---
# RHEL 9 hardening task list (the tag scheme — CCE ids, *_strategy,
# *_severity, *_disruption — looks like output of a compliance content
# build; confirm the upstream source before hand-editing).
#
# Every task is gated by the same pattern:
#   - one boolean variable per rule / strategy / severity / disruption class
#   - an ansible_facts.packages check so tasks only run where the target
#     package set makes sense.
# Tags mirror the `when` variables so single rules can be selected with
# `--tags`.  Mapping key order inside a task is not significant; this
# rewrite lists `when` before `tags` everywhere for consistency.

# --- package facts ----------------------------------------------------------
# Package facts are read by nearly every `when` below, so gather them first.
- name: Gather the package facts
  ansible.builtin.package_facts:
    manager: auto
  tags:
    - always

# --- integrity checking (AIDE) ----------------------------------------------
- name: Ensure aide is installed
  ansible.builtin.package:
    name: aide
    state: present
  when:
    - DISA_STIG_RHEL_09_651010 | bool
    - enable_strategy | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - package_aide_installed | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-90843-4
    - CJIS-5.10.1.3
    - DISA-STIG-RHEL-09-651010
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-11.5
    - PCI-DSSv4-11.5.2
    - enable_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - package_aide_installed

# Prerequisite for the "Build and Test AIDE Database" tasks at the end of
# this file (same rule id / tags).
- name: Build and Test AIDE Database - Ensure AIDE Is Installed
  ansible.builtin.package:
    name: '{{ item }}'
    state: present
  with_items:
    - aide
  when:
    - DISA_STIG_RHEL_09_651010 | bool
    - aide_build_database | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-83438-2
    - CJIS-5.10.1.3
    - DISA-STIG-RHEL-09-651010
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-11.5
    - PCI-DSSv4-11.5.2
    - aide_build_database
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

# Same package, different rule (audit-tool integrity checking).
- name: Ensure aide is installed
  ansible.builtin.package:
    name: '{{ item }}'
    state: present
  with_items:
    - aide
  when:
    - DISA_STIG_RHEL_09_651025 | bool
    - aide_check_audit_tools | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-87757-1
    - DISA-STIG-RHEL-09-651025
    - NIST-800-53-AU-9(3)
    - NIST-800-53-AU-9(3).1
    - aide_check_audit_tools
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

# Periodic AIDE checks need both aide and a cron daemon.
- name: Ensure AIDE is installed
  ansible.builtin.package:
    name: aide
    state: present
  when:
    - aide_periodic_cron_checking | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-83437-4
    - CJIS-5.10.1.3
    - NIST-800-53-CM-6(a)
    - NIST-800-53-SI-7
    - NIST-800-53-SI-7(1)
    - PCI-DSS-Req-11.5
    - PCI-DSSv4-11.5.2
    - aide_periodic_cron_checking
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Install cron
  ansible.builtin.package:
    name: cronie
    state: present
  when:
    - aide_periodic_cron_checking | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-83437-4
    - CJIS-5.10.1.3
    - NIST-800-53-CM-6(a)
    - NIST-800-53-SI-7
    - NIST-800-53-SI-7(1)
    - PCI-DSS-Req-11.5
    - PCI-DSSv4-11.5.2
    - aide_periodic_cron_checking
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

# --- packages to install / remove -------------------------------------------
- name: 'Remove the GDM Package Group: Ensure gdm is removed'
  ansible.builtin.package:
    name: gdm
    state: absent
  when:
    - disable_strategy | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - package_gdm_removed | bool
    - '"gdm" in ansible_facts.packages'
  tags:
    - CCE-83549-6
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - disable_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - package_gdm_removed

- name: Ensure sudo is installed
  ansible.builtin.package:
    name: sudo
    state: present
  when:
    - DISA_STIG_RHEL_09_432010 | bool
    - enable_strategy | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - package_sudo_installed | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-83523-1
    - DISA-STIG-RHEL-09-432010
    - NIST-800-53-CM-6(a)
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - enable_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - package_sudo_installed

# Gated on the pam package rather than kernel-core.
- name: Ensure libpwquality is installed
  ansible.builtin.package:
    name: libpwquality
    state: present
  when:
    - enable_strategy | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - package_pam_pwquality_installed | bool
    - '"pam" in ansible_facts.packages'
  tags:
    - CCE-86226-8
    - enable_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - package_pam_pwquality_installed

# NOTE: the tag keeps the hyphenated rule id while the `when` variable uses
# underscores; both forms appear throughout this file.
- name: Ensure systemd-journal-remote is installed
  ansible.builtin.package:
    name: systemd-journal-remote
    state: present
  when:
    - enable_strategy | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - package_systemd_journal_remote_installed | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-86760-6
    - enable_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - package_systemd-journal-remote_installed

# --- host firewall ----------------------------------------------------------
- name: Ensure firewalld is installed
  ansible.builtin.package:
    name: firewalld
    state: present
  when:
    - DISA_STIG_RHEL_09_251010 | bool
    - enable_strategy | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - package_firewalld_installed | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-84021-5
    - DISA-STIG-RHEL-09-251010
    - NIST-800-53-CM-6(a)
    - PCI-DSSv4-1.2
    - PCI-DSSv4-1.2.1
    - enable_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - package_firewalld_installed

- name: Configure Firewalld to Restrict Loopback Traffic - Ensure firewalld Package is Installed
  ansible.builtin.package:
    name: '{{ item }}'
    state: present
  with_items:
    - firewalld
  when:
    - configure_strategy | bool
    - firewalld_loopback_traffic_restricted | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-86137-7
    - PCI-DSSv4-1.4
    - PCI-DSSv4-1.4.1
    - configure_strategy
    - firewalld_loopback_traffic_restricted
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Configure Firewalld to Trust Loopback Traffic - Ensure firewalld Package is Installed
  ansible.builtin.package:
    name: '{{ item }}'
    state: present
  with_items:
    - firewalld
  when:
    - configure_strategy | bool
    - firewalld_loopback_traffic_trusted | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-86116-1
    - PCI-DSSv4-1.4
    - PCI-DSSv4-1.4.1
    - configure_strategy
    - firewalld_loopback_traffic_trusted
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Ensure nftables is installed
  ansible.builtin.package:
    name: nftables
    state: present
  when:
    - enable_strategy | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - package_nftables_installed | bool
    - ( "kernel-core" in ansible_facts.packages )
  tags:
    - CCE-86378-7
    - PCI-DSSv4-1.2
    - PCI-DSSv4-1.2.1
    - enable_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - package_nftables_installed

# --- networking -------------------------------------------------------------
# Skipped inside containers, where NetworkManager has no interfaces to manage.
- name: Ensure NetworkManager is installed
  ansible.builtin.package:
    name: '{{ item }}'
    state: present
  with_items:
    - NetworkManager
  when:
    - DISA_STIG_RHEL_09_291040 | bool
    - low_complexity | bool
    - medium_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - unknown_strategy | bool
    - wireless_disable_interfaces | bool
    - ( not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] ) )
  tags:
    - CCE-84066-0
    - DISA-STIG-RHEL-09-291040
    - NIST-800-171-3.1.16
    - NIST-800-53-AC-18(3)
    - NIST-800-53-AC-18(a)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-MP-7
    - PCI-DSS-Req-1.3.3
    - PCI-DSSv4-1.3
    - PCI-DSSv4-1.3.3
    - low_complexity
    - medium_disruption
    - medium_severity
    - no_reboot_needed
    - unknown_strategy
    - wireless_disable_interfaces

# --- SELinux ----------------------------------------------------------------
- name: Ensure libselinux is installed
  ansible.builtin.package:
    name: libselinux
    state: present
  when:
    - enable_strategy | bool
    - high_severity | bool
    - low_complexity | bool
    - low_disruption | bool
    - no_reboot_needed | bool
    - package_libselinux_installed | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-84069-4
    - PCI-DSSv4-1.2
    - PCI-DSSv4-1.2.6
    - enable_strategy
    - high_severity
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - package_libselinux_installed

- name: 'Uninstall mcstrans Package: Ensure mcstrans is removed'
  ansible.builtin.package:
    name: mcstrans
    state: absent
  when:
    - disable_strategy | bool
    - low_complexity | bool
    - low_disruption | bool
    - low_severity | bool
    - no_reboot_needed | bool
    - package_mcstrans_removed | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-84072-8
    - disable_strategy
    - low_complexity
    - low_disruption
    - low_severity
    - no_reboot_needed
    - package_mcstrans_removed

- name: 'Uninstall setroubleshoot Package: Ensure setroubleshoot is removed'
  ansible.builtin.package:
    name: setroubleshoot
    state: absent
  when:
    - disable_strategy | bool
    - low_complexity | bool
    - low_disruption | bool
    - low_severity | bool
    - no_reboot_needed | bool
    - package_setroubleshoot_removed | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-84073-6
    - disable_strategy
    - low_complexity
    - low_disruption
    - low_severity
    - no_reboot_needed
    - package_setroubleshoot_removed

# --- cron -------------------------------------------------------------------
- name: Ensure cronie is installed
  ansible.builtin.package:
    name: cronie
    state: present
  when:
    - DISA_STIG_RHEL_09_232040 | bool
    - enable_strategy | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - package_cron_installed | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-86170-8
    - DISA-STIG-RHEL-09-232040
    - NIST-800-53-CM-6(a)
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - enable_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - package_cron_installed

# --- unneeded network services (package removal) ----------------------------
# These removals carry no ansible_facts.packages guard; the package module
# is a no-op when the package is already absent.
- name: 'Uninstall DHCP Server Package: Ensure dhcp-server is removed'
  ansible.builtin.package:
    name: dhcp-server
    state: absent
  when:
    - disable_strategy | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - package_dhcp_removed | bool
  tags:
    - CCE-84240-1
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.4
    - disable_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - package_dhcp_removed

- name: 'Uninstall dnsmasq Package: Ensure dnsmasq is removed'
  ansible.builtin.package:
    name: dnsmasq
    state: absent
  when:
    - disable_strategy | bool
    - low_complexity | bool
    - low_disruption | bool
    - low_severity | bool
    - no_reboot_needed | bool
    - package_dnsmasq_removed | bool
  tags:
    - CCE-86063-5
    - disable_strategy
    - low_complexity
    - low_disruption
    - low_severity
    - no_reboot_needed
    - package_dnsmasq_removed

# bind ships under two package names on RHEL 9; both are handled under the
# same rule id.
- name: 'Uninstall bind Package: Ensure bind is removed'
  ansible.builtin.package:
    name: bind
    state: absent
  when:
    - disable_strategy | bool
    - low_complexity | bool
    - low_disruption | bool
    - low_severity | bool
    - no_reboot_needed | bool
    - package_bind_removed | bool
  tags:
    - CCE-86505-5
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - disable_strategy
    - low_complexity
    - low_disruption
    - low_severity
    - no_reboot_needed
    - package_bind_removed

- name: 'Uninstall bind Package: Ensure bind9.18 is removed'
  ansible.builtin.package:
    name: bind9.18
    state: absent
  when:
    - disable_strategy | bool
    - low_complexity | bool
    - low_disruption | bool
    - low_severity | bool
    - no_reboot_needed | bool
    - package_bind_removed | bool
  tags:
    - CCE-86505-5
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - disable_strategy
    - low_complexity
    - low_disruption
    - low_severity
    - no_reboot_needed
    - package_bind_removed

- name: 'Remove ftp Package: Ensure ftp is removed'
  ansible.builtin.package:
    name: ftp
    state: absent
  when:
    - disable_strategy | bool
    - low_complexity | bool
    - low_disruption | bool
    - low_severity | bool
    - no_reboot_needed | bool
    - package_ftp_removed | bool
  tags:
    - CCE-86075-9
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.4
    - disable_strategy
    - low_complexity
    - low_disruption
    - low_severity
    - no_reboot_needed
    - package_ftp_removed

- name: 'Uninstall vsftpd Package: Ensure vsftpd is removed'
  ansible.builtin.package:
    name: vsftpd
    state: absent
  when:
    - DISA_STIG_RHEL_09_215015 | bool
    - disable_strategy | bool
    - high_severity | bool
    - low_complexity | bool
    - low_disruption | bool
    - no_reboot_needed | bool
    - package_vsftpd_removed | bool
  tags:
    - CCE-84159-3
    - DISA-STIG-RHEL-09-215015
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-CM-7.1(ii)
    - NIST-800-53-IA-5(1)(c)
    - NIST-800-53-IA-5(1).1(v)
    - disable_strategy
    - high_severity
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - package_vsftpd_removed

- name: 'Uninstall httpd Package: Ensure httpd is removed'
  ansible.builtin.package:
    name: httpd
    state: absent
  when:
    - disable_strategy | bool
    - low_complexity | bool
    - low_disruption | bool
    - no_reboot_needed | bool
    - package_httpd_removed | bool
    - unknown_severity | bool
  tags:
    - CCE-85974-4
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - package_httpd_removed
    - unknown_severity

- name: 'Uninstall nginx Package: Ensure nginx is removed'
  ansible.builtin.package:
    name: nginx
    state: absent
  when:
    - disable_strategy | bool
    - low_complexity | bool
    - low_disruption | bool
    - no_reboot_needed | bool
    - package_nginx_removed | bool
    - unknown_severity | bool
  tags:
    - CCE-88035-1
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - package_nginx_removed
    - unknown_severity

- name: 'Uninstall cyrus-imapd Package: Ensure cyrus-imapd is removed'
  ansible.builtin.package:
    name: cyrus-imapd
    state: absent
  when:
    - disable_strategy | bool
    - low_complexity | bool
    - low_disruption | bool
    - no_reboot_needed | bool
    - package_cyrus_imapd_removed | bool
    - unknown_severity | bool
  tags:
    - CCE-88120-1
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - package_cyrus-imapd_removed
    - unknown_severity

- name: 'Uninstall dovecot Package: Ensure dovecot is removed'
  ansible.builtin.package:
    name: dovecot
    state: absent
  when:
    - disable_strategy | bool
    - low_complexity | bool
    - low_disruption | bool
    - no_reboot_needed | bool
    - package_dovecot_removed | bool
    - unknown_severity | bool
  tags:
    - CCE-85977-7
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - package_dovecot_removed
    - unknown_severity

- name: 'Ensure LDAP client is not installed: Ensure openldap-clients is removed'
  ansible.builtin.package:
    name: openldap-clients
    state: absent
  when:
    - disable_strategy | bool
    - low_complexity | bool
    - low_disruption | bool
    - low_severity | bool
    - no_reboot_needed | bool
    - package_openldap_clients_removed | bool
  tags:
    - CCE-90831-9
    - disable_strategy
    - low_complexity
    - low_disruption
    - low_severity
    - no_reboot_needed
    - package_openldap-clients_removed

# --- time synchronisation ---------------------------------------------------
- name: Ensure chrony is installed
  ansible.builtin.package:
    name: chrony
    state: present
  when:
    - DISA_STIG_RHEL_09_252010 | bool
    - enable_strategy | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - package_chrony_installed | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-84215-3
    - DISA-STIG-RHEL-09-252010
    - PCI-DSS-Req-10.4
    - PCI-DSSv4-10.6
    - PCI-DSSv4-10.6.1
    - enable_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - package_chrony_installed

# --- more legacy / clear-text services --------------------------------------
- name: 'Uninstall rsync Package: Ensure rsync-daemon is removed'
  ansible.builtin.package:
    name: rsync-daemon
    state: absent
  when:
    - disable_strategy | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - package_rsync_removed | bool
  tags:
    - CCE-86336-5
    - disable_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - package_rsync_removed

- name: 'Uninstall telnet-server Package: Ensure telnet-server is removed'
  ansible.builtin.package:
    name: telnet-server
    state: absent
  when:
    - DISA_STIG_RHEL_09_215040 | bool
    - disable_strategy | bool
    - high_severity | bool
    - low_complexity | bool
    - low_disruption | bool
    - no_reboot_needed | bool
    - package_telnet_server_removed | bool
  tags:
    - CCE-84149-4
    - DISA-STIG-RHEL-09-215040
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - PCI-DSS-Req-2.2.2
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.4
    - disable_strategy
    - high_severity
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - package_telnet-server_removed

- name: 'Remove telnet Clients: Ensure telnet is removed'
  ansible.builtin.package:
    name: telnet
    state: absent
  when:
    - disable_strategy | bool
    - low_complexity | bool
    - low_disruption | bool
    - low_severity | bool
    - no_reboot_needed | bool
    - package_telnet_removed | bool
  tags:
    - CCE-84146-0
    - NIST-800-171-3.1.13
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.4
    - disable_strategy
    - low_complexity
    - low_disruption
    - low_severity
    - no_reboot_needed
    - package_telnet_removed

- name: 'Uninstall tftp-server Package: Ensure tftp-server is removed'
  ansible.builtin.package:
    name: tftp-server
    state: absent
  when:
    - DISA_STIG_RHEL_09_215060 | bool
    - disable_strategy | bool
    - high_severity | bool
    - low_complexity | bool
    - low_disruption | bool
    - no_reboot_needed | bool
    - package_tftp_server_removed | bool
  tags:
    - CCE-84154-4
    - DISA-STIG-RHEL-09-215060
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.4
    - disable_strategy
    - high_severity
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - package_tftp-server_removed

- name: 'Remove tftp Daemon: Ensure tftp is removed'
  ansible.builtin.package:
    name: tftp
    state: absent
  when:
    - disable_strategy | bool
    - low_complexity | bool
    - low_disruption | bool
    - low_severity | bool
    - no_reboot_needed | bool
    - package_tftp_removed | bool
  tags:
    - CCE-84153-6
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.4
    - disable_strategy
    - low_complexity
    - low_disruption
    - low_severity
    - no_reboot_needed
    - package_tftp_removed

- name: 'Uninstall squid Package: Ensure squid is removed'
  ansible.builtin.package:
    name: squid
    state: absent
  when:
    - disable_strategy | bool
    - low_complexity | bool
    - low_disruption | bool
    - no_reboot_needed | bool
    - package_squid_removed | bool
    - unknown_severity | bool
  tags:
    - CCE-84238-5
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - package_squid_removed
    - unknown_severity

- name: 'Uninstall Samba Package: Ensure samba is removed'
  ansible.builtin.package:
    name: samba
    state: absent
  when:
    - disable_strategy | bool
    - low_complexity | bool
    - low_disruption | bool
    - no_reboot_needed | bool
    - package_samba_removed | bool
    - unknown_severity | bool
  tags:
    - CCE-85979-3
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - package_samba_removed
    - unknown_severity

- name: 'Uninstall net-snmp Package: Ensure net-snmp is removed'
  ansible.builtin.package:
    name: net-snmp
    state: absent
  when:
    - disable_strategy | bool
    - low_complexity | bool
    - low_disruption | bool
    - no_reboot_needed | bool
    - package_net_snmp_removed | bool
    - unknown_severity | bool
  tags:
    - CCE-85981-9
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.4
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - package_net-snmp_removed
    - unknown_severity

- name: 'Remove the X Windows Package Group: Ensure xorg-x11-server-common is removed'
  ansible.builtin.package:
    name: xorg-x11-server-common
    state: absent
  when:
    - disable_strategy | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - package_xorg_x11_server_common_removed | bool
  tags:
    - CCE-84104-9
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - disable_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - package_xorg-x11-server-common_removed

# --- auditing ---------------------------------------------------------------
- name: Ensure audit-libs is installed
  ansible.builtin.package:
    name: audit-libs
    state: present
  when:
    - enable_strategy | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - package_audit_libs_installed | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-86772-1
    - NIST-800-53-AC-7(a)
    - NIST-800-53-AU-12(2)
    - NIST-800-53-AU-14
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-7(1)
    - NIST-800-53-AU-7(2)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.2.1
    - enable_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - package_audit-libs_installed

- name: Ensure audit is installed
  ansible.builtin.package:
    name: audit
    state: present
  when:
    - DISA_STIG_RHEL_09_653010 | bool
    - enable_strategy | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - package_audit_installed | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-83649-4
    - DISA-STIG-RHEL-09-653010
    - NIST-800-53-AC-7(a)
    - NIST-800-53-AU-12(2)
    - NIST-800-53-AU-14
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-7(1)
    - NIST-800-53-AU-7(2)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.1
    - PCI-DSSv4-10.2
    - PCI-DSSv4-10.2.1
    - enable_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - package_audit_installed

# --- services ---------------------------------------------------------------
# Package facts are gathered again here; the service blocks below test
# ansible_facts.packages, and this second pass sits after the package
# installs/removals above (presumably so those changes are reflected).
- name: Gather the package facts
  ansible.builtin.package_facts:
    manager: auto
  tags:
    - always

# Pattern for "enable" blocks: the inner task is skipped when the owning
# package is absent; the block-level `when` applies the rule gating.
- name: Enable systemd-journald Service - Enable service systemd-journald
  block:
    - name: Enable systemd-journald Service - Enable Service systemd-journald
      ansible.builtin.systemd:
        name: systemd-journald
        enabled: true
        state: started
        masked: false
      when:
        - '"systemd" in ansible_facts.packages'
  when:
    - DISA_STIG_RHEL_09_211040 | bool
    - enable_strategy | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - service_systemd_journald_enabled | bool
    - special_service_block | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-85941-3
    - DISA-STIG-RHEL-09-211040
    - NIST-800-53-SC-24
    - enable_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - service_systemd-journald_enabled
    - special_service_block

- name: Verify firewalld Enabled - Enable service firewalld
  block:
    - name: Verify firewalld Enabled - Enable Service firewalld
      ansible.builtin.systemd:
        name: firewalld
        enabled: true
        state: started
        masked: false
      when:
        - '"firewalld" in ansible_facts.packages'
  when:
    - DISA_STIG_RHEL_09_251015 | bool
    - enable_strategy | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - service_firewalld_enabled | bool
    - special_service_block | bool
    - '"kernel-core" in ansible_facts.packages'
    - '"firewalld" in ansible_facts.packages'
  tags:
    - CCE-90833-5
    - DISA-STIG-RHEL-09-251015
    - NIST-800-171-3.1.3
    - NIST-800-171-3.4.7
    - NIST-800-53-AC-4
    - NIST-800-53-CA-3(5)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-SC-7(21)
    - PCI-DSSv4-1.2
    - PCI-DSSv4-1.2.1
    - enable_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - service_firewalld_enabled
    - special_service_block

# Pattern for "disable" blocks: list the unit files first so that the
# stop/mask tasks only run for units that actually exist (the systemd module
# fails on unknown units); rc 1 from systemctl is tolerated because it is
# returned when nothing matches.  Both .service and .socket are masked so
# socket activation cannot bring the service back.
# Only applied when firewalld is the active front end (both packages present).
- name: Verify nftables Service is Disabled - Disable service nftables
  block:
    - name: Verify nftables Service is Disabled - Collect systemd Services Present in the System
      ansible.builtin.command: systemctl -q list-unit-files --type service
      register: service_exists
      changed_when: false
      failed_when: service_exists.rc not in [0, 1]
      check_mode: false
    - name: Verify nftables Service is Disabled - Ensure nftables.service is Masked
      ansible.builtin.systemd:
        name: nftables.service
        state: stopped
        enabled: false
        masked: true
      when: service_exists.stdout_lines is search("nftables.service", multiline=True)
    - name: Unit Socket Exists - nftables.socket
      ansible.builtin.command: systemctl -q list-unit-files nftables.socket
      register: socket_file_exists
      changed_when: false
      failed_when: socket_file_exists.rc not in [0, 1]
      check_mode: false
    - name: Verify nftables Service is Disabled - Disable Socket nftables
      ansible.builtin.systemd:
        name: nftables.socket
        enabled: false
        state: stopped
        masked: true
      when: socket_file_exists.stdout_lines is search("nftables.socket", multiline=True)
  when:
    - disable_strategy | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - service_nftables_disabled | bool
    - special_service_block | bool
    - ( "firewalld" in ansible_facts.packages and "nftables" in ansible_facts.packages and "kernel-core" in ansible_facts.packages )
  tags:
    - CCE-88429-6
    - PCI-DSSv4-1.2
    - PCI-DSSv4-1.2.1
    - disable_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - service_nftables_disabled
    - special_service_block

- name: Disable Bluetooth Service - Disable service bluetooth
  block:
    - name: Disable Bluetooth Service - Collect systemd Services Present in the System
      ansible.builtin.command: systemctl -q list-unit-files --type service
      register: service_exists
      changed_when: false
      failed_when: service_exists.rc not in [0, 1]
      check_mode: false
    - name: Disable Bluetooth Service - Ensure bluetooth.service is Masked
      ansible.builtin.systemd:
        name: bluetooth.service
        state: stopped
        enabled: false
        masked: true
      when: service_exists.stdout_lines is search("bluetooth.service", multiline=True)
    - name: Unit Socket Exists - bluetooth.socket
      ansible.builtin.command: systemctl -q list-unit-files bluetooth.socket
      register: socket_file_exists
      changed_when: false
      failed_when: socket_file_exists.rc not in [0, 1]
      check_mode: false
    - name: Disable Bluetooth Service - Disable Socket bluetooth
      ansible.builtin.systemd:
        name: bluetooth.socket
        enabled: false
        state: stopped
        masked: true
      when: socket_file_exists.stdout_lines is search("bluetooth.socket", multiline=True)
  when:
    - disable_strategy | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - service_bluetooth_disabled | bool
    - special_service_block | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-86761-4
    - NIST-800-171-3.1.16
    - NIST-800-53-AC-18(3)
    - NIST-800-53-AC-18(a)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-MP-7
    - disable_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - service_bluetooth_disabled
    - special_service_block

- name: Disable the Automounter - Disable service autofs
  block:
    - name: Disable the Automounter - Collect systemd Services Present in the System
      ansible.builtin.command: systemctl -q list-unit-files --type service
      register: service_exists
      changed_when: false
      failed_when: service_exists.rc not in [0, 1]
      check_mode: false
    - name: Disable the Automounter - Ensure autofs.service is Masked
      ansible.builtin.systemd:
        name: autofs.service
        state: stopped
        enabled: false
        masked: true
      when: service_exists.stdout_lines is search("autofs.service", multiline=True)
    - name: Unit Socket Exists - autofs.socket
      ansible.builtin.command: systemctl -q list-unit-files autofs.socket
      register: socket_file_exists
      changed_when: false
      failed_when: socket_file_exists.rc not in [0, 1]
      check_mode: false
    - name: Disable the Automounter - Disable Socket autofs
      ansible.builtin.systemd:
        name: autofs.socket
        enabled: false
        state: stopped
        masked: true
      when: socket_file_exists.stdout_lines is search("autofs.socket", multiline=True)
  when:
    - DISA_STIG_RHEL_09_231040 | bool
    - disable_strategy | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - service_autofs_disabled | bool
    - special_service_block | bool
    - ( "autofs" in ansible_facts.packages and "kernel-core" in ansible_facts.packages )
  tags:
    - CCE-83850-8
    - DISA-STIG-RHEL-09-231040
    - NIST-800-171-3.4.6
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-MP-7
    - disable_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - service_autofs_disabled
    - special_service_block

- name: Disable Avahi Server Software - Disable service avahi-daemon
  block:
    - name: Disable Avahi Server Software - Collect systemd Services Present in the System
      ansible.builtin.command: systemctl -q list-unit-files --type service
      register: service_exists
      changed_when: false
      failed_when: service_exists.rc not in [0, 1]
      check_mode: false
    - name: Disable Avahi Server Software - Ensure avahi-daemon.service is Masked
      ansible.builtin.systemd:
        name: avahi-daemon.service
        state: stopped
        enabled: false
        masked: true
      when: service_exists.stdout_lines is search("avahi-daemon.service", multiline=True)
    - name: Unit Socket Exists - avahi-daemon.socket
      ansible.builtin.command: systemctl -q list-unit-files avahi-daemon.socket
      register: socket_file_exists
      changed_when: false
      failed_when: socket_file_exists.rc not in [0, 1]
      check_mode: false
    - name: Disable Avahi Server Software - Disable Socket avahi-daemon
      ansible.builtin.systemd:
        name: avahi-daemon.socket
        enabled: false
        state: stopped
        masked: true
      when: socket_file_exists.stdout_lines is search("avahi-daemon.socket", multiline=True)
  when:
    - disable_strategy | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - service_avahi_daemon_disabled | bool
    - special_service_block | bool
    - ( "avahi" in ansible_facts.packages and "kernel-core" in ansible_facts.packages )
  tags:
    - CCE-90824-4
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.4
    - disable_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - service_avahi-daemon_disabled
    - special_service_block

- name: Enable cron Service - Enable service crond
  block:
    - name: Enable cron Service - Enable Service crond
      ansible.builtin.systemd:
        name: crond
        enabled: true
        state: started
        masked: false
      when:
        - '"cronie" in ansible_facts.packages'
  when:
    - enable_strategy | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - service_crond_enabled | bool
    - special_service_block | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-84163-5
    - NIST-800-53-CM-6(a)
    - enable_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - service_crond_enabled
    - special_service_block

- name: Disable rpcbind Service - Disable service rpcbind
  block:
    - name: Disable rpcbind Service - Collect systemd Services Present in the System
      ansible.builtin.command: systemctl -q list-unit-files --type service
      register: service_exists
      changed_when: false
      failed_when: service_exists.rc not in [0, 1]
      check_mode: false
    - name: Disable rpcbind Service - Ensure rpcbind.service is Masked
      ansible.builtin.systemd:
        name: rpcbind.service
        state: stopped
        enabled: false
        masked: true
      when: service_exists.stdout_lines is search("rpcbind.service", multiline=True)
    - name: Unit Socket Exists - rpcbind.socket
      ansible.builtin.command: systemctl -q list-unit-files rpcbind.socket
      register: socket_file_exists
      changed_when: false
      failed_when: socket_file_exists.rc not in [0, 1]
      check_mode: false
    - name: Disable rpcbind Service - Disable Socket rpcbind
      ansible.builtin.systemd:
        name: rpcbind.socket
        enabled: false
        state: stopped
        masked: true
      when: socket_file_exists.stdout_lines is search("rpcbind.socket", multiline=True)
  when:
    - disable_strategy | bool
    - low_complexity | bool
    - low_disruption | bool
    - low_severity | bool
    - no_reboot_needed | bool
    - service_rpcbind_disabled | bool
    - special_service_block | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-84245-0
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.4
    - disable_strategy
    - low_complexity
    - low_disruption
    - low_severity
    - no_reboot_needed
    - service_rpcbind_disabled
    - special_service_block

- name: Disable Network File System (nfs) - Disable service nfs-server
  block:
    - name: Disable Network File System (nfs) - Collect systemd Services Present in the System
      ansible.builtin.command: systemctl -q list-unit-files --type service
      register: service_exists
      changed_when: false
      failed_when: service_exists.rc not in [0, 1]
      check_mode: false
    - name: Disable Network File System (nfs) - Ensure nfs-server.service is Masked
      ansible.builtin.systemd:
        name: nfs-server.service
        state: stopped
        enabled: false
        masked: true
      when: service_exists.stdout_lines is search("nfs-server.service", multiline=True)
    - name: Unit Socket Exists - nfs-server.socket
      ansible.builtin.command: systemctl -q list-unit-files nfs-server.socket
      register: socket_file_exists
      changed_when: false
      failed_when: socket_file_exists.rc not in [0, 1]
      check_mode: false
    - name: Disable Network File System (nfs) - Disable Socket nfs-server
      ansible.builtin.systemd:
        name: nfs-server.socket
        enabled: false
        state: stopped
        masked: true
      when: socket_file_exists.stdout_lines is search("nfs-server.socket", multiline=True)
  when:
    - disable_strategy | bool
    - low_complexity | bool
    - low_disruption | bool
    - no_reboot_needed | bool
    - service_nfs_disabled | bool
    - special_service_block | bool
    - unknown_severity | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-90850-9
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - service_nfs_disabled
    - special_service_block
    - unknown_severity

- name: Disable the CUPS Service - Disable service cups
  block:
    - name: Disable the CUPS Service - Collect systemd Services Present in the System
      ansible.builtin.command: systemctl -q list-unit-files --type service
      register: service_exists
      changed_when: false
      failed_when: service_exists.rc not in [0, 1]
      check_mode: false
    - name: Disable the CUPS Service - Ensure cups.service is Masked
      ansible.builtin.systemd:
        name: cups.service
        state: stopped
        enabled: false
        masked: true
      when: service_exists.stdout_lines is search("cups.service", multiline=True)
    - name: Unit Socket Exists - cups.socket
      ansible.builtin.command: systemctl -q list-unit-files cups.socket
      register: socket_file_exists
      changed_when: false
      failed_when: socket_file_exists.rc not in [0, 1]
      check_mode: false
    - name: Disable the CUPS Service - Disable Socket cups
      ansible.builtin.systemd:
        name: cups.socket
        enabled: false
        state: stopped
        masked: true
      when: socket_file_exists.stdout_lines is search("cups.socket", multiline=True)
  when:
    - disable_strategy | bool
    - low_complexity | bool
    - low_disruption | bool
    - no_reboot_needed | bool
    - service_cups_disabled | bool
    - special_service_block | bool
    - unknown_severity | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-90795-6
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - disable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - service_cups_disabled
    - special_service_block
    - unknown_severity

- name: Enable auditd Service - Enable service auditd
  block:
    - name: Enable auditd Service - Enable Service auditd
      ansible.builtin.systemd:
        name: auditd
        enabled: true
        state: started
        masked: false
      when:
        - '"audit" in ansible_facts.packages'
  when:
    - DISA_STIG_RHEL_09_653015 | bool
    - enable_strategy | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - service_auditd_enabled | bool
    - special_service_block | bool
    - '"kernel-core" in ansible_facts.packages'
    - '"audit" in ansible_facts.packages'
  tags:
    - CCE-90829-3
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-09-653015
    - NIST-800-171-3.3.1
    - NIST-800-171-3.3.2
    - NIST-800-171-3.3.6
    - NIST-800-53-AC-2(g)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-10
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-14(1)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-3
    - NIST-800-53-CM-6(a)
    - NIST-800-53-SI-4(23)
    - PCI-DSS-Req-10.1
    - PCI-DSSv4-10.2
    - PCI-DSSv4-10.2.1
    - enable_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - service_auditd_enabled
    - special_service_block

# service_facts takes no arguments; the explicit null keeps the module call.
- name: Gather the service facts
  ansible.builtin.service_facts: null
  tags:
    - always

# --- AIDE database initialisation -------------------------------------------
# Three-step flow: stat the freshly-built database, run `aide --init` only
# when it is not already there, then stage it as the live database.  The
# copy keeps a backup of any previous aide.db.gz and is skipped in check mode.
- name: Build and Test AIDE Database - Check Whether the Stock AIDE Database Exists
  ansible.builtin.stat:
    path: /var/lib/aide/aide.db.new.gz
  register: aide_database_stat
  when:
    - DISA_STIG_RHEL_09_651010 | bool
    - aide_build_database | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-83438-2
    - CJIS-5.10.1.3
    - DISA-STIG-RHEL-09-651010
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-11.5
    - PCI-DSSv4-11.5.2
    - aide_build_database
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

# `aide --init` always writes a new database, hence changed_when: true.
# The `is defined` guard covers the case where the stat task was skipped.
- name: Build and Test AIDE Database - Build and Test AIDE Database
  ansible.builtin.command: /usr/sbin/aide --init
  changed_when: true
  register: aide_database_init
  when:
    - DISA_STIG_RHEL_09_651010 | bool
    - aide_build_database | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - '"kernel-core" in ansible_facts.packages'
    - not (aide_database_stat.stat.exists is defined and aide_database_stat.stat.exists)
  tags:
    - CCE-83438-2
    - CJIS-5.10.1.3
    - DISA-STIG-RHEL-09-651010
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-11.5
    - PCI-DSSv4-11.5.2
    - aide_build_database
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

# Only stages a database that this run just built (`is changed`).
- name: Build and Test AIDE Database - Stage AIDE Database
  ansible.builtin.copy:
    src: /var/lib/aide/aide.db.new.gz
    dest: /var/lib/aide/aide.db.gz
    backup: true
    remote_src: true
  when:
    - DISA_STIG_RHEL_09_651010 | bool
    - aide_build_database | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - '"kernel-core" in ansible_facts.packages'
    - aide_database_init is changed
    - not ansible_check_mode
  tags:
    - CCE-83438-2
    - CJIS-5.10.1.3
    - DISA-STIG-RHEL-09-651010
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-11.5
    - PCI-DSSv4-11.5.2
    - aide_build_database
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
- name: Set audit_tools fact ansible.builtin.set_fact: audit_tools: - /usr/sbin/auditctl - /usr/sbin/auditd - /usr/sbin/augenrules - /usr/sbin/aureport - /usr/sbin/ausearch - /usr/sbin/autrace - /usr/sbin/rsyslogd when: - DISA_STIG_RHEL_09_651025 | bool - aide_check_audit_tools | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-87757-1 - DISA-STIG-RHEL-09-651025 - NIST-800-53-AU-9(3) - NIST-800-53-AU-9(3).1 - aide_check_audit_tools - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Ensure existing AIDE configuration for audit tools are correct ansible.builtin.lineinfile: path: /etc/aide.conf regexp: ^{{ item }}\s line: '{{ item }} p+i+n+u+g+s+b+acl+xattrs+sha512' create: true with_items: '{{ audit_tools }}' when: - DISA_STIG_RHEL_09_651025 | bool - aide_check_audit_tools | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"kernel-core" in ansible_facts.packages' - '"aide" in ansible_facts.packages' tags: - CCE-87757-1 - DISA-STIG-RHEL-09-651025 - NIST-800-53-AU-9(3) - NIST-800-53-AU-9(3).1 - aide_check_audit_tools - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Configure AIDE to properly protect audit tools ansible.builtin.lineinfile: path: /etc/aide.conf line: '{{ item }} p+i+n+u+g+s+b+acl+xattrs+sha512' create: true with_items: '{{ audit_tools }}' when: - DISA_STIG_RHEL_09_651025 | bool - aide_check_audit_tools | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"kernel-core" in ansible_facts.packages' - '"aide" in ansible_facts.packages' tags: - CCE-87757-1 - DISA-STIG-RHEL-09-651025 - NIST-800-53-AU-9(3) - NIST-800-53-AU-9(3).1 - aide_check_audit_tools - 
low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Configure Periodic Execution of AIDE ansible.builtin.cron: name: run AIDE check minute: 5 hour: 4 user: root job: /usr/sbin/aide --check register: crontab_check when: - aide_periodic_cron_checking | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"kernel-core" in ansible_facts.packages' - '''cronie'' in ansible_facts.packages' tags: - CCE-83437-4 - CJIS-5.10.1.3 - NIST-800-53-CM-6(a) - NIST-800-53-SI-7 - NIST-800-53-SI-7(1) - PCI-DSS-Req-11.5 - PCI-DSSv4-11.5.2 - aide_periodic_cron_checking - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Implement Custom Crypto Policy Modules for CIS Benchmark - Create custom crypto policy module NO-SSHCBC ansible.builtin.lineinfile: path: /etc/crypto-policies/policies/modules/NO-SSHCBC.pmod owner: root group: root mode: '0644' line: cipher@SSH = -*-CBC create: true regexp: cipher@SSH tags: - CCE-88900-6 - configure_custom_crypto_policy_cis - configure_strategy - low_complexity - low_disruption - medium_severity - reboot_required when: - configure_custom_crypto_policy_cis | bool - configure_strategy | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - reboot_required | bool - name: Implement Custom Crypto Policy Modules for CIS Benchmark - Create custom crypto policy module NO-SSHWEAKCIPHERS ansible.builtin.lineinfile: path: /etc/crypto-policies/policies/modules/NO-SSHWEAKCIPHERS.pmod owner: root group: root mode: '0644' line: cipher@SSH = -3DES-CBC -AES-128-CBC -AES-192-CBC -AES-256-CBC -CHACHA20-POLY1305 create: true regexp: cipher@SSH tags: - CCE-88900-6 - configure_custom_crypto_policy_cis - configure_strategy - low_complexity - low_disruption - medium_severity - reboot_required when: - configure_custom_crypto_policy_cis | bool - configure_strategy | bool - 
low_complexity | bool - low_disruption | bool - medium_severity | bool - reboot_required | bool - name: Implement Custom Crypto Policy Modules for CIS Benchmark - Create custom crypto policy module NO-SSHWEAKMACS ansible.builtin.lineinfile: path: /etc/crypto-policies/policies/modules/NO-SSHWEAKMACS.pmod owner: root group: root mode: '0644' line: mac@SSH = -HMAC-MD5* -UMAC-64* -UMAC-128* create: true regexp: mac@SSH tags: - CCE-88900-6 - configure_custom_crypto_policy_cis - configure_strategy - low_complexity - low_disruption - medium_severity - reboot_required when: - configure_custom_crypto_policy_cis | bool - configure_strategy | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - reboot_required | bool - name: Implement Custom Crypto Policy Modules for CIS Benchmark - Create custom crypto policy module NO-WEAKMAC ansible.builtin.lineinfile: path: /etc/crypto-policies/policies/modules/NO-WEAKMAC.pmod owner: root group: root mode: '0644' line: mac = -*-128* create: true regexp: mac tags: - CCE-88900-6 - configure_custom_crypto_policy_cis - configure_strategy - low_complexity - low_disruption - medium_severity - reboot_required when: - configure_custom_crypto_policy_cis | bool - configure_strategy | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - reboot_required | bool - name: Implement Custom Crypto Policy Modules for CIS Benchmark - Check current crypto policy ansible.builtin.command: update-crypto-policies --show register: current_crypto_policy changed_when: false failed_when: false check_mode: false tags: - CCE-88900-6 - configure_custom_crypto_policy_cis - configure_strategy - low_complexity - low_disruption - medium_severity - reboot_required when: - configure_custom_crypto_policy_cis | bool - configure_strategy | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - reboot_required | bool - name: Implement Custom Crypto Policy Modules for CIS Benchmark - Update 
crypto-policies ansible.builtin.command: update-crypto-policies --set DEFAULT:NO-SHA1:NO-SSHCBC:NO-SSHWEAKCIPHERS:NO-SSHWEAKMACS:NO-WEAKMAC when: - configure_custom_crypto_policy_cis | bool - configure_strategy | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - reboot_required | bool - current_crypto_policy.stdout.strip() != "DEFAULT:NO-SHA1:NO-SSHCBC:NO-SSHWEAKCIPHERS:NO-SSHWEAKMACS:NO-WEAKMAC" tags: - CCE-88900-6 - configure_custom_crypto_policy_cis - configure_strategy - low_complexity - low_disruption - medium_severity - reboot_required - name: Configure SSH to use System Crypto Policy ansible.builtin.lineinfile: dest: /etc/sysconfig/sshd state: absent regexp: (?i)^\s*CRYPTO_POLICY.*$ when: - configure_ssh_crypto_policy | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - reboot_required | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-83445-7 - NIST-800-53-AC-17(2) - NIST-800-53-AC-17(a) - NIST-800-53-CM-6(a) - NIST-800-53-MA-4(6) - NIST-800-53-SC-13 - PCI-DSS-Req-2.2 - PCI-DSSv4-2.2 - PCI-DSSv4-2.2.7 - configure_ssh_crypto_policy - disable_strategy - low_complexity - medium_disruption - medium_severity - reboot_required - name: Make sure that the dconf databases are up-to-date with regards to respective keyfiles - Get database modification time for distro ansible.builtin.stat: path: /etc/dconf/db/distro register: distro_db when: - DISA_STIG_RHEL_09_271090 | bool - dconf_db_up_to_date | bool - high_severity | bool - low_complexity | bool - medium_disruption | bool - no_reboot_needed | bool - unknown_strategy | bool - '"gdm" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' tags: - CCE-87295-2 - DISA-STIG-RHEL-09-271090 - PCI-DSS-Req-6.2 - PCI-DSSv4-8.2 - PCI-DSSv4-8.2.8 - dconf_db_up_to_date - high_severity - low_complexity - medium_disruption - no_reboot_needed - unknown_strategy - name: Make sure that the dconf databases are up-to-date 
with regards to respective keyfiles - Get keyfiles for distro ansible.builtin.find: paths: /etc/dconf/db/distro.d/ register: distro_keyfiles when: - DISA_STIG_RHEL_09_271090 | bool - dconf_db_up_to_date | bool - high_severity | bool - low_complexity | bool - medium_disruption | bool - no_reboot_needed | bool - unknown_strategy | bool - '"gdm" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' tags: - CCE-87295-2 - DISA-STIG-RHEL-09-271090 - PCI-DSS-Req-6.2 - PCI-DSSv4-8.2 - PCI-DSSv4-8.2.8 - dconf_db_up_to_date - high_severity - low_complexity - medium_disruption - no_reboot_needed - unknown_strategy - name: Make sure that the dconf databases are up-to-date with regards to respective keyfiles - Run dconf update for distro ansible.builtin.command: cmd: dconf update when: - DISA_STIG_RHEL_09_271090 | bool - dconf_db_up_to_date | bool - high_severity | bool - low_complexity | bool - medium_disruption | bool - no_reboot_needed | bool - unknown_strategy | bool - '"gdm" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - not distro_db.stat.exists or distro_keyfiles.files | length > 0 and distro_keyfiles.files | map(attribute='mtime') | max > distro_db.stat.mtime tags: - CCE-87295-2 - DISA-STIG-RHEL-09-271090 - PCI-DSS-Req-6.2 - PCI-DSSv4-8.2 - PCI-DSSv4-8.2.8 - dconf_db_up_to_date - high_severity - low_complexity - medium_disruption - no_reboot_needed - unknown_strategy - name: Make sure that the dconf databases are up-to-date with regards to respective keyfiles - Get database modification time for local ansible.builtin.stat: path: /etc/dconf/db/local register: local_db when: - DISA_STIG_RHEL_09_271090 | bool - dconf_db_up_to_date | bool - high_severity | bool - low_complexity | bool - medium_disruption | bool - no_reboot_needed | bool - unknown_strategy | bool - '"gdm" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' tags: - CCE-87295-2 - DISA-STIG-RHEL-09-271090 - PCI-DSS-Req-6.2 - PCI-DSSv4-8.2 - 
PCI-DSSv4-8.2.8 - dconf_db_up_to_date - high_severity - low_complexity - medium_disruption - no_reboot_needed - unknown_strategy - name: Make sure that the dconf databases are up-to-date with regards to respective keyfiles - Get keyfiles for local ansible.builtin.find: paths: /etc/dconf/db/local.d/ register: local_keyfiles when: - DISA_STIG_RHEL_09_271090 | bool - dconf_db_up_to_date | bool - high_severity | bool - low_complexity | bool - medium_disruption | bool - no_reboot_needed | bool - unknown_strategy | bool - '"gdm" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' tags: - CCE-87295-2 - DISA-STIG-RHEL-09-271090 - PCI-DSS-Req-6.2 - PCI-DSSv4-8.2 - PCI-DSSv4-8.2.8 - dconf_db_up_to_date - high_severity - low_complexity - medium_disruption - no_reboot_needed - unknown_strategy - name: Make sure that the dconf databases are up-to-date with regards to respective keyfiles - Run dconf update for local ansible.builtin.command: cmd: dconf update when: - DISA_STIG_RHEL_09_271090 | bool - dconf_db_up_to_date | bool - high_severity | bool - low_complexity | bool - medium_disruption | bool - no_reboot_needed | bool - unknown_strategy | bool - '"gdm" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - not local_db.stat.exists or local_keyfiles.files | length > 0 and local_keyfiles.files | map(attribute='mtime') | max > local_db.stat.mtime tags: - CCE-87295-2 - DISA-STIG-RHEL-09-271090 - PCI-DSS-Req-6.2 - PCI-DSSv4-8.2 - PCI-DSSv4-8.2.8 - dconf_db_up_to_date - high_severity - low_complexity - medium_disruption - no_reboot_needed - unknown_strategy - name: Disable the GNOME3 Login User List community.general.ini_file: dest: /etc/dconf/db/distro.d/00-security-settings section: org/gnome/login-screen option: disable-user-list value: 'true' no_extra_spaces: true create: true register: result_ini when: - DISA_STIG_RHEL_09_271115 | bool - dconf_gnome_disable_user_list | bool - low_complexity | bool - medium_disruption | bool - 
medium_severity | bool - no_reboot_needed | bool - unknown_strategy | bool - '"gdm" in ansible_facts.packages' tags: - CCE-88285-2 - DISA-STIG-RHEL-09-271115 - NIST-800-53-AC-23 - NIST-800-53-CM-6(a) - dconf_gnome_disable_user_list - low_complexity - medium_disruption - medium_severity - no_reboot_needed - unknown_strategy - name: Prevent user modification of GNOME3 disablement of Login User List ansible.builtin.lineinfile: path: /etc/dconf/db/distro.d/locks/00-security-settings-lock regexp: ^/org/gnome/login-screen/disable-user-list$ line: /org/gnome/login-screen/disable-user-list create: true register: result_lineinfile when: - DISA_STIG_RHEL_09_271115 | bool - dconf_gnome_disable_user_list | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - no_reboot_needed | bool - unknown_strategy | bool - '"gdm" in ansible_facts.packages' tags: - CCE-88285-2 - DISA-STIG-RHEL-09-271115 - NIST-800-53-AC-23 - NIST-800-53-CM-6(a) - dconf_gnome_disable_user_list - low_complexity - medium_disruption - medium_severity - no_reboot_needed - unknown_strategy - name: Dconf Update ansible.builtin.command: dconf update when: - DISA_STIG_RHEL_09_271115 | bool - dconf_gnome_disable_user_list | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - no_reboot_needed | bool - unknown_strategy | bool - '"gdm" in ansible_facts.packages' - result_ini is changed or result_lineinfile is changed tags: - CCE-88285-2 - DISA-STIG-RHEL-09-271115 - NIST-800-53-AC-23 - NIST-800-53-CM-6(a) - dconf_gnome_disable_user_list - low_complexity - medium_disruption - medium_severity - no_reboot_needed - unknown_strategy - name: Disable XDMCP in GDM community.general.ini_file: path: /etc/gdm/custom.conf section: xdmcp option: Enable value: 'false' create: true mode: 420 when: - gnome_gdm_disable_xdmcp | bool - high_severity | bool - low_complexity | bool - medium_disruption | bool - no_reboot_needed | bool - unknown_strategy | bool - '"gdm" in 
ansible_facts.packages' tags: - CCE-86033-8 - gnome_gdm_disable_xdmcp - high_severity - low_complexity - medium_disruption - no_reboot_needed - unknown_strategy - name: Disable GNOME3 Automounting - automount community.general.ini_file: dest: /etc/dconf/db/local.d/00-security-settings section: org/gnome/desktop/media-handling option: automount value: 'false' create: true no_extra_spaces: true register: result_ini when: - dconf_gnome_disable_automount | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - no_reboot_needed | bool - unknown_strategy | bool - '"gdm" in ansible_facts.packages' tags: - CCE-87734-0 - NIST-800-171-3.1.7 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - PCI-DSSv4-3.4 - PCI-DSSv4-3.4.2 - dconf_gnome_disable_automount - low_complexity - medium_disruption - medium_severity - no_reboot_needed - unknown_strategy - name: Prevent user modification of GNOME3 Automounting - automount ansible.builtin.lineinfile: path: /etc/dconf/db/local.d/locks/00-security-settings-lock regexp: ^/org/gnome/desktop/media-handling/automount$ line: /org/gnome/desktop/media-handling/automount create: true register: result_lineinfile when: - dconf_gnome_disable_automount | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - no_reboot_needed | bool - unknown_strategy | bool - '"gdm" in ansible_facts.packages' tags: - CCE-87734-0 - NIST-800-171-3.1.7 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - PCI-DSSv4-3.4 - PCI-DSSv4-3.4.2 - dconf_gnome_disable_automount - low_complexity - medium_disruption - medium_severity - no_reboot_needed - unknown_strategy - name: Dconf Update ansible.builtin.command: dconf update when: - dconf_gnome_disable_automount | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - no_reboot_needed | bool - unknown_strategy | bool - '"gdm" in ansible_facts.packages' - result_ini is changed or result_lineinfile is changed tags: 
- CCE-87734-0 - NIST-800-171-3.1.7 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - PCI-DSSv4-3.4 - PCI-DSSv4-3.4.2 - dconf_gnome_disable_automount - low_complexity - medium_disruption - medium_severity - no_reboot_needed - unknown_strategy - name: Disable GNOME3 Automounting - automount-open community.general.ini_file: dest: /etc/dconf/db/local.d/00-security-settings section: org/gnome/desktop/media-handling option: automount-open value: 'false' create: true no_extra_spaces: true register: result_ini when: - DISA_STIG_RHEL_09_271020 | bool - DISA_STIG_RHEL_09_271025 | bool - dconf_gnome_disable_automount_open | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - no_reboot_needed | bool - unknown_strategy | bool - '"gdm" in ansible_facts.packages' tags: - CCE-90128-0 - DISA-STIG-RHEL-09-271020 - DISA-STIG-RHEL-09-271025 - NIST-800-171-3.1.7 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - PCI-DSSv4-3.4 - PCI-DSSv4-3.4.2 - dconf_gnome_disable_automount_open - low_complexity - medium_disruption - medium_severity - no_reboot_needed - unknown_strategy - name: Prevent user modification of GNOME3 Automounting - automount-open ansible.builtin.lineinfile: path: /etc/dconf/db/local.d/locks/00-security-settings-lock regexp: ^/org/gnome/desktop/media-handling/automount-open$ line: /org/gnome/desktop/media-handling/automount-open create: true register: result_lineinfile when: - DISA_STIG_RHEL_09_271020 | bool - DISA_STIG_RHEL_09_271025 | bool - dconf_gnome_disable_automount_open | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - no_reboot_needed | bool - unknown_strategy | bool - '"gdm" in ansible_facts.packages' tags: - CCE-90128-0 - DISA-STIG-RHEL-09-271020 - DISA-STIG-RHEL-09-271025 - NIST-800-171-3.1.7 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - PCI-DSSv4-3.4 - PCI-DSSv4-3.4.2 - dconf_gnome_disable_automount_open - low_complexity - 
medium_disruption - medium_severity - no_reboot_needed - unknown_strategy - name: Dconf Update ansible.builtin.command: dconf update when: - DISA_STIG_RHEL_09_271020 | bool - DISA_STIG_RHEL_09_271025 | bool - dconf_gnome_disable_automount_open | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - no_reboot_needed | bool - unknown_strategy | bool - '"gdm" in ansible_facts.packages' - result_ini is changed or result_lineinfile is changed tags: - CCE-90128-0 - DISA-STIG-RHEL-09-271020 - DISA-STIG-RHEL-09-271025 - NIST-800-171-3.1.7 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - PCI-DSSv4-3.4 - PCI-DSSv4-3.4.2 - dconf_gnome_disable_automount_open - low_complexity - medium_disruption - medium_severity - no_reboot_needed - unknown_strategy - name: Disable GNOME3 Automounting - autorun-never community.general.ini_file: dest: /etc/dconf/db/local.d/00-security-settings section: org/gnome/desktop/media-handling option: autorun-never value: 'true' create: true no_extra_spaces: true register: result_ini when: - DISA_STIG_RHEL_09_271030 | bool - DISA_STIG_RHEL_09_271035 | bool - dconf_gnome_disable_autorun | bool - low_complexity | bool - low_severity | bool - medium_disruption | bool - no_reboot_needed | bool - unknown_strategy | bool - '"gdm" in ansible_facts.packages' tags: - CCE-90257-7 - DISA-STIG-RHEL-09-271030 - DISA-STIG-RHEL-09-271035 - NIST-800-171-3.1.7 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - dconf_gnome_disable_autorun - low_complexity - low_severity - medium_disruption - no_reboot_needed - unknown_strategy - name: Prevent user modification of GNOME3 Automounting - autorun-never ansible.builtin.lineinfile: path: /etc/dconf/db/local.d/locks/00-security-settings-lock regexp: ^/org/gnome/desktop/media-handling/autorun-never$ line: /org/gnome/desktop/media-handling/autorun-never create: true register: result_lineinfile when: - DISA_STIG_RHEL_09_271030 | bool - DISA_STIG_RHEL_09_271035 | bool 
- dconf_gnome_disable_autorun | bool - low_complexity | bool - low_severity | bool - medium_disruption | bool - no_reboot_needed | bool - unknown_strategy | bool - '"gdm" in ansible_facts.packages' tags: - CCE-90257-7 - DISA-STIG-RHEL-09-271030 - DISA-STIG-RHEL-09-271035 - NIST-800-171-3.1.7 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - dconf_gnome_disable_autorun - low_complexity - low_severity - medium_disruption - no_reboot_needed - unknown_strategy - name: Dconf Update ansible.builtin.command: dconf update when: - DISA_STIG_RHEL_09_271030 | bool - DISA_STIG_RHEL_09_271035 | bool - dconf_gnome_disable_autorun | bool - low_complexity | bool - low_severity | bool - medium_disruption | bool - no_reboot_needed | bool - unknown_strategy | bool - '"gdm" in ansible_facts.packages' - result_ini is changed or result_lineinfile is changed tags: - CCE-90257-7 - DISA-STIG-RHEL-09-271030 - DISA-STIG-RHEL-09-271035 - NIST-800-171-3.1.7 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - dconf_gnome_disable_autorun - low_complexity - low_severity - medium_disruption - no_reboot_needed - unknown_strategy - name: Set GNOME3 Screensaver Inactivity Timeout community.general.ini_file: dest: /etc/dconf/db/local.d/00-security-settings section: org/gnome/desktop/session option: idle-delay value: uint32 {{ inactivity_timeout_value }} create: true no_extra_spaces: true register: result_ini when: - DISA_STIG_RHEL_09_271065 | bool - dconf_gnome_screensaver_idle_delay | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - no_reboot_needed | bool - unknown_strategy | bool - '"gdm" in ansible_facts.packages' tags: - CCE-86510-5 - CJIS-5.5.5 - DISA-STIG-RHEL-09-271065 - NIST-800-171-3.1.10 - NIST-800-53-AC-11(a) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.1.8 - PCI-DSSv4-8.2 - PCI-DSSv4-8.2.8 - dconf_gnome_screensaver_idle_delay - low_complexity - medium_disruption - medium_severity - no_reboot_needed - unknown_strategy - name: 
Dconf Update ansible.builtin.command: dconf update when: - DISA_STIG_RHEL_09_271065 | bool - dconf_gnome_screensaver_idle_delay | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - no_reboot_needed | bool - unknown_strategy | bool - '"gdm" in ansible_facts.packages' - result_ini is changed tags: - CCE-86510-5 - CJIS-5.5.5 - DISA-STIG-RHEL-09-271065 - NIST-800-171-3.1.10 - NIST-800-53-AC-11(a) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.1.8 - PCI-DSSv4-8.2 - PCI-DSSv4-8.2.8 - dconf_gnome_screensaver_idle_delay - low_complexity - medium_disruption - medium_severity - no_reboot_needed - unknown_strategy - name: Set GNOME3 Screensaver Lock Delay After Activation Period community.general.ini_file: dest: /etc/dconf/db/local.d/00-security-settings section: org/gnome/desktop/screensaver option: lock-delay value: uint32 {{ var_screensaver_lock_delay }} create: true no_extra_spaces: true register: result_ini when: - DISA_STIG_RHEL_09_271075 | bool - dconf_gnome_screensaver_lock_delay | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - no_reboot_needed | bool - unknown_strategy | bool - '"gdm" in ansible_facts.packages' tags: - CCE-86954-5 - DISA-STIG-RHEL-09-271075 - NIST-800-171-3.1.10 - NIST-800-53-AC-11(a) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.1.8 - PCI-DSSv4-8.2 - PCI-DSSv4-8.2.8 - dconf_gnome_screensaver_lock_delay - low_complexity - medium_disruption - medium_severity - no_reboot_needed - unknown_strategy - name: Dconf Update ansible.builtin.command: dconf update when: - DISA_STIG_RHEL_09_271075 | bool - dconf_gnome_screensaver_lock_delay | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - no_reboot_needed | bool - unknown_strategy | bool - '"gdm" in ansible_facts.packages' - result_ini is changed tags: - CCE-86954-5 - DISA-STIG-RHEL-09-271075 - NIST-800-171-3.1.10 - NIST-800-53-AC-11(a) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.1.8 - PCI-DSSv4-8.2 - PCI-DSSv4-8.2.8 - 
dconf_gnome_screensaver_lock_delay - low_complexity - medium_disruption - medium_severity - no_reboot_needed - unknown_strategy - name: Prevent user modification of GNOME lock-delay ansible.builtin.lineinfile: path: /etc/dconf/db/local.d/locks/00-security-settings-lock regexp: ^/org/gnome/desktop/screensaver/lock-delay$ line: /org/gnome/desktop/screensaver/lock-delay create: true register: result_lineinfile when: - DISA_STIG_RHEL_09_271080 | bool - dconf_gnome_screensaver_user_locks | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - no_reboot_needed | bool - unknown_strategy | bool - '"gdm" in ansible_facts.packages' tags: - CCE-87491-7 - DISA-STIG-RHEL-09-271080 - NIST-800-171-3.1.10 - NIST-800-53-CM-6(a) - dconf_gnome_screensaver_user_locks - low_complexity - medium_disruption - medium_severity - no_reboot_needed - unknown_strategy - name: Dconf Update ansible.builtin.command: dconf update when: - DISA_STIG_RHEL_09_271080 | bool - dconf_gnome_screensaver_user_locks | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - no_reboot_needed | bool - unknown_strategy | bool - '"gdm" in ansible_facts.packages' - result_lineinfile is changed tags: - CCE-87491-7 - DISA-STIG-RHEL-09-271080 - NIST-800-171-3.1.10 - NIST-800-53-CM-6(a) - dconf_gnome_screensaver_user_locks - low_complexity - medium_disruption - medium_severity - no_reboot_needed - unknown_strategy - name: Prevent user modification of GNOME Session idle-delay ansible.builtin.lineinfile: path: /etc/dconf/db/local.d/locks/00-security-settings-lock regexp: ^/org/gnome/desktop/session/idle-delay$ line: /org/gnome/desktop/session/idle-delay create: true register: result_lineinfile when: - DISA_STIG_RHEL_09_271070 | bool - dconf_gnome_session_idle_user_locks | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - no_reboot_needed | bool - unknown_strategy | bool - '"gdm" in ansible_facts.packages' tags: - CCE-85971-0 - 
DISA-STIG-RHEL-09-271070 - NIST-800-171-3.1.10 - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.1.8 - PCI-DSSv4-8.2 - PCI-DSSv4-8.2.8 - dconf_gnome_session_idle_user_locks - low_complexity - medium_disruption - medium_severity - no_reboot_needed - unknown_strategy - name: Dconf Update ansible.builtin.command: dconf update when: - DISA_STIG_RHEL_09_271070 | bool - dconf_gnome_session_idle_user_locks | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - no_reboot_needed | bool - unknown_strategy | bool - '"gdm" in ansible_facts.packages' - result_lineinfile is changed tags: - CCE-85971-0 - DISA-STIG-RHEL-09-271070 - NIST-800-171-3.1.10 - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.1.8 - PCI-DSSv4-8.2 - PCI-DSSv4-8.2.8 - dconf_gnome_session_idle_user_locks - low_complexity - medium_disruption - medium_severity - no_reboot_needed - unknown_strategy - name: Ensure use_pty is enabled in /etc/sudoers ansible.builtin.lineinfile: path: /etc/sudoers regexp: ^[\s]*Defaults.*\buse_pty\b.*$ line: Defaults use_pty validate: /usr/sbin/visudo -cf %s when: - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - sudo_add_use_pty | bool - '"kernel-core" in ansible_facts.packages' - '"sudo" in ansible_facts.packages' tags: - CCE-83538-9 - PCI-DSS-Req-10.2.5 - PCI-DSSv4-2.2 - PCI-DSSv4-2.2.6 - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - sudo_add_use_pty - name: Ensure logfile is enabled with the appropriate value in /etc/sudoers ansible.builtin.lineinfile: path: /etc/sudoers regexp: ^[\s]*Defaults\s(.*)\blogfile=[-]?.+\b(.*)$ line: Defaults \1logfile={{ var_sudo_logfile }}\2 validate: /usr/sbin/visudo -cf %s backrefs: true register: edit_sudoers_logfile_option when: - low_complexity | bool - low_disruption | bool - low_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - sudo_custom_logfile | bool - '"kernel-core" in 
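# NOTE(review): the task that owns this trailing `when:`/`tags:` fragment
# (rule sudo_custom_logfile, CCE-83527-2) starts above this chunk; only its
# tail is visible here. Its first visible condition was cut mid-string at the
# chunk boundary and is completed from the sibling task of the same rule below.
    - '"kernel-core" in ansible_facts.packages'
    - '"sudo" in ansible_facts.packages'
  tags:
    - CCE-83527-2
    - PCI-DSS-Req-10.2.5
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - low_complexity
    - low_disruption
    - low_severity
    - no_reboot_needed
    - restrict_strategy
    - sudo_custom_logfile

# Fallback for the rule: the line is appended only when the preceding
# edit-in-place task (registered as edit_sudoers_logfile_option) found nothing
# to rewrite, so the option is never duplicated. `visudo -cf %s` validates the
# temporary copy before it replaces /etc/sudoers, so a bad value cannot lock
# administrators out of sudo.
- name: Enable logfile option with appropriate value in /etc/sudoers
  ansible.builtin.lineinfile:
    path: /etc/sudoers
    line: Defaults logfile={{ var_sudo_logfile }}
    validate: /usr/sbin/visudo -cf %s
  when:
    - low_complexity | bool
    - low_disruption | bool
    - low_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - sudo_custom_logfile | bool
    - '"kernel-core" in ansible_facts.packages'
    - '"sudo" in ansible_facts.packages'
    - edit_sudoers_logfile_option is defined and not edit_sudoers_logfile_option.changed
  tags:
    - CCE-83527-2
    - PCI-DSS-Req-10.2.5
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - low_complexity
    - low_disruption
    - low_severity
    - no_reboot_needed
    - restrict_strategy
    - sudo_custom_logfile

# Rule sudo_require_authentication (CCE-83543-9): neutralise NOPASSWD and
# !authenticate in /etc/sudoers and every drop-in, by commenting the line out
# rather than deleting it so the original grant stays auditable.
- name: Find /etc/sudoers.d/ files
  ansible.builtin.find:
    paths:
      - /etc/sudoers.d/
  register: sudoers
  when:
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - sudo_require_authentication | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-83543-9
    - NIST-800-53-CM-6(a)
    - NIST-800-53-IA-11
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
    - sudo_require_authentication

- name: Remove lines containing NOPASSWD from sudoers files
  # The negative lookahead skips lines that already start with '#'; a line
  # that is indented before its '#' is re-commented, which is harmless.
  # Every file, including drop-ins, is validated with visudo before replacement.
  ansible.builtin.replace:
    regexp: (^(?!#).*[\s]+NOPASSWD[\s]*\:.*$)
    replace: '# \g<1>'
    path: '{{ item.path }}'
    validate: /usr/sbin/visudo -cf %s
  with_items:
    - path: /etc/sudoers
    - '{{ sudoers.files }}'
  when:
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - sudo_require_authentication | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-83543-9
    - NIST-800-53-CM-6(a)
    - NIST-800-53-IA-11
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
    - sudo_require_authentication

- name: Find /etc/sudoers.d/ files
  ansible.builtin.find:
    paths:
      - /etc/sudoers.d/
  register: sudoers
  when:
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - sudo_require_authentication | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-83543-9
    - NIST-800-53-CM-6(a)
    - NIST-800-53-IA-11
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
    - sudo_require_authentication

- name: Remove lines containing !authenticate from sudoers files
  ansible.builtin.replace:
    regexp: (^(?!#).*[\s]+\!authenticate.*$)
    replace: '# \g<1>'
    path: '{{ item.path }}'
    validate: /usr/sbin/visudo -cf %s
  with_items:
    - path: /etc/sudoers
    - '{{ sudoers.files }}'
  when:
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - sudo_require_authentication | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-83543-9
    - NIST-800-53-CM-6(a)
    - NIST-800-53-IA-11
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
    - sudo_require_authentication

# Rule sudo_require_reauthentication (CCE-90029-0): a single authoritative
# `Defaults timestamp_timeout=<value>` must live in /etc/sudoers. Drop-ins are
# purged of the option first so a later-parsed file cannot override it.
- name: Require Re-Authentication When Using the sudo Command - Find /etc/sudoers.d/* files containing 'Defaults timestamp_timeout'
  ansible.builtin.find:
    path: /etc/sudoers.d
    patterns: '*'
    contains: ^[\s]*Defaults\s.*\btimestamp_timeout[\s]*=.*
  register: sudoers_d_defaults_timestamp_timeout
  when:
    - DISA_STIG_RHEL_09_432015 | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - sudo_require_reauthentication | bool
    - '"kernel-core" in ansible_facts.packages'
    - '"sudo" in ansible_facts.packages'
  tags:
    - CCE-90029-0
    - DISA-STIG-RHEL-09-432015
    - NIST-800-53-IA-11
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
    - sudo_require_reauthentication

- name: Require Re-Authentication When Using the sudo Command - Remove 'Defaults timestamp_timeout' from /etc/sudoers.d/* files
  # Deleting whole lines from a drop-in can leave it unparsable; validate each
  # edited file with visudo, as the other sudoers edits in this play already do.
  ansible.builtin.lineinfile:
    path: '{{ item.path }}'
    regexp: ^[\s]*Defaults\s.*\btimestamp_timeout[\s]*=.*
    state: absent
    validate: /usr/sbin/visudo -cf %s
  with_items: '{{ sudoers_d_defaults_timestamp_timeout.files }}'
  when:
    - DISA_STIG_RHEL_09_432015 | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - sudo_require_reauthentication | bool
    - '"kernel-core" in ansible_facts.packages'
    - '"sudo" in ansible_facts.packages'
  tags:
    - CCE-90029-0
    - DISA-STIG-RHEL-09-432015
    - NIST-800-53-IA-11
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
    - sudo_require_reauthentication

- name: Require Re-Authentication When Using the sudo Command - Ensure timestamp_timeout has the appropriate value in /etc/sudoers
  # backrefs keeps any other options that share the Defaults line (\1, \2);
  # lineinfile only rewrites the last match, the task after next removes others.
  ansible.builtin.lineinfile:
    path: /etc/sudoers
    regexp: ^[\s]*Defaults\s(.*)\btimestamp_timeout[\s]*=[\s]*[-]?\w+\b(.*)$
    line: Defaults \1timestamp_timeout={{ var_sudo_timestamp_timeout }}\2
    validate: /usr/sbin/visudo -cf %s
    backrefs: true
  register: edit_sudoers_timestamp_timeout_option
  when:
    - DISA_STIG_RHEL_09_432015 | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - sudo_require_reauthentication | bool
    - '"kernel-core" in ansible_facts.packages'
    - '"sudo" in ansible_facts.packages'
  tags:
    - CCE-90029-0
    - DISA-STIG-RHEL-09-432015
    - NIST-800-53-IA-11
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
    - sudo_require_reauthentication

- name: Require Re-Authentication When Using the sudo Command - Enable timestamp_timeout option with correct value in /etc/sudoers
  # Appended only when the in-place edit above did not change anything, i.e.
  # no timestamp_timeout setting existed yet.
  ansible.builtin.lineinfile:
    path: /etc/sudoers
    line: Defaults timestamp_timeout={{ var_sudo_timestamp_timeout }}
    validate: /usr/sbin/visudo -cf %s
  when:
    - DISA_STIG_RHEL_09_432015 | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - sudo_require_reauthentication | bool
    - '"kernel-core" in ansible_facts.packages'
    - '"sudo" in ansible_facts.packages'
    - 'edit_sudoers_timestamp_timeout_option is defined and not edit_sudoers_timestamp_timeout_option.changed '
  tags:
    - CCE-90029-0
    - DISA-STIG-RHEL-09-432015
    - NIST-800-53-IA-11
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
    - sudo_require_reauthentication

- name: Require Re-Authentication When Using the sudo Command - Remove timestamp_timeout wrong values in /etc/sudoers
  # Removes every remaining Defaults line whose timestamp_timeout differs from
  # the wanted value. The variable is interpolated into the lookahead
  # unescaped; it is expected to be a plain integer (a negative value such as
  # -1 disables the timeout entirely and would defeat this rule).
  ansible.builtin.lineinfile:
    path: /etc/sudoers
    regexp: ^[\s]*Defaults\s.*\btimestamp_timeout[\s]*=[\s]*(?!{{ var_sudo_timestamp_timeout }}\b)[-]?\w+\b.*$
    state: absent
    validate: /usr/sbin/visudo -cf %s
  when:
    - DISA_STIG_RHEL_09_432015 | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - sudo_require_reauthentication | bool
    - '"kernel-core" in ansible_facts.packages'
    - '"sudo" in ansible_facts.packages'
  tags:
    - CCE-90029-0
    - DISA-STIG-RHEL-09-432015
    - NIST-800-53-IA-11
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
    - sudo_require_reauthentication

# Rule ensure_gpgcheck_globally_activated (CCE-83457-2): package signature
# verification is the supply-chain control for everything dnf installs.
# create: false — if dnf.conf is missing, fail loudly rather than fabricate it.
- name: Ensure GPG check is globally activated
  community.general.ini_file:
    dest: /etc/dnf/dnf.conf
    section: main
    option: gpgcheck
    value: '1'
    no_extra_spaces: true
    create: false
  when:
    - DISA_STIG_RHEL_09_214015 | bool
    - configure_strategy | bool
    - ensure_gpgcheck_globally_activated | bool
    - high_severity | bool
    - low_complexity | bool
    - medium_disruption | bool
    - no_reboot_needed | bool
    - '"dnf" in ansible_facts.packages'
  tags:
    - CCE-83457-2
    - CJIS-5.10.4.1
    - DISA-STIG-RHEL-09-214015
    - NIST-800-171-3.4.8
    - NIST-800-53-CM-11(a)
    - NIST-800-53-CM-11(b)
    - NIST-800-53-CM-5(3)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-SA-12
    - NIST-800-53-SA-12(10)
    - NIST-800-53-SC-12
    - NIST-800-53-SC-12(3)
    - NIST-800-53-SI-7
    - PCI-DSS-Req-6.2
    - PCI-DSSv4-6.3
    - PCI-DSSv4-6.3.3
    - configure_strategy
    - ensure_gpgcheck_globally_activated
    - high_severity
    - low_complexity
    - medium_disruption
    - no_reboot_needed

# Rule ensure_gpgcheck_never_disabled (CCE-83464-8): a per-repo gpgcheck=0
# overrides the global setting, so every [section] of every .repo is forced.
- name: Grep for dnf repo section names
  # The two shell statements must be on separate lines: collapsed onto one
  # line, `set -o pipefail grep ...` is a single (failing) set invocation.
  # pipefail is a bash option, so pin the interpreter explicitly.
  # rc 1 from grep means "no sections found" and is not an error.
  ansible.builtin.shell:
    cmd: |-
      set -o pipefail
      grep -HEr '^\[.+\]' -r /etc/yum.repos.d/
    executable: /bin/bash
  register: repo_grep_results
  failed_when: repo_grep_results.rc not in [0, 1]
  changed_when: false
  when:
    - DISA_STIG_RHEL_09_214025 | bool
    - enable_strategy | bool
    - ensure_gpgcheck_never_disabled | bool
    - high_severity | bool
    - low_complexity | bool
    - medium_disruption | bool
    - no_reboot_needed | bool
  tags:
    - CCE-83464-8
    - CJIS-5.10.4.1
    - DISA-STIG-RHEL-09-214025
    - NIST-800-171-3.4.8
    - NIST-800-53-CM-11(a)
    - NIST-800-53-CM-11(b)
    - NIST-800-53-CM-5(3)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-SA-12
    - NIST-800-53-SA-12(10)
    - NIST-800-53-SC-12
    - NIST-800-53-SC-12(3)
    - NIST-800-53-SI-7
    - PCI-DSS-Req-6.2
    - PCI-DSSv4-6.3
    - PCI-DSSv4-6.3.3
    - enable_strategy
    - ensure_gpgcheck_never_disabled
    - high_severity
    - low_complexity
    - medium_disruption
    - no_reboot_needed

- name: Set gpgcheck=1 for each dnf repo
  # item[0] is the .repo path and item[1] the section name, both parsed from
  # grep's `file:[section]` output lines.
  community.general.ini_file:
    path: '{{ item[0] }}'
    section: '{{ item[1] }}'
    option: gpgcheck
    value: '1'
    no_extra_spaces: true
  loop: '{{ repo_grep_results.stdout |regex_findall( ''(.+\.repo):\[(.+)\]\n?'' ) if repo_grep_results is not skipped else [] }}'
  when:
    - DISA_STIG_RHEL_09_214025 | bool
    - enable_strategy | bool
    - ensure_gpgcheck_never_disabled | bool
    - high_severity | bool
    - low_complexity | bool
    - medium_disruption | bool
    - no_reboot_needed | bool
    - repo_grep_results is not skipped
  tags:
    - CCE-83464-8
    - CJIS-5.10.4.1
    - DISA-STIG-RHEL-09-214025
    - NIST-800-171-3.4.8
    - NIST-800-53-CM-11(a)
    - NIST-800-53-CM-11(b)
    - NIST-800-53-CM-5(3)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-SA-12
    - NIST-800-53-SA-12(10)
    - NIST-800-53-SC-12
    - NIST-800-53-SC-12(3)
    - NIST-800-53-SI-7
    - PCI-DSS-Req-6.2
    - PCI-DSSv4-6.3
    - PCI-DSSv4-6.3.3
    - enable_strategy
    - ensure_gpgcheck_never_disabled
    - high_severity
    - low_complexity
    - medium_disruption
    - no_reboot_needed

# Rule enable_authselect (CCE-89732-2). Flow: if no profile is active, try a
# plain `authselect select`; if that refuses because the PAM files were hand
# edited, only force it when `rpm -qV pam` proves the package files are still
# pristine — otherwise assert fails so local PAM customisations are not
# silently overwritten.
- name: Enable authselect - Check Current authselect Profile
  ansible.builtin.command:
    cmd: authselect current
  register: result_authselect_current
  changed_when: false
  failed_when: false
  when:
    - DISA_STIG_needed_rules | bool
    - configure_strategy | bool
    - enable_authselect | bool
    - low_complexity | bool
    - medium_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-89732-2
    - DISA-STIG-needed_rules
    - NIST-800-53-AC-3
    - PCI-DSSv4-8.3
    - PCI-DSSv4-8.3.4
    - configure_strategy
    - enable_authselect
    - low_complexity
    - medium_disruption
    - medium_severity
    - no_reboot_needed

- name: Enable authselect - Try to Select an authselect Profile
  # command (not shell): the profile name is split by shlex, never by a shell.
  ansible.builtin.command:
    cmd: authselect select "{{ var_authselect_profile }}"
  register: result_authselect_select
  changed_when: result_authselect_select.rc == 0
  failed_when: false
  when:
    - DISA_STIG_needed_rules | bool
    - configure_strategy | bool
    - enable_authselect | bool
    - low_complexity | bool
    - medium_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - '"kernel-core" in ansible_facts.packages'
    - result_authselect_current.rc != 0
  tags:
    - CCE-89732-2
    - DISA-STIG-needed_rules
    - NIST-800-53-AC-3
    - PCI-DSSv4-8.3
    - PCI-DSSv4-8.3.4
    - configure_strategy
    - enable_authselect
    - low_complexity
    - medium_disruption
    - medium_severity
    - no_reboot_needed

- name: Enable authselect - Verify If pam Has Been Altered
  ansible.builtin.command:
    cmd: rpm -qV pam
  register: result_altered_authselect
  changed_when: false
  failed_when: false
  when:
    - DISA_STIG_needed_rules | bool
    - configure_strategy | bool
    - enable_authselect | bool
    - low_complexity | bool
    - medium_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - '"kernel-core" in ansible_facts.packages'
    - result_authselect_select is not skipped
    - result_authselect_select.rc != 0
  tags:
    - CCE-89732-2
    - DISA-STIG-needed_rules
    - NIST-800-53-AC-3
    - PCI-DSSv4-8.3
    - PCI-DSSv4-8.3.4
    - configure_strategy
    - enable_authselect
    - low_complexity
    - medium_disruption
    - medium_severity
    - no_reboot_needed

- name: Enable authselect - Informative Message Based on authselect Integrity Check
  ansible.builtin.assert:
    that:
      - result_authselect_current.rc == 0 or result_altered_authselect is skipped or result_altered_authselect.rc == 0
    fail_msg:
      - authselect is not used but files from the 'pam' package have been altered, so the authselect configuration won't be forced.
  when:
    - DISA_STIG_needed_rules | bool
    - configure_strategy | bool
    - enable_authselect | bool
    - low_complexity | bool
    - medium_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-89732-2
    - DISA-STIG-needed_rules
    - NIST-800-53-AC-3
    - PCI-DSSv4-8.3
    - PCI-DSSv4-8.3.4
    - configure_strategy
    - enable_authselect
    - low_complexity
    - medium_disruption
    - medium_severity
    - no_reboot_needed

- name: Enable authselect - Force authselect Profile Selection
  # --force overwrites the PAM/nsswitch files; reached only when the package
  # files verified clean, so nothing hand-written is lost.
  ansible.builtin.command:
    cmd: authselect select --force "{{ var_authselect_profile }}"
  when:
    - DISA_STIG_needed_rules | bool
    - configure_strategy | bool
    - enable_authselect | bool
    - low_complexity | bool
    - medium_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - '"kernel-core" in ansible_facts.packages'
    - result_authselect_current.rc != 0
    - result_authselect_select.rc != 0
    - result_altered_authselect.rc == 0
  tags:
    - CCE-89732-2
    - DISA-STIG-needed_rules
    - NIST-800-53-AC-3
    - PCI-DSSv4-8.3
    - PCI-DSSv4-8.3.4
    - configure_strategy
    - enable_authselect
    - low_complexity
    - medium_disruption
    - medium_severity
    - no_reboot_needed

# CIS login banners. Only the content is written here; ownership and mode of
# the three files are enforced by the file_owner_*/file_groupowner_*/
# file_permissions_* tasks that follow.
- name: Ensure Local Login Warning Banner Is Configured Properly - Copy using inline content
  ansible.builtin.copy:
    content: '{{ cis_banner_text }}'
    dest: /etc/issue
  when:
    - banner_etc_issue_cis | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-86142-7
    - banner_etc_issue_cis
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Ensure Remote Login Warning Banner Is Configured Properly - Copy using inline content
  ansible.builtin.copy:
    content: '{{ cis_banner_text }}'
    dest: /etc/issue.net
  when:
    - banner_etc_issue_net_cis | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-86143-5
    - banner_etc_issue_net_cis
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Ensure Message Of The Day Is Configured Properly - Copy using inline content
  ansible.builtin.copy:
    content: '{{ cis_banner_text }}'
    dest: /etc/motd
  when:
    - banner_etc_motd_cis | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-86141-9
    - banner_etc_motd_cis
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

# Group ownership of the banner files -> gid 0 (root). Each rule is the same
# three steps: resolve the target, stat the file, change it only if it exists.
# follow: false so a symlinked banner cannot redirect the chgrp elsewhere.
- name: Set the file_groupowner_etc_issue_newgroup variable if represented by gid
  ansible.builtin.set_fact:
    file_groupowner_etc_issue_newgroup: '0'
  when:
    - configure_strategy | bool
    - file_groupowner_etc_issue | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
  tags:
    - CCE-86699-6
    - configure_strategy
    - file_groupowner_etc_issue
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Test for existence /etc/issue
  ansible.builtin.stat:
    path: /etc/issue
  register: file_exists
  when:
    - configure_strategy | bool
    - file_groupowner_etc_issue | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
  tags:
    - CCE-86699-6
    - configure_strategy
    - file_groupowner_etc_issue
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Ensure group owner on /etc/issue
  ansible.builtin.file:
    path: /etc/issue
    follow: false
    group: '{{ file_groupowner_etc_issue_newgroup }}'
  when:
    - configure_strategy | bool
    - file_groupowner_etc_issue | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - file_exists.stat is defined and file_exists.stat.exists
  tags:
    - CCE-86699-6
    - configure_strategy
    - file_groupowner_etc_issue
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Set the file_groupowner_etc_issue_net_newgroup variable if represented by gid
  ansible.builtin.set_fact:
    file_groupowner_etc_issue_net_newgroup: '0'
  when:
    - configure_strategy | bool
    - file_groupowner_etc_issue_net | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
  tags:
    - CCE-86052-8
    - PCI-DSSv4-1.2
    - PCI-DSSv4-1.2.8
    - configure_strategy
    - file_groupowner_etc_issue_net
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Test for existence /etc/issue.net
  ansible.builtin.stat:
    path: /etc/issue.net
  register: file_exists
  when:
    - configure_strategy | bool
    - file_groupowner_etc_issue_net | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
  tags:
    - CCE-86052-8
    - PCI-DSSv4-1.2
    - PCI-DSSv4-1.2.8
    - configure_strategy
    - file_groupowner_etc_issue_net
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Ensure group owner on /etc/issue.net
  ansible.builtin.file:
    path: /etc/issue.net
    follow: false
    group: '{{ file_groupowner_etc_issue_net_newgroup }}'
  when:
    - configure_strategy | bool
    - file_groupowner_etc_issue_net | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - file_exists.stat is defined and file_exists.stat.exists
  tags:
    - CCE-86052-8
    - PCI-DSSv4-1.2
    - PCI-DSSv4-1.2.8
    - configure_strategy
    - file_groupowner_etc_issue_net
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Set the file_groupowner_etc_motd_newgroup variable if represented by gid
  ansible.builtin.set_fact:
    file_groupowner_etc_motd_newgroup: '0'
  when:
    - configure_strategy | bool
    - file_groupowner_etc_motd | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
  tags:
    - CCE-86697-0
    - configure_strategy
    - file_groupowner_etc_motd
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Test for existence /etc/motd
  ansible.builtin.stat:
    path: /etc/motd
  register: file_exists
  when:
    - configure_strategy | bool
    - file_groupowner_etc_motd | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
  tags:
    - CCE-86697-0
    - configure_strategy
    - file_groupowner_etc_motd
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Ensure group owner on /etc/motd
  ansible.builtin.file:
    path: /etc/motd
    follow: false
    group: '{{ file_groupowner_etc_motd_newgroup }}'
  when:
    - configure_strategy | bool
    - file_groupowner_etc_motd | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - file_exists.stat is defined and file_exists.stat.exists
  tags:
    - CCE-86697-0
    - configure_strategy
    - file_groupowner_etc_motd
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

# Ownership of the banner files -> uid 0 (root); same three-step pattern.
- name: Set the file_owner_etc_issue_newown variable if represented by uid
  ansible.builtin.set_fact:
    file_owner_etc_issue_newown: '0'
  when:
    - configure_strategy | bool
    - file_owner_etc_issue | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
  tags:
    - CCE-86700-2
    - configure_strategy
    - file_owner_etc_issue
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Test for existence /etc/issue
  ansible.builtin.stat:
    path: /etc/issue
  register: file_exists
  when:
    - configure_strategy | bool
    - file_owner_etc_issue | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
  tags:
    - CCE-86700-2
    - configure_strategy
    - file_owner_etc_issue
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Ensure owner on /etc/issue
  ansible.builtin.file:
    path: /etc/issue
    follow: false
    owner: '{{ file_owner_etc_issue_newown }}'
  when:
    - configure_strategy | bool
    - file_owner_etc_issue | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - file_exists.stat is defined and file_exists.stat.exists
  tags:
    - CCE-86700-2
    - configure_strategy
    - file_owner_etc_issue
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Set the file_owner_etc_issue_net_newown variable if represented by uid
  ansible.builtin.set_fact:
    file_owner_etc_issue_net_newown: '0'
  when:
    - configure_strategy | bool
    - file_owner_etc_issue_net | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
  tags:
    - CCE-86057-7
    - PCI-DSSv4-1.2
    - PCI-DSSv4-1.2.8
    - configure_strategy
    - file_owner_etc_issue_net
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Test for existence /etc/issue.net
  ansible.builtin.stat:
    path: /etc/issue.net
  register: file_exists
  when:
    - configure_strategy | bool
    - file_owner_etc_issue_net | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
  tags:
    - CCE-86057-7
    - PCI-DSSv4-1.2
    - PCI-DSSv4-1.2.8
    - configure_strategy
    - file_owner_etc_issue_net
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Ensure owner on /etc/issue.net
  ansible.builtin.file:
    path: /etc/issue.net
    follow: false
    owner: '{{ file_owner_etc_issue_net_newown }}'
  when:
    - configure_strategy | bool
    - file_owner_etc_issue_net | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - file_exists.stat is defined and file_exists.stat.exists
  tags:
    - CCE-86057-7
    - PCI-DSSv4-1.2
    - PCI-DSSv4-1.2.8
    - configure_strategy
    - file_owner_etc_issue_net
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Set the file_owner_etc_motd_newown variable if represented by uid
  ansible.builtin.set_fact:
    file_owner_etc_motd_newown: '0'
  when:
    - configure_strategy | bool
    - file_owner_etc_motd | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
  tags:
    - CCE-86698-8
    - configure_strategy
    - file_owner_etc_motd
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Test for existence /etc/motd
  ansible.builtin.stat:
    path: /etc/motd
  register: file_exists
  when:
    - configure_strategy | bool
    - file_owner_etc_motd | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
  tags:
    - CCE-86698-8
    - configure_strategy
    - file_owner_etc_motd
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Ensure owner on /etc/motd
  ansible.builtin.file:
    path: /etc/motd
    follow: false
    owner: '{{ file_owner_etc_motd_newown }}'
  when:
    - configure_strategy | bool
    - file_owner_etc_motd | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - file_exists.stat is defined and file_exists.stat.exists
  tags:
    - CCE-86698-8
    - configure_strategy
    - file_owner_etc_motd
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

# Permissions of the banner files: strip exec, setuid/setgid, sticky and
# group/other write (symbolic mode, so existing read bits are untouched).
- name: Test for existence /etc/issue
  ansible.builtin.stat:
    path: /etc/issue
  register: file_exists
  when:
    - configure_strategy | bool
    - file_permissions_etc_issue | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
  tags:
    - CCE-83551-2
    - configure_strategy
    - file_permissions_etc_issue
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Ensure permission u-xs,g-xws,o-xwt on /etc/issue
  ansible.builtin.file:
    path: /etc/issue
    mode: u-xs,g-xws,o-xwt
  when:
    - configure_strategy | bool
    - file_permissions_etc_issue | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - file_exists.stat is defined and file_exists.stat.exists
  tags:
    - CCE-83551-2
    - configure_strategy
    - file_permissions_etc_issue
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Test for existence /etc/issue.net
  ansible.builtin.stat:
    path: /etc/issue.net
  register: file_exists
  when:
    - configure_strategy | bool
    - file_permissions_etc_issue_net | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
  tags:
    - CCE-86048-6
    - PCI-DSSv4-1.2
    - PCI-DSSv4-1.2.8
    - configure_strategy
    - file_permissions_etc_issue_net
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Ensure permission u-xs,g-xws,o-xwt on /etc/issue.net
  ansible.builtin.file:
    path: /etc/issue.net
    mode: u-xs,g-xws,o-xwt
  when:
    - configure_strategy | bool
    - file_permissions_etc_issue_net | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - file_exists.stat is defined and file_exists.stat.exists
  tags:
    - CCE-86048-6
    - PCI-DSSv4-1.2
    - PCI-DSSv4-1.2.8
    - configure_strategy
    - file_permissions_etc_issue_net
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Test for existence /etc/motd
  ansible.builtin.stat:
    path: /etc/motd
  register: file_exists
  when:
    - configure_strategy | bool
    - file_permissions_etc_motd | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
  tags:
    - CCE-83554-6
    - configure_strategy
    - file_permissions_etc_motd
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Ensure permission u-xs,g-xws,o-xwt on /etc/motd
  ansible.builtin.file:
    path: /etc/motd
    mode: u-xs,g-xws,o-xwt
  when:
    - configure_strategy | bool
    - file_permissions_etc_motd | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - file_exists.stat is defined and file_exists.stat.exists
  tags:
    - CCE-83554-6
    - configure_strategy
    - file_permissions_etc_motd
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

# Rule dconf_gnome_banner_enabled (CCE-87599-7): turn the GDM banner on in the
# system dconf database and lock the key so a user session cannot flip it.
# `dconf update` is only run when one of the two edits actually changed.
- name: Enable GNOME3 Login Warning Banner
  community.general.ini_file:
    dest: /etc/dconf/db/distro.d/00-security-settings
    section: org/gnome/login-screen
    option: banner-message-enable
    value: 'true'
    create: true
    no_extra_spaces: true
  register: result_ini
  when:
    - DISA_STIG_RHEL_09_271010 | bool
    - DISA_STIG_RHEL_09_271015 | bool
    - dconf_gnome_banner_enabled | bool
    - low_complexity | bool
    - medium_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - unknown_strategy | bool
    - '"gdm" in ansible_facts.packages'
  tags:
    - CCE-87599-7
    - DISA-STIG-RHEL-09-271010
    - DISA-STIG-RHEL-09-271015
    - NIST-800-171-3.1.9
    - NIST-800-53-AC-8(a)
    - NIST-800-53-AC-8(b)
    - NIST-800-53-AC-8(c)
    - dconf_gnome_banner_enabled
    - low_complexity
    - medium_disruption
    - medium_severity
    - no_reboot_needed
    - unknown_strategy

- name: Prevent user modification of GNOME banner-message-enabled
  ansible.builtin.lineinfile:
    path: /etc/dconf/db/distro.d/locks/00-security-settings-lock
    regexp: ^/org/gnome/login-screen/banner-message-enable$
    line: /org/gnome/login-screen/banner-message-enable
    create: true
  register: result_lineinfile
  when:
    - DISA_STIG_RHEL_09_271010 | bool
    - DISA_STIG_RHEL_09_271015 | bool
    - dconf_gnome_banner_enabled | bool
    - low_complexity | bool
    - medium_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - unknown_strategy | bool
    - '"gdm" in ansible_facts.packages'
  tags:
    - CCE-87599-7
    - DISA-STIG-RHEL-09-271010
    - DISA-STIG-RHEL-09-271015
    - NIST-800-171-3.1.9
    - NIST-800-53-AC-8(a)
    - NIST-800-53-AC-8(b)
    - NIST-800-53-AC-8(c)
    - dconf_gnome_banner_enabled
    - low_complexity
    - medium_disruption
    - medium_severity
    - no_reboot_needed
    - unknown_strategy

- name: Dconf Update
  ansible.builtin.command: dconf update
  when:
    - DISA_STIG_RHEL_09_271010 | bool
    - DISA_STIG_RHEL_09_271015 | bool
    - dconf_gnome_banner_enabled | bool
    - low_complexity | bool
    - medium_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - unknown_strategy | bool
    - '"gdm" in ansible_facts.packages'
    - result_ini is changed or result_lineinfile is changed
  tags:
    - CCE-87599-7
    - DISA-STIG-RHEL-09-271010
    - DISA-STIG-RHEL-09-271015
    - NIST-800-171-3.1.9
    - NIST-800-53-AC-8(a)
    - NIST-800-53-AC-8(b)
    - NIST-800-53-AC-8(c)
    - dconf_gnome_banner_enabled
    - low_complexity
    - medium_disruption
    - medium_severity
    - no_reboot_needed
    - unknown_strategy

# Rule dconf_gnome_login_banner_text (CCE-86529-5).
- name: Set the GNOME3 Login Warning Banner Text
  # Modes were serialised as the decimal ints 493/420 in the collapsed source
  # (the YAML 1.1 octal trap); the quoted octal strings are the same bits and
  # are unambiguous to both the reader and the file module.
  ansible.builtin.file:
    path: /etc/dconf/db/{{ item }}
    owner: root
    group: root
    mode: '0755'
    state: directory
  with_items:
    - distro.d
    - distro.d/locks
  when:
    - DISA_STIG_RHEL_09_171011 | bool
    - dconf_gnome_login_banner_text | bool
    - low_complexity | bool
    - medium_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - unknown_strategy | bool
    - '"gdm" in ansible_facts.packages'
  tags:
    - CCE-86529-5
    - DISA-STIG-RHEL-09-171011
    - NIST-800-171-3.1.9
    - NIST-800-53-AC-8(a)
    - NIST-800-53-AC-8(c)
    - dconf_gnome_login_banner_text
    - low_complexity
    - medium_disruption
    - medium_severity
    - no_reboot_needed
    - unknown_strategy

- name: Set the GNOME3 Login Warning Banner Text
  # state: touch alone reports "changed" on every run and bumps the timestamps;
  # preserving atime/mtime makes the task idempotent — it only creates the file
  # when missing and fixes owner/group/mode.
  ansible.builtin.file:
    path: /etc/dconf/db/distro.d/{{ item }}
    owner: root
    group: root
    mode: '0644'
    state: touch
    access_time: preserve
    modification_time: preserve
  with_items:
    - 00-security-settings
    - locks/00-security-settings-lock
  when:
    - DISA_STIG_RHEL_09_171011 | bool
    - dconf_gnome_login_banner_text | bool
    - low_complexity | bool
    - medium_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - unknown_strategy | bool
    - '"gdm" in ansible_facts.packages'
  tags:
    - CCE-86529-5
    - DISA-STIG-RHEL-09-171011
    - NIST-800-171-3.1.9
    - NIST-800-53-AC-8(a)
    - NIST-800-53-AC-8(c)
    - dconf_gnome_login_banner_text
    - low_complexity
    - medium_disruption
    - medium_severity
    - no_reboot_needed
    - unknown_strategy

- name: Set the GNOME3 Login Warning Banner Text
  # The filter chain turns the regex-shaped login_banner_text (anchors,
  # alternation, whitespace classes) back into the literal, single-quoted
  # GVariant string dconf expects, with real "\n" line breaks.
  community.general.ini_file:
    dest: /etc/dconf/db/distro.d/00-security-settings
    section: org/gnome/login-screen
    option: banner-message-text
    value: '''{{ login_banner_text | regex_replace("^\^(.*)\$$", "\1") | regex_replace("^\((.*\.)\|.*\)$", "\1") | regex_replace("\[\\s\\n\]\+"," ") | regex_replace("\(\?:\[\\n\]\+\|\(\?:\\\\n\)\+\)", "(n)*") | regex_replace("\\", "") | regex_replace("\(n\)\*", "\\n") }}'''
    create: true
    no_extra_spaces: true
  register: result_ini
  when:
    - DISA_STIG_RHEL_09_171011 | bool
    - dconf_gnome_login_banner_text | bool
    - low_complexity | bool
    - medium_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - unknown_strategy | bool
    - '"gdm" in ansible_facts.packages'
  tags:
    - CCE-86529-5
    - DISA-STIG-RHEL-09-171011
    - NIST-800-171-3.1.9
    - NIST-800-53-AC-8(a)
    - NIST-800-53-AC-8(c)
    - dconf_gnome_login_banner_text
    - low_complexity
    - medium_disruption
    - medium_severity
    - no_reboot_needed
    - unknown_strategy

- name: Prevent user modification of the GNOME3 Login Warning Banner Text
  ansible.builtin.lineinfile:
    path: /etc/dconf/db/distro.d/locks/00-security-settings-lock
    regexp: ^/org/gnome/login-screen/banner-message-text$
    line: /org/gnome/login-screen/banner-message-text
    create: true
    state: present
  register: result_lineinfile
  when:
    - DISA_STIG_RHEL_09_171011 | bool
    - dconf_gnome_login_banner_text | bool
    - low_complexity | bool
    - medium_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - unknown_strategy | bool
    - '"gdm" in ansible_facts.packages'
  tags:
    - CCE-86529-5
    - DISA-STIG-RHEL-09-171011
    - NIST-800-171-3.1.9
    - NIST-800-53-AC-8(a)
    - NIST-800-53-AC-8(c)
    - dconf_gnome_login_banner_text
    - low_complexity
    - medium_disruption
    - medium_severity
    - no_reboot_needed
    - unknown_strategy

- name: Dconf Update
  ansible.builtin.command: dconf update
  when:
    - DISA_STIG_RHEL_09_171011 | bool
    - dconf_gnome_login_banner_text | bool
    - low_complexity | bool
    - medium_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - unknown_strategy | bool
    - '"gdm" in ansible_facts.packages'
    - result_ini is changed or result_lineinfile is changed
  tags:
    - CCE-86529-5
    - DISA-STIG-RHEL-09-171011
    - NIST-800-171-3.1.9
    - NIST-800-53-AC-8(a)
    - NIST-800-53-AC-8(c)
    - dconf_gnome_login_banner_text
    - low_complexity
    - medium_disruption
    - medium_severity
    - no_reboot_needed
    - unknown_strategy

# Rule account_password_pam_faillock_password_auth (CCE-86932-1). On a host
# managed by authselect the PAM stack must never be edited by hand, so the
# `with-faillock` feature is enabled through the tool; the manual block is only
# for hosts without authselect.
- name: Configure the Use of the pam_faillock.so Module in the /etc/pam.d/password-auth File. - Check if system relies on authselect tool
  ansible.builtin.stat:
    path: /usr/bin/authselect
  register: result_authselect_present
  when:
    - DISA_STIG_RHEL_09_611035 | bool
    - account_password_pam_faillock_password_auth | bool
    - enable_strategy | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-86932-1
    - DISA-STIG-RHEL-09-611035
    - NIST-800-53-AC-7 (a)
    - account_password_pam_faillock_password_auth
    - enable_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Configure the Use of the pam_faillock.so Module in the /etc/pam.d/password-auth File. - Remediation where authselect tool is present
  block:
    - name: Configure the Use of the pam_faillock.so Module in the /etc/pam.d/password-auth File. - Check integrity of authselect current profile
      ansible.builtin.command:
        cmd: authselect check
      register: result_authselect_check_cmd
      changed_when: false
      check_mode: false
      failed_when: false

    - name: Configure the Use of the pam_faillock.so Module in the /etc/pam.d/password-auth File. - Informative message based on the authselect integrity check result
      # Abort rather than edit a profile that is unselected or tampered with;
      # the check is skipped in check mode where the command did not run.
      ansible.builtin.assert:
        that:
          - ansible_check_mode or result_authselect_check_cmd.rc == 0
        fail_msg:
          - authselect integrity check failed. Remediation aborted!
          - This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
          - It is not recommended to manually edit the PAM files when authselect tool is available.
          - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended.
        success_msg:
          - authselect integrity check passed

    - name: Configure the Use of the pam_faillock.so Module in the /etc/pam.d/password-auth File. - Get authselect current features
      # `authselect current` prints the profile on the first two lines and one
      # "- <feature>" per line after that; the pipeline keeps the feature names.
      ansible.builtin.shell:
        cmd: authselect current | tail -n+3 | awk '{ print $2 }'
      register: result_authselect_features
      changed_when: false
      check_mode: false
      when:
        - result_authselect_check_cmd is success

    - name: Configure the Use of the pam_faillock.so Module in the /etc/pam.d/password-auth File. - Ensure "with-faillock" feature is enabled using authselect tool
      ansible.builtin.command:
        cmd: authselect enable-feature with-faillock
      register: result_authselect_enable_feature_cmd
      when:
        - result_authselect_check_cmd is success
        - result_authselect_features.stdout is not search("with-faillock")

    - name: Configure the Use of the pam_faillock.so Module in the /etc/pam.d/password-auth File. - Ensure authselect changes are applied
      # -b backs up the current PAM files before they are regenerated.
      ansible.builtin.command:
        cmd: authselect apply-changes -b
      when:
        - result_authselect_enable_feature_cmd is not skipped
        - result_authselect_enable_feature_cmd is success
  when:
    - DISA_STIG_RHEL_09_611035 | bool
    - account_password_pam_faillock_password_auth | bool
    - enable_strategy | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - '"kernel-core" in ansible_facts.packages'
    - result_authselect_present.stat.exists
  tags:
    - CCE-86932-1
    - DISA-STIG-RHEL-09-611035
    - NIST-800-53-AC-7 (a)
    - account_password_pam_faillock_password_auth
    - enable_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Configure the Use of the pam_faillock.so Module in the /etc/pam.d/password-auth File. - Remediation where authselect tool is not present
  block:
    - name: Configure the Use of the pam_faillock.so Module in the /etc/pam.d/password-auth File. - Check if pam_faillock.so is already enabled
      # The original probe looked only at system-auth and then gated the edits
      # to BOTH files on that single answer, so a host whose system-auth already
      # had faillock but whose password-auth did not was left unremediated for
      # the very file this rule is about. Probe each file and gate per file.
      # check_mode + state: absent is a dry-run match count: `found` is the
      # number of existing faillock auth lines, nothing is removed.
      ansible.builtin.lineinfile:
        path: '{{ item }}'
        regexp: .*auth.*pam_faillock\.so (preauth|authfail)
        state: absent
      check_mode: true
      changed_when: false
      loop:
        - /etc/pam.d/system-auth
        - /etc/pam.d/password-auth
      register: result_pam_faillock_is_enabled

    - name: Configure the Use of the pam_faillock.so Module in the /etc/pam.d/password-auth File. - Enable pam_faillock.so preauth editing PAM files
      # item.item is the probed path, item.found its match count.
      ansible.builtin.lineinfile:
        path: '{{ item.item }}'
        line: auth required pam_faillock.so preauth
        insertbefore: ^auth.*sufficient.*pam_unix\.so.*
        state: present
      loop: '{{ result_pam_faillock_is_enabled.results }}'
      loop_control:
        label: '{{ item.item }}'
      when:
        - item.found == 0

    - name: Configure the Use of the pam_faillock.so Module in the /etc/pam.d/password-auth File. - Enable pam_faillock.so authfail editing PAM files
      ansible.builtin.lineinfile:
        path: '{{ item.item }}'
        line: auth required pam_faillock.so authfail
        insertbefore: ^auth.*required.*pam_deny\.so.*
        state: present
      loop: '{{ result_pam_faillock_is_enabled.results }}'
      loop_control:
        label: '{{ item.item }}'
      when:
        - item.found == 0

    - name: Configure the Use of the pam_faillock.so Module in the /etc/pam.d/password-auth File. - Enable pam_faillock.so account section editing PAM files
      ansible.builtin.lineinfile:
        path: '{{ item.item }}'
        line: account required pam_faillock.so
        insertbefore: ^account.*required.*pam_unix\.so.*
        state: present
      loop: '{{ result_pam_faillock_is_enabled.results }}'
      loop_control:
        label: '{{ item.item }}'
      when:
        - item.found == 0
  when:
    - DISA_STIG_RHEL_09_611035 | bool
    - account_password_pam_faillock_password_auth | bool
    - enable_strategy | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - '"kernel-core" in ansible_facts.packages'
    - not result_authselect_present.stat.exists
  tags:
    - CCE-86932-1
    - DISA-STIG-RHEL-09-611035
    - NIST-800-53-AC-7 (a)
    - account_password_pam_faillock_password_auth
    - enable_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

# NOTE(review): the next rule's first task is cut here at the chunk boundary;
# the rest of its name and its body continue below this chunk.
- name: Configure the Use of the pam_faillock.so Module in the /etc/pam.d/system-auth File.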
- Check if system relies on authselect tool ansible.builtin.stat: path: /usr/bin/authselect register: result_authselect_present when: - DISA_STIG_RHEL_09_611030 | bool - account_password_pam_faillock_system_auth | bool - enable_strategy | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-86917-2 - DISA-STIG-RHEL-09-611030 - NIST-800-53-AC-7 (a) - account_password_pam_faillock_system_auth - enable_strategy - low_complexity - low_disruption - medium_severity - no_reboot_needed - name: Configure the Use of the pam_faillock.so Module in the /etc/pam.d/system-auth File. - Remediation where authselect tool is present block: - name: Configure the Use of the pam_faillock.so Module in the /etc/pam.d/system-auth File. - Check integrity of authselect current profile ansible.builtin.command: cmd: authselect check register: result_authselect_check_cmd changed_when: false check_mode: false failed_when: false - name: Configure the Use of the pam_faillock.so Module in the /etc/pam.d/system-auth File. - Informative message based on the authselect integrity check result ansible.builtin.assert: that: - ansible_check_mode or result_authselect_check_cmd.rc == 0 fail_msg: - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. - It is not recommended to manually edit the PAM files when authselect tool is available. - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended. success_msg: - authselect integrity check passed - name: Configure the Use of the pam_faillock.so Module in the /etc/pam.d/system-auth File. 
- Get authselect current features ansible.builtin.shell: cmd: authselect current | tail -n+3 | awk '{ print $2 }' register: result_authselect_features changed_when: false check_mode: false when: - result_authselect_check_cmd is success - name: Configure the Use of the pam_faillock.so Module in the /etc/pam.d/system-auth File. - Ensure "with-faillock" feature is enabled using authselect tool ansible.builtin.command: cmd: authselect enable-feature with-faillock register: result_authselect_enable_feature_cmd when: - result_authselect_check_cmd is success - result_authselect_features.stdout is not search("with-faillock") - name: Configure the Use of the pam_faillock.so Module in the /etc/pam.d/system-auth File. - Ensure authselect changes are applied ansible.builtin.command: cmd: authselect apply-changes -b when: - result_authselect_enable_feature_cmd is not skipped - result_authselect_enable_feature_cmd is success when: - DISA_STIG_RHEL_09_611030 | bool - account_password_pam_faillock_system_auth | bool - enable_strategy | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - '"kernel-core" in ansible_facts.packages' - result_authselect_present.stat.exists tags: - CCE-86917-2 - DISA-STIG-RHEL-09-611030 - NIST-800-53-AC-7 (a) - account_password_pam_faillock_system_auth - enable_strategy - low_complexity - low_disruption - medium_severity - no_reboot_needed - name: Configure the Use of the pam_faillock.so Module in the /etc/pam.d/system-auth File. - Remediation where authselect tool is not present block: - name: Configure the Use of the pam_faillock.so Module in the /etc/pam.d/system-auth File. 
- Check if pam_faillock.so is already enabled ansible.builtin.lineinfile: path: /etc/pam.d/system-auth regexp: .*auth.*pam_faillock\.so (preauth|authfail) state: absent check_mode: true changed_when: false register: result_pam_faillock_is_enabled - name: Configure the Use of the pam_faillock.so Module in the /etc/pam.d/system-auth File. - Enable pam_faillock.so preauth editing PAM files ansible.builtin.lineinfile: path: '{{ item }}' line: auth required pam_faillock.so preauth insertbefore: ^auth.*sufficient.*pam_unix\.so.* state: present loop: - /etc/pam.d/system-auth - /etc/pam.d/password-auth when: - result_pam_faillock_is_enabled.found == 0 - name: Configure the Use of the pam_faillock.so Module in the /etc/pam.d/system-auth File. - Enable pam_faillock.so authfail editing PAM files ansible.builtin.lineinfile: path: '{{ item }}' line: auth required pam_faillock.so authfail insertbefore: ^auth.*required.*pam_deny\.so.* state: present loop: - /etc/pam.d/system-auth - /etc/pam.d/password-auth when: - result_pam_faillock_is_enabled.found == 0 - name: Configure the Use of the pam_faillock.so Module in the /etc/pam.d/system-auth File. 
- Enable pam_faillock.so account section editing PAM files ansible.builtin.lineinfile: path: '{{ item }}' line: account required pam_faillock.so insertbefore: ^account.*required.*pam_unix\.so.* state: present loop: - /etc/pam.d/system-auth - /etc/pam.d/password-auth when: - result_pam_faillock_is_enabled.found == 0 when: - DISA_STIG_RHEL_09_611030 | bool - account_password_pam_faillock_system_auth | bool - enable_strategy | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - '"kernel-core" in ansible_facts.packages' - not result_authselect_present.stat.exists tags: - CCE-86917-2 - DISA-STIG-RHEL-09-611030 - NIST-800-53-AC-7 (a) - account_password_pam_faillock_system_auth - enable_strategy - low_complexity - low_disruption - medium_severity - no_reboot_needed - name: 'Limit Password Reuse: password-auth - Check if system relies on authselect tool' ansible.builtin.stat: path: /usr/bin/authselect register: result_authselect_present when: - accounts_password_pam_pwhistory_remember_password_auth | bool - configure_strategy | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - no_reboot_needed | bool - '"kernel-core" in ansible_facts.packages' - '"pam" in ansible_facts.packages' tags: - CCE-86354-8 - CJIS-5.6.2.1.1 - NIST-800-171-3.5.8 - NIST-800-53-IA-5(1)(e) - NIST-800-53-IA-5(f) - PCI-DSS-Req-8.2.5 - PCI-DSSv4-8.3 - PCI-DSSv4-8.3.7 - accounts_password_pam_pwhistory_remember_password_auth - configure_strategy - low_complexity - medium_disruption - medium_severity - no_reboot_needed - name: 'Limit Password Reuse: password-auth - Collect the available authselect features' ansible.builtin.command: cmd: authselect list-features sssd register: result_authselect_available_features changed_when: false check_mode: false when: - accounts_password_pam_pwhistory_remember_password_auth | bool - configure_strategy | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - 
no_reboot_needed | bool - '"kernel-core" in ansible_facts.packages' - '"pam" in ansible_facts.packages' - result_authselect_present.stat.exists tags: - CCE-86354-8 - CJIS-5.6.2.1.1 - NIST-800-171-3.5.8 - NIST-800-53-IA-5(1)(e) - NIST-800-53-IA-5(f) - PCI-DSS-Req-8.2.5 - PCI-DSSv4-8.3 - PCI-DSSv4-8.3.7 - accounts_password_pam_pwhistory_remember_password_auth - configure_strategy - low_complexity - medium_disruption - medium_severity - no_reboot_needed - name: 'Limit Password Reuse: password-auth - Enable pam_pwhistory.so using authselect feature' block: - name: 'Limit Password Reuse: password-auth - Check integrity of authselect current profile' ansible.builtin.command: cmd: authselect check register: result_authselect_check_cmd changed_when: false check_mode: false failed_when: false - name: 'Limit Password Reuse: password-auth - Informative message based on the authselect integrity check result' ansible.builtin.assert: that: - ansible_check_mode or result_authselect_check_cmd.rc == 0 fail_msg: - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. - It is not recommended to manually edit the PAM files when authselect tool is available. - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended. 
success_msg: - authselect integrity check passed - name: 'Limit Password Reuse: password-auth - Get authselect current features' ansible.builtin.shell: cmd: authselect current | tail -n+3 | awk '{ print $2 }' register: result_authselect_features changed_when: false check_mode: false when: - result_authselect_check_cmd is success - name: 'Limit Password Reuse: password-auth - Ensure "with-pwhistory" feature is enabled using authselect tool' ansible.builtin.command: cmd: authselect enable-feature with-pwhistory register: result_authselect_enable_feature_cmd when: - result_authselect_check_cmd is success - result_authselect_features.stdout is not search("with-pwhistory") - name: 'Limit Password Reuse: password-auth - Ensure authselect changes are applied' ansible.builtin.command: cmd: authselect apply-changes -b when: - result_authselect_enable_feature_cmd is not skipped - result_authselect_enable_feature_cmd is success when: - accounts_password_pam_pwhistory_remember_password_auth | bool - configure_strategy | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - no_reboot_needed | bool - '"kernel-core" in ansible_facts.packages' - '"pam" in ansible_facts.packages' - result_authselect_present.stat.exists - result_authselect_available_features.stdout is search("with-pwhistory") tags: - CCE-86354-8 - CJIS-5.6.2.1.1 - NIST-800-171-3.5.8 - NIST-800-53-IA-5(1)(e) - NIST-800-53-IA-5(f) - PCI-DSS-Req-8.2.5 - PCI-DSSv4-8.3 - PCI-DSSv4-8.3.7 - accounts_password_pam_pwhistory_remember_password_auth - configure_strategy - low_complexity - medium_disruption - medium_severity - no_reboot_needed - name: 'Limit Password Reuse: password-auth - Enable pam_pwhistory.so in appropriate PAM files' block: - name: 'Limit Password Reuse: password-auth - Define the PAM file to be edited as a local fact' ansible.builtin.set_fact: pam_file_path: /etc/pam.d/password-auth - name: 'Limit Password Reuse: password-auth - Check if system relies on authselect tool' 
ansible.builtin.stat: path: /usr/bin/authselect register: result_authselect_present - name: 'Limit Password Reuse: password-auth - Ensure authselect custom profile is used if authselect is present' block: - name: 'Limit Password Reuse: password-auth - Check integrity of authselect current profile' ansible.builtin.command: cmd: authselect check register: result_authselect_check_cmd changed_when: false check_mode: false failed_when: false - name: 'Limit Password Reuse: password-auth - Informative message based on the authselect integrity check result' ansible.builtin.assert: that: - ansible_check_mode or result_authselect_check_cmd.rc == 0 fail_msg: - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. - It is not recommended to manually edit the PAM files when authselect tool is available. - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended. 
success_msg: - authselect integrity check passed - name: 'Limit Password Reuse: password-auth - Get authselect current profile' ansible.builtin.shell: cmd: authselect current -r | awk '{ print $1 }' register: result_authselect_profile changed_when: false when: - result_authselect_check_cmd is success - name: 'Limit Password Reuse: password-auth - Define the current authselect profile as a local fact' ansible.builtin.set_fact: authselect_current_profile: '{{ result_authselect_profile.stdout }}' authselect_custom_profile: '{{ result_authselect_profile.stdout }}' when: - result_authselect_profile is not skipped - result_authselect_profile.stdout is match("custom/") - name: 'Limit Password Reuse: password-auth - Define the new authselect custom profile as a local fact' ansible.builtin.set_fact: authselect_current_profile: '{{ result_authselect_profile.stdout }}' authselect_custom_profile: custom/hardening when: - result_authselect_profile is not skipped - result_authselect_profile.stdout is not match("custom/") - name: 'Limit Password Reuse: password-auth - Get authselect current features to also enable them in the custom profile' ansible.builtin.shell: cmd: authselect current | tail -n+3 | awk '{ print $2 }' register: result_authselect_features changed_when: false check_mode: false when: - result_authselect_profile is not skipped - authselect_current_profile is not match("custom/") - name: 'Limit Password Reuse: password-auth - Check if any custom profile with the same name was already created' ansible.builtin.stat: path: /etc/authselect/{{ authselect_custom_profile }} register: result_authselect_custom_profile_present changed_when: false when: - result_authselect_profile is not skipped - authselect_current_profile is not match("custom/") - name: 'Limit Password Reuse: password-auth - Create an authselect custom profile based on the current profile' ansible.builtin.command: cmd: authselect create-profile hardening -b {{ authselect_current_profile }} when: - 
result_authselect_profile is not skipped - result_authselect_check_cmd is success - authselect_current_profile is not match("^(custom/|local)") - not result_authselect_custom_profile_present.stat.exists - name: 'Limit Password Reuse: password-auth - Create an authselect custom profile based on sssd profile' ansible.builtin.command: cmd: authselect create-profile hardening -b sssd when: - result_authselect_profile is not skipped - result_authselect_check_cmd is success - authselect_current_profile is match("local") - not result_authselect_custom_profile_present.stat.exists - name: 'Limit Password Reuse: password-auth - Ensure authselect changes are applied' ansible.builtin.command: cmd: authselect apply-changes -b --backup=before-hardening-custom-profile when: - result_authselect_check_cmd is success - result_authselect_profile is not skipped - authselect_current_profile is not match("custom/") - authselect_custom_profile is not match(authselect_current_profile) - name: 'Limit Password Reuse: password-auth - Ensure the authselect custom profile is selected' ansible.builtin.command: cmd: authselect select {{ authselect_custom_profile }} register: result_pam_authselect_select_profile when: - result_authselect_check_cmd is success - result_authselect_profile is not skipped - authselect_current_profile is not match("custom/") - authselect_custom_profile is not match(authselect_current_profile) - name: 'Limit Password Reuse: password-auth - Restore the authselect features in the custom profile' ansible.builtin.command: cmd: authselect enable-feature {{ item }} loop: '{{ result_authselect_features.stdout_lines }}' register: result_pam_authselect_restore_features when: - result_authselect_profile is not skipped - result_authselect_features is not skipped - result_pam_authselect_select_profile is not skipped - name: 'Limit Password Reuse: password-auth - Ensure authselect changes are applied' ansible.builtin.command: cmd: authselect apply-changes -b 
--backup=after-hardening-custom-profile when: - result_authselect_check_cmd is success - result_authselect_profile is not skipped - result_pam_authselect_restore_features is not skipped - name: 'Limit Password Reuse: password-auth - Change the PAM file to be edited according to the custom authselect profile' ansible.builtin.set_fact: pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path | basename }} when: - authselect_custom_profile is defined when: - result_authselect_present.stat.exists - name: 'Limit Password Reuse: password-auth - Define a fact for control already filtered in case filters are used' ansible.builtin.set_fact: pam_module_control: '{{ var_password_pam_remember_control_flag.split(",")[0] }}' - name: 'Limit Password Reuse: password-auth - Check if expected PAM module line is present in {{ pam_file_path }}' ansible.builtin.lineinfile: path: '{{ pam_file_path }}' regexp: ^\s*password\s+{{ pam_module_control | regex_escape() }}\s+pam_pwhistory.so\s*.* state: absent check_mode: true changed_when: false register: result_pam_line_present - name: 'Limit Password Reuse: password-auth - Include or update the PAM module line in {{ pam_file_path }}' block: - name: 'Limit Password Reuse: password-auth - Check if required PAM module line is present in {{ pam_file_path }} with different control' ansible.builtin.lineinfile: path: '{{ pam_file_path }}' regexp: ^\s*password\s+.*\s+pam_pwhistory.so\s* state: absent check_mode: true changed_when: false register: result_pam_line_other_control_present - name: 'Limit Password Reuse: password-auth - Ensure the correct control for the required PAM module line in {{ pam_file_path }}' ansible.builtin.replace: dest: '{{ pam_file_path }}' regexp: ^(\s*password\s+).*(\bpam_pwhistory.so.*) replace: \1{{ pam_module_control }} \2 register: result_pam_module_edit when: - result_pam_line_other_control_present.found == 1 - name: 'Limit Password Reuse: password-auth - Ensure the required PAM module line is 
included in {{ pam_file_path }}' ansible.builtin.lineinfile: dest: '{{ pam_file_path }}' insertafter: ^password.*requisite.*pam_pwquality\.so line: password {{ pam_module_control }} pam_pwhistory.so register: result_pam_module_add when: - result_pam_line_other_control_present.found == 0 or result_pam_line_other_control_present.found > 1 - name: 'Limit Password Reuse: password-auth - Ensure authselect changes are applied' ansible.builtin.command: cmd: authselect apply-changes -b when: - result_authselect_present is defined - result_authselect_present.stat.exists - "(result_pam_module_add is defined and result_pam_module_add.changed)\n or (result_pam_module_edit is defined and\ \ result_pam_module_edit.changed)" when: - result_pam_line_present.found is defined - result_pam_line_present.found == 0 when: - accounts_password_pam_pwhistory_remember_password_auth | bool - configure_strategy | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - no_reboot_needed | bool - '"kernel-core" in ansible_facts.packages' - '"pam" in ansible_facts.packages' - '(result_authselect_available_features.stdout is defined and result_authselect_available_features.stdout is not search("with-pwhistory")) or result_authselect_available_features is not defined ' tags: - CCE-86354-8 - CJIS-5.6.2.1.1 - NIST-800-171-3.5.8 - NIST-800-53-IA-5(1)(e) - NIST-800-53-IA-5(f) - PCI-DSS-Req-8.2.5 - PCI-DSSv4-8.3 - PCI-DSSv4-8.3.7 - accounts_password_pam_pwhistory_remember_password_auth - configure_strategy - low_complexity - medium_disruption - medium_severity - no_reboot_needed - name: 'Limit Password Reuse: password-auth - Check the presence of /etc/security/pwhistory.conf file' ansible.builtin.stat: path: /etc/security/pwhistory.conf register: result_pwhistory_conf_check when: - accounts_password_pam_pwhistory_remember_password_auth | bool - configure_strategy | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - no_reboot_needed | bool - 
'"kernel-core" in ansible_facts.packages' - '"pam" in ansible_facts.packages' tags: - CCE-86354-8 - CJIS-5.6.2.1.1 - NIST-800-171-3.5.8 - NIST-800-53-IA-5(1)(e) - NIST-800-53-IA-5(f) - PCI-DSS-Req-8.2.5 - PCI-DSSv4-8.3 - PCI-DSSv4-8.3.7 - accounts_password_pam_pwhistory_remember_password_auth - configure_strategy - low_complexity - medium_disruption - medium_severity - no_reboot_needed - name: 'Limit Password Reuse: password-auth - pam_pwhistory.so parameters are configured in /etc/security/pwhistory.conf file' block: - name: 'Limit Password Reuse: password-auth - Ensure the pam_pwhistory.so remember parameter in /etc/security/pwhistory.conf' ansible.builtin.lineinfile: path: /etc/security/pwhistory.conf regexp: ^\s*remember\s*= line: remember = {{ var_password_pam_remember }} state: present - name: 'Limit Password Reuse: password-auth - Ensure the pam_pwhistory.so remember parameter is removed from PAM files' block: - name: 'Limit Password Reuse: password-auth - Check if /etc/pam.d/password-auth file is present' ansible.builtin.stat: path: /etc/pam.d/password-auth register: result_pam_file_present - name: 'Limit Password Reuse: password-auth - Check the proper remediation for the system' block: - name: 'Limit Password Reuse: password-auth - Define the PAM file to be edited as a local fact' ansible.builtin.set_fact: pam_file_path: /etc/pam.d/password-auth - name: 'Limit Password Reuse: password-auth - Check if system relies on authselect tool' ansible.builtin.stat: path: /usr/bin/authselect register: result_authselect_present - name: 'Limit Password Reuse: password-auth - Ensure authselect custom profile is used if authselect is present' block: - name: 'Limit Password Reuse: password-auth - Check integrity of authselect current profile' ansible.builtin.command: cmd: authselect check register: result_authselect_check_cmd changed_when: false check_mode: false failed_when: false - name: 'Limit Password Reuse: password-auth - Informative message based on the authselect 
integrity check result' ansible.builtin.assert: that: - ansible_check_mode or result_authselect_check_cmd.rc == 0 fail_msg: - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. - It is not recommended to manually edit the PAM files when authselect tool is available. - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended. success_msg: - authselect integrity check passed - name: 'Limit Password Reuse: password-auth - Get authselect current profile' ansible.builtin.shell: cmd: authselect current -r | awk '{ print $1 }' register: result_authselect_profile changed_when: false when: - result_authselect_check_cmd is success - name: 'Limit Password Reuse: password-auth - Define the current authselect profile as a local fact' ansible.builtin.set_fact: authselect_current_profile: '{{ result_authselect_profile.stdout }}' authselect_custom_profile: '{{ result_authselect_profile.stdout }}' when: - result_authselect_profile is not skipped - result_authselect_profile.stdout is match("custom/") - name: 'Limit Password Reuse: password-auth - Define the new authselect custom profile as a local fact' ansible.builtin.set_fact: authselect_current_profile: '{{ result_authselect_profile.stdout }}' authselect_custom_profile: custom/hardening when: - result_authselect_profile is not skipped - result_authselect_profile.stdout is not match("custom/") - name: 'Limit Password Reuse: password-auth - Get authselect current features to also enable them in the custom profile' ansible.builtin.shell: cmd: authselect current | tail -n+3 | awk '{ print $2 }' register: result_authselect_features changed_when: false check_mode: false when: - result_authselect_profile is not skipped - authselect_current_profile is not match("custom/") - name: 'Limit Password Reuse: password-auth - Check if any custom 
profile with the same name was already created' ansible.builtin.stat: path: /etc/authselect/{{ authselect_custom_profile }} register: result_authselect_custom_profile_present changed_when: false when: - result_authselect_profile is not skipped - authselect_current_profile is not match("custom/") - name: 'Limit Password Reuse: password-auth - Create an authselect custom profile based on the current profile' ansible.builtin.command: cmd: authselect create-profile hardening -b {{ authselect_current_profile }} when: - result_authselect_profile is not skipped - result_authselect_check_cmd is success - authselect_current_profile is not match("^(custom/|local)") - not result_authselect_custom_profile_present.stat.exists - name: 'Limit Password Reuse: password-auth - Create an authselect custom profile based on sssd profile' ansible.builtin.command: cmd: authselect create-profile hardening -b sssd when: - result_authselect_profile is not skipped - result_authselect_check_cmd is success - authselect_current_profile is match("local") - not result_authselect_custom_profile_present.stat.exists - name: 'Limit Password Reuse: password-auth - Ensure authselect changes are applied' ansible.builtin.command: cmd: authselect apply-changes -b --backup=before-hardening-custom-profile when: - result_authselect_check_cmd is success - result_authselect_profile is not skipped - authselect_current_profile is not match("custom/") - authselect_custom_profile is not match(authselect_current_profile) - name: 'Limit Password Reuse: password-auth - Ensure the authselect custom profile is selected' ansible.builtin.command: cmd: authselect select {{ authselect_custom_profile }} register: result_pam_authselect_select_profile when: - result_authselect_check_cmd is success - result_authselect_profile is not skipped - authselect_current_profile is not match("custom/") - authselect_custom_profile is not match(authselect_current_profile) - name: 'Limit Password Reuse: password-auth - Restore the 
authselect features in the custom profile' ansible.builtin.command: cmd: authselect enable-feature {{ item }} loop: '{{ result_authselect_features.stdout_lines }}' register: result_pam_authselect_restore_features when: - result_authselect_profile is not skipped - result_authselect_features is not skipped - result_pam_authselect_select_profile is not skipped - name: 'Limit Password Reuse: password-auth - Ensure authselect changes are applied' ansible.builtin.command: cmd: authselect apply-changes -b --backup=after-hardening-custom-profile when: - result_authselect_check_cmd is success - result_authselect_profile is not skipped - result_pam_authselect_restore_features is not skipped - name: 'Limit Password Reuse: password-auth - Change the PAM file to be edited according to the custom authselect profile' ansible.builtin.set_fact: pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path | basename }} when: - authselect_custom_profile is defined when: - result_authselect_present.stat.exists - name: 'Limit Password Reuse: password-auth - Define a fact for control already filtered in case filters are used' ansible.builtin.set_fact: pam_module_control: '' - name: 'Limit Password Reuse: password-auth - Check if {{ pam_file_path }} file is present' ansible.builtin.stat: path: '{{ pam_file_path }}' register: result_pam_file_present - name: 'Limit Password Reuse: password-auth - Ensure the "remember" option from "pam_pwhistory.so" is not present in {{ pam_file_path }}' ansible.builtin.replace: dest: '{{ pam_file_path }}' regexp: (.*password.*pam_pwhistory.so.*)\bremember\b=?[0-9a-zA-Z]*(.*) replace: \1\2 register: result_pam_option_removal when: result_pam_file_present.stat.exists - name: 'Limit Password Reuse: password-auth - Ensure authselect changes are applied' ansible.builtin.command: cmd: authselect apply-changes -b when: - result_authselect_present.stat.exists - result_pam_option_removal is changed when: - result_pam_file_present.stat.exists 
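# Closing conditions and tags of the preceding task (its body starts above
# this chunk); this part is only re-indented, not changed.
  when:
    - accounts_password_pam_pwhistory_remember_password_auth | bool
    - configure_strategy | bool
    - low_complexity | bool
    - medium_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - '"kernel-core" in ansible_facts.packages'
    - '"pam" in ansible_facts.packages'
    - result_pwhistory_conf_check.stat.exists
  tags:
    - CCE-86354-8
    - CJIS-5.6.2.1.1
    - NIST-800-171-3.5.8
    - NIST-800-53-IA-5(1)(e)
    - NIST-800-53-IA-5(f)
    - PCI-DSS-Req-8.2.5
    - PCI-DSSv4-8.3
    - PCI-DSSv4-8.3.7
    - accounts_password_pam_pwhistory_remember_password_auth
    - configure_strategy
    - low_complexity
    - medium_disruption
    - medium_severity
    - no_reboot_needed

# Fallback path for systems without /etc/security/pwhistory.conf (see the
# trailing `when`): the "remember" option is written directly on the
# pam_pwhistory.so line of password-auth. When authselect is present the
# edit is made in a custom profile and then materialised with
# `authselect apply-changes`.
- name: 'Limit Password Reuse: password-auth - pam_pwhistory.so parameters are configured in PAM files'
  block:
    - name: 'Limit Password Reuse: password-auth - Define the PAM file to be edited as a local fact'
      ansible.builtin.set_fact:
        pam_file_path: /etc/pam.d/password-auth

    - name: 'Limit Password Reuse: password-auth - Check if system relies on authselect tool'
      ansible.builtin.stat:
        path: /usr/bin/authselect
      register: result_authselect_present

    - name: 'Limit Password Reuse: password-auth - Ensure authselect custom profile is used if authselect is present'
      block:
        # Read-only probe: never reports a change, runs in check mode, and
        # a non-zero rc is handled by the assert below instead of failing here.
        - name: 'Limit Password Reuse: password-auth - Check integrity of authselect current profile'
          ansible.builtin.command:
            cmd: authselect check
          register: result_authselect_check_cmd
          changed_when: false
          check_mode: false
          failed_when: false

        - name: 'Limit Password Reuse: password-auth - Informative message based on the authselect integrity check result'
          ansible.builtin.assert:
            that:
              - ansible_check_mode or result_authselect_check_cmd.rc == 0
            fail_msg:
              - authselect integrity check failed. Remediation aborted!
              - This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
              - It is not recommended to manually edit the PAM files when authselect tool is available.
              - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended.
            success_msg:
              - authselect integrity check passed

        - name: 'Limit Password Reuse: password-auth - Get authselect current profile'
          ansible.builtin.shell:
            cmd: authselect current -r | awk '{ print $1 }'
          register: result_authselect_profile
          changed_when: false
          when:
            - result_authselect_check_cmd is success

        # A profile already under custom/ is reused as-is.
        - name: 'Limit Password Reuse: password-auth - Define the current authselect profile as a local fact'
          ansible.builtin.set_fact:
            authselect_current_profile: '{{ result_authselect_profile.stdout }}'
            authselect_custom_profile: '{{ result_authselect_profile.stdout }}'
          when:
            - result_authselect_profile is not skipped
            - result_authselect_profile.stdout is match("custom/")

        # Otherwise the edits go into a new custom/hardening profile.
        - name: 'Limit Password Reuse: password-auth - Define the new authselect custom profile as a local fact'
          ansible.builtin.set_fact:
            authselect_current_profile: '{{ result_authselect_profile.stdout }}'
            authselect_custom_profile: custom/hardening
          when:
            - result_authselect_profile is not skipped
            - result_authselect_profile.stdout is not match("custom/")

        - name: 'Limit Password Reuse: password-auth - Get authselect current features to also enable them in the custom profile'
          ansible.builtin.shell:
            cmd: authselect current | tail -n+3 | awk '{ print $2 }'
          register: result_authselect_features
          changed_when: false
          check_mode: false
          when:
            - result_authselect_profile is not skipped
            - authselect_current_profile is not match("custom/")

        - name: 'Limit Password Reuse: password-auth - Check if any custom profile with the same name was already created'
          ansible.builtin.stat:
            path: /etc/authselect/{{ authselect_custom_profile }}
          register: result_authselect_custom_profile_present
          changed_when: false
          when:
            - result_authselect_profile is not skipped
            - authselect_current_profile is not match("custom/")

        - name: 'Limit Password Reuse: password-auth - Create an authselect custom profile based on the current profile'
          ansible.builtin.command:
            cmd: authselect create-profile hardening -b {{ authselect_current_profile }}
          when:
            - result_authselect_profile is not skipped
            - result_authselect_check_cmd is success
            - authselect_current_profile is not match("^(custom/|local)")
            - not result_authselect_custom_profile_present.stat.exists

        # The "local" profile cannot be used as a base, so sssd is used instead.
        - name: 'Limit Password Reuse: password-auth - Create an authselect custom profile based on sssd profile'
          ansible.builtin.command:
            cmd: authselect create-profile hardening -b sssd
          when:
            - result_authselect_profile is not skipped
            - result_authselect_check_cmd is success
            - authselect_current_profile is match("local")
            - not result_authselect_custom_profile_present.stat.exists

        - name: 'Limit Password Reuse: password-auth - Ensure authselect changes are applied'
          ansible.builtin.command:
            cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
          when:
            - result_authselect_check_cmd is success
            - result_authselect_profile is not skipped
            - authselect_current_profile is not match("custom/")
            - authselect_custom_profile is not match(authselect_current_profile)

        - name: 'Limit Password Reuse: password-auth - Ensure the authselect custom profile is selected'
          ansible.builtin.command:
            cmd: authselect select {{ authselect_custom_profile }}
          register: result_pam_authselect_select_profile
          when:
            - result_authselect_check_cmd is success
            - result_authselect_profile is not skipped
            - authselect_current_profile is not match("custom/")
            - authselect_custom_profile is not match(authselect_current_profile)

        - name: 'Limit Password Reuse: password-auth - Restore the authselect features in the custom profile'
          ansible.builtin.command:
            cmd: authselect enable-feature {{ item }}
          loop: '{{ result_authselect_features.stdout_lines }}'
          register: result_pam_authselect_restore_features
          when:
            - result_authselect_profile is not skipped
            - result_authselect_features is not skipped
            - result_pam_authselect_select_profile is not skipped

        - name: 'Limit Password Reuse: password-auth - Ensure authselect changes are applied'
          ansible.builtin.command:
            cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
          when:
            - result_authselect_check_cmd is success
            - result_authselect_profile is not skipped
            - result_pam_authselect_restore_features is not skipped

        # From here on the file edited is the profile template, not /etc/pam.d.
        - name: 'Limit Password Reuse: password-auth - Change the PAM file to be edited according to the custom authselect profile'
          ansible.builtin.set_fact:
            pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path | basename }}
          when:
            - authselect_custom_profile is defined
      when:
        - result_authselect_present.stat.exists

    # NOTE(review): the control is hard-coded here, whereas the system-auth
    # variant derives it from var_password_pam_remember_control_flag.
    - name: 'Limit Password Reuse: password-auth - Define a fact for control already filtered in case filters are used'
      ansible.builtin.set_fact:
        pam_module_control: requisite

    # check_mode + state: absent turns lineinfile into a pure "is it there" probe.
    - name: 'Limit Password Reuse: password-auth - Check if expected PAM module line is present in {{ pam_file_path }}'
      ansible.builtin.lineinfile:
        path: '{{ pam_file_path }}'
        regexp: ^\s*password\s+{{ pam_module_control | regex_escape() }}\s+pam_pwhistory.so\s*.*
        state: absent
      check_mode: true
      changed_when: false
      register: result_pam_line_present

    - name: 'Limit Password Reuse: password-auth - Include or update the PAM module line in {{ pam_file_path }}'
      block:
        - name: 'Limit Password Reuse: password-auth - Check if required PAM module line is present in {{ pam_file_path }} with different control'
          ansible.builtin.lineinfile:
            path: '{{ pam_file_path }}'
            regexp: ^\s*password\s+.*\s+pam_pwhistory.so\s*
            state: absent
          check_mode: true
          changed_when: false
          register: result_pam_line_other_control_present

        # Exactly one line with another control: fix the control in place.
        - name: 'Limit Password Reuse: password-auth - Ensure the correct control for the required PAM module line in {{ pam_file_path }}'
          ansible.builtin.replace:
            dest: '{{ pam_file_path }}'
            regexp: ^(\s*password\s+).*(\bpam_pwhistory.so.*)
            replace: \1{{ pam_module_control }} \2
          register: result_pam_module_edit
          when:
            - result_pam_line_other_control_present.found == 1

        # NOTE(review): no `insertafter` here, so a missing line is appended at
        # the end of the file; the system-auth variant anchors it after
        # pam_pwquality.so. Confirm the resulting stack order is intended.
        - name: 'Limit Password Reuse: password-auth - Ensure the required PAM module line is included in {{ pam_file_path }}'
          ansible.builtin.lineinfile:
            dest: '{{ pam_file_path }}'
            line: password {{ pam_module_control }} pam_pwhistory.so
          register: result_pam_module_add
          when:
            - result_pam_line_other_control_present.found == 0 or result_pam_line_other_control_present.found > 1

        - name: 'Limit Password Reuse: password-auth - Ensure authselect changes are applied'
          ansible.builtin.command:
            cmd: authselect apply-changes -b
          when:
            - result_authselect_present is defined
            - result_authselect_present.stat.exists
            - "(result_pam_module_add is defined and result_pam_module_add.changed)\n or (result_pam_module_edit is defined and\ \ result_pam_module_edit.changed)"
      when:
        - result_pam_line_present.found is defined
        - result_pam_line_present.found == 0

    - name: 'Limit Password Reuse: password-auth - Define a fact for control already filtered in case filters are used'
      ansible.builtin.set_fact:
        pam_module_control: requisite

    - name: 'Limit Password Reuse: password-auth - Check if the required PAM module option is present in {{ pam_file_path }}'
      ansible.builtin.lineinfile:
        path: '{{ pam_file_path }}'
        regexp: ^\s*password\s+{{ pam_module_control | regex_escape() }}\s+pam_pwhistory.so\s*.*\sremember\b
        state: absent
      check_mode: true
      changed_when: false
      register: result_pam_module_accounts_password_pam_pwhistory_remember_password_auth_option_present

    - name: 'Limit Password Reuse: password-auth - Ensure the "remember" PAM option for "pam_pwhistory.so" is included in {{ pam_file_path }}'
      ansible.builtin.lineinfile:
        path: '{{ pam_file_path }}'
        backrefs: true
        regexp: ^(\s*password\s+{{ pam_module_control | regex_escape() }}\s+pam_pwhistory.so.*)
        line: \1 remember={{ var_password_pam_remember }}
        state: present
      register: result_pam_accounts_password_pam_pwhistory_remember_password_auth_add
      when:
        - result_pam_module_accounts_password_pam_pwhistory_remember_password_auth_option_present.found is defined
        - result_pam_module_accounts_password_pam_pwhistory_remember_password_auth_option_present.found == 0

    - name: 'Limit Password Reuse: password-auth - Ensure the required value for "remember" PAM option from "pam_pwhistory.so" in {{ pam_file_path }}'
      ansible.builtin.lineinfile:
        path: '{{ pam_file_path }}'
        backrefs: true
        regexp: ^(\s*password\s+{{ pam_module_control | regex_escape() }}\s+pam_pwhistory.so\s+.*)(remember)=[0-9a-zA-Z]*\s*(.*)
        line: \1\2={{ var_password_pam_remember }} \3
      register: result_pam_accounts_password_pam_pwhistory_remember_password_auth_edit
      when:
        - result_pam_module_accounts_password_pam_pwhistory_remember_password_auth_option_present.found > 0

    # FIX: this task used to test `result_pam_remember_add` / `result_pam_remember_edit`,
    # names that are never registered in this file, so it was always skipped and
    # the "remember" edit made in the custom profile was never applied to
    # /etc/pam.d by authselect. It now tests the results registered above.
    - name: 'Limit Password Reuse: password-auth - Ensure authselect changes are applied'
      ansible.builtin.command:
        cmd: authselect apply-changes -b
      when:
        - result_authselect_present.stat.exists
        - (result_pam_accounts_password_pam_pwhistory_remember_password_auth_add is defined and result_pam_accounts_password_pam_pwhistory_remember_password_auth_add.changed) or (result_pam_accounts_password_pam_pwhistory_remember_password_auth_edit is defined and result_pam_accounts_password_pam_pwhistory_remember_password_auth_edit.changed)
  when:
    - accounts_password_pam_pwhistory_remember_password_auth | bool
    - configure_strategy | bool
    - low_complexity | bool
    - medium_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - '"kernel-core" in ansible_facts.packages'
    - '"pam" in ansible_facts.packages'
    - not result_pwhistory_conf_check.stat.exists
  tags:
    - CCE-86354-8
    - CJIS-5.6.2.1.1
    - NIST-800-171-3.5.8
    - NIST-800-53-IA-5(1)(e)
    - NIST-800-53-IA-5(f)
    - PCI-DSS-Req-8.2.5
    - PCI-DSSv4-8.3
    - PCI-DSSv4-8.3.7
    - accounts_password_pam_pwhistory_remember_password_auth
    - configure_strategy
    - low_complexity
    - medium_disruption
    - medium_severity
    - no_reboot_needed

# Start of the system-auth rule; its remaining conditions continue on the
# next (still collapsed) line.
- name: 'Limit Password Reuse: system-auth - Check if system relies on authselect tool'
  ansible.builtin.stat:
    path: /usr/bin/authselect
  register: result_authselect_present
  when:
    - accounts_password_pam_pwhistory_remember_system_auth | bool
    - configure_strategy | bool
    - low_complexity | bool
    - medium_disruption | bool
    - medium_severity | bool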
# Remaining conditions and tags of the preceding stat task (its head is on
# the previous collapsed line); re-indented only.
    - no_reboot_needed | bool
    - '"kernel-core" in ansible_facts.packages'
    - '"pam" in ansible_facts.packages'
  tags:
    - CCE-89176-2
    - CJIS-5.6.2.1.1
    - NIST-800-171-3.5.8
    - NIST-800-53-IA-5(1)(e)
    - NIST-800-53-IA-5(f)
    - PCI-DSS-Req-8.2.5
    - PCI-DSSv4-8.3
    - PCI-DSSv4-8.3.7
    - accounts_password_pam_pwhistory_remember_system_auth
    - configure_strategy
    - low_complexity
    - medium_disruption
    - medium_severity
    - no_reboot_needed

# Read-only probe of the features the sssd profile offers; its output decides
# below whether the "with-pwhistory" feature or a manual PAM edit is used.
- name: 'Limit Password Reuse: system-auth - Collect the available authselect features'
  ansible.builtin.command:
    cmd: authselect list-features sssd
  register: result_authselect_available_features
  changed_when: false
  check_mode: false
  when:
    - accounts_password_pam_pwhistory_remember_system_auth | bool
    - configure_strategy | bool
    - low_complexity | bool
    - medium_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - '"kernel-core" in ansible_facts.packages'
    - '"pam" in ansible_facts.packages'
    - result_authselect_present.stat.exists
  tags:
    - CCE-89176-2
    - CJIS-5.6.2.1.1
    - NIST-800-171-3.5.8
    - NIST-800-53-IA-5(1)(e)
    - NIST-800-53-IA-5(f)
    - PCI-DSS-Req-8.2.5
    - PCI-DSSv4-8.3
    - PCI-DSSv4-8.3.7
    - accounts_password_pam_pwhistory_remember_system_auth
    - configure_strategy
    - low_complexity
    - medium_disruption
    - medium_severity
    - no_reboot_needed

# Preferred path when authselect knows the feature: enable it instead of
# editing PAM files by hand.
- name: 'Limit Password Reuse: system-auth - Enable pam_pwhistory.so using authselect feature'
  block:
    - name: 'Limit Password Reuse: system-auth - Check integrity of authselect current profile'
      ansible.builtin.command:
        cmd: authselect check
      register: result_authselect_check_cmd
      changed_when: false
      check_mode: false
      failed_when: false

    - name: 'Limit Password Reuse: system-auth - Informative message based on the authselect integrity check result'
      ansible.builtin.assert:
        that:
          - ansible_check_mode or result_authselect_check_cmd.rc == 0
        fail_msg:
          - authselect integrity check failed. Remediation aborted!
          - This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
          - It is not recommended to manually edit the PAM files when authselect tool is available.
          - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended.
        success_msg:
          - authselect integrity check passed

    - name: 'Limit Password Reuse: system-auth - Get authselect current features'
      ansible.builtin.shell:
        cmd: authselect current | tail -n+3 | awk '{ print $2 }'
      register: result_authselect_features
      changed_when: false
      check_mode: false
      when:
        - result_authselect_check_cmd is success

    - name: 'Limit Password Reuse: system-auth - Ensure "with-pwhistory" feature is enabled using authselect tool'
      ansible.builtin.command:
        cmd: authselect enable-feature with-pwhistory
      register: result_authselect_enable_feature_cmd
      when:
        - result_authselect_check_cmd is success
        - result_authselect_features.stdout is not search("with-pwhistory")

    - name: 'Limit Password Reuse: system-auth - Ensure authselect changes are applied'
      ansible.builtin.command:
        cmd: authselect apply-changes -b
      when:
        - result_authselect_enable_feature_cmd is not skipped
        - result_authselect_enable_feature_cmd is success
  when:
    - accounts_password_pam_pwhistory_remember_system_auth | bool
    - configure_strategy | bool
    - low_complexity | bool
    - medium_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - '"kernel-core" in ansible_facts.packages'
    - '"pam" in ansible_facts.packages'
    - result_authselect_present.stat.exists
    - result_authselect_available_features.stdout is search("with-pwhistory")
  tags:
    - CCE-89176-2
    - CJIS-5.6.2.1.1
    - NIST-800-171-3.5.8
    - NIST-800-53-IA-5(1)(e)
    - NIST-800-53-IA-5(f)
    - PCI-DSS-Req-8.2.5
    - PCI-DSSv4-8.3
    - PCI-DSSv4-8.3.7
    - accounts_password_pam_pwhistory_remember_system_auth
    - configure_strategy
    - low_complexity
    - medium_disruption
    - medium_severity
    - no_reboot_needed

# Fallback path when the feature is unavailable (or the probe above did not
# run): add the pam_pwhistory.so line to system-auth, via a custom authselect
# profile when authselect is present.
- name: 'Limit Password Reuse: system-auth - Enable pam_pwhistory.so in appropriate PAM files'
  block:
    - name: 'Limit Password Reuse: system-auth - Define the PAM file to be edited as a local fact'
      ansible.builtin.set_fact:
        pam_file_path: /etc/pam.d/system-auth

    - name: 'Limit Password Reuse: system-auth - Check if system relies on authselect tool'
      ansible.builtin.stat:
        path: /usr/bin/authselect
      register: result_authselect_present

    - name: 'Limit Password Reuse: system-auth - Ensure authselect custom profile is used if authselect is present'
      block:
        - name: 'Limit Password Reuse: system-auth - Check integrity of authselect current profile'
          ansible.builtin.command:
            cmd: authselect check
          register: result_authselect_check_cmd
          changed_when: false
          check_mode: false
          failed_when: false

        - name: 'Limit Password Reuse: system-auth - Informative message based on the authselect integrity check result'
          ansible.builtin.assert:
            that:
              - ansible_check_mode or result_authselect_check_cmd.rc == 0
            fail_msg:
              - authselect integrity check failed. Remediation aborted!
              - This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
              - It is not recommended to manually edit the PAM files when authselect tool is available.
              - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended.
            success_msg:
              - authselect integrity check passed

        - name: 'Limit Password Reuse: system-auth - Get authselect current profile'
          ansible.builtin.shell:
            cmd: authselect current -r | awk '{ print $1 }'
          register: result_authselect_profile
          changed_when: false
          when:
            - result_authselect_check_cmd is success

        - name: 'Limit Password Reuse: system-auth - Define the current authselect profile as a local fact'
          ansible.builtin.set_fact:
            authselect_current_profile: '{{ result_authselect_profile.stdout }}'
            authselect_custom_profile: '{{ result_authselect_profile.stdout }}'
          when:
            - result_authselect_profile is not skipped
            - result_authselect_profile.stdout is match("custom/")

        - name: 'Limit Password Reuse: system-auth - Define the new authselect custom profile as a local fact'
          ansible.builtin.set_fact:
            authselect_current_profile: '{{ result_authselect_profile.stdout }}'
            authselect_custom_profile: custom/hardening
          when:
            - result_authselect_profile is not skipped
            - result_authselect_profile.stdout is not match("custom/")

        - name: 'Limit Password Reuse: system-auth - Get authselect current features to also enable them in the custom profile'
          ansible.builtin.shell:
            cmd: authselect current | tail -n+3 | awk '{ print $2 }'
          register: result_authselect_features
          changed_when: false
          check_mode: false
          when:
            - result_authselect_profile is not skipped
            - authselect_current_profile is not match("custom/")

        - name: 'Limit Password Reuse: system-auth - Check if any custom profile with the same name was already created'
          ansible.builtin.stat:
            path: /etc/authselect/{{ authselect_custom_profile }}
          register: result_authselect_custom_profile_present
          changed_when: false
          when:
            - result_authselect_profile is not skipped
            - authselect_current_profile is not match("custom/")

        - name: 'Limit Password Reuse: system-auth - Create an authselect custom profile based on the current profile'
          ansible.builtin.command:
            cmd: authselect create-profile hardening -b {{ authselect_current_profile }}
          when:
            - result_authselect_profile is not skipped
            - result_authselect_check_cmd is success
            - authselect_current_profile is not match("^(custom/|local)")
            - not result_authselect_custom_profile_present.stat.exists

        - name: 'Limit Password Reuse: system-auth - Create an authselect custom profile based on sssd profile'
          ansible.builtin.command:
            cmd: authselect create-profile hardening -b sssd
          when:
            - result_authselect_profile is not skipped
            - result_authselect_check_cmd is success
            - authselect_current_profile is match("local")
            - not result_authselect_custom_profile_present.stat.exists

        - name: 'Limit Password Reuse: system-auth - Ensure authselect changes are applied'
          ansible.builtin.command:
            cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
          when:
            - result_authselect_check_cmd is success
            - result_authselect_profile is not skipped
            - authselect_current_profile is not match("custom/")
            - authselect_custom_profile is not match(authselect_current_profile)

        - name: 'Limit Password Reuse: system-auth - Ensure the authselect custom profile is selected'
          ansible.builtin.command:
            cmd: authselect select {{ authselect_custom_profile }}
          register: result_pam_authselect_select_profile
          when:
            - result_authselect_check_cmd is success
            - result_authselect_profile is not skipped
            - authselect_current_profile is not match("custom/")
            - authselect_custom_profile is not match(authselect_current_profile)

        - name: 'Limit Password Reuse: system-auth - Restore the authselect features in the custom profile'
          ansible.builtin.command:
            cmd: authselect enable-feature {{ item }}
          loop: '{{ result_authselect_features.stdout_lines }}'
          register: result_pam_authselect_restore_features
          when:
            - result_authselect_profile is not skipped
            - result_authselect_features is not skipped
            - result_pam_authselect_select_profile is not skipped

        - name: 'Limit Password Reuse: system-auth - Ensure authselect changes are applied'
          ansible.builtin.command:
            cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
          when:
            - result_authselect_check_cmd is success
            - result_authselect_profile is not skipped
            - result_pam_authselect_restore_features is not skipped

        - name: 'Limit Password Reuse: system-auth - Change the PAM file to be edited according to the custom authselect profile'
          ansible.builtin.set_fact:
            pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path | basename }}
          when:
            - authselect_custom_profile is defined
      when:
        - result_authselect_present.stat.exists

    # Only the first comma-separated element of the control flag is used.
    - name: 'Limit Password Reuse: system-auth - Define a fact for control already filtered in case filters are used'
      ansible.builtin.set_fact:
        pam_module_control: '{{ var_password_pam_remember_control_flag.split(",")[0] }}'

    - name: 'Limit Password Reuse: system-auth - Check if expected PAM module line is present in {{ pam_file_path }}'
      ansible.builtin.lineinfile:
        path: '{{ pam_file_path }}'
        regexp: ^\s*password\s+{{ pam_module_control | regex_escape() }}\s+pam_pwhistory.so\s*.*
        state: absent
      check_mode: true
      changed_when: false
      register: result_pam_line_present

    - name: 'Limit Password Reuse: system-auth - Include or update the PAM module line in {{ pam_file_path }}'
      block:
        - name: 'Limit Password Reuse: system-auth - Check if required PAM module line is present in {{ pam_file_path }} with different control'
          ansible.builtin.lineinfile:
            path: '{{ pam_file_path }}'
            regexp: ^\s*password\s+.*\s+pam_pwhistory.so\s*
            state: absent
          check_mode: true
          changed_when: false
          register: result_pam_line_other_control_present

        - name: 'Limit Password Reuse: system-auth - Ensure the correct control for the required PAM module line in {{ pam_file_path }}'
          ansible.builtin.replace:
            dest: '{{ pam_file_path }}'
            regexp: ^(\s*password\s+).*(\bpam_pwhistory.so.*)
            replace: \1{{ pam_module_control }} \2
          register: result_pam_module_edit
          when:
            - result_pam_line_other_control_present.found == 1

        # The new line is anchored right after the pam_pwquality.so line.
        - name: 'Limit Password Reuse: system-auth - Ensure the required PAM module line is included in {{ pam_file_path }}'
          ansible.builtin.lineinfile:
            dest: '{{ pam_file_path }}'
            insertafter: ^password.*requisite.*pam_pwquality\.so
            line: password {{ pam_module_control }} pam_pwhistory.so
          register: result_pam_module_add
          when:
            - result_pam_line_other_control_present.found == 0 or result_pam_line_other_control_present.found > 1

        - name: 'Limit Password Reuse: system-auth - Ensure authselect changes are applied'
          ansible.builtin.command:
            cmd: authselect apply-changes -b
          when:
            - result_authselect_present is defined
            - result_authselect_present.stat.exists
            - "(result_pam_module_add is defined and result_pam_module_add.changed)\n or (result_pam_module_edit is defined and\ \ result_pam_module_edit.changed)"
      when:
        - result_pam_line_present.found is defined
        - result_pam_line_present.found == 0
  when:
    - accounts_password_pam_pwhistory_remember_system_auth | bool
    - configure_strategy | bool
    - low_complexity | bool
    - medium_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - '"kernel-core" in ansible_facts.packages'
    - '"pam" in ansible_facts.packages'
    - '(result_authselect_available_features.stdout is defined and result_authselect_available_features.stdout is not search("with-pwhistory")) or result_authselect_available_features is not defined '
  tags:
    - CCE-89176-2
    - CJIS-5.6.2.1.1
    - NIST-800-171-3.5.8
    - NIST-800-53-IA-5(1)(e)
    - NIST-800-53-IA-5(f)
    - PCI-DSS-Req-8.2.5
    - PCI-DSSv4-8.3
    - PCI-DSSv4-8.3.7
    - accounts_password_pam_pwhistory_remember_system_auth
    - configure_strategy
    - low_complexity
    - medium_disruption
    - medium_severity
    - no_reboot_needed

# Decides which of the two following tasks runs: pwhistory.conf present or not.
- name: 'Limit Password Reuse: system-auth - Check the presence of /etc/security/pwhistory.conf file'
  ansible.builtin.stat:
    path: /etc/security/pwhistory.conf
  register: result_pwhistory_conf_check
  when:
    - accounts_password_pam_pwhistory_remember_system_auth | bool
    - configure_strategy | bool
    - low_complexity | bool
    - medium_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - '"kernel-core" in ansible_facts.packages'
    - '"pam" in ansible_facts.packages'
  tags:
    - CCE-89176-2
    - CJIS-5.6.2.1.1
    - NIST-800-171-3.5.8
    - NIST-800-53-IA-5(1)(e)
    - NIST-800-53-IA-5(f)
    - PCI-DSS-Req-8.2.5
    - PCI-DSSv4-8.3
    - PCI-DSSv4-8.3.7
    - accounts_password_pam_pwhistory_remember_system_auth
    - configure_strategy
    - low_complexity
    - medium_disruption
    - medium_severity
    - no_reboot_needed

# When pwhistory.conf exists, "remember" belongs there and any copy on the
# pam_pwhistory.so line of system-auth is removed (the module task of this
# block continues on the next collapsed line).
- name: 'Limit Password Reuse: system-auth - pam_pwhistory.so parameters are configured in /etc/security/pwhistory.conf file'
  block:
    - name: 'Limit Password Reuse: system-auth - Ensure the pam_pwhistory.so remember parameter in /etc/security/pwhistory.conf'
      ansible.builtin.lineinfile:
        path: /etc/security/pwhistory.conf
        regexp: ^\s*remember\s*=
        line: remember = {{ var_password_pam_remember }}
        state: present

    - name: 'Limit Password Reuse: system-auth - Ensure the pam_pwhistory.so remember parameter is removed from PAM files'
      block:
        - name: 'Limit Password Reuse: system-auth - Check if /etc/pam.d/system-auth file is present'
          ansible.builtin.stat:
            path: /etc/pam.d/system-auth
          register: result_pam_file_present

        - name: 'Limit Password Reuse: system-auth - Check the proper remediation for the system'
          block:
            - name: 'Limit Password Reuse: system-auth - Define the PAM file to be edited as a local fact'
              ansible.builtin.set_fact:
                pam_file_path: /etc/pam.d/system-auth

            - name: 'Limit Password Reuse: system-auth - Check if system relies on authselect tool'
              ansible.builtin.stat:
                path: /usr/bin/authselect
              register: result_authselect_present

            - name: 'Limit Password Reuse: system-auth - Ensure authselect custom profile is used if authselect is present'
              block:
                - name: 'Limit Password Reuse: system-auth - Check integrity of authselect current profile'
                  ansible.builtin.command:
                    cmd: authselect check
                  register: result_authselect_check_cmd
                  changed_when: false
                  check_mode: false
                  failed_when: false

                - name: 'Limit Password Reuse: system-auth - Informative message based on the authselect integrity check result'
# Continuation of the assert task named on the previous collapsed line
# (inside "pam_pwhistory.so parameters are configured in
# /etc/security/pwhistory.conf file" > "... removed from PAM files" >
# "Check the proper remediation for the system" > authselect block).
                  ansible.builtin.assert:
                    that:
                      - ansible_check_mode or result_authselect_check_cmd.rc == 0
                    fail_msg:
                      - authselect integrity check failed. Remediation aborted!
                      - This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
                      - It is not recommended to manually edit the PAM files when authselect tool is available.
                      - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended.
                    success_msg:
                      - authselect integrity check passed

                - name: 'Limit Password Reuse: system-auth - Get authselect current profile'
                  ansible.builtin.shell:
                    cmd: authselect current -r | awk '{ print $1 }'
                  register: result_authselect_profile
                  changed_when: false
                  when:
                    - result_authselect_check_cmd is success

                - name: 'Limit Password Reuse: system-auth - Define the current authselect profile as a local fact'
                  ansible.builtin.set_fact:
                    authselect_current_profile: '{{ result_authselect_profile.stdout }}'
                    authselect_custom_profile: '{{ result_authselect_profile.stdout }}'
                  when:
                    - result_authselect_profile is not skipped
                    - result_authselect_profile.stdout is match("custom/")

                - name: 'Limit Password Reuse: system-auth - Define the new authselect custom profile as a local fact'
                  ansible.builtin.set_fact:
                    authselect_current_profile: '{{ result_authselect_profile.stdout }}'
                    authselect_custom_profile: custom/hardening
                  when:
                    - result_authselect_profile is not skipped
                    - result_authselect_profile.stdout is not match("custom/")

                - name: 'Limit Password Reuse: system-auth - Get authselect current features to also enable them in the custom profile'
                  ansible.builtin.shell:
                    cmd: authselect current | tail -n+3 | awk '{ print $2 }'
                  register: result_authselect_features
                  changed_when: false
                  check_mode: false
                  when:
                    - result_authselect_profile is not skipped
                    - authselect_current_profile is not match("custom/")

                - name: 'Limit Password Reuse: system-auth - Check if any custom profile with the same name was already created'
                  ansible.builtin.stat:
                    path: /etc/authselect/{{ authselect_custom_profile }}
                  register: result_authselect_custom_profile_present
                  changed_when: false
                  when:
                    - result_authselect_profile is not skipped
                    - authselect_current_profile is not match("custom/")

                - name: 'Limit Password Reuse: system-auth - Create an authselect custom profile based on the current profile'
                  ansible.builtin.command:
                    cmd: authselect create-profile hardening -b {{ authselect_current_profile }}
                  when:
                    - result_authselect_profile is not skipped
                    - result_authselect_check_cmd is success
                    - authselect_current_profile is not match("^(custom/|local)")
                    - not result_authselect_custom_profile_present.stat.exists

                - name: 'Limit Password Reuse: system-auth - Create an authselect custom profile based on sssd profile'
                  ansible.builtin.command:
                    cmd: authselect create-profile hardening -b sssd
                  when:
                    - result_authselect_profile is not skipped
                    - result_authselect_check_cmd is success
                    - authselect_current_profile is match("local")
                    - not result_authselect_custom_profile_present.stat.exists

                - name: 'Limit Password Reuse: system-auth - Ensure authselect changes are applied'
                  ansible.builtin.command:
                    cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
                  when:
                    - result_authselect_check_cmd is success
                    - result_authselect_profile is not skipped
                    - authselect_current_profile is not match("custom/")
                    - authselect_custom_profile is not match(authselect_current_profile)

                - name: 'Limit Password Reuse: system-auth - Ensure the authselect custom profile is selected'
                  ansible.builtin.command:
                    cmd: authselect select {{ authselect_custom_profile }}
                  register: result_pam_authselect_select_profile
                  when:
                    - result_authselect_check_cmd is success
                    - result_authselect_profile is not skipped
                    - authselect_current_profile is not match("custom/")
                    - authselect_custom_profile is not match(authselect_current_profile)

                - name: 'Limit Password Reuse: system-auth - Restore the authselect features in the custom profile'
                  ansible.builtin.command:
                    cmd: authselect enable-feature {{ item }}
                  loop: '{{ result_authselect_features.stdout_lines }}'
                  register: result_pam_authselect_restore_features
                  when:
                    - result_authselect_profile is not skipped
                    - result_authselect_features is not skipped
                    - result_pam_authselect_select_profile is not skipped

                - name: 'Limit Password Reuse: system-auth - Ensure authselect changes are applied'
                  ansible.builtin.command:
                    cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
                  when:
                    - result_authselect_check_cmd is success
                    - result_authselect_profile is not skipped
                    - result_pam_authselect_restore_features is not skipped

                - name: 'Limit Password Reuse: system-auth - Change the PAM file to be edited according to the custom authselect profile'
                  ansible.builtin.set_fact:
                    pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path | basename }}
                  when:
                    - authselect_custom_profile is defined
              when:
                - result_authselect_present.stat.exists

            # Empty control: the removal below matches any control keyword.
            - name: 'Limit Password Reuse: system-auth - Define a fact for control already filtered in case filters are used'
              ansible.builtin.set_fact:
                pam_module_control: ''

            # Re-checks the (possibly profile-relative) path and overwrites the
            # earlier result_pam_file_present of the same name.
            - name: 'Limit Password Reuse: system-auth - Check if {{ pam_file_path }} file is present'
              ansible.builtin.stat:
                path: '{{ pam_file_path }}'
              register: result_pam_file_present

            - name: 'Limit Password Reuse: system-auth - Ensure the "remember" option from "pam_pwhistory.so" is not present in {{ pam_file_path }}'
              ansible.builtin.replace:
                dest: '{{ pam_file_path }}'
                regexp: (.*password.*pam_pwhistory.so.*)\bremember\b=?[0-9a-zA-Z]*(.*)
                replace: \1\2
              register: result_pam_option_removal
              when: result_pam_file_present.stat.exists

            - name: 'Limit Password Reuse: system-auth - Ensure authselect changes are applied'
              ansible.builtin.command:
                cmd: authselect apply-changes -b
              when:
                - result_authselect_present.stat.exists
                - result_pam_option_removal is changed
          when:
            - result_pam_file_present.stat.exists
  when:
    - accounts_password_pam_pwhistory_remember_system_auth | bool
    - configure_strategy | bool
    - low_complexity | bool
    - medium_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - '"kernel-core" in ansible_facts.packages'
    - '"pam" in ansible_facts.packages'
    - result_pwhistory_conf_check.stat.exists
  tags:
    - CCE-89176-2
    - CJIS-5.6.2.1.1
    - NIST-800-171-3.5.8
    - NIST-800-53-IA-5(1)(e)
    - NIST-800-53-IA-5(f)
    - PCI-DSS-Req-8.2.5
    - PCI-DSSv4-8.3
    - PCI-DSSv4-8.3.7
    - accounts_password_pam_pwhistory_remember_system_auth
    - configure_strategy
    - low_complexity
    - medium_disruption
    - medium_severity
    - no_reboot_needed

# Head of the last task of this chunk; the rest of it continues on the
# following collapsed lines (beyond this chunk's end).
- name: 'Limit Password Reuse: system-auth - pam_pwhistory.so parameters are configured in PAM files'
  block:
    - name: 'Limit Password Reuse: system-auth - Define the PAM file to be edited as a local fact'
      ansible.builtin.set_fact:
        pam_file_path: /etc/pam.d/system-auth

    - name: 'Limit Password Reuse: system-auth - Check if system relies on authselect tool'
      ansible.builtin.stat:
        path: /usr/bin/authselect
      register: result_authselect_present

    - name: 'Limit Password Reuse: system-auth - Ensure authselect custom profile is used if authselect is present'
      block:
        - name: 'Limit Password Reuse: system-auth - Check integrity of authselect current profile'
          ansible.builtin.command:
            cmd: authselect check
          register: result_authselect_check_cmd
          changed_when: false
          check_mode: false
          failed_when: false

        - name: 'Limit Password Reuse: system-auth - Informative message based on the authselect integrity check result'
          ansible.builtin.assert:
            that:
              - ansible_check_mode or result_authselect_check_cmd.rc == 0
            fail_msg:
              - authselect integrity check failed. Remediation aborted!
              - This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
              - It is not recommended to manually edit the PAM files when authselect tool is available.
- In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended. success_msg: - authselect integrity check passed - name: 'Limit Password Reuse: system-auth - Get authselect current profile' ansible.builtin.shell: cmd: authselect current -r | awk '{ print $1 }' register: result_authselect_profile changed_when: false when: - result_authselect_check_cmd is success - name: 'Limit Password Reuse: system-auth - Define the current authselect profile as a local fact' ansible.builtin.set_fact: authselect_current_profile: '{{ result_authselect_profile.stdout }}' authselect_custom_profile: '{{ result_authselect_profile.stdout }}' when: - result_authselect_profile is not skipped - result_authselect_profile.stdout is match("custom/") - name: 'Limit Password Reuse: system-auth - Define the new authselect custom profile as a local fact' ansible.builtin.set_fact: authselect_current_profile: '{{ result_authselect_profile.stdout }}' authselect_custom_profile: custom/hardening when: - result_authselect_profile is not skipped - result_authselect_profile.stdout is not match("custom/") - name: 'Limit Password Reuse: system-auth - Get authselect current features to also enable them in the custom profile' ansible.builtin.shell: cmd: authselect current | tail -n+3 | awk '{ print $2 }' register: result_authselect_features changed_when: false check_mode: false when: - result_authselect_profile is not skipped - authselect_current_profile is not match("custom/") - name: 'Limit Password Reuse: system-auth - Check if any custom profile with the same name was already created' ansible.builtin.stat: path: /etc/authselect/{{ authselect_custom_profile }} register: result_authselect_custom_profile_present changed_when: false when: - result_authselect_profile is not skipped - authselect_current_profile is not match("custom/") - name: 'Limit Password Reuse: system-auth - Create an authselect custom profile based on the current profile' 
ansible.builtin.command: cmd: authselect create-profile hardening -b {{ authselect_current_profile }} when: - result_authselect_profile is not skipped - result_authselect_check_cmd is success - authselect_current_profile is not match("^(custom/|local)") - not result_authselect_custom_profile_present.stat.exists - name: 'Limit Password Reuse: system-auth - Create an authselect custom profile based on sssd profile' ansible.builtin.command: cmd: authselect create-profile hardening -b sssd when: - result_authselect_profile is not skipped - result_authselect_check_cmd is success - authselect_current_profile is match("local") - not result_authselect_custom_profile_present.stat.exists - name: 'Limit Password Reuse: system-auth - Ensure authselect changes are applied' ansible.builtin.command: cmd: authselect apply-changes -b --backup=before-hardening-custom-profile when: - result_authselect_check_cmd is success - result_authselect_profile is not skipped - authselect_current_profile is not match("custom/") - authselect_custom_profile is not match(authselect_current_profile) - name: 'Limit Password Reuse: system-auth - Ensure the authselect custom profile is selected' ansible.builtin.command: cmd: authselect select {{ authselect_custom_profile }} register: result_pam_authselect_select_profile when: - result_authselect_check_cmd is success - result_authselect_profile is not skipped - authselect_current_profile is not match("custom/") - authselect_custom_profile is not match(authselect_current_profile) - name: 'Limit Password Reuse: system-auth - Restore the authselect features in the custom profile' ansible.builtin.command: cmd: authselect enable-feature {{ item }} loop: '{{ result_authselect_features.stdout_lines }}' register: result_pam_authselect_restore_features when: - result_authselect_profile is not skipped - result_authselect_features is not skipped - result_pam_authselect_select_profile is not skipped - name: 'Limit Password Reuse: system-auth - Ensure authselect 
changes are applied' ansible.builtin.command: cmd: authselect apply-changes -b --backup=after-hardening-custom-profile when: - result_authselect_check_cmd is success - result_authselect_profile is not skipped - result_pam_authselect_restore_features is not skipped - name: 'Limit Password Reuse: system-auth - Change the PAM file to be edited according to the custom authselect profile' ansible.builtin.set_fact: pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path | basename }} when: - authselect_custom_profile is defined when: - result_authselect_present.stat.exists - name: 'Limit Password Reuse: system-auth - Define a fact for control already filtered in case filters are used' ansible.builtin.set_fact: pam_module_control: requisite - name: 'Limit Password Reuse: system-auth - Check if expected PAM module line is present in {{ pam_file_path }}' ansible.builtin.lineinfile: path: '{{ pam_file_path }}' regexp: ^\s*password\s+{{ pam_module_control | regex_escape() }}\s+pam_pwhistory.so\s*.* state: absent check_mode: true changed_when: false register: result_pam_line_present - name: 'Limit Password Reuse: system-auth - Include or update the PAM module line in {{ pam_file_path }}' block: - name: 'Limit Password Reuse: system-auth - Check if required PAM module line is present in {{ pam_file_path }} with different control' ansible.builtin.lineinfile: path: '{{ pam_file_path }}' regexp: ^\s*password\s+.*\s+pam_pwhistory.so\s* state: absent check_mode: true changed_when: false register: result_pam_line_other_control_present - name: 'Limit Password Reuse: system-auth - Ensure the correct control for the required PAM module line in {{ pam_file_path }}' ansible.builtin.replace: dest: '{{ pam_file_path }}' regexp: ^(\s*password\s+).*(\bpam_pwhistory.so.*) replace: \1{{ pam_module_control }} \2 register: result_pam_module_edit when: - result_pam_line_other_control_present.found == 1 - name: 'Limit Password Reuse: system-auth - Ensure the required PAM 
module line is included in {{ pam_file_path }}' ansible.builtin.lineinfile: dest: '{{ pam_file_path }}' line: password {{ pam_module_control }} pam_pwhistory.so register: result_pam_module_add when: - result_pam_line_other_control_present.found == 0 or result_pam_line_other_control_present.found > 1 - name: 'Limit Password Reuse: system-auth - Ensure authselect changes are applied' ansible.builtin.command: cmd: authselect apply-changes -b when: - result_authselect_present is defined - result_authselect_present.stat.exists - "(result_pam_module_add is defined and result_pam_module_add.changed)\n or (result_pam_module_edit is defined and\ \ result_pam_module_edit.changed)" when: - result_pam_line_present.found is defined - result_pam_line_present.found == 0 - name: 'Limit Password Reuse: system-auth - Define a fact for control already filtered in case filters are used' ansible.builtin.set_fact: pam_module_control: requisite - name: 'Limit Password Reuse: system-auth - Check if the required PAM module option is present in {{ pam_file_path }}' ansible.builtin.lineinfile: path: '{{ pam_file_path }}' regexp: ^\s*password\s+{{ pam_module_control | regex_escape() }}\s+pam_pwhistory.so\s*.*\sremember\b state: absent check_mode: true changed_when: false register: result_pam_module_accounts_password_pam_pwhistory_remember_system_auth_option_present - name: 'Limit Password Reuse: system-auth - Ensure the "remember" PAM option for "pam_pwhistory.so" is included in {{ pam_file_path }}' ansible.builtin.lineinfile: path: '{{ pam_file_path }}' backrefs: true regexp: ^(\s*password\s+{{ pam_module_control | regex_escape() }}\s+pam_pwhistory.so.*) line: \1 remember={{ var_password_pam_remember }} state: present register: result_pam_accounts_password_pam_pwhistory_remember_system_auth_add when: - result_pam_module_accounts_password_pam_pwhistory_remember_system_auth_option_present.found is defined - 
result_pam_module_accounts_password_pam_pwhistory_remember_system_auth_option_present.found == 0 - name: 'Limit Password Reuse: system-auth - Ensure the required value for "remember" PAM option from "pam_pwhistory.so" in {{ pam_file_path }}' ansible.builtin.lineinfile: path: '{{ pam_file_path }}' backrefs: true regexp: ^(\s*password\s+{{ pam_module_control | regex_escape() }}\s+pam_pwhistory.so\s+.*)(remember)=[0-9a-zA-Z]*\s*(.*) line: \1\2={{ var_password_pam_remember }} \3 register: result_pam_accounts_password_pam_pwhistory_remember_system_auth_edit when: - result_pam_module_accounts_password_pam_pwhistory_remember_system_auth_option_present.found > 0 - name: 'Limit Password Reuse: system-auth - Ensure authselect changes are applied' ansible.builtin.command: cmd: authselect apply-changes -b when: - result_authselect_present.stat.exists - (result_pam_remember_add is defined and result_pam_remember_add.changed) or (result_pam_remember_edit is defined and result_pam_remember_edit.changed) when: - accounts_password_pam_pwhistory_remember_system_auth | bool - configure_strategy | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - no_reboot_needed | bool - '"kernel-core" in ansible_facts.packages' - '"pam" in ansible_facts.packages' - not result_pwhistory_conf_check.stat.exists tags: - CCE-89176-2 - CJIS-5.6.2.1.1 - NIST-800-171-3.5.8 - NIST-800-53-IA-5(1)(e) - NIST-800-53-IA-5(f) - PCI-DSS-Req-8.2.5 - PCI-DSSv4-8.3 - PCI-DSSv4-8.3.7 - accounts_password_pam_pwhistory_remember_system_auth - configure_strategy - low_complexity - medium_disruption - medium_severity - no_reboot_needed - name: Lock Accounts After Failed Password Attempts - Check if system relies on authselect tool ansible.builtin.stat: path: /usr/bin/authselect register: result_authselect_present when: - DISA_STIG_RHEL_09_411075 | bool - accounts_passwords_pam_faillock_deny | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | 
bool
    - restrict_strategy | bool
    - '"kernel-core" in ansible_facts.packages'
    - '"pam" in ansible_facts.packages'
  tags:
    - CCE-83587-6
    - CJIS-5.5.3
    - DISA-STIG-RHEL-09-411075
    - NIST-800-171-3.1.8
    - NIST-800-53-AC-7(a)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-8.1.6
    - PCI-DSSv4-8.3
    - PCI-DSSv4-8.3.4
    - accounts_passwords_pam_faillock_deny
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

# authselect-managed hosts: turn on the with-faillock feature instead of editing
# /etc/pam.d by hand. `authselect check` gates the whole block so an unselected
# or tampered profile aborts the remediation instead of being overwritten.
- name: Lock Accounts After Failed Password Attempts - Remediation where authselect tool is present
  block:
    - name: Lock Accounts After Failed Password Attempts - Check integrity of authselect current profile
      ansible.builtin.command:
        cmd: authselect check
      # Read-only probe: never reports a change and never fails the play;
      # the return code is evaluated by the assert below.
      register: result_authselect_check_cmd
      changed_when: false
      check_mode: false
      failed_when: false

    - name: Lock Accounts After Failed Password Attempts - Informative message based on the authselect integrity check result
      ansible.builtin.assert:
        that:
          - ansible_check_mode or result_authselect_check_cmd.rc == 0
        fail_msg:
          - authselect integrity check failed. Remediation aborted!
          - This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
          - It is not recommended to manually edit the PAM files when authselect tool is available.
          - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended.
        success_msg:
          - authselect integrity check passed

    - name: Lock Accounts After Failed Password Attempts - Get authselect current features
      ansible.builtin.shell:
        cmd: authselect current | tail -n+3 | awk '{ print $2 }'
      when:
        - result_authselect_check_cmd is success
      register: result_authselect_features
      changed_when: false
      check_mode: false

    - name: Lock Accounts After Failed Password Attempts - Ensure "with-faillock" feature is enabled using authselect tool
      ansible.builtin.command:
        cmd: authselect enable-feature with-faillock
      when:
        - result_authselect_check_cmd is success
        - result_authselect_features.stdout is not search("with-faillock")
      register: result_authselect_enable_feature_cmd

    # Only propagate to /etc/pam.d when the feature was actually enabled here.
    - name: Lock Accounts After Failed Password Attempts - Ensure authselect changes are applied
      ansible.builtin.command:
        cmd: authselect apply-changes -b
      when:
        - result_authselect_enable_feature_cmd is not skipped
        - result_authselect_enable_feature_cmd is success
  when:
    - DISA_STIG_RHEL_09_411075 | bool
    - accounts_passwords_pam_faillock_deny | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - '"kernel-core" in ansible_facts.packages'
    - '"pam" in ansible_facts.packages'
    - result_authselect_present.stat.exists
  tags:
    - CCE-83587-6
    - CJIS-5.5.3
    - DISA-STIG-RHEL-09-411075
    - NIST-800-171-3.1.8
    - NIST-800-53-AC-7(a)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-8.1.6
    - PCI-DSSv4-8.3
    - PCI-DSSv4-8.3.4
    - accounts_passwords_pam_faillock_deny
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

# Hosts without authselect: insert the pam_faillock.so lines directly into the
# auth and account stacks of system-auth and password-auth.
- name: Lock Accounts After Failed Password Attempts - Remediation where authselect tool is not present
  block:
    - name: Lock Accounts After Failed Password Attempts - Check if pam_faillock.so is already enabled
      # check_mode + state: absent makes lineinfile a read-only probe; only
      # the .found counter is consumed below.
      ansible.builtin.lineinfile:
        path: /etc/pam.d/system-auth
        regexp: .*auth.*pam_faillock\.so (preauth|authfail)
        state: absent
      check_mode: true
      changed_when: false
      register: result_pam_faillock_is_enabled

    # NOTE(review): only system-auth is probed above while both files are
    # edited, so a password-auth that already carries pam_faillock.so would
    # receive a second preauth/authfail line.
    - name: Lock Accounts After Failed Password Attempts - Enable pam_faillock.so preauth editing PAM files
      ansible.builtin.lineinfile:
        path: "{{ item }}"
        line: auth required pam_faillock.so preauth
        insertbefore: ^auth.*sufficient.*pam_unix\.so.*
        state: present
      loop: [/etc/pam.d/system-auth, /etc/pam.d/password-auth]
      when:
        - result_pam_faillock_is_enabled.found == 0

    - name: Lock Accounts After Failed Password Attempts - Enable pam_faillock.so authfail editing PAM files
      ansible.builtin.lineinfile:
        path: "{{ item }}"
        line: auth required pam_faillock.so authfail
        insertbefore: ^auth.*required.*pam_deny\.so.*
        state: present
      loop: [/etc/pam.d/system-auth, /etc/pam.d/password-auth]
      when:
        - result_pam_faillock_is_enabled.found == 0

    - name: Lock Accounts After Failed Password Attempts - Enable pam_faillock.so account section editing PAM files
      ansible.builtin.lineinfile:
        path: "{{ item }}"
        line: account required pam_faillock.so
        insertbefore: ^account.*required.*pam_unix\.so.*
        state: present
      loop: [/etc/pam.d/system-auth, /etc/pam.d/password-auth]
      when:
        - result_pam_faillock_is_enabled.found == 0
  when:
    - DISA_STIG_RHEL_09_411075 | bool
    - accounts_passwords_pam_faillock_deny | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - '"kernel-core" in ansible_facts.packages'
    - '"pam" in ansible_facts.packages'
    - not result_authselect_present.stat.exists
  tags:
    - CCE-83587-6
    - CJIS-5.5.3
    - DISA-STIG-RHEL-09-411075
    - NIST-800-171-3.1.8
    - NIST-800-53-AC-7(a)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-8.1.6
    - PCI-DSSv4-8.3
    - PCI-DSSv4-8.3.4
    - accounts_passwords_pam_faillock_deny
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

# Presence of faillock.conf decides which of the two deny= remediations below
# is taken.
- name: Lock Accounts After Failed Password Attempts - Check the presence of /etc/security/faillock.conf file
  ansible.builtin.stat:
    path: /etc/security/faillock.conf
  register: result_faillock_conf_check
  when:
    -
DISA_STIG_RHEL_09_411075 | bool
    - accounts_passwords_pam_faillock_deny | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - '"kernel-core" in ansible_facts.packages'
    - '"pam" in ansible_facts.packages'
  tags:
    - CCE-83587-6
    - CJIS-5.5.3
    - DISA-STIG-RHEL-09-411075
    - NIST-800-171-3.1.8
    - NIST-800-53-AC-7(a)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-8.1.6
    - PCI-DSSv4-8.3
    - PCI-DSSv4-8.3.4
    - accounts_passwords_pam_faillock_deny
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

# When faillock.conf exists the deny value is kept there ...
- name: Lock Accounts After Failed Password Attempts - Ensure the pam_faillock.so deny parameter in /etc/security/faillock.conf
  ansible.builtin.lineinfile:
    path: /etc/security/faillock.conf
    regexp: ^\s*deny\s*=
    line: deny = {{ var_accounts_passwords_pam_faillock_deny }}
    state: present
  when:
    - DISA_STIG_RHEL_09_411075 | bool
    - accounts_passwords_pam_faillock_deny | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - '"kernel-core" in ansible_facts.packages'
    - '"pam" in ansible_facts.packages'
    - result_faillock_conf_check.stat.exists
  tags:
    - CCE-83587-6
    - CJIS-5.5.3
    - DISA-STIG-RHEL-09-411075
    - NIST-800-171-3.1.8
    - NIST-800-53-AC-7(a)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-8.1.6
    - PCI-DSSv4-8.3
    - PCI-DSSv4-8.3.4
    - accounts_passwords_pam_faillock_deny
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

# ... and any deny= left on the pam_faillock.so lines is stripped so the file
# setting is authoritative. Done once for system-auth and once for
# password-auth; on authselect hosts each edit goes through a custom profile.
- name: Lock Accounts After Failed Password Attempts - Ensure the pam_faillock.so deny parameter not in PAM files
  block:
    - name: Lock Accounts After Failed Password Attempts - Check if /etc/pam.d/system-auth file is present
      ansible.builtin.stat:
        path: /etc/pam.d/system-auth
      register: result_pam_file_present

    - name: Lock Accounts After Failed Password Attempts - Check the proper remediation for the system
      block:
        - name: Lock Accounts After Failed Password Attempts - Define the PAM file to be edited as a local fact
          ansible.builtin.set_fact:
            pam_file_path: /etc/pam.d/system-auth

        - name: Lock Accounts After Failed Password Attempts - Check if system relies on authselect tool
          ansible.builtin.stat:
            path: /usr/bin/authselect
          register: result_authselect_present

        - name: Lock Accounts After Failed Password Attempts - Ensure authselect custom profile is used if authselect is present
          block:
            - name: Lock Accounts After Failed Password Attempts - Check integrity of authselect current profile
              ansible.builtin.command:
                cmd: authselect check
              # Read-only probe; the return code is evaluated by the assert below.
              register: result_authselect_check_cmd
              changed_when: false
              check_mode: false
              failed_when: false

            - name: Lock Accounts After Failed Password Attempts - Informative message based on the authselect integrity check result
              ansible.builtin.assert:
                that:
                  - ansible_check_mode or result_authselect_check_cmd.rc == 0
                fail_msg:
                  - authselect integrity check failed. Remediation aborted!
                  - This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
                  - It is not recommended to manually edit the PAM files when authselect tool is available.
                  - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended.
                success_msg:
                  - authselect integrity check passed

            - name: Lock Accounts After Failed Password Attempts - Get authselect current profile
              ansible.builtin.shell:
                cmd: authselect current -r | awk '{ print $1 }'
              when:
                - result_authselect_check_cmd is success
              register: result_authselect_profile
              changed_when: false

            # A profile already under custom/ is edited in place ...
            - name: Lock Accounts After Failed Password Attempts - Define the current authselect profile as a local fact
              ansible.builtin.set_fact:
                authselect_current_profile: "{{ result_authselect_profile.stdout }}"
                authselect_custom_profile: "{{ result_authselect_profile.stdout }}"
              when:
                - result_authselect_profile is not skipped
                - result_authselect_profile.stdout is match("custom/")

            # ... any other profile is cloned into custom/hardening first.
            - name: Lock Accounts After Failed Password Attempts - Define the new authselect custom profile as a local fact
              ansible.builtin.set_fact:
                authselect_current_profile: "{{ result_authselect_profile.stdout }}"
                authselect_custom_profile: custom/hardening
              when:
                - result_authselect_profile is not skipped
                - result_authselect_profile.stdout is not match("custom/")

            - name: Lock Accounts After Failed Password Attempts - Get authselect current features to also enable them in the custom profile
              ansible.builtin.shell:
                cmd: authselect current | tail -n+3 | awk '{ print $2 }'
              when:
                - result_authselect_profile is not skipped
                - authselect_current_profile is not match("custom/")
              register: result_authselect_features
              changed_when: false
              check_mode: false

            - name: Lock Accounts After Failed Password Attempts - Check if any custom profile with the same name was already created
              ansible.builtin.stat:
                path: /etc/authselect/{{ authselect_custom_profile }}
              when:
                - result_authselect_profile is not skipped
                - authselect_current_profile is not match("custom/")
              register: result_authselect_custom_profile_present
              changed_when: false

            - name: Lock Accounts After Failed Password Attempts - Create an authselect custom profile based on the current profile
              ansible.builtin.command:
                cmd: authselect create-profile hardening -b {{ authselect_current_profile }}
              when:
                - result_authselect_profile is not skipped
                - result_authselect_check_cmd is success
                - authselect_current_profile is not match("^(custom/|local)")
                - not result_authselect_custom_profile_present.stat.exists

            # The "local" profile cannot be used as a base; sssd is used instead.
            - name: Lock Accounts After Failed Password Attempts - Create an authselect custom profile based on sssd profile
              ansible.builtin.command:
                cmd: authselect create-profile hardening -b sssd
              when:
                - result_authselect_profile is not skipped
                - result_authselect_check_cmd is success
                - authselect_current_profile is match("local")
                - not result_authselect_custom_profile_present.stat.exists

            - name: Lock Accounts After Failed Password Attempts - Ensure authselect changes are applied
              ansible.builtin.command:
                cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
              when:
                - result_authselect_check_cmd is success
                - result_authselect_profile is not skipped
                - authselect_current_profile is not match("custom/")
                - authselect_custom_profile is not match(authselect_current_profile)

            - name: Lock Accounts After Failed Password Attempts - Ensure the authselect custom profile is selected
              ansible.builtin.command:
                cmd: authselect select {{ authselect_custom_profile }}
              when:
                - result_authselect_check_cmd is success
                - result_authselect_profile is not skipped
                - authselect_current_profile is not match("custom/")
                - authselect_custom_profile is not match(authselect_current_profile)
              register: result_pam_authselect_select_profile

            - name: Lock Accounts After Failed Password Attempts - Restore the authselect features in the custom profile
              ansible.builtin.command:
                cmd: authselect enable-feature {{ item }}
              loop: "{{ result_authselect_features.stdout_lines }}"
              when:
                - result_authselect_profile is not skipped
                - result_authselect_features is not skipped
                - result_pam_authselect_select_profile is not skipped
              register: result_pam_authselect_restore_features

            - name: Lock Accounts After Failed Password Attempts - Ensure authselect changes are applied
              ansible.builtin.command:
                cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
              when:
                - result_authselect_check_cmd is success
                - result_authselect_profile is not skipped
                - result_pam_authselect_restore_features is not skipped

            # From here on the profile template, not /etc/pam.d, is the file edited.
            - name: Lock Accounts After Failed Password Attempts - Change the PAM file to be edited according to the custom authselect profile
              ansible.builtin.set_fact:
                pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path | basename }}
              when:
                - authselect_custom_profile is defined
          when:
            - result_authselect_present.stat.exists

        - name: Lock Accounts After Failed Password Attempts - Define a fact for control already filtered in case filters are used
          ansible.builtin.set_fact:
            pam_module_control: ''

        - name: Lock Accounts After Failed Password Attempts - Check if {{ pam_file_path }} file is present
          ansible.builtin.stat:
            path: "{{ pam_file_path }}"
          register: result_pam_file_present

        - name: Lock Accounts After Failed Password Attempts - Ensure the "deny" option from "pam_faillock.so" is not present in {{ pam_file_path }}
          ansible.builtin.replace:
            dest: "{{ pam_file_path }}"
            regexp: (.*auth.*pam_faillock.so.*)\bdeny\b=?[0-9a-zA-Z]*(.*)
            replace: \1\2
          when: result_pam_file_present.stat.exists
          register: result_pam_option_removal

        - name: Lock Accounts After Failed Password Attempts - Ensure authselect changes are applied
          ansible.builtin.command:
            cmd: authselect apply-changes -b
          when:
            - result_authselect_present.stat.exists
            - result_pam_option_removal is changed
      when:
        - result_pam_file_present.stat.exists

    - name: Lock Accounts After Failed Password Attempts - Check if /etc/pam.d/password-auth file is present
      ansible.builtin.stat:
        path: /etc/pam.d/password-auth
      register: result_pam_file_present

    - name: Lock Accounts After Failed Password Attempts - Check the proper remediation for the system
      block:
        - name: Lock Accounts After Failed Password Attempts - Define the PAM file to be edited as a local fact
          ansible.builtin.set_fact:
            pam_file_path: /etc/pam.d/password-auth

        - name: Lock Accounts After Failed Password Attempts - Check if system relies on authselect tool
          ansible.builtin.stat:
            path: /usr/bin/authselect
          register: result_authselect_present

        - name: Lock Accounts After Failed Password Attempts - Ensure authselect custom profile is used if authselect is present
          block:
            - name: Lock Accounts After Failed Password Attempts - Check integrity of authselect current profile
              ansible.builtin.command:
                cmd: authselect check
              # Read-only probe; the return code is evaluated by the assert below.
              register: result_authselect_check_cmd
              changed_when: false
              check_mode: false
              failed_when: false

            - name: Lock Accounts After Failed Password Attempts - Informative message based on the authselect integrity check result
              ansible.builtin.assert:
                that:
                  - ansible_check_mode or result_authselect_check_cmd.rc == 0
                fail_msg:
                  - authselect integrity check failed. Remediation aborted!
                  - This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
                  - It is not recommended to manually edit the PAM files when authselect tool is available.
                  - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended.
                success_msg:
                  - authselect integrity check passed

            - name: Lock Accounts After Failed Password Attempts - Get authselect current profile
              ansible.builtin.shell:
                cmd: authselect current -r | awk '{ print $1 }'
              when:
                - result_authselect_check_cmd is success
              register: result_authselect_profile
              changed_when: false

            # A profile already under custom/ is edited in place ...
            - name: Lock Accounts After Failed Password Attempts - Define the current authselect profile as a local fact
              ansible.builtin.set_fact:
                authselect_current_profile: "{{ result_authselect_profile.stdout }}"
                authselect_custom_profile: "{{ result_authselect_profile.stdout }}"
              when:
                - result_authselect_profile is not skipped
                - result_authselect_profile.stdout is match("custom/")

            # ... any other profile is cloned into custom/hardening first.
            - name: Lock Accounts After Failed Password Attempts - Define the new authselect custom profile as a local fact
              ansible.builtin.set_fact:
                authselect_current_profile: "{{ result_authselect_profile.stdout }}"
                authselect_custom_profile: custom/hardening
              when:
                - result_authselect_profile is not skipped
                - result_authselect_profile.stdout is not match("custom/")

            - name: Lock Accounts After Failed Password Attempts - Get authselect current features to also enable them in the custom profile
              ansible.builtin.shell:
                cmd: authselect current | tail -n+3 | awk '{ print $2 }'
              when:
                - result_authselect_profile is not skipped
                - authselect_current_profile is not match("custom/")
              register: result_authselect_features
              changed_when: false
              check_mode: false

            - name: Lock Accounts After Failed Password Attempts - Check if any custom profile with the same name was already created
              ansible.builtin.stat:
                path: /etc/authselect/{{ authselect_custom_profile }}
              when:
                - result_authselect_profile is not skipped
                - authselect_current_profile is not match("custom/")
              register: result_authselect_custom_profile_present
              changed_when: false

            - name: Lock Accounts After Failed Password Attempts - Create an authselect custom profile based on the current profile
              ansible.builtin.command:
                cmd: authselect create-profile hardening -b {{ authselect_current_profile }}
              when:
                - result_authselect_profile is not skipped
                - result_authselect_check_cmd is success
                - authselect_current_profile is not match("^(custom/|local)")
                - not result_authselect_custom_profile_present.stat.exists

            # The "local" profile cannot be used as a base; sssd is used instead.
            - name: Lock Accounts After Failed Password Attempts - Create an authselect custom profile based on sssd profile
              ansible.builtin.command:
                cmd: authselect create-profile hardening -b sssd
              when:
                - result_authselect_profile is not skipped
                - result_authselect_check_cmd is success
                - authselect_current_profile is match("local")
                - not result_authselect_custom_profile_present.stat.exists

            - name: Lock Accounts After Failed Password Attempts - Ensure authselect changes are applied
              ansible.builtin.command:
                cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
              when:
                - result_authselect_check_cmd is success
                - result_authselect_profile is not skipped
                - authselect_current_profile is not match("custom/")
                - authselect_custom_profile is not match(authselect_current_profile)

            - name: Lock Accounts After Failed Password Attempts - Ensure the authselect custom profile is selected
              ansible.builtin.command:
                cmd: authselect select {{ authselect_custom_profile }}
              when:
                - result_authselect_check_cmd is success
                - result_authselect_profile is not skipped
                - authselect_current_profile is not match("custom/")
                - authselect_custom_profile is not match(authselect_current_profile)
              register: result_pam_authselect_select_profile

            - name: Lock Accounts After Failed Password Attempts - Restore the authselect features in the custom profile
              ansible.builtin.command:
                cmd: authselect enable-feature {{ item }}
              loop: "{{ result_authselect_features.stdout_lines }}"
              when:
                - result_authselect_profile is not skipped
                - result_authselect_features is not skipped
                - result_pam_authselect_select_profile is not skipped
              register: result_pam_authselect_restore_features

            - name: Lock Accounts After Failed Password Attempts - Ensure authselect changes are applied
              ansible.builtin.command:
                cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
              when:
                - result_authselect_check_cmd is success
                - result_authselect_profile is not skipped
                - result_pam_authselect_restore_features is not skipped

            # From here on the profile template, not /etc/pam.d, is the file edited.
            - name: Lock Accounts After Failed Password Attempts - Change the PAM file to be edited according to the custom authselect profile
              ansible.builtin.set_fact:
                pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path | basename }}
              when:
                - authselect_custom_profile is defined
          when:
            - result_authselect_present.stat.exists

        - name: Lock Accounts After Failed Password Attempts - Define a fact for control already filtered in case filters are used
          ansible.builtin.set_fact:
            pam_module_control: ''

        - name: Lock Accounts After Failed Password Attempts - Check if {{ pam_file_path }} file is present
          ansible.builtin.stat:
            path: "{{ pam_file_path }}"
          register: result_pam_file_present

        - name: Lock Accounts After Failed Password Attempts - Ensure the "deny" option from "pam_faillock.so" is not present in {{ pam_file_path }}
          ansible.builtin.replace:
            dest: "{{ pam_file_path }}"
            regexp: (.*auth.*pam_faillock.so.*)\bdeny\b=?[0-9a-zA-Z]*(.*)
            replace: \1\2
          when: result_pam_file_present.stat.exists
          register: result_pam_option_removal

        - name: Lock Accounts After Failed Password Attempts - Ensure authselect changes are applied
          ansible.builtin.command:
            cmd: authselect apply-changes -b
          when:
            - result_authselect_present.stat.exists
            - result_pam_option_removal is changed
      when:
        - result_pam_file_present.stat.exists
  when:
    - DISA_STIG_RHEL_09_411075 | bool
    - accounts_passwords_pam_faillock_deny | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - '"kernel-core" in ansible_facts.packages'
    - '"pam" in ansible_facts.packages'
    - result_faillock_conf_check.stat.exists
  tags:
    - CCE-83587-6
    - CJIS-5.5.3
    - DISA-STIG-RHEL-09-411075
    - NIST-800-171-3.1.8
    - NIST-800-53-AC-7(a)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-8.1.6
    - PCI-DSSv4-8.3
    - PCI-DSSv4-8.3.4
    - accounts_passwords_pam_faillock_deny
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

# Without faillock.conf the deny value has to live on the pam_faillock.so
# preauth/authfail lines themselves; the control field is forced to "required".
- name: Lock Accounts After Failed Password Attempts - Ensure the pam_faillock.so deny parameter in PAM files
  block:
    - name: Lock Accounts After Failed Password Attempts - Check if pam_faillock.so deny parameter is already enabled in pam files
      # check_mode + state: absent makes lineinfile a read-only probe; only
      # the .found counter is consumed below.
      ansible.builtin.lineinfile:
        path: /etc/pam.d/system-auth
        regexp: .*auth.*pam_faillock\.so (preauth|authfail).*deny
        state: absent
      check_mode: true
      changed_when: false
      register: result_pam_faillock_deny_parameter_is_present

    # NOTE(review): the probe above looks at system-auth only, while the four
    # edits below loop over both files.
    - name: Lock Accounts After Failed Password Attempts - Ensure the inclusion of pam_faillock.so preauth deny parameter in auth section
      ansible.builtin.lineinfile:
        path: "{{ item }}"
        backrefs: true
        regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so preauth.*)
        line: \1required\3 deny={{ var_accounts_passwords_pam_faillock_deny }}
        state: present
      loop: [/etc/pam.d/system-auth, /etc/pam.d/password-auth]
      when:
        - result_pam_faillock_deny_parameter_is_present.found == 0

    - name: Lock Accounts After Failed Password Attempts - Ensure the inclusion of pam_faillock.so authfail deny parameter in auth section
      ansible.builtin.lineinfile:
        path: "{{ item }}"
        backrefs: true
        regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so authfail.*)
        line: \1required\3 deny={{ var_accounts_passwords_pam_faillock_deny }}
        state: present
      loop: [/etc/pam.d/system-auth, /etc/pam.d/password-auth]
      when:
        - result_pam_faillock_deny_parameter_is_present.found == 0

    - name: Lock Accounts After Failed Password Attempts - Ensure the desired value for pam_faillock.so preauth deny parameter in auth section
      ansible.builtin.lineinfile:
        path: "{{ item }}"
        backrefs: true
        regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so preauth.*)(deny)=[0-9]+(.*)
        line: \1required\3\4={{ var_accounts_passwords_pam_faillock_deny }}\5
        state: present
      loop: [/etc/pam.d/system-auth, /etc/pam.d/password-auth]
      when:
        - result_pam_faillock_deny_parameter_is_present.found > 0

    - name: Lock Accounts After Failed Password Attempts - Ensure the desired value for pam_faillock.so authfail deny parameter in auth section
      ansible.builtin.lineinfile:
        path: "{{ item }}"
        backrefs: true
        regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so authfail.*)(deny)=[0-9]+(.*)
        line: \1required\3\4={{ var_accounts_passwords_pam_faillock_deny }}\5
        state: present
      loop: [/etc/pam.d/system-auth, /etc/pam.d/password-auth]
      when:
        - result_pam_faillock_deny_parameter_is_present.found > 0
  when:
    - DISA_STIG_RHEL_09_411075 | bool
    - accounts_passwords_pam_faillock_deny | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - '"kernel-core" in ansible_facts.packages'
    - '"pam" in ansible_facts.packages'
    - not result_faillock_conf_check.stat.exists
  tags:
    - CCE-83587-6
    - CJIS-5.5.3
    - DISA-STIG-RHEL-09-411075
    - NIST-800-171-3.1.8
    - NIST-800-53-AC-7(a)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-8.1.6
    - PCI-DSSv4-8.3
    - PCI-DSSv4-8.3.4
    - accounts_passwords_pam_faillock_deny
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

# deny_root: same authselect / no-authselect split as the deny rule above.
- name: Configure the root Account for Failed Password Attempts - Check if system relies on authselect tool
  ansible.builtin.stat:
    path: /usr/bin/authselect
  register: result_authselect_present
  when:
    - DISA_STIG_RHEL_09_411080 | bool
    - accounts_passwords_pam_faillock_deny_root | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - '"kernel-core" in ansible_facts.packages'
    - '"pam" in ansible_facts.packages'
  tags:
    - CCE-83589-2
    - DISA-STIG-RHEL-09-411080
    - NIST-800-53-AC-7(b)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-IA-5(c)
    - accounts_passwords_pam_faillock_deny_root
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

-
name: Configure the root Account for Failed Password Attempts - Remediation where authselect tool is present block: - name: Configure the root Account for Failed Password Attempts - Check integrity of authselect current profile ansible.builtin.command: cmd: authselect check register: result_authselect_check_cmd changed