /etc/issue already exists in + /etc/audit/rules.d/ find: paths: /etc/audit/rules.d contains: ^\s*-w\s+/etc/issue\s+-p\s+wa(\s|$)+ 
@@ -31102,7 +32233,8 @@ - no_reboot_needed - restrict_strategy -- name: Search /etc/audit/rules.d for other rules with specified key audit_rules_networkconfig_modification +- name: Record Events that Modify the System's Network Environment - Search /etc/audit/rules.d for other rules with specified + key audit_rules_networkconfig_modification find: paths: /etc/audit/rules.d contains: ^.*(?:-F key=|-k\s+)audit_rules_networkconfig_modification$ @@ -31136,7 +32268,8 @@ - no_reboot_needed - restrict_strategy -- name: Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules as the recipient for the rule +- name: Record Events that Modify the System's Network Environment - Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules + as the recipient for the rule set_fact: all_files: - /etc/audit/rules.d/audit_rules_networkconfig_modification.rules @@ -31169,7 +32302,7 @@ - no_reboot_needed - restrict_strategy -- name: Use matched file as the recipient for the rule +- name: Record Events that Modify the System's Network Environment - Use matched file as the recipient for the rule set_fact: all_files: - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' @@ -31202,7 +32335,7 @@ - no_reboot_needed - restrict_strategy -- name: Add watch rule for /etc/issue in /etc/audit/rules.d/ +- name: Record Events that Modify the System's Network Environment - Add watch rule for /etc/issue in /etc/audit/rules.d/ lineinfile: path: '{{ all_files[0] }}' line: -w /etc/issue -p wa -k audit_rules_networkconfig_modification @@ -31236,7 +32369,8 @@ - no_reboot_needed - restrict_strategy -- name: Check if watch rule for /etc/issue already exists in /etc/audit/audit.rules +- name: Record Events that Modify the System's Network Environment - Check if watch rule for /etc/issue already exists in + /etc/audit/audit.rules find: paths: /etc/audit/ contains: ^\s*-w\s+/etc/issue\s+-p\s+wa(\s|$)+ 
@@ -31269,7 +32403,7 @@ - no_reboot_needed - restrict_strategy -- name: Add watch rule for /etc/issue in /etc/audit/audit.rules +- name: Record Events that Modify the System's Network Environment - Add watch rule for /etc/issue in /etc/audit/audit.rules lineinfile: line: -w /etc/issue -p wa -k audit_rules_networkconfig_modification state: present @@ -31304,7 +32438,8 @@ - no_reboot_needed - restrict_strategy -- name: Check if watch rule for /etc/issue.net already exists in /etc/audit/rules.d/ +- name: Record Events that Modify the System's Network Environment - Check if watch rule for /etc/issue.net already exists + in /etc/audit/rules.d/ find: paths: /etc/audit/rules.d contains: ^\s*-w\s+/etc/issue.net\s+-p\s+wa(\s|$)+ @@ -31337,7 +32472,8 @@ - no_reboot_needed - restrict_strategy -- name: Search /etc/audit/rules.d for other rules with specified key audit_rules_networkconfig_modification +- name: Record Events that Modify the System's Network Environment - Search /etc/audit/rules.d for other rules with specified + key audit_rules_networkconfig_modification find: paths: /etc/audit/rules.d contains: ^.*(?:-F key=|-k\s+)audit_rules_networkconfig_modification$ @@ -31371,7 +32507,8 @@ - no_reboot_needed - restrict_strategy -- name: Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules as the recipient for the rule +- name: Record Events that Modify the System's Network Environment - Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules + as the recipient for the rule set_fact: all_files: - /etc/audit/rules.d/audit_rules_networkconfig_modification.rules @@ -31404,7 +32541,7 @@ - no_reboot_needed - restrict_strategy -- name: Use matched file as the recipient for the rule +- name: Record Events that Modify the System's Network Environment - Use matched file as the recipient for the rule set_fact: all_files: - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' 
@@ -31437,7 +32574,7 @@ - no_reboot_needed - restrict_strategy -- name: Add watch rule for /etc/issue.net in /etc/audit/rules.d/ +- name: Record Events that Modify the System's Network Environment - Add watch rule for /etc/issue.net in /etc/audit/rules.d/ lineinfile: path: '{{ all_files[0] }}' line: -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification @@ -31471,7 +32608,8 @@ - no_reboot_needed - restrict_strategy -- name: Check if watch rule for /etc/issue.net already exists in /etc/audit/audit.rules +- name: Record Events that Modify the System's Network Environment - Check if watch rule for /etc/issue.net already exists + in /etc/audit/audit.rules find: paths: /etc/audit/ contains: ^\s*-w\s+/etc/issue.net\s+-p\s+wa(\s|$)+ @@ -31504,7 +32642,7 @@ - no_reboot_needed - restrict_strategy -- name: Add watch rule for /etc/issue.net in /etc/audit/audit.rules +- name: Record Events that Modify the System's Network Environment - Add watch rule for /etc/issue.net in /etc/audit/audit.rules lineinfile: line: -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification state: present @@ -31539,7 +32677,8 @@ - no_reboot_needed - restrict_strategy -- name: Check if watch rule for /etc/hosts already exists in /etc/audit/rules.d/ +- name: Record Events that Modify the System's Network Environment - Check if watch rule for /etc/hosts already exists in + /etc/audit/rules.d/ find: paths: /etc/audit/rules.d contains: ^\s*-w\s+/etc/hosts\s+-p\s+wa(\s|$)+ @@ -31572,7 +32711,8 @@ - no_reboot_needed - restrict_strategy -- name: Search /etc/audit/rules.d for other rules with specified key audit_rules_networkconfig_modification +- name: Record Events that Modify the System's Network Environment - Search /etc/audit/rules.d for other rules with specified + key audit_rules_networkconfig_modification find: paths: /etc/audit/rules.d contains: ^.*(?:-F key=|-k\s+)audit_rules_networkconfig_modification$ 
@@ -31606,7 +32746,8 @@ - no_reboot_needed - restrict_strategy -- name: Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules as the recipient for the rule +- name: Record Events that Modify the System's Network Environment - Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules + as the recipient for the rule set_fact: all_files: - /etc/audit/rules.d/audit_rules_networkconfig_modification.rules @@ -31639,7 +32780,7 @@ - no_reboot_needed - restrict_strategy -- name: Use matched file as the recipient for the rule +- name: Record Events that Modify the System's Network Environment - Use matched file as the recipient for the rule set_fact: all_files: - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' @@ -31672,7 +32813,7 @@ - no_reboot_needed - restrict_strategy -- name: Add watch rule for /etc/hosts in /etc/audit/rules.d/ +- name: Record Events that Modify the System's Network Environment - Add watch rule for /etc/hosts in /etc/audit/rules.d/ lineinfile: path: '{{ all_files[0] }}' line: -w /etc/hosts -p wa -k audit_rules_networkconfig_modification @@ -31706,7 +32847,8 @@ - no_reboot_needed - restrict_strategy -- name: Check if watch rule for /etc/hosts already exists in /etc/audit/audit.rules +- name: Record Events that Modify the System's Network Environment - Check if watch rule for /etc/hosts already exists in + /etc/audit/audit.rules find: paths: /etc/audit/ contains: ^\s*-w\s+/etc/hosts\s+-p\s+wa(\s|$)+ @@ -31739,7 +32881,7 @@ - no_reboot_needed - restrict_strategy -- name: Add watch rule for /etc/hosts in /etc/audit/audit.rules +- name: Record Events that Modify the System's Network Environment - Add watch rule for /etc/hosts in /etc/audit/audit.rules lineinfile: line: -w /etc/hosts -p wa -k audit_rules_networkconfig_modification state: present 
@@ -31774,7 +32916,8 @@ - no_reboot_needed - restrict_strategy -- name: Check if watch rule for /etc/sysconfig/network already exists in /etc/audit/rules.d/ +- name: Record Events that Modify the System's Network Environment - Check if watch rule for /etc/sysconfig/network already + exists in /etc/audit/rules.d/ find: paths: /etc/audit/rules.d contains: ^\s*-w\s+/etc/sysconfig/network\s+-p\s+wa(\s|$)+ @@ -31807,7 +32950,8 @@ - no_reboot_needed - restrict_strategy -- name: Search /etc/audit/rules.d for other rules with specified key audit_rules_networkconfig_modification +- name: Record Events that Modify the System's Network Environment - Search /etc/audit/rules.d for other rules with specified + key audit_rules_networkconfig_modification find: paths: /etc/audit/rules.d contains: ^.*(?:-F key=|-k\s+)audit_rules_networkconfig_modification$ @@ -31841,7 +32985,8 @@ - no_reboot_needed - restrict_strategy -- name: Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules as the recipient for the rule +- name: Record Events that Modify the System's Network Environment - Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules + as the recipient for the rule set_fact: all_files: - /etc/audit/rules.d/audit_rules_networkconfig_modification.rules @@ -31874,7 +33019,7 @@ - no_reboot_needed - restrict_strategy -- name: Use matched file as the recipient for the rule +- name: Record Events that Modify the System's Network Environment - Use matched file as the recipient for the rule set_fact: all_files: - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' @@ -31907,7 +33052,7 @@ - no_reboot_needed - restrict_strategy -- name: Add watch rule for /etc/sysconfig/network in /etc/audit/rules.d/ +- name: Record Events that Modify the System's Network Environment - Add watch rule for /etc/sysconfig/network in /etc/audit/rules.d/ lineinfile: path: '{{ all_files[0] }}' line: -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification 
@@ -31941,7 +33086,8 @@ - no_reboot_needed - restrict_strategy -- name: Check if watch rule for /etc/sysconfig/network already exists in /etc/audit/audit.rules +- name: Record Events that Modify the System's Network Environment - Check if watch rule for /etc/sysconfig/network already + exists in /etc/audit/audit.rules find: paths: /etc/audit/ contains: ^\s*-w\s+/etc/sysconfig/network\s+-p\s+wa(\s|$)+ @@ -31974,7 +33120,7 @@ - no_reboot_needed - restrict_strategy -- name: Add watch rule for /etc/sysconfig/network in /etc/audit/audit.rules +- name: Record Events that Modify the System's Network Environment - Add watch rule for /etc/sysconfig/network in /etc/audit/audit.rules lineinfile: line: -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification state: present @@ -32028,7 +33174,8 @@ - no_reboot_needed | bool - restrict_strategy | bool -- name: Check if watch rule for /etc/sysconfig/network-scripts already exists in /etc/audit/rules.d/ +- name: Record Events that Modify the System's Network Environment - Check if watch rule for /etc/sysconfig/network-scripts + already exists in /etc/audit/rules.d/ find: paths: /etc/audit/rules.d contains: ^\s*-w\s+/etc/sysconfig/network-scripts\s+-p\s+wa(\s|$)+ @@ -32052,7 +33199,8 @@ - no_reboot_needed - restrict_strategy -- name: Search /etc/audit/rules.d for other rules with specified key audit_rules_networkconfig_modification_network_scripts +- name: Record Events that Modify the System's Network Environment - Search /etc/audit/rules.d for other rules with specified + key audit_rules_networkconfig_modification_network_scripts find: paths: /etc/audit/rules.d contains: ^.*(?:-F key=|-k\s+)audit_rules_networkconfig_modification_network_scripts$ 
@@ -32077,7 +33225,8 @@ - no_reboot_needed - restrict_strategy -- name: Use /etc/audit/rules.d/audit_rules_networkconfig_modification_network_scripts.rules as the recipient for the rule +- name: Record Events that Modify the System's Network Environment - Use /etc/audit/rules.d/audit_rules_networkconfig_modification_network_scripts.rules + as the recipient for the rule set_fact: all_files: - /etc/audit/rules.d/audit_rules_networkconfig_modification_network_scripts.rules @@ -32101,7 +33250,7 @@ - no_reboot_needed - restrict_strategy -- name: Use matched file as the recipient for the rule +- name: Record Events that Modify the System's Network Environment - Use matched file as the recipient for the rule set_fact: all_files: - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' @@ -32125,7 +33274,8 @@ - no_reboot_needed - restrict_strategy -- name: Add watch rule for /etc/sysconfig/network-scripts in /etc/audit/rules.d/ +- name: Record Events that Modify the System's Network Environment - Add watch rule for /etc/sysconfig/network-scripts in + /etc/audit/rules.d/ lineinfile: path: '{{ all_files[0] }}' line: -w /etc/sysconfig/network-scripts -p wa -k audit_rules_networkconfig_modification_network_scripts @@ -32150,7 +33300,8 @@ - no_reboot_needed - restrict_strategy -- name: Check if watch rule for /etc/sysconfig/network-scripts already exists in /etc/audit/audit.rules +- name: Record Events that Modify the System's Network Environment - Check if watch rule for /etc/sysconfig/network-scripts + already exists in /etc/audit/audit.rules find: paths: /etc/audit/ contains: ^\s*-w\s+/etc/sysconfig/network-scripts\s+-p\s+wa(\s|$)+ 
@@ -32174,7 +33325,8 @@ - no_reboot_needed - restrict_strategy -- name: Add watch rule for /etc/sysconfig/network-scripts in /etc/audit/audit.rules +- name: Record Events that Modify the System's Network Environment - Add watch rule for /etc/sysconfig/network-scripts in + /etc/audit/audit.rules lineinfile: line: -w /etc/sysconfig/network-scripts -p wa -k audit_rules_networkconfig_modification_network_scripts state: present 
@@ -32204,466 +33356,208 @@ package_facts: manager: auto tags: - - CCE-83713-8 - - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 + - CCE-86198-9 - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.3 + - NIST-800-53-AU-12.1(iv) - PCI-DSSv4-10.2 - PCI-DSSv4-10.2.1 - PCI-DSSv4-10.2.1.3 - - audit_rules_session_events + - audit_rules_session_events_btmp - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy when: - - audit_rules_session_events | bool + - audit_rules_session_events_btmp | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool -- name: Check if watch rule for /var/run/utmp already exists in /etc/audit/rules.d/ - find: - paths: /etc/audit/rules.d - contains: ^\s*-w\s+/var/run/utmp\s+-p\s+wa(\s|$)+ - patterns: '*.rules' - register: find_existing_watch_rules_d - when: - - audit_rules_session_events | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - - restrict_strategy | bool - - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' - tags: - - CCE-83713-8 - - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.3 - - PCI-DSSv4-10.2 - - PCI-DSSv4-10.2.1 - - PCI-DSSv4-10.2.1.3 - - audit_rules_session_events - - low_complexity - - low_disruption - - medium_severity - - reboot_required - - restrict_strategy - -- name: Search /etc/audit/rules.d for other rules with specified key session - find: - paths: /etc/audit/rules.d - contains: ^.*(?:-F key=|-k\s+)session$ - patterns: '*.rules' - register: find_watch_key - when: - - audit_rules_session_events | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - - restrict_strategy | bool - - '"audit" in 
ansible_facts.packages' - - '"kernel" in ansible_facts.packages' - - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 - tags: - - CCE-83713-8 - - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.3 - - PCI-DSSv4-10.2 - - PCI-DSSv4-10.2.1 - - PCI-DSSv4-10.2.1.3 - - audit_rules_session_events - - low_complexity - - low_disruption - - medium_severity - - reboot_required - - restrict_strategy - -- name: Use /etc/audit/rules.d/session.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/session.rules - when: - - audit_rules_session_events | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - - restrict_strategy | bool - - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' - - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and - find_existing_watch_rules_d.matched == 0 - tags: - - CCE-83713-8 - - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.3 - - PCI-DSSv4-10.2 - - PCI-DSSv4-10.2.1 - - PCI-DSSv4-10.2.1.3 - - audit_rules_session_events - - low_complexity - - low_disruption - - medium_severity - - reboot_required - - restrict_strategy - -- name: Use matched file as the recipient for the rule - set_fact: - all_files: - - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' - when: - - audit_rules_session_events | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - - restrict_strategy | bool - - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' - - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and - 
find_existing_watch_rules_d.matched == 0 - tags: - - CCE-83713-8 - - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.3 - - PCI-DSSv4-10.2 - - PCI-DSSv4-10.2.1 - - PCI-DSSv4-10.2.1.3 - - audit_rules_session_events - - low_complexity - - low_disruption - - medium_severity - - reboot_required - - restrict_strategy - -- name: Add watch rule for /var/run/utmp in /etc/audit/rules.d/ - lineinfile: - path: '{{ all_files[0] }}' - line: -w /var/run/utmp -p wa -k session - create: true - mode: '0600' - when: - - audit_rules_session_events | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - - restrict_strategy | bool - - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' - - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 - tags: - - CCE-83713-8 - - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.3 - - PCI-DSSv4-10.2 - - PCI-DSSv4-10.2.1 - - PCI-DSSv4-10.2.1.3 - - audit_rules_session_events - - low_complexity - - low_disruption - - medium_severity - - reboot_required - - restrict_strategy - -- name: Check if watch rule for /var/run/utmp already exists in /etc/audit/audit.rules - find: - paths: /etc/audit/ - contains: ^\s*-w\s+/var/run/utmp\s+-p\s+wa(\s|$)+ - patterns: audit.rules - register: find_existing_watch_audit_rules - when: - - audit_rules_session_events | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - - restrict_strategy | bool - - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' - tags: - - CCE-83713-8 - - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.3 - - PCI-DSSv4-10.2 - - PCI-DSSv4-10.2.1 - - 
PCI-DSSv4-10.2.1.3 - - audit_rules_session_events - - low_complexity - - low_disruption - - medium_severity - - reboot_required - - restrict_strategy - -- name: Add watch rule for /var/run/utmp in /etc/audit/audit.rules - lineinfile: - line: -w /var/run/utmp -p wa -k session - state: present - dest: /etc/audit/audit.rules - create: true - mode: '0600' - when: - - audit_rules_session_events | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - - restrict_strategy | bool - - '"audit" in ansible_facts.packages' - - '"kernel" in ansible_facts.packages' - - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 - tags: - - CCE-83713-8 - - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.3 - - PCI-DSSv4-10.2 - - PCI-DSSv4-10.2.1 - - PCI-DSSv4-10.2.1.3 - - audit_rules_session_events - - low_complexity - - low_disruption - - medium_severity - - reboot_required - - restrict_strategy - -- name: Check if watch rule for /var/log/btmp already exists in /etc/audit/rules.d/ +- name: Record Attempts to Alter Process and Session Initiation Information btmp - Check if watch rule for /var/log/btmp already + exists in /etc/audit/rules.d/ find: paths: /etc/audit/rules.d contains: ^\s*-w\s+/var/log/btmp\s+-p\s+wa(\s|$)+ patterns: '*.rules' register: find_existing_watch_rules_d when: - - audit_rules_session_events | bool + - audit_rules_session_events_btmp | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel" in ansible_facts.packages' tags: - - CCE-83713-8 - - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 + - CCE-86198-9 - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.3 + - NIST-800-53-AU-12.1(iv) - PCI-DSSv4-10.2 
- PCI-DSSv4-10.2.1 - PCI-DSSv4-10.2.1.3 - - audit_rules_session_events + - audit_rules_session_events_btmp - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Search /etc/audit/rules.d for other rules with specified key session +- name: Record Attempts to Alter Process and Session Initiation Information btmp - Search /etc/audit/rules.d for other rules + with specified key session find: paths: /etc/audit/rules.d contains: ^.*(?:-F key=|-k\s+)session$ patterns: '*.rules' register: find_watch_key when: - - audit_rules_session_events | bool + - audit_rules_session_events_btmp | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel" in ansible_facts.packages' - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - - CCE-83713-8 - - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 + - CCE-86198-9 - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.3 + - NIST-800-53-AU-12.1(iv) - PCI-DSSv4-10.2 - PCI-DSSv4-10.2.1 - PCI-DSSv4-10.2.1.3 - - audit_rules_session_events + - audit_rules_session_events_btmp - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Use /etc/audit/rules.d/session.rules as the recipient for the rule +- name: Record Attempts to Alter Process and Session Initiation Information btmp - Use /etc/audit/rules.d/session.rules as + the recipient for the rule set_fact: all_files: - /etc/audit/rules.d/session.rules when: - - audit_rules_session_events | bool + - audit_rules_session_events_btmp | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel" in 
ansible_facts.packages' - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - - CCE-83713-8 - - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 + - CCE-86198-9 - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.3 + - NIST-800-53-AU-12.1(iv) - PCI-DSSv4-10.2 - PCI-DSSv4-10.2.1 - PCI-DSSv4-10.2.1.3 - - audit_rules_session_events + - audit_rules_session_events_btmp - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Use matched file as the recipient for the rule +- name: Record Attempts to Alter Process and Session Initiation Information btmp - Use matched file as the recipient for the + rule set_fact: all_files: - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' when: - - audit_rules_session_events | bool + - audit_rules_session_events_btmp | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel" in ansible_facts.packages' - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - - CCE-83713-8 - - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 + - CCE-86198-9 - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.3 + - NIST-800-53-AU-12.1(iv) - PCI-DSSv4-10.2 - PCI-DSSv4-10.2.1 - PCI-DSSv4-10.2.1.3 - - audit_rules_session_events + - audit_rules_session_events_btmp - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Add watch rule for /var/log/btmp in /etc/audit/rules.d/ +- name: Record Attempts to Alter Process and Session Initiation Information btmp - Add watch rule for 
/var/log/btmp in /etc/audit/rules.d/ lineinfile: path: '{{ all_files[0] }}' line: -w /var/log/btmp -p wa -k session create: true mode: '0600' when: - - audit_rules_session_events | bool + - audit_rules_session_events_btmp | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel" in ansible_facts.packages' - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - - CCE-83713-8 - - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 + - CCE-86198-9 - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.3 + - NIST-800-53-AU-12.1(iv) - PCI-DSSv4-10.2 - PCI-DSSv4-10.2.1 - PCI-DSSv4-10.2.1.3 - - audit_rules_session_events + - audit_rules_session_events_btmp - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Check if watch rule for /var/log/btmp already exists in /etc/audit/audit.rules +- name: Record Attempts to Alter Process and Session Initiation Information btmp - Check if watch rule for /var/log/btmp already + exists in /etc/audit/audit.rules find: paths: /etc/audit/ contains: ^\s*-w\s+/var/log/btmp\s+-p\s+wa(\s|$)+ patterns: audit.rules register: find_existing_watch_audit_rules when: - - audit_rules_session_events | bool + - audit_rules_session_events_btmp | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel" in ansible_facts.packages' tags: - - CCE-83713-8 - - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 + - CCE-86198-9 - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.3 + - NIST-800-53-AU-12.1(iv) - PCI-DSSv4-10.2 - PCI-DSSv4-10.2.1 - PCI-DSSv4-10.2.1.3 - - audit_rules_session_events + - 
audit_rules_session_events_btmp - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Add watch rule for /var/log/btmp in /etc/audit/audit.rules +- name: Record Attempts to Alter Process and Session Initiation Information btmp - Add watch rule for /var/log/btmp in /etc/audit/audit.rules lineinfile: line: -w /var/log/btmp -p wa -k session state: present 
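Review bot: The new btmp tasks are tagged `no_reboot_needed` (replacing the old `reboot_required`), yet every task on the new side of this hunk only edits `/etc/audit/rules.d/session.rules` or `/etc/audit/audit.rules`; nothing visible here loads the new watch into the running audit subsystem. Unless a reload step (for example an `augenrules --load` handler) exists elsewhere in the role, the tag overstates what the remediation achieves, and the kernel presumably has no watch on `/var/log/btmp` until auditd is restarted, which matters for anyone relying on the tag to decide whether a maintenance window is needed. If deferring the reload is intentional, a short comment on the first btmp task would make that explicit, e.g. `# Rules are written to disk only; the active ruleset is refreshed on the next auditd start`. The utmp and wtmp task groups in the following hunk carry the same tag and the same gap.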
@@ -32671,234 +33565,471 @@ create: true mode: '0600' when: - - audit_rules_session_events | bool + - audit_rules_session_events_btmp | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel" in ansible_facts.packages' - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 tags: - - CCE-83713-8 - - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 + - CCE-86198-9 - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.3 + - NIST-800-53-AU-12.1(iv) - PCI-DSSv4-10.2 - PCI-DSSv4-10.2.1 - PCI-DSSv4-10.2.1.3 - - audit_rules_session_events + - audit_rules_session_events_btmp - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Check if watch rule for /var/log/wtmp already exists in /etc/audit/rules.d/ - find: - paths: /etc/audit/rules.d - contains: ^\s*-w\s+/var/log/wtmp\s+-p\s+wa(\s|$)+ - patterns: '*.rules' - register: find_existing_watch_rules_d +- name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-86202-9 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-12.1(iv) + - PCI-DSSv4-10.2 + - PCI-DSSv4-10.2.1 + - PCI-DSSv4-10.2.1.3 + - audit_rules_session_events_utmp + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy when: - - audit_rules_session_events | bool + - audit_rules_session_events_utmp | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool + - restrict_strategy | bool + +- name: Record Attempts to Alter Process and Session Initiation Information utmp - Check if watch rule for /var/run/utmp already + exists in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: ^\s*-w\s+/var/run/utmp\s+-p\s+wa(\s|$)+ + patterns: 
'*.rules' + register: find_existing_watch_rules_d + when: + - audit_rules_session_events_utmp | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel" in ansible_facts.packages' tags: - - CCE-83713-8 - - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 + - CCE-86202-9 - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.3 + - NIST-800-53-AU-12.1(iv) - PCI-DSSv4-10.2 - PCI-DSSv4-10.2.1 - PCI-DSSv4-10.2.1.3 - - audit_rules_session_events + - audit_rules_session_events_utmp - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Search /etc/audit/rules.d for other rules with specified key session +- name: Record Attempts to Alter Process and Session Initiation Information utmp - Search /etc/audit/rules.d for other rules + with specified key session find: paths: /etc/audit/rules.d contains: ^.*(?:-F key=|-k\s+)session$ patterns: '*.rules' register: find_watch_key when: - - audit_rules_session_events | bool + - audit_rules_session_events_utmp | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel" in ansible_facts.packages' - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - - CCE-83713-8 - - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 + - CCE-86202-9 - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.3 + - NIST-800-53-AU-12.1(iv) - PCI-DSSv4-10.2 - PCI-DSSv4-10.2.1 - PCI-DSSv4-10.2.1.3 - - audit_rules_session_events + - audit_rules_session_events_utmp - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Use /etc/audit/rules.d/session.rules as 
the recipient for the rule +- name: Record Attempts to Alter Process and Session Initiation Information utmp - Use /etc/audit/rules.d/session.rules as + the recipient for the rule set_fact: all_files: - /etc/audit/rules.d/session.rules when: - - audit_rules_session_events | bool + - audit_rules_session_events_utmp | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel" in ansible_facts.packages' - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - - CCE-83713-8 - - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 + - CCE-86202-9 - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.3 + - NIST-800-53-AU-12.1(iv) - PCI-DSSv4-10.2 - PCI-DSSv4-10.2.1 - PCI-DSSv4-10.2.1.3 - - audit_rules_session_events + - audit_rules_session_events_utmp - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Use matched file as the recipient for the rule +- name: Record Attempts to Alter Process and Session Initiation Information utmp - Use matched file as the recipient for the + rule set_fact: all_files: - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' when: - - audit_rules_session_events | bool + - audit_rules_session_events_utmp | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel" in ansible_facts.packages' - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - - CCE-83713-8 - - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 + - CCE-86202-9 - 
NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.3 + - NIST-800-53-AU-12.1(iv) - PCI-DSSv4-10.2 - PCI-DSSv4-10.2.1 - PCI-DSSv4-10.2.1.3 - - audit_rules_session_events + - audit_rules_session_events_utmp - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Add watch rule for /var/log/wtmp in /etc/audit/rules.d/ +- name: Record Attempts to Alter Process and Session Initiation Information utmp - Add watch rule for /var/run/utmp in /etc/audit/rules.d/ + lineinfile: + path: '{{ all_files[0] }}' + line: -w /var/run/utmp -p wa -k session + create: true + mode: '0600' + when: + - audit_rules_session_events_utmp | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"audit" in ansible_facts.packages' + - '"kernel" in ansible_facts.packages' + - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 + tags: + - CCE-86202-9 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-12.1(iv) + - PCI-DSSv4-10.2 + - PCI-DSSv4-10.2.1 + - PCI-DSSv4-10.2.1.3 + - audit_rules_session_events_utmp + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Record Attempts to Alter Process and Session Initiation Information utmp - Check if watch rule for /var/run/utmp already + exists in /etc/audit/audit.rules + find: + paths: /etc/audit/ + contains: ^\s*-w\s+/var/run/utmp\s+-p\s+wa(\s|$)+ + patterns: audit.rules + register: find_existing_watch_audit_rules + when: + - audit_rules_session_events_utmp | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"audit" in ansible_facts.packages' + - '"kernel" in ansible_facts.packages' + tags: + - CCE-86202-9 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-12.1(iv) + - PCI-DSSv4-10.2 + 
- PCI-DSSv4-10.2.1 + - PCI-DSSv4-10.2.1.3 + - audit_rules_session_events_utmp + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Record Attempts to Alter Process and Session Initiation Information utmp - Add watch rule for /var/run/utmp in /etc/audit/audit.rules + lineinfile: + line: -w /var/run/utmp -p wa -k session + state: present + dest: /etc/audit/audit.rules + create: true + mode: '0600' + when: + - audit_rules_session_events_utmp | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"audit" in ansible_facts.packages' + - '"kernel" in ansible_facts.packages' + - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 + tags: + - CCE-86202-9 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-12.1(iv) + - PCI-DSSv4-10.2 + - PCI-DSSv4-10.2.1 + - PCI-DSSv4-10.2.1.3 + - audit_rules_session_events_utmp + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-86203-7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-12.1(iv) + - PCI-DSSv4-10.2 + - PCI-DSSv4-10.2.1 + - PCI-DSSv4-10.2.1.3 + - audit_rules_session_events_wtmp + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + when: + - audit_rules_session_events_wtmp | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + +- name: Record Attempts to Alter Process and Session Initiation Information wtmp - Check if watch rule for /var/log/wtmp already + exists in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: ^\s*-w\s+/var/log/wtmp\s+-p\s+wa(\s|$)+ + patterns: '*.rules' + register: find_existing_watch_rules_d + when: + - audit_rules_session_events_wtmp | 
bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"audit" in ansible_facts.packages' + - '"kernel" in ansible_facts.packages' + tags: + - CCE-86203-7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-12.1(iv) + - PCI-DSSv4-10.2 + - PCI-DSSv4-10.2.1 + - PCI-DSSv4-10.2.1.3 + - audit_rules_session_events_wtmp + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Record Attempts to Alter Process and Session Initiation Information wtmp - Search /etc/audit/rules.d for other rules + with specified key session + find: + paths: /etc/audit/rules.d + contains: ^.*(?:-F key=|-k\s+)session$ + patterns: '*.rules' + register: find_watch_key + when: + - audit_rules_session_events_wtmp | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"audit" in ansible_facts.packages' + - '"kernel" in ansible_facts.packages' + - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 + tags: + - CCE-86203-7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-12.1(iv) + - PCI-DSSv4-10.2 + - PCI-DSSv4-10.2.1 + - PCI-DSSv4-10.2.1.3 + - audit_rules_session_events_wtmp + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Record Attempts to Alter Process and Session Initiation Information wtmp - Use /etc/audit/rules.d/session.rules as + the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/session.rules + when: + - audit_rules_session_events_wtmp | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"audit" in ansible_facts.packages' + - '"kernel" in ansible_facts.packages' + - find_watch_key.matched is defined and find_watch_key.matched == 0 and 
find_existing_watch_rules_d.matched is defined and + find_existing_watch_rules_d.matched == 0 + tags: + - CCE-86203-7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-12.1(iv) + - PCI-DSSv4-10.2 + - PCI-DSSv4-10.2.1 + - PCI-DSSv4-10.2.1.3 + - audit_rules_session_events_wtmp + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Record Attempts to Alter Process and Session Initiation Information wtmp - Use matched file as the recipient for the + rule + set_fact: + all_files: + - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' + when: + - audit_rules_session_events_wtmp | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"audit" in ansible_facts.packages' + - '"kernel" in ansible_facts.packages' + - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and + find_existing_watch_rules_d.matched == 0 + tags: + - CCE-86203-7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-12.1(iv) + - PCI-DSSv4-10.2 + - PCI-DSSv4-10.2.1 + - PCI-DSSv4-10.2.1.3 + - audit_rules_session_events_wtmp + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Record Attempts to Alter Process and Session Initiation Information wtmp - Add watch rule for /var/log/wtmp in /etc/audit/rules.d/ lineinfile: path: '{{ all_files[0] }}' line: -w /var/log/wtmp -p wa -k session create: true mode: '0600' when: - - audit_rules_session_events | bool + - audit_rules_session_events_wtmp | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel" in ansible_facts.packages' - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - - CCE-83713-8 
- - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 + - CCE-86203-7 - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.3 + - NIST-800-53-AU-12.1(iv) - PCI-DSSv4-10.2 - PCI-DSSv4-10.2.1 - PCI-DSSv4-10.2.1.3 - - audit_rules_session_events + - audit_rules_session_events_wtmp - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Check if watch rule for /var/log/wtmp already exists in /etc/audit/audit.rules +- name: Record Attempts to Alter Process and Session Initiation Information wtmp - Check if watch rule for /var/log/wtmp already + exists in /etc/audit/audit.rules find: paths: /etc/audit/ contains: ^\s*-w\s+/var/log/wtmp\s+-p\s+wa(\s|$)+ patterns: audit.rules register: find_existing_watch_audit_rules when: - - audit_rules_session_events | bool + - audit_rules_session_events_wtmp | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel" in ansible_facts.packages' tags: - - CCE-83713-8 - - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 + - CCE-86203-7 - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.3 + - NIST-800-53-AU-12.1(iv) - PCI-DSSv4-10.2 - PCI-DSSv4-10.2.1 - PCI-DSSv4-10.2.1.3 - - audit_rules_session_events + - audit_rules_session_events_wtmp - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Add watch rule for /var/log/wtmp in /etc/audit/audit.rules +- name: Record Attempts to Alter Process and Session Initiation Information wtmp - Add watch rule for /var/log/wtmp in /etc/audit/audit.rules lineinfile: line: -w /var/log/wtmp -p wa -k session state: present 
@@ -32906,31 +34037,27 @@ create: true mode: '0600' when: - - audit_rules_session_events | bool + - audit_rules_session_events_wtmp | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel" in ansible_facts.packages' - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 tags: - - CCE-83713-8 - - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 + - CCE-86203-7 - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.3 + - NIST-800-53-AU-12.1(iv) - PCI-DSSv4-10.2 - PCI-DSSv4-10.2.1 - PCI-DSSv4-10.2.1.3 - - audit_rules_session_events + - audit_rules_session_events_wtmp - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy - name: Gather the package facts @@ -33129,7 +34256,7 @@ - no_reboot_needed | bool - restrict_strategy | bool -- name: Check if watch rule for /etc/sudoers already exists in /etc/audit/audit.rules +- name: Ensure auditd Collects System Administrator Actions - Check if watch rule for /etc/sudoers already exists in /etc/audit/audit.rules find: paths: /etc/audit/ contains: ^\s*-w\s+/etc/sudoers\s+-p\s+wa(\s|$)+ @@ -33165,7 +34292,7 @@ - no_reboot_needed - restrict_strategy -- name: Add watch rule for /etc/sudoers in /etc/audit/audit.rules +- name: Ensure auditd Collects System Administrator Actions - Add watch rule for /etc/sudoers in /etc/audit/audit.rules lineinfile: line: -w /etc/sudoers -p wa -k actions state: present 
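Review bot: Retagging this task from `reboot_required` to `no_reboot_needed` is not backed by anything in the hunk that loads the new `-w /var/log/wtmp -p wa -k session` line into the running kernel: `lineinfile` only edits `/etc/audit/audit.rules`, and there is no `notify`/handler for `augenrules --load` or an auditd restart. On a host whose loaded rule set ends in `-e 2` (immutable mode) the watch cannot be added until the next boot, so the play finishes with the file changed but the event not yet audited. Either keep the `reboot_required` tag and condition, or add `notify: reload auditd rules` to the `lineinfile` tasks together with a comment that the reload is a no-op under `-e 2`. The `lineinfile` task this hunk belongs to starts before the hunk.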
@@ -33203,7 +34330,7 @@ - no_reboot_needed - restrict_strategy -- name: Check if watch rule for /etc/sudoers already exists in /etc/audit/rules.d/ +- name: Ensure auditd Collects System Administrator Actions - Check if watch rule for /etc/sudoers already exists in /etc/audit/rules.d/ find: paths: /etc/audit/rules.d contains: ^\s*-w\s+/etc/sudoers\s+-p\s+wa(\s|$)+ @@ -33239,7 +34366,8 @@ - no_reboot_needed - restrict_strategy -- name: Search /etc/audit/rules.d for other rules with specified key actions +- name: Ensure auditd Collects System Administrator Actions - Search /etc/audit/rules.d for other rules with specified key + actions find: paths: /etc/audit/rules.d contains: ^.*(?:-F key=|-k\s+)actions$ @@ -33276,7 +34404,8 @@ - no_reboot_needed - restrict_strategy -- name: Use /etc/audit/rules.d/actions.rules as the recipient for the rule +- name: Ensure auditd Collects System Administrator Actions - Use /etc/audit/rules.d/actions.rules as the recipient for the + rule set_fact: all_files: - /etc/audit/rules.d/actions.rules @@ -33312,7 +34441,7 @@ - no_reboot_needed - restrict_strategy -- name: Use matched file as the recipient for the rule +- name: Ensure auditd Collects System Administrator Actions - Use matched file as the recipient for the rule set_fact: all_files: - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' @@ -33348,7 +34477,7 @@ - no_reboot_needed - restrict_strategy -- name: Add watch rule for /etc/sudoers in /etc/audit/rules.d/ +- name: Ensure auditd Collects System Administrator Actions - Add watch rule for /etc/sudoers in /etc/audit/rules.d/ lineinfile: path: '{{ all_files[0] }}' line: -w /etc/sudoers -p wa -k actions 
@@ -33385,7 +34514,7 @@ - no_reboot_needed - restrict_strategy -- name: Check if watch rule for /etc/sudoers.d/ already exists in /etc/audit/audit.rules +- name: Ensure auditd Collects System Administrator Actions - Check if watch rule for /etc/sudoers.d/ already exists in /etc/audit/audit.rules find: paths: /etc/audit/ contains: ^\s*-w\s+/etc/sudoers.d/\s+-p\s+wa(\s|$)+ @@ -33421,7 +34550,7 @@ - no_reboot_needed - restrict_strategy -- name: Add watch rule for /etc/sudoers.d/ in /etc/audit/audit.rules +- name: Ensure auditd Collects System Administrator Actions - Add watch rule for /etc/sudoers.d/ in /etc/audit/audit.rules lineinfile: line: -w /etc/sudoers.d/ -p wa -k actions state: present @@ -33459,7 +34588,7 @@ - no_reboot_needed - restrict_strategy -- name: Check if watch rule for /etc/sudoers.d/ already exists in /etc/audit/rules.d/ +- name: Ensure auditd Collects System Administrator Actions - Check if watch rule for /etc/sudoers.d/ already exists in /etc/audit/rules.d/ find: paths: /etc/audit/rules.d contains: ^\s*-w\s+/etc/sudoers.d/\s+-p\s+wa(\s|$)+ @@ -33495,7 +34624,8 @@ - no_reboot_needed - restrict_strategy -- name: Search /etc/audit/rules.d for other rules with specified key actions +- name: Ensure auditd Collects System Administrator Actions - Search /etc/audit/rules.d for other rules with specified key + actions find: paths: /etc/audit/rules.d contains: ^.*(?:-F key=|-k\s+)actions$ @@ -33532,7 +34662,8 @@ - no_reboot_needed - restrict_strategy -- name: Use /etc/audit/rules.d/actions.rules as the recipient for the rule +- name: Ensure auditd Collects System Administrator Actions - Use /etc/audit/rules.d/actions.rules as the recipient for the + rule set_fact: all_files: - /etc/audit/rules.d/actions.rules 
@@ -33568,7 +34699,7 @@ - no_reboot_needed - restrict_strategy -- name: Use matched file as the recipient for the rule +- name: Ensure auditd Collects System Administrator Actions - Use matched file as the recipient for the rule set_fact: all_files: - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' @@ -33604,7 +34735,7 @@ - no_reboot_needed - restrict_strategy -- name: Add watch rule for /etc/sudoers.d/ in /etc/audit/rules.d/ +- name: Ensure auditd Collects System Administrator Actions - Add watch rule for /etc/sudoers.d/ in /etc/audit/rules.d/ lineinfile: path: '{{ all_files[0] }}' line: -w /etc/sudoers.d/ -p wa -k actions @@ -33662,7 +34793,7 @@ - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy when: - DISA_STIG_RHEL_09_654225 | bool @@ -33670,10 +34801,11 @@ - low_complexity | bool - low_disruption | bool - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool -- name: Check if watch rule for /etc/group already exists in /etc/audit/rules.d/ +- name: Record Events that Modify User/Group Information - /etc/group - Check if watch rule for /etc/group already exists + in /etc/audit/rules.d/ find: paths: /etc/audit/rules.d contains: ^\s*-w\s+/etc/group\s+-p\s+wa(\s|$)+ @@ -33685,7 +34817,7 @@ - low_complexity | bool - low_disruption | bool - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel" in ansible_facts.packages' 
@@ -33707,10 +34839,11 @@ - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Search /etc/audit/rules.d for other rules with specified key audit_rules_usergroup_modification +- name: Record Events that Modify User/Group Information - /etc/group - Search /etc/audit/rules.d for other rules with specified + key audit_rules_usergroup_modification find: paths: /etc/audit/rules.d contains: ^.*(?:-F key=|-k\s+)audit_rules_usergroup_modification$ @@ -33722,7 +34855,7 @@ - low_complexity | bool - low_disruption | bool - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel" in ansible_facts.packages' @@ -33745,10 +34878,11 @@ - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Use /etc/audit/rules.d/audit_rules_usergroup_modification.rules as the recipient for the rule +- name: Record Events that Modify User/Group Information - /etc/group - Use /etc/audit/rules.d/audit_rules_usergroup_modification.rules + as the recipient for the rule set_fact: all_files: - /etc/audit/rules.d/audit_rules_usergroup_modification.rules @@ -33758,7 +34892,7 @@ - low_complexity | bool - low_disruption | bool - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel" in ansible_facts.packages' @@ -33782,10 +34916,10 @@ - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Use matched file as the recipient for the rule +- name: Record Events that Modify User/Group Information - /etc/group - Use matched file as the recipient for the rule set_fact: all_files: - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' 
@@ -33795,7 +34929,7 @@ - low_complexity | bool - low_disruption | bool - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel" in ansible_facts.packages' @@ -33819,10 +34953,10 @@ - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Add watch rule for /etc/group in /etc/audit/rules.d/ +- name: Record Events that Modify User/Group Information - /etc/group - Add watch rule for /etc/group in /etc/audit/rules.d/ lineinfile: path: '{{ all_files[0] }}' line: -w /etc/group -p wa -k audit_rules_usergroup_modification @@ -33834,7 +34968,7 @@ - low_complexity | bool - low_disruption | bool - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel" in ansible_facts.packages' @@ -33857,10 +34991,11 @@ - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Check if watch rule for /etc/group already exists in /etc/audit/audit.rules +- name: Record Events that Modify User/Group Information - /etc/group - Check if watch rule for /etc/group already exists + in /etc/audit/audit.rules find: paths: /etc/audit/ contains: ^\s*-w\s+/etc/group\s+-p\s+wa(\s|$)+ @@ -33872,7 +35007,7 @@ - low_complexity | bool - low_disruption | bool - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel" in ansible_facts.packages' 
@@ -33894,10 +35029,10 @@ - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Add watch rule for /etc/group in /etc/audit/audit.rules +- name: Record Events that Modify User/Group Information - /etc/group - Add watch rule for /etc/group in /etc/audit/audit.rules lineinfile: line: -w /etc/group -p wa -k audit_rules_usergroup_modification state: present @@ -33910,7 +35045,7 @@ - low_complexity | bool - low_disruption | bool - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel" in ansible_facts.packages' @@ -33933,7 +35068,7 @@ - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy - name: Gather the package facts @@ -33957,7 +35092,7 @@ - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy when: - DISA_STIG_RHEL_09_654230 | bool @@ -33965,10 +35100,11 @@ - low_complexity | bool - low_disruption | bool - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool -- name: Check if watch rule for /etc/gshadow already exists in /etc/audit/rules.d/ +- name: Record Events that Modify User/Group Information - /etc/gshadow - Check if watch rule for /etc/gshadow already exists + in /etc/audit/rules.d/ find: paths: /etc/audit/rules.d contains: ^\s*-w\s+/etc/gshadow\s+-p\s+wa(\s|$)+ @@ -33980,7 +35116,7 @@ - low_complexity | bool - low_disruption | bool - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel" in ansible_facts.packages' 
@@ -34002,10 +35138,11 @@ - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Search /etc/audit/rules.d for other rules with specified key audit_rules_usergroup_modification +- name: Record Events that Modify User/Group Information - /etc/gshadow - Search /etc/audit/rules.d for other rules with specified + key audit_rules_usergroup_modification find: paths: /etc/audit/rules.d contains: ^.*(?:-F key=|-k\s+)audit_rules_usergroup_modification$ @@ -34017,7 +35154,7 @@ - low_complexity | bool - low_disruption | bool - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel" in ansible_facts.packages' @@ -34040,10 +35177,11 @@ - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Use /etc/audit/rules.d/audit_rules_usergroup_modification.rules as the recipient for the rule +- name: Record Events that Modify User/Group Information - /etc/gshadow - Use /etc/audit/rules.d/audit_rules_usergroup_modification.rules + as the recipient for the rule set_fact: all_files: - /etc/audit/rules.d/audit_rules_usergroup_modification.rules @@ -34053,7 +35191,7 @@ - low_complexity | bool - low_disruption | bool - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel" in ansible_facts.packages' @@ -34077,10 +35215,10 @@ - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Use matched file as the recipient for the rule +- name: Record Events that Modify User/Group Information - /etc/gshadow - Use matched file as the recipient for the rule set_fact: all_files: - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' 
@@ -34090,7 +35228,7 @@ - low_complexity | bool - low_disruption | bool - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel" in ansible_facts.packages' @@ -34114,10 +35252,10 @@ - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Add watch rule for /etc/gshadow in /etc/audit/rules.d/ +- name: Record Events that Modify User/Group Information - /etc/gshadow - Add watch rule for /etc/gshadow in /etc/audit/rules.d/ lineinfile: path: '{{ all_files[0] }}' line: -w /etc/gshadow -p wa -k audit_rules_usergroup_modification @@ -34129,7 +35267,7 @@ - low_complexity | bool - low_disruption | bool - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel" in ansible_facts.packages' @@ -34152,10 +35290,11 @@ - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Check if watch rule for /etc/gshadow already exists in /etc/audit/audit.rules +- name: Record Events that Modify User/Group Information - /etc/gshadow - Check if watch rule for /etc/gshadow already exists + in /etc/audit/audit.rules find: paths: /etc/audit/ contains: ^\s*-w\s+/etc/gshadow\s+-p\s+wa(\s|$)+ @@ -34167,7 +35306,7 @@ - low_complexity | bool - low_disruption | bool - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel" in ansible_facts.packages' 
@@ -34189,10 +35328,10 @@ - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Add watch rule for /etc/gshadow in /etc/audit/audit.rules +- name: Record Events that Modify User/Group Information - /etc/gshadow - Add watch rule for /etc/gshadow in /etc/audit/audit.rules lineinfile: line: -w /etc/gshadow -p wa -k audit_rules_usergroup_modification state: present @@ -34205,7 +35344,7 @@ - low_complexity | bool - low_disruption | bool - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel" in ansible_facts.packages' @@ -34228,7 +35367,7 @@ - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy - name: Gather the package facts @@ -34252,7 +35391,7 @@ - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy when: - DISA_STIG_RHEL_09_654235 | bool @@ -34260,10 +35399,11 @@ - low_complexity | bool - low_disruption | bool - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool -- name: Check if watch rule for /etc/security/opasswd already exists in /etc/audit/rules.d/ +- name: Record Events that Modify User/Group Information - /etc/security/opasswd - Check if watch rule for /etc/security/opasswd + already exists in /etc/audit/rules.d/ find: paths: /etc/audit/rules.d contains: ^\s*-w\s+/etc/security/opasswd\s+-p\s+wa(\s|$)+ @@ -34275,7 +35415,7 @@ - low_complexity | bool - low_disruption | bool - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel" in ansible_facts.packages' 
@@ -34297,10 +35437,11 @@ - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Search /etc/audit/rules.d for other rules with specified key audit_rules_usergroup_modification +- name: Record Events that Modify User/Group Information - /etc/security/opasswd - Search /etc/audit/rules.d for other rules + with specified key audit_rules_usergroup_modification find: paths: /etc/audit/rules.d contains: ^.*(?:-F key=|-k\s+)audit_rules_usergroup_modification$ @@ -34312,7 +35453,7 @@ - low_complexity | bool - low_disruption | bool - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel" in ansible_facts.packages' @@ -34335,10 +35476,11 @@ - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Use /etc/audit/rules.d/audit_rules_usergroup_modification.rules as the recipient for the rule +- name: Record Events that Modify User/Group Information - /etc/security/opasswd - Use /etc/audit/rules.d/audit_rules_usergroup_modification.rules + as the recipient for the rule set_fact: all_files: - /etc/audit/rules.d/audit_rules_usergroup_modification.rules @@ -34348,7 +35490,7 @@ - low_complexity | bool - low_disruption | bool - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel" in ansible_facts.packages' @@ -34372,10 +35514,11 @@ - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Use matched file as the recipient for the rule +- name: Record Events that Modify User/Group Information - /etc/security/opasswd - Use matched file as the recipient for the + rule set_fact: all_files: - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' 
@@ -34385,7 +35528,7 @@ - low_complexity | bool - low_disruption | bool - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel" in ansible_facts.packages' @@ -34409,10 +35552,11 @@ - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Add watch rule for /etc/security/opasswd in /etc/audit/rules.d/ +- name: Record Events that Modify User/Group Information - /etc/security/opasswd - Add watch rule for /etc/security/opasswd + in /etc/audit/rules.d/ lineinfile: path: '{{ all_files[0] }}' line: -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification @@ -34424,7 +35568,7 @@ - low_complexity | bool - low_disruption | bool - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel" in ansible_facts.packages' @@ -34447,10 +35591,11 @@ - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Check if watch rule for /etc/security/opasswd already exists in /etc/audit/audit.rules +- name: Record Events that Modify User/Group Information - /etc/security/opasswd - Check if watch rule for /etc/security/opasswd + already exists in /etc/audit/audit.rules find: paths: /etc/audit/ contains: ^\s*-w\s+/etc/security/opasswd\s+-p\s+wa(\s|$)+ @@ -34462,7 +35607,7 @@ - low_complexity | bool - low_disruption | bool - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel" in ansible_facts.packages' 
@@ -34484,10 +35629,11 @@ - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Add watch rule for /etc/security/opasswd in /etc/audit/audit.rules +- name: Record Events that Modify User/Group Information - /etc/security/opasswd - Add watch rule for /etc/security/opasswd + in /etc/audit/audit.rules lineinfile: line: -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification state: present @@ -34500,7 +35646,7 @@ - low_complexity | bool - low_disruption | bool - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel" in ansible_facts.packages' @@ -34523,7 +35669,7 @@ - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy - name: Gather the package facts @@ -34547,7 +35693,7 @@ - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy when: - DISA_STIG_RHEL_09_654240 | bool @@ -34555,10 +35701,11 @@ - low_complexity | bool - low_disruption | bool - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool -- name: Check if watch rule for /etc/passwd already exists in /etc/audit/rules.d/ +- name: Record Events that Modify User/Group Information - /etc/passwd - Check if watch rule for /etc/passwd already exists + in /etc/audit/rules.d/ find: paths: /etc/audit/rules.d contains: ^\s*-w\s+/etc/passwd\s+-p\s+wa(\s|$)+ @@ -34570,7 +35717,7 @@ - low_complexity | bool - low_disruption | bool - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel" in ansible_facts.packages' 
@@ -34592,13 +35739,14 @@ - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Search /etc/audit/rules.d for other rules with specified key audit_rules_usergroup_modification +- name: Record Events that Modify User/Group Information - /etc/passwd - Search /etc/audit/rules.d for other rules with specified + key audit_rules_usergroup_modification_passwd find: paths: /etc/audit/rules.d - contains: ^.*(?:-F key=|-k\s+)audit_rules_usergroup_modification$ + contains: ^.*(?:-F key=|-k\s+)audit_rules_usergroup_modification_passwd$ patterns: '*.rules' register: find_watch_key when: @@ -34607,7 +35755,7 @@ - low_complexity | bool - low_disruption | bool - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel" in ansible_facts.packages' @@ -34630,20 +35778,21 @@ - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Use /etc/audit/rules.d/audit_rules_usergroup_modification.rules as the recipient for the rule +- name: Record Events that Modify User/Group Information - /etc/passwd - Use /etc/audit/rules.d/audit_rules_usergroup_modification_passwd.rules + as the recipient for the rule set_fact: all_files: - - /etc/audit/rules.d/audit_rules_usergroup_modification.rules + - /etc/audit/rules.d/audit_rules_usergroup_modification_passwd.rules when: - DISA_STIG_RHEL_09_654240 | bool - audit_rules_usergroup_modification_passwd | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel" in ansible_facts.packages' 
@@ -34667,10 +35816,10 @@ - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Use matched file as the recipient for the rule +- name: Record Events that Modify User/Group Information - /etc/passwd - Use matched file as the recipient for the rule set_fact: all_files: - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' @@ -34680,7 +35829,7 @@ - low_complexity | bool - low_disruption | bool - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel" in ansible_facts.packages' @@ -34704,13 +35853,13 @@ - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Add watch rule for /etc/passwd in /etc/audit/rules.d/ +- name: Record Events that Modify User/Group Information - /etc/passwd - Add watch rule for /etc/passwd in /etc/audit/rules.d/ lineinfile: path: '{{ all_files[0] }}' - line: -w /etc/passwd -p wa -k audit_rules_usergroup_modification + line: -w /etc/passwd -p wa -k audit_rules_usergroup_modification_passwd create: true mode: '0600' when: @@ -34719,7 +35868,7 @@ - low_complexity | bool - low_disruption | bool - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel" in ansible_facts.packages' @@ -34742,10 +35891,11 @@ - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Check if watch rule for /etc/passwd already exists in /etc/audit/audit.rules +- name: Record Events that Modify User/Group Information - /etc/passwd - Check if watch rule for /etc/passwd already exists + in /etc/audit/audit.rules find: paths: /etc/audit/ contains: ^\s*-w\s+/etc/passwd\s+-p\s+wa(\s|$)+ 
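Review bot: The new watch line `-w /etc/passwd -p wa -k audit_rules_usergroup_modification_passwd` gives /etc/passwd a different audit key from /etc/group, /etc/gshadow, /etc/security/opasswd and /etc/shadow, which in the surrounding hunks keep `-k audit_rules_usergroup_modification`, so any `ausearch -k audit_rules_usergroup_modification` query or SIEM rule on that key silently stops covering /etc/passwd on hosts remediated with this version. Because the pre-check regex matches on the path only (`^\s*-w\s+/etc/passwd\s+-p\s+wa`), hosts that already carry the old-key line are presumably left untouched, as the wtmp chain earlier in this diff does, and a fleet then emits two different keys for the same event. Unless the separate key is deliberate, keep the shared key here and in the `audit.rules` variant in the next hunk; if it is deliberate, add a comment above the task such as `# NOTE: /etc/passwd uses a dedicated key; update detections that match on -k audit_rules_usergroup_modification`. The `lineinfile` task starts before this hunk.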
@@ -34757,7 +35907,7 @@ - low_complexity | bool - low_disruption | bool - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel" in ansible_facts.packages' @@ -34779,12 +35929,12 @@ - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Add watch rule for /etc/passwd in /etc/audit/audit.rules +- name: Record Events that Modify User/Group Information - /etc/passwd - Add watch rule for /etc/passwd in /etc/audit/audit.rules lineinfile: - line: -w /etc/passwd -p wa -k audit_rules_usergroup_modification + line: -w /etc/passwd -p wa -k audit_rules_usergroup_modification_passwd state: present dest: /etc/audit/audit.rules create: true @@ -34795,7 +35945,7 @@ - low_complexity | bool - low_disruption | bool - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel" in ansible_facts.packages' @@ -34818,7 +35968,7 @@ - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy - name: Gather the package facts @@ -34842,7 +35992,7 @@ - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy when: - DISA_STIG_RHEL_09_654245 | bool @@ -34850,10 +36000,11 @@ - low_complexity | bool - low_disruption | bool - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool -- name: Check if watch rule for /etc/shadow already exists in /etc/audit/rules.d/ +- name: Record Events that Modify User/Group Information - /etc/shadow - Check if watch rule for /etc/shadow already exists + in /etc/audit/rules.d/ find: paths: /etc/audit/rules.d contains: ^\s*-w\s+/etc/shadow\s+-p\s+wa(\s|$)+ 
@@ -34865,7 +36016,7 @@ - low_complexity | bool - low_disruption | bool - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel" in ansible_facts.packages' @@ -34887,10 +36038,11 @@ - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Search /etc/audit/rules.d for other rules with specified key audit_rules_usergroup_modification +- name: Record Events that Modify User/Group Information - /etc/shadow - Search /etc/audit/rules.d for other rules with specified + key audit_rules_usergroup_modification find: paths: /etc/audit/rules.d contains: ^.*(?:-F key=|-k\s+)audit_rules_usergroup_modification$ @@ -34902,7 +36054,7 @@ - low_complexity | bool - low_disruption | bool - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel" in ansible_facts.packages' @@ -34925,10 +36077,11 @@ - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Use /etc/audit/rules.d/audit_rules_usergroup_modification.rules as the recipient for the rule +- name: Record Events that Modify User/Group Information - /etc/shadow - Use /etc/audit/rules.d/audit_rules_usergroup_modification.rules + as the recipient for the rule set_fact: all_files: - /etc/audit/rules.d/audit_rules_usergroup_modification.rules @@ -34938,7 +36091,7 @@ - low_complexity | bool - low_disruption | bool - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel" in ansible_facts.packages' 
@@ -34962,10 +36115,10 @@ - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Use matched file as the recipient for the rule +- name: Record Events that Modify User/Group Information - /etc/shadow - Use matched file as the recipient for the rule set_fact: all_files: - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' @@ -34975,7 +36128,7 @@ - low_complexity | bool - low_disruption | bool - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel" in ansible_facts.packages' @@ -34999,10 +36152,10 @@ - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Add watch rule for /etc/shadow in /etc/audit/rules.d/ +- name: Record Events that Modify User/Group Information - /etc/shadow - Add watch rule for /etc/shadow in /etc/audit/rules.d/ lineinfile: path: '{{ all_files[0] }}' line: -w /etc/shadow -p wa -k audit_rules_usergroup_modification @@ -35014,7 +36167,7 @@ - low_complexity | bool - low_disruption | bool - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel" in ansible_facts.packages' @@ -35037,10 +36190,11 @@ - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Check if watch rule for /etc/shadow already exists in /etc/audit/audit.rules +- name: Record Events that Modify User/Group Information - /etc/shadow - Check if watch rule for /etc/shadow already exists + in /etc/audit/audit.rules find: paths: /etc/audit/ contains: ^\s*-w\s+/etc/shadow\s+-p\s+wa(\s|$)+ 
@@ -35052,7 +36206,7 @@ - low_complexity | bool - low_disruption | bool - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel" in ansible_facts.packages' @@ -35074,10 +36228,10 @@ - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Add watch rule for /etc/shadow in /etc/audit/audit.rules +- name: Record Events that Modify User/Group Information - /etc/shadow - Add watch rule for /etc/shadow in /etc/audit/audit.rules lineinfile: line: -w /etc/shadow -p wa -k audit_rules_usergroup_modification state: present @@ -35090,7 +36244,7 @@ - low_complexity | bool - low_disruption | bool - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel" in ansible_facts.packages' @@ -35113,7 +36267,7 @@ - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy - name: Gather the package facts @@ -35130,17 +36284,17 @@ - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy when: - audit_sudo_log_events | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool -- name: Check if watch rule for /var/log/sudo.log already exists in /etc/audit/rules.d/ +- name: Record Attempts to perform maintenance activities - Check if watch rule for /var/log/sudo.log already exists in /etc/audit/rules.d/ find: paths: /etc/audit/rules.d contains: ^\s*-w\s+/var/log/sudo.log\s+-p\s+wa(\s|$)+ 
@@ -35151,7 +36305,7 @@ - low_complexity | bool - low_disruption | bool - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel" in ansible_facts.packages' @@ -35166,13 +36320,13 @@ - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Search /etc/audit/rules.d for other rules with specified key logins +- name: Record Attempts to perform maintenance activities - Search /etc/audit/rules.d for other rules with specified key maintenance find: paths: /etc/audit/rules.d - contains: ^.*(?:-F key=|-k\s+)logins$ + contains: ^.*(?:-F key=|-k\s+)maintenance$ patterns: '*.rules' register: find_watch_key when: @@ -35180,7 +36334,7 @@ - low_complexity | bool - low_disruption | bool - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel" in ansible_facts.packages' @@ -35196,19 +36350,20 @@ - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Use /etc/audit/rules.d/logins.rules as the recipient for the rule +- name: Record Attempts to perform maintenance activities - Use /etc/audit/rules.d/maintenance.rules as the recipient for + the rule set_fact: all_files: - - /etc/audit/rules.d/logins.rules + - /etc/audit/rules.d/maintenance.rules when: - audit_sudo_log_events | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel" in ansible_facts.packages' 
@@ -35225,10 +36380,10 @@ - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Use matched file as the recipient for the rule +- name: Record Attempts to perform maintenance activities - Use matched file as the recipient for the rule set_fact: all_files: - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' @@ -35237,7 +36392,7 @@ - low_complexity | bool - low_disruption | bool - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel" in ansible_facts.packages' @@ -35254,13 +36409,13 @@ - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Add watch rule for /var/log/sudo.log in /etc/audit/rules.d/ +- name: Record Attempts to perform maintenance activities - Add watch rule for /var/log/sudo.log in /etc/audit/rules.d/ lineinfile: path: '{{ all_files[0] }}' - line: -w /var/log/sudo.log -p wa -k logins + line: -w /var/log/sudo.log -p wa -k maintenance create: true mode: '0600' when: @@ -35268,7 +36423,7 @@ - low_complexity | bool - low_disruption | bool - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel" in ansible_facts.packages' @@ -35284,10 +36439,10 @@ - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Check if watch rule for /var/log/sudo.log already exists in /etc/audit/audit.rules +- name: Record Attempts to perform maintenance activities - Check if watch rule for /var/log/sudo.log already exists in /etc/audit/audit.rules find: paths: /etc/audit/ contains: ^\s*-w\s+/var/log/sudo.log\s+-p\s+wa(\s|$)+ 
@@ -35298,7 +36453,7 @@ - low_complexity | bool - low_disruption | bool - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel" in ansible_facts.packages' @@ -35313,12 +36468,12 @@ - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Add watch rule for /var/log/sudo.log in /etc/audit/audit.rules +- name: Record Attempts to perform maintenance activities - Add watch rule for /var/log/sudo.log in /etc/audit/audit.rules lineinfile: - line: -w /var/log/sudo.log -p wa -k logins + line: -w /var/log/sudo.log -p wa -k maintenance state: present dest: /etc/audit/audit.rules create: true @@ -35328,7 +36483,7 @@ - low_complexity | bool - low_disruption | bool - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel" in ansible_facts.packages' @@ -35344,7 +36499,7 @@ - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy - name: Gather the package facts 
@@ -35368,8 +36523,31 @@ - medium_severity | bool - no_reboot_needed | bool +- name: Set the file_groupownership_audit_configuration_newgroup variable if represented by gid + set_fact: + file_groupownership_audit_configuration_newgroup: '0' + when: + - DISA_STIG_RHEL_09_232104 | bool + - configure_strategy | bool + - file_groupownership_audit_configuration | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - '"audit" in ansible_facts.packages' + - '"kernel" in ansible_facts.packages' + tags: + - CCE-86446-2 + - DISA-STIG-RHEL-09-232104 + - configure_strategy + - file_groupownership_audit_configuration + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - name: Find /etc/audit/ file(s) matching ^.*audit(\.rules|d\.conf)$ - command: find -H /etc/audit/ -maxdepth 1 -type f ! -group 0 -regextype posix-extended -regex "^.*audit(\.rules|d\.conf)$" + command: find -L /etc/audit/ -maxdepth 1 -type f ! -group 0 -regextype posix-extended -regex "^.*audit(\.rules|d\.conf)$" register: files_found changed_when: false failed_when: false @@ -35397,7 +36575,7 @@ - name: Ensure group owner on /etc/audit/ file(s) matching ^.*audit(\.rules|d\.conf)$ file: path: '{{ item }}' - group: '0' + group: '{{ file_groupownership_audit_configuration_newgroup }}' state: file with_items: - '{{ files_found.stdout_lines }}' @@ -35422,7 +36600,7 @@ - no_reboot_needed - name: Find /etc/audit/rules.d/ file(s) matching ^.*\.rules$ - command: find -H /etc/audit/rules.d/ -maxdepth 1 -type f ! -group 0 -regextype posix-extended -regex "^.*\.rules$" + command: find -L /etc/audit/rules.d/ -maxdepth 1 -type f ! -group 0 -regextype posix-extended -regex "^.*\.rules$" register: files_found changed_when: false failed_when: false 
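Review bot: Switching `find -H` to `find -L` in the `@@ -35368` and `@@ -35422` hunks (and likewise in the `@@ -35495`, `@@ -35549`, `@@ -35624` and `@@ -35679` hunks) makes `! -group 0` and `-type f` test the symlink target, and the `file:` tasks that consume `files_found.stdout_lines` then re-own that target because the `file` module follows symlinks by default, so a link under `/etc/audit/` pointing outside the directory would have its target's ownership changed by the remediation. Since `/etc/audit/` is root-owned this is a narrow window, but it is a widening of scope worth recording above the command, e.g. `# -L: evaluate and fix the link target, not the link; targets outside /etc/audit/ are affected too`. The new task name `Set the file_groupownership_audit_configuration_newgroup variable if represented by gid` (and its twin `… file_ownership_audit_configuration_newown … if represented by uid` in the `@@ -35495` hunk, and `file_groupownership_audit_binaries_newgroup` in the `@@ -49994` hunk) promises a condition its `when:` list does not contain; the fact is always set to `'0'` whenever the rule is selected, so either drop `if represented by gid` from the name or add the numeric test it describes.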
@@ -35450,7 +36628,7 @@ - name: Ensure group owner on /etc/audit/rules.d/ file(s) matching ^.*\.rules$ file: path: '{{ item }}' - group: '0' + group: '{{ file_groupownership_audit_configuration_newgroup }}' state: file with_items: - '{{ files_found.stdout_lines }}' @@ -35495,8 +36673,31 @@ - medium_severity | bool - no_reboot_needed | bool +- name: Set the file_ownership_audit_configuration_newown variable if represented by uid + set_fact: + file_ownership_audit_configuration_newown: '0' + when: + - DISA_STIG_RHEL_09_232103 | bool + - configure_strategy | bool + - file_ownership_audit_configuration | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - '"audit" in ansible_facts.packages' + - '"kernel" in ansible_facts.packages' + tags: + - CCE-86445-4 + - DISA-STIG-RHEL-09-232103 + - configure_strategy + - file_ownership_audit_configuration + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - name: Find /etc/audit/ file(s) matching ^.*audit(\.rules|d\.conf)$ - command: find -H /etc/audit/ -maxdepth 1 -type f ! -uid 0 -regextype posix-extended -regex "^.*audit(\.rules|d\.conf)$" + command: find -L /etc/audit/ -maxdepth 1 -type f ! -user 0 -regextype posix-extended -regex "^.*audit(\.rules|d\.conf)$" register: files_found changed_when: false failed_when: false @@ -35524,7 +36725,7 @@ - name: Ensure owner on /etc/audit/ file(s) matching ^.*audit(\.rules|d\.conf)$ file: path: '{{ item }}' - owner: '0' + owner: '{{ file_ownership_audit_configuration_newown }}' state: file with_items: - '{{ files_found.stdout_lines }}' 
@@ -35549,7 +36750,7 @@ - no_reboot_needed - name: Find /etc/audit/rules.d/ file(s) matching ^.*\.rules$ - command: find -H /etc/audit/rules.d/ -maxdepth 1 -type f ! -uid 0 -regextype posix-extended -regex "^.*\.rules$" + command: find -L /etc/audit/rules.d/ -maxdepth 1 -type f ! -user 0 -regextype posix-extended -regex "^.*\.rules$" register: files_found changed_when: false failed_when: false @@ -35577,7 +36778,7 @@ - name: Ensure owner on /etc/audit/rules.d/ file(s) matching ^.*\.rules$ file: path: '{{ item }}' - owner: '0' + owner: '{{ file_ownership_audit_configuration_newown }}' state: file with_items: - '{{ files_found.stdout_lines }}' @@ -35624,7 +36825,7 @@ - no_reboot_needed | bool - name: Find /etc/audit/ file(s) - command: find -H /etc/audit/ -maxdepth 1 -perm /u+xs,g+xws,o+xwrt -type f -regextype posix-extended -regex "^.*audit(\.rules|d\.conf)$" + command: find -L /etc/audit/ -maxdepth 1 -perm /u+xs,g+xws,o+xwrt -type f -regextype posix-extended -regex "^.*audit(\.rules|d\.conf)$" register: files_found changed_when: false failed_when: false @@ -35679,7 +36880,7 @@ - no_reboot_needed - name: Find /etc/audit/rules.d/ file(s) - command: find -H /etc/audit/rules.d/ -maxdepth 1 -perm /u+xs,g+xws,o+xwrt -type f -regextype posix-extended -regex "^.*\.rules$" + command: find -L /etc/audit/rules.d/ -maxdepth 1 -perm /u+xs,g+xws,o+xwrt -type f -regextype posix-extended -regex "^.*\.rules$" register: files_found changed_when: false failed_when: false @@ -41322,7 +42523,7 @@ - no_reboot_needed | bool - restrict_strategy | bool -- name: Perform remediation of Audit rules for /usr/bin/chacl +- name: Record Any Attempts to Run chacl - Perform remediation of Audit rules for /usr/bin/chacl block: - name: Declare list of syscalls set_fact: 
@@ -41454,7 +42655,7 @@ - no_reboot_needed | bool - restrict_strategy | bool -- name: Perform remediation of Audit rules for /usr/bin/setfacl +- name: Record Any Attempts to Run setfacl - Perform remediation of Audit rules for /usr/bin/setfacl block: - name: Declare list of syscalls set_fact: @@ -41591,7 +42792,7 @@ - no_reboot_needed | bool - restrict_strategy | bool -- name: Perform remediation of Audit rules for /usr/bin/chcon +- name: Record Any Attempts to Run chcon - Perform remediation of Audit rules for /usr/bin/chcon block: - name: Declare list of syscalls set_fact: @@ -41781,6 +42982,7 @@ - unlinkat - rename - renameat + - renameat2 - rmdir - name: Check existence of rename in /etc/audit/rules.d/ find: @@ -41839,6 +43041,7 @@ - unlinkat - rename - renameat + - renameat2 - rmdir - name: Check existence of rename in /etc/audit/audit.rules find: @@ -41911,6 +43114,7 @@ - unlinkat - rename - renameat + - renameat2 - rmdir - name: Check existence of rename in /etc/audit/rules.d/ find: @@ -41969,6 +43173,7 @@ - unlinkat - rename - renameat + - renameat2 - rmdir - name: Check existence of rename in /etc/audit/audit.rules find: @@ -42104,6 +43309,7 @@ - unlinkat - rename - renameat + - renameat2 - rmdir - name: Check existence of renameat in /etc/audit/rules.d/ find: @@ -42162,6 +43368,7 @@ - unlinkat - rename - renameat + - renameat2 - rmdir - name: Check existence of renameat in /etc/audit/audit.rules find: @@ -42233,6 +43440,7 @@ - unlinkat - rename - renameat + - renameat2 - rmdir - name: Check existence of renameat in /etc/audit/rules.d/ find: @@ -42291,6 +43499,7 @@ - unlinkat - rename - renameat + - renameat2 - rmdir - name: Check existence of renameat in /etc/audit/audit.rules find: @@ -42426,6 +43635,7 @@ - unlinkat - rename - renameat + - renameat2 - rmdir - name: Check existence of unlink in /etc/audit/rules.d/ find: 
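Review bot: Adding `renameat2` to the syscall list in the `@@ -41781` hunk and the matching hunks through `@@ -42936` on the next line is the right coverage fix, but each hunk shows only the declared list; the `Check existence of rename in …` tasks that follow test per syscall, and the step that merges a missing syscall into an already-present rule line starts outside the hunk. If that step only inserts a new rule when none of the listed syscalls is found, hosts remediated before this change keep a `-S rename -S renameat …` line without `renameat2`, which is exactly the host a detection engineer would expect to be covered; please confirm the replace/insert step rewrites the existing line. A one-line comment above the list, `# renameat2 included so renames via the newer syscall land under the same key`, would also tell the next reader why the list differs from older profiles.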
@@ -42484,6 +43694,7 @@ - unlinkat - rename - renameat + - renameat2 - rmdir - name: Check existence of unlink in /etc/audit/audit.rules find: @@ -42556,6 +43767,7 @@ - unlinkat - rename - renameat + - renameat2 - rmdir - name: Check existence of unlink in /etc/audit/rules.d/ find: @@ -42614,6 +43826,7 @@ - unlinkat - rename - renameat + - renameat2 - rmdir - name: Check existence of unlink in /etc/audit/audit.rules find: @@ -42749,6 +43962,7 @@ - unlinkat - rename - renameat + - renameat2 - rmdir - name: Check existence of unlinkat in /etc/audit/rules.d/ find: @@ -42807,6 +44021,7 @@ - unlinkat - rename - renameat + - renameat2 - rmdir - name: Check existence of unlinkat in /etc/audit/audit.rules find: @@ -42878,6 +44093,7 @@ - unlinkat - rename - renameat + - renameat2 - rmdir - name: Check existence of unlinkat in /etc/audit/rules.d/ find: @@ -42936,6 +44152,7 @@ - unlinkat - rename - renameat + - renameat2 - rmdir - name: Check existence of unlinkat in /etc/audit/audit.rules find: @@ -47377,7 +48594,7 @@ - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy when: - DISA_STIG_RHEL_09_654250 | bool @@ -47385,10 +48602,11 @@ - low_complexity | bool - low_disruption | bool - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool -- name: Check if watch rule for {{ var_accounts_passwords_pam_faillock_dir }} already exists in /etc/audit/rules.d/ +- name: Record Attempts to Alter Logon and Logout Events - faillock - Check if watch rule for {{ var_accounts_passwords_pam_faillock_dir + }} already exists in /etc/audit/rules.d/ find: paths: /etc/audit/rules.d contains: ^\s*-w\s+{{ var_accounts_passwords_pam_faillock_dir }}\s+-p\s+wa(\s|$)+ 
@@ -47400,7 +48618,7 @@ - low_complexity | bool - low_disruption | bool - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel" in ansible_facts.packages' @@ -47420,10 +48638,11 @@ - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Search /etc/audit/rules.d for other rules with specified key logins +- name: Record Attempts to Alter Logon and Logout Events - faillock - Search /etc/audit/rules.d for other rules with specified + key logins find: paths: /etc/audit/rules.d contains: ^.*(?:-F key=|-k\s+)logins$ @@ -47435,7 +48654,7 @@ - low_complexity | bool - low_disruption | bool - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel" in ansible_facts.packages' @@ -47456,10 +48675,11 @@ - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Use /etc/audit/rules.d/logins.rules as the recipient for the rule +- name: Record Attempts to Alter Logon and Logout Events - faillock - Use /etc/audit/rules.d/logins.rules as the recipient + for the rule set_fact: all_files: - /etc/audit/rules.d/logins.rules @@ -47469,7 +48689,7 @@ - low_complexity | bool - low_disruption | bool - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel" in ansible_facts.packages' 
@@ -47491,10 +48711,10 @@ - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Use matched file as the recipient for the rule +- name: Record Attempts to Alter Logon and Logout Events - faillock - Use matched file as the recipient for the rule set_fact: all_files: - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' @@ -47504,7 +48724,7 @@ - low_complexity | bool - low_disruption | bool - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel" in ansible_facts.packages' @@ -47526,10 +48746,11 @@ - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Add watch rule for {{ var_accounts_passwords_pam_faillock_dir }} in /etc/audit/rules.d/ +- name: Record Attempts to Alter Logon and Logout Events - faillock - Add watch rule for {{ var_accounts_passwords_pam_faillock_dir + }} in /etc/audit/rules.d/ lineinfile: path: '{{ all_files[0] }}' line: -w {{ var_accounts_passwords_pam_faillock_dir }} -p wa -k logins @@ -47541,7 +48762,7 @@ - low_complexity | bool - low_disruption | bool - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel" in ansible_facts.packages' @@ -47562,10 +48783,11 @@ - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Check if watch rule for {{ var_accounts_passwords_pam_faillock_dir }} already exists in /etc/audit/audit.rules +- name: Record Attempts to Alter Logon and Logout Events - faillock - Check if watch rule for {{ var_accounts_passwords_pam_faillock_dir + }} already exists in /etc/audit/audit.rules find: paths: /etc/audit/ contains: ^\s*-w\s+{{ var_accounts_passwords_pam_faillock_dir }}\s+-p\s+wa(\s|$)+ 
@@ -47577,7 +48799,7 @@ - low_complexity | bool - low_disruption | bool - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel" in ansible_facts.packages' @@ -47597,10 +48819,11 @@ - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Add watch rule for {{ var_accounts_passwords_pam_faillock_dir }} in /etc/audit/audit.rules +- name: Record Attempts to Alter Logon and Logout Events - faillock - Add watch rule for {{ var_accounts_passwords_pam_faillock_dir + }} in /etc/audit/audit.rules lineinfile: line: -w {{ var_accounts_passwords_pam_faillock_dir }} -p wa -k logins state: present @@ -47613,7 +48836,7 @@ - low_complexity | bool - low_disruption | bool - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel" in ansible_facts.packages' @@ -47634,7 +48857,7 @@ - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy - name: Gather the package facts @@ -47656,7 +48879,7 @@ - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy when: - DISA_STIG_RHEL_09_654255 | bool @@ -47664,10 +48887,11 @@ - low_complexity | bool - low_disruption | bool - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool -- name: Check if watch rule for /var/log/lastlog already exists in /etc/audit/rules.d/ +- name: Record Attempts to Alter Logon and Logout Events - lastlog - Check if watch rule for /var/log/lastlog already exists + in /etc/audit/rules.d/ find: paths: /etc/audit/rules.d contains: ^\s*-w\s+/var/log/lastlog\s+-p\s+wa(\s|$)+ 
@@ -47679,7 +48903,7 @@ - low_complexity | bool - low_disruption | bool - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel" in ansible_facts.packages' @@ -47699,10 +48923,11 @@ - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Search /etc/audit/rules.d for other rules with specified key logins +- name: Record Attempts to Alter Logon and Logout Events - lastlog - Search /etc/audit/rules.d for other rules with specified + key logins find: paths: /etc/audit/rules.d contains: ^.*(?:-F key=|-k\s+)logins$ @@ -47714,7 +48939,7 @@ - low_complexity | bool - low_disruption | bool - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel" in ansible_facts.packages' @@ -47735,10 +48960,11 @@ - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Use /etc/audit/rules.d/logins.rules as the recipient for the rule +- name: Record Attempts to Alter Logon and Logout Events - lastlog - Use /etc/audit/rules.d/logins.rules as the recipient + for the rule set_fact: all_files: - /etc/audit/rules.d/logins.rules @@ -47748,7 +48974,7 @@ - low_complexity | bool - low_disruption | bool - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel" in ansible_facts.packages' 
@@ -47770,10 +48996,10 @@ - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Use matched file as the recipient for the rule +- name: Record Attempts to Alter Logon and Logout Events - lastlog - Use matched file as the recipient for the rule set_fact: all_files: - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' @@ -47783,7 +49009,7 @@ - low_complexity | bool - low_disruption | bool - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel" in ansible_facts.packages' @@ -47805,10 +49031,10 @@ - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Add watch rule for /var/log/lastlog in /etc/audit/rules.d/ +- name: Record Attempts to Alter Logon and Logout Events - lastlog - Add watch rule for /var/log/lastlog in /etc/audit/rules.d/ lineinfile: path: '{{ all_files[0] }}' line: -w /var/log/lastlog -p wa -k logins @@ -47820,7 +49046,7 @@ - low_complexity | bool - low_disruption | bool - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel" in ansible_facts.packages' @@ -47841,10 +49067,11 @@ - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Check if watch rule for /var/log/lastlog already exists in /etc/audit/audit.rules +- name: Record Attempts to Alter Logon and Logout Events - lastlog - Check if watch rule for /var/log/lastlog already exists + in /etc/audit/audit.rules find: paths: /etc/audit/ contains: ^\s*-w\s+/var/log/lastlog\s+-p\s+wa(\s|$)+ 
@@ -47856,7 +49083,7 @@ - low_complexity | bool - low_disruption | bool - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel" in ansible_facts.packages' @@ -47876,10 +49103,10 @@ - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Add watch rule for /var/log/lastlog in /etc/audit/audit.rules +- name: Record Attempts to Alter Logon and Logout Events - lastlog - Add watch rule for /var/log/lastlog in /etc/audit/audit.rules lineinfile: line: -w /var/log/lastlog -p wa -k logins state: present @@ -47892,7 +49119,7 @@ - low_complexity | bool - low_disruption | bool - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel" in ansible_facts.packages' @@ -47913,7 +49140,7 @@ - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy - name: Gather the package facts @@ -48134,7 +49361,8 @@ - no_reboot_needed | bool - restrict_strategy | bool -- name: Perform remediation of Audit rules for /usr/bin/kmod +- name: Ensure auditd Collects Information on the Use of Privileged Commands - kmod - Perform remediation of Audit rules for + /usr/bin/kmod block: - name: Declare list of syscalls set_fact: @@ -48272,7 +49500,8 @@ - no_reboot_needed | bool - restrict_strategy | bool -- name: Perform remediation of Audit rules for /usr/sbin/usermod +- name: Ensure auditd Collects Information on the Use of Privileged Commands - usermod - Perform remediation of Audit rules + for /usr/sbin/usermod block: - name: Declare list of syscalls set_fact: 
@@ -49325,7 +50554,7 @@ - no_reboot_needed | bool - restrict_strategy | bool -- name: Check if watch rule for /etc/localtime already exists in /etc/audit/rules.d/ +- name: Record Attempts to Alter the localtime File - Check if watch rule for /etc/localtime already exists in /etc/audit/rules.d/ find: paths: /etc/audit/rules.d contains: ^\s*-w\s+/etc/localtime\s+-p\s+wa(\s|$)+ @@ -49358,7 +50587,7 @@ - no_reboot_needed - restrict_strategy -- name: Search /etc/audit/rules.d for other rules with specified key audit_time_rules +- name: Record Attempts to Alter the localtime File - Search /etc/audit/rules.d for other rules with specified key audit_time_rules find: paths: /etc/audit/rules.d contains: ^.*(?:-F key=|-k\s+)audit_time_rules$ @@ -49392,7 +50621,8 @@ - no_reboot_needed - restrict_strategy -- name: Use /etc/audit/rules.d/audit_time_rules.rules as the recipient for the rule +- name: Record Attempts to Alter the localtime File - Use /etc/audit/rules.d/audit_time_rules.rules as the recipient for the + rule set_fact: all_files: - /etc/audit/rules.d/audit_time_rules.rules @@ -49425,7 +50655,7 @@ - no_reboot_needed - restrict_strategy -- name: Use matched file as the recipient for the rule +- name: Record Attempts to Alter the localtime File - Use matched file as the recipient for the rule set_fact: all_files: - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' @@ -49458,7 +50688,7 @@ - no_reboot_needed - restrict_strategy -- name: Add watch rule for /etc/localtime in /etc/audit/rules.d/ +- name: Record Attempts to Alter the localtime File - Add watch rule for /etc/localtime in /etc/audit/rules.d/ lineinfile: path: '{{ all_files[0] }}' line: -w /etc/localtime -p wa -k audit_time_rules 
@@ -49492,7 +50722,7 @@ - no_reboot_needed - restrict_strategy -- name: Check if watch rule for /etc/localtime already exists in /etc/audit/audit.rules +- name: Record Attempts to Alter the localtime File - Check if watch rule for /etc/localtime already exists in /etc/audit/audit.rules find: paths: /etc/audit/ contains: ^\s*-w\s+/etc/localtime\s+-p\s+wa(\s|$)+ @@ -49525,7 +50755,7 @@ - no_reboot_needed - restrict_strategy -- name: Add watch rule for /etc/localtime in /etc/audit/audit.rules +- name: Record Attempts to Alter the localtime File - Add watch rule for /etc/localtime in /etc/audit/audit.rules lineinfile: line: -w /etc/localtime -p wa -k audit_time_rules state: present @@ -49994,6 +51224,26 @@ - medium_severity | bool - no_reboot_needed | bool +- name: Set the file_groupownership_audit_binaries_newgroup variable if represented by gid + set_fact: + file_groupownership_audit_binaries_newgroup: '0' + when: + - configure_strategy | bool + - file_groupownership_audit_binaries | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - '"kernel" in ansible_facts.packages' + tags: + - CCE-86457-9 + - configure_strategy + - file_groupownership_audit_binaries + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - name: Test for existence /sbin/auditctl stat: path: /sbin/auditctl @@ -50015,10 +51265,10 @@ - medium_severity - no_reboot_needed -- name: Ensure group owner 0 on /sbin/auditctl +- name: Ensure group owner on /sbin/auditctl file: path: /sbin/auditctl - group: '0' + group: '{{ file_groupownership_audit_binaries_newgroup }}' when: - configure_strategy | bool - file_groupownership_audit_binaries | bool 
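Review bot: The new task `Set the file_groupownership_audit_binaries_newgroup variable if represented by gid` in hunk `@@ -49994,6 +51224,26 @@` has no condition that actually tests whether the value "is represented by gid"; its `when` list is only the profile gates, so it unconditionally sets `file_groupownership_audit_binaries_newgroup: '0'` before every `group: '{{ file_groupownership_audit_binaries_newgroup }}'` task. Because `set_fact` outranks role defaults and inventory vars, an operator who overrides that variable there will presumably have it reset to `0` on every run (only extra-vars would survive), so the indirection introduced by this commit adds no real configurability. Either the name should drop the misleading clause, or the task needs the gid check it promises, e.g. `- file_groupownership_audit_binaries_newgroup is not defined or file_groupownership_audit_binaries_newgroup | string is match('^[0-9]+$')` (constructed — confirm against the generator template). The same pattern recurs for the uid variable in hunk `@@ -50271,6 +51564,26 @@` (`file_ownership_audit_binaries_newown: '0'`).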
@@ -50058,10 +51308,10 @@ - medium_severity - no_reboot_needed -- name: Ensure group owner 0 on /sbin/aureport +- name: Ensure group owner on /sbin/aureport file: path: /sbin/aureport - group: '0' + group: '{{ file_groupownership_audit_binaries_newgroup }}' when: - configure_strategy | bool - file_groupownership_audit_binaries | bool @@ -50101,10 +51351,10 @@ - medium_severity - no_reboot_needed -- name: Ensure group owner 0 on /sbin/ausearch +- name: Ensure group owner on /sbin/ausearch file: path: /sbin/ausearch - group: '0' + group: '{{ file_groupownership_audit_binaries_newgroup }}' when: - configure_strategy | bool - file_groupownership_audit_binaries | bool @@ -50144,10 +51394,10 @@ - medium_severity - no_reboot_needed -- name: Ensure group owner 0 on /sbin/autrace +- name: Ensure group owner on /sbin/autrace file: path: /sbin/autrace - group: '0' + group: '{{ file_groupownership_audit_binaries_newgroup }}' when: - configure_strategy | bool - file_groupownership_audit_binaries | bool @@ -50187,10 +51437,10 @@ - medium_severity - no_reboot_needed -- name: Ensure group owner 0 on /sbin/auditd +- name: Ensure group owner on /sbin/auditd file: path: /sbin/auditd - group: '0' + group: '{{ file_groupownership_audit_binaries_newgroup }}' when: - configure_strategy | bool - file_groupownership_audit_binaries | bool 
@@ -50230,10 +51480,53 @@ - medium_severity - no_reboot_needed -- name: Ensure group owner 0 on /sbin/augenrules +- name: Ensure group owner on /sbin/augenrules file: path: /sbin/augenrules - group: '0' + group: '{{ file_groupownership_audit_binaries_newgroup }}' + when: + - configure_strategy | bool + - file_groupownership_audit_binaries | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - '"kernel" in ansible_facts.packages' + - file_exists.stat is defined and file_exists.stat.exists + tags: + - CCE-86457-9 + - configure_strategy + - file_groupownership_audit_binaries + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Test for existence /sbin/audisp-syslog + stat: + path: /sbin/audisp-syslog + register: file_exists + when: + - configure_strategy | bool + - file_groupownership_audit_binaries | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - '"kernel" in ansible_facts.packages' + tags: + - CCE-86457-9 + - configure_strategy + - file_groupownership_audit_binaries + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Ensure group owner on /sbin/audisp-syslog + file: + path: /sbin/audisp-syslog + group: '{{ file_groupownership_audit_binaries_newgroup }}' when: - configure_strategy | bool - file_groupownership_audit_binaries | bool 
@@ -50271,6 +51564,26 @@ - medium_severity | bool - no_reboot_needed | bool +- name: Set the file_ownership_audit_binaries_newown variable if represented by uid + set_fact: + file_ownership_audit_binaries_newown: '0' + when: + - configure_strategy | bool + - file_ownership_audit_binaries | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - '"kernel" in ansible_facts.packages' + tags: + - CCE-86454-6 + - configure_strategy + - file_ownership_audit_binaries + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - name: Test for existence /sbin/auditctl stat: path: /sbin/auditctl @@ -50292,10 +51605,10 @@ - medium_severity - no_reboot_needed -- name: Ensure owner 0 on /sbin/auditctl +- name: Ensure owner on /sbin/auditctl file: path: /sbin/auditctl - owner: '0' + owner: '{{ file_ownership_audit_binaries_newown }}' when: - configure_strategy | bool - file_ownership_audit_binaries | bool @@ -50335,10 +51648,10 @@ - medium_severity - no_reboot_needed -- name: Ensure owner 0 on /sbin/aureport +- name: Ensure owner on /sbin/aureport file: path: /sbin/aureport - owner: '0' + owner: '{{ file_ownership_audit_binaries_newown }}' when: - configure_strategy | bool - file_ownership_audit_binaries | bool @@ -50378,10 +51691,10 @@ - medium_severity - no_reboot_needed -- name: Ensure owner 0 on /sbin/ausearch +- name: Ensure owner on /sbin/ausearch file: path: /sbin/ausearch - owner: '0' + owner: '{{ file_ownership_audit_binaries_newown }}' when: - configure_strategy | bool - file_ownership_audit_binaries | bool @@ -50421,10 +51734,10 @@ - medium_severity - no_reboot_needed -- name: Ensure owner 0 on /sbin/autrace +- name: Ensure owner on /sbin/autrace file: path: /sbin/autrace - owner: '0' + owner: '{{ file_ownership_audit_binaries_newown }}' when: - configure_strategy | bool - file_ownership_audit_binaries | bool 
@@ -50464,10 +51777,10 @@ - medium_severity - no_reboot_needed -- name: Ensure owner 0 on /sbin/auditd +- name: Ensure owner on /sbin/auditd file: path: /sbin/auditd - owner: '0' + owner: '{{ file_ownership_audit_binaries_newown }}' when: - configure_strategy | bool - file_ownership_audit_binaries | bool @@ -50507,10 +51820,53 @@ - medium_severity - no_reboot_needed -- name: Ensure owner 0 on /sbin/augenrules +- name: Ensure owner on /sbin/augenrules file: path: /sbin/augenrules - owner: '0' + owner: '{{ file_ownership_audit_binaries_newown }}' + when: + - configure_strategy | bool + - file_ownership_audit_binaries | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - '"kernel" in ansible_facts.packages' + - file_exists.stat is defined and file_exists.stat.exists + tags: + - CCE-86454-6 + - configure_strategy + - file_ownership_audit_binaries + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Test for existence /sbin/audisp-syslog + stat: + path: /sbin/audisp-syslog + register: file_exists + when: + - configure_strategy | bool + - file_ownership_audit_binaries | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - '"kernel" in ansible_facts.packages' + tags: + - CCE-86454-6 + - configure_strategy + - file_ownership_audit_binaries + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Ensure owner on /sbin/audisp-syslog + file: + path: /sbin/audisp-syslog + owner: '{{ file_ownership_audit_binaries_newown }}' when: - configure_strategy | bool - file_ownership_audit_binaries | bool 
@@ -50805,3 +52161,46 @@ - low_disruption - medium_severity - no_reboot_needed + +- name: Test for existence /sbin/audisp-syslog + stat: + path: /sbin/audisp-syslog + register: file_exists + when: + - configure_strategy | bool + - file_permissions_audit_binaries | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - '"kernel" in ansible_facts.packages' + tags: + - CCE-86448-8 + - configure_strategy + - file_permissions_audit_binaries + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Ensure permission u-s,g-ws,o-wt on /sbin/audisp-syslog + file: + path: /sbin/audisp-syslog + mode: u-s,g-ws,o-wt + when: + - configure_strategy | bool + - file_permissions_audit_binaries | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - '"kernel" in ansible_facts.packages' + - file_exists.stat is defined and file_exists.stat.exists + tags: + - CCE-86448-8 + - configure_strategy + - file_permissions_audit_binaries + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed