Updated tasks/main.yml

LICENSE

@@ -0,0 +1,25 @@
+SPDX license identifier: BSD-3-Clause
+Copyright (c) 2012-2017, Red Hat, Inc.
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+    * Redistributions of source code must retain the above copyright
+      notice, this list of conditions and the following disclaimer.
+    * Redistributions in binary form must reproduce the above copyright
+      notice, this list of conditions and the following disclaimer in the
+      documentation and/or other materials provided with the distribution.
+    * Neither the name of the Red Hat nor the
+      names of its contributors may be used to endorse or promote products
+      derived from this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY
+DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

defaults/main.yml

@@ -7,6 +7,8 @@ var_sudo_logfile: /var/log/sudo.log
 var_sudo_timestamp_timeout: '5'
 var_authselect_profile: sssd
 login_banner_text: ^(Authorized[\s\n]+uses[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.|^(?!.*(\\|fedora|rhel|sle|ubuntu)).*)$
+remote_login_banner_text: ^(Authorized[\s\n]+uses[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.|^(?!.*(\\|fedora|rhel|sle|ubuntu)).*)$
+motd_banner_text: ^(Authorized[\s\n]+uses[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.|^(?!.*(\\|fedora|rhel|sle|ubuntu)).*)$
 var_password_pam_remember: '5'
 var_password_pam_remember_control_flag: requisite,required
 var_accounts_passwords_pam_faillock_deny: '3'
@@ -19,8 +21,10 @@ var_account_disable_post_pw_expiration: '30'
 var_accounts_maximum_age_login_defs: '365'
 var_accounts_minimum_age_login_defs: '1'
 var_accounts_password_warn_age_login_defs: '7'
+var_pam_wheel_group_for_su: sugroup
 var_accounts_tmout: '900'
 var_accounts_user_umask: '027'
+var_accounts_passwords_pam_faillock_dir: /var/run/faillock
 var_auditd_action_mail_acct: root
 var_auditd_admin_space_left_action: halt
 var_auditd_max_log_file: '6'
@@ -46,6 +50,8 @@ sysctl_net_ipv4_conf_default_secure_redirects_value: '0'
 sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value: '1'
 sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value: '1'
 sysctl_net_ipv4_tcp_syncookies_value: '1'
+var_nftables_family: inet
+var_nftables_table: firewalld
 var_selinux_policy_name: targeted
 var_selinux_state: enforcing
 var_postfix_inet_interfaces: loopback-only
@@ -56,15 +62,193 @@ var_sshd_set_login_grace_time: '60'
 sshd_max_auth_tries_value: '4'
 var_sshd_max_sessions: '10'
 var_sshd_set_maxstartups: 10:30:60
+DISA_STIG_RHEL_09_211020: true
+DISA_STIG_RHEL_09_211040: true
+DISA_STIG_RHEL_09_212025: true
+DISA_STIG_RHEL_09_212030: true
+DISA_STIG_RHEL_09_212055: true
+DISA_STIG_RHEL_09_213065: true
+DISA_STIG_RHEL_09_213070: true
+DISA_STIG_RHEL_09_213085: true
+DISA_STIG_RHEL_09_213090: true
+DISA_STIG_RHEL_09_214015: true
+DISA_STIG_RHEL_09_215015: true
+DISA_STIG_RHEL_09_215040: true
+DISA_STIG_RHEL_09_215060: true
+DISA_STIG_RHEL_09_231045: true
+DISA_STIG_RHEL_09_231050: true
+DISA_STIG_RHEL_09_231110: true
+DISA_STIG_RHEL_09_231115: true
+DISA_STIG_RHEL_09_231120: true
+DISA_STIG_RHEL_09_231125: true
+DISA_STIG_RHEL_09_231130: true
+DISA_STIG_RHEL_09_231135: true
+DISA_STIG_RHEL_09_231140: true
+DISA_STIG_RHEL_09_231145: true
+DISA_STIG_RHEL_09_231150: true
+DISA_STIG_RHEL_09_231155: true
+DISA_STIG_RHEL_09_231160: true
+DISA_STIG_RHEL_09_231165: true
+DISA_STIG_RHEL_09_231170: true
+DISA_STIG_RHEL_09_231175: true
+DISA_STIG_RHEL_09_231180: true
+DISA_STIG_RHEL_09_231185: true
+DISA_STIG_RHEL_09_232040: true
+DISA_STIG_RHEL_09_232050: true
+DISA_STIG_RHEL_09_232055: true
+DISA_STIG_RHEL_09_232060: true
+DISA_STIG_RHEL_09_232065: true
+DISA_STIG_RHEL_09_232070: true
+DISA_STIG_RHEL_09_232075: true
+DISA_STIG_RHEL_09_232080: true
+DISA_STIG_RHEL_09_232085: true
+DISA_STIG_RHEL_09_232090: true
+DISA_STIG_RHEL_09_232095: true
+DISA_STIG_RHEL_09_232100: true
+DISA_STIG_RHEL_09_232105: true
+DISA_STIG_RHEL_09_232110: true
+DISA_STIG_RHEL_09_232115: true
+DISA_STIG_RHEL_09_232120: true
+DISA_STIG_RHEL_09_232125: true
+DISA_STIG_RHEL_09_232130: true
+DISA_STIG_RHEL_09_232135: true
+DISA_STIG_RHEL_09_232140: true
+DISA_STIG_RHEL_09_232145: true
+DISA_STIG_RHEL_09_232150: true
+DISA_STIG_RHEL_09_232155: true
+DISA_STIG_RHEL_09_232160: true
+DISA_STIG_RHEL_09_232165: true
+DISA_STIG_RHEL_09_232230: true
+DISA_STIG_RHEL_09_232235: true
+DISA_STIG_RHEL_09_232245: true
+DISA_STIG_RHEL_09_232265: true
+DISA_STIG_RHEL_09_232270: true
+DISA_STIG_RHEL_09_251015: true
+DISA_STIG_RHEL_09_253010: true
+DISA_STIG_RHEL_09_253015: true
+DISA_STIG_RHEL_09_253020: true
+DISA_STIG_RHEL_09_253025: true
+DISA_STIG_RHEL_09_253030: true
+DISA_STIG_RHEL_09_253035: true
+DISA_STIG_RHEL_09_253040: true
+DISA_STIG_RHEL_09_253045: true
+DISA_STIG_RHEL_09_253050: true
+DISA_STIG_RHEL_09_253055: true
+DISA_STIG_RHEL_09_253060: true
+DISA_STIG_RHEL_09_253065: true
+DISA_STIG_RHEL_09_253070: true
+DISA_STIG_RHEL_09_254010: true
+DISA_STIG_RHEL_09_254015: true
+DISA_STIG_RHEL_09_254020: true
+DISA_STIG_RHEL_09_254025: true
+DISA_STIG_RHEL_09_254030: true
+DISA_STIG_RHEL_09_254035: true
+DISA_STIG_RHEL_09_254040: true
+DISA_STIG_RHEL_09_255030: true
+DISA_STIG_RHEL_09_255040: true
+DISA_STIG_RHEL_09_255045: true
+DISA_STIG_RHEL_09_255050: true
+DISA_STIG_RHEL_09_255055: true
+DISA_STIG_RHEL_09_255080: true
+DISA_STIG_RHEL_09_255085: true
+DISA_STIG_RHEL_09_255095: true
+DISA_STIG_RHEL_09_255100: true
+DISA_STIG_RHEL_09_255105: true
+DISA_STIG_RHEL_09_255110: true
+DISA_STIG_RHEL_09_255115: true
+DISA_STIG_RHEL_09_255120: true
+DISA_STIG_RHEL_09_255125: true
+DISA_STIG_RHEL_09_255145: true
+DISA_STIG_RHEL_09_255155: true
+DISA_STIG_RHEL_09_271010: true
+DISA_STIG_RHEL_09_271015: true
+DISA_STIG_RHEL_09_271020: true
+DISA_STIG_RHEL_09_271025: true
+DISA_STIG_RHEL_09_271030: true
+DISA_STIG_RHEL_09_271035: true
+DISA_STIG_RHEL_09_271065: true
+DISA_STIG_RHEL_09_271070: true
+DISA_STIG_RHEL_09_271075: true
+DISA_STIG_RHEL_09_271080: true
+DISA_STIG_RHEL_09_271090: true
+DISA_STIG_RHEL_09_271115: true
+DISA_STIG_RHEL_09_291010: true
+DISA_STIG_RHEL_09_291040: true
+DISA_STIG_RHEL_09_411010: true
+DISA_STIG_RHEL_09_411015: true
+DISA_STIG_RHEL_09_411035: true
+DISA_STIG_RHEL_09_411050: true
+DISA_STIG_RHEL_09_411065: true
+DISA_STIG_RHEL_09_411070: true
+DISA_STIG_RHEL_09_411075: true
+DISA_STIG_RHEL_09_411090: true
+DISA_STIG_RHEL_09_411100: true
+DISA_STIG_RHEL_09_412035: true
+DISA_STIG_RHEL_09_412055: true
+DISA_STIG_RHEL_09_412065: true
+DISA_STIG_RHEL_09_412070: true
+DISA_STIG_RHEL_09_431010: true
+DISA_STIG_RHEL_09_431015: true
+DISA_STIG_RHEL_09_432010: true
+DISA_STIG_RHEL_09_432015: true
+DISA_STIG_RHEL_09_611010: true
+DISA_STIG_RHEL_09_611015: true
+DISA_STIG_RHEL_09_611020: true
+DISA_STIG_RHEL_09_611025: true
+DISA_STIG_RHEL_09_611075: true
+DISA_STIG_RHEL_09_611080: true
+DISA_STIG_RHEL_09_611090: true
+DISA_STIG_RHEL_09_611130: true
+DISA_STIG_RHEL_09_611140: true
+DISA_STIG_RHEL_09_611155: true
+DISA_STIG_RHEL_09_651010: true
+DISA_STIG_RHEL_09_651015: true
+DISA_STIG_RHEL_09_651025: true
+DISA_STIG_RHEL_09_652010: true
+DISA_STIG_RHEL_09_652020: true
+DISA_STIG_RHEL_09_652025: true
+DISA_STIG_RHEL_09_653010: true
+DISA_STIG_RHEL_09_653015: true
+DISA_STIG_RHEL_09_653040: true
+DISA_STIG_RHEL_09_653050: true
+DISA_STIG_RHEL_09_653070: true
+DISA_STIG_RHEL_09_653090: true
+DISA_STIG_RHEL_09_653120: true
+DISA_STIG_RHEL_09_654015: true
+DISA_STIG_RHEL_09_654020: true
+DISA_STIG_RHEL_09_654025: true
+DISA_STIG_RHEL_09_654035: true
+DISA_STIG_RHEL_09_654040: true
+DISA_STIG_RHEL_09_654045: true
+DISA_STIG_RHEL_09_654065: true
+DISA_STIG_RHEL_09_654070: true
+DISA_STIG_RHEL_09_654075: true
+DISA_STIG_RHEL_09_654080: true
+DISA_STIG_RHEL_09_654105: true
+DISA_STIG_RHEL_09_654175: true
+DISA_STIG_RHEL_09_654225: true
+DISA_STIG_RHEL_09_654230: true
+DISA_STIG_RHEL_09_654235: true
+DISA_STIG_RHEL_09_654240: true
+DISA_STIG_RHEL_09_654245: true
+DISA_STIG_RHEL_09_654250: true
+DISA_STIG_RHEL_09_654255: true
+DISA_STIG_RHEL_09_654275: true
+DISA_STIG_RHEL_09_671010: true
+DISA_STIG_RHEL_09_671025: true
+DISA_STIG_RHEL_09_672030: true
+DISA_STIG_RHEL_09_672045: true
 account_disable_post_pw_expiration: true
 accounts_maximum_age_login_defs: true
 accounts_minimum_age_login_defs: true
+accounts_no_uid_except_zero: true
 accounts_password_pam_minclass: true
 accounts_password_pam_minlen: true
 accounts_password_pam_pwhistory_remember_password_auth: true
 accounts_password_pam_pwhistory_remember_system_auth: true
 accounts_password_pam_retry: true
 accounts_password_set_max_life_existing: true
+accounts_password_set_min_life_existing: true
 accounts_password_set_warn_age_existing: true
 accounts_password_warn_age_login_defs: true
 accounts_passwords_pam_faillock_deny: true
@@ -77,6 +261,7 @@ accounts_umask_etc_login_defs: true
 accounts_umask_etc_profile: true
 accounts_user_interactive_home_directory_exists: true
 aide_build_database: true
+aide_check_audit_tools: true
 aide_periodic_cron_checking: true
 audit_rules_dac_modification_chmod: true
 audit_rules_dac_modification_chown: true
@@ -99,17 +284,22 @@ audit_rules_file_deletion_events_renameat: true
 audit_rules_file_deletion_events_unlink: true
 audit_rules_file_deletion_events_unlinkat: true
 audit_rules_immutable: true
+audit_rules_kernel_module_loading_create: true
 audit_rules_kernel_module_loading_delete: true
+audit_rules_kernel_module_loading_finit: true
 audit_rules_kernel_module_loading_init: true
+audit_rules_kernel_module_loading_query: true
 audit_rules_login_events_faillock: true
 audit_rules_login_events_lastlog: true
 audit_rules_mac_modification: true
 audit_rules_mac_modification_usr_share: true
 audit_rules_media_export: true
 audit_rules_networkconfig_modification: true
+audit_rules_privileged_commands: true
+audit_rules_privileged_commands_kmod: true
 audit_rules_privileged_commands_usermod: true
 audit_rules_session_events: true
-audit_rules_suid_privilege_function: true
+audit_rules_suid_auid_privilege_function: true
 audit_rules_sysadmin_actions: true
 audit_rules_time_adjtimex: true
 audit_rules_time_clock_settime: true
@@ -141,6 +331,7 @@ configure_ssh_crypto_policy: true
 configure_strategy: true
 coredump_disable_backtraces: true
 coredump_disable_storage: true
+dconf_db_up_to_date: true
 dconf_gnome_banner_enabled: true
 dconf_gnome_disable_automount: true
 dconf_gnome_disable_automount_open: true
@@ -157,6 +348,7 @@ disable_strategy: true
 enable_authselect: true
 enable_strategy: true
 ensure_gpgcheck_globally_activated: true
+ensure_pam_wheel_group_empty: true
 file_at_deny_not_exist: true
 file_cron_deny_not_exist: true
 file_groupowner_at_allow: true
@@ -184,6 +376,8 @@ file_groupowner_user_cfg: true
 file_groupownership_audit_binaries: true
 file_groupownership_audit_configuration: true
 file_groupownership_home_directories: true
+file_groupownership_sshd_private_key: true
+file_groupownership_sshd_pub_key: true
 file_owner_backup_etc_group: true
 file_owner_backup_etc_gshadow: true
 file_owner_backup_etc_passwd: true
@@ -207,8 +401,11 @@ file_owner_sshd_config: true
 file_owner_user_cfg: true
 file_ownership_audit_binaries: true
 file_ownership_audit_configuration: true
+file_ownership_sshd_private_key: true
+file_ownership_sshd_pub_key: true
 file_permissions_at_allow: true
 file_permissions_audit_binaries: true
+file_permissions_audit_configuration: true
 file_permissions_backup_etc_group: true
 file_permissions_backup_etc_gshadow: true
 file_permissions_backup_etc_passwd: true
@@ -234,6 +431,8 @@ file_permissions_sshd_private_key: true
 file_permissions_sshd_pub_key: true
 file_permissions_user_cfg: true
 file_permissions_var_log_audit: true
+firewalld_loopback_traffic_restricted: true
+firewalld_loopback_traffic_trusted: true
 gnome_gdm_disable_xdmcp: true
 grub2_audit_argument: true
 grub2_audit_backlog_limit_argument: true
@@ -273,8 +472,10 @@ mount_option_var_tmp_noexec: true
 mount_option_var_tmp_nosuid: true
 no_empty_passwords: true
 no_empty_passwords_etc_shadow: true
+no_password_auth_for_systemaccounts: true
 no_reboot_needed: true
 no_rsh_trust_files: true
+no_shelllogin_for_systemaccounts: true
 package_aide_installed: true
 package_audit_installed: true
 package_avahi_removed: true
@@ -312,15 +513,19 @@ rsyslog_filecreatemode: true
 rsyslog_files_groupownership: true
 rsyslog_files_ownership: true
 rsyslog_files_permissions: true
+rsyslog_nolisten: true
+selinux_not_disabled: true
 selinux_policytype: true
 selinux_state: true
 service_auditd_enabled: true
 service_crond_enabled: true
 service_firewalld_enabled: true
 service_nfs_disabled: true
+service_nftables_disabled: true
 service_rpcbind_disabled: true
 service_rsyslog_enabled: true
 service_systemd_journald_enabled: true
+set_nftables_table: true
 set_password_hashing_algorithm_logindefs: true
 set_password_hashing_algorithm_passwordauth: true
 set_password_hashing_algorithm_systemauth: true
@@ -369,5 +574,5 @@ sysctl_net_ipv6_conf_default_accept_redirects: true
 sysctl_net_ipv6_conf_default_accept_source_route: true
 unknown_severity: true
 unknown_strategy: true
-use_pam_wheel_for_su: true
+use_pam_wheel_group_for_su: true
 wireless_disable_interfaces: true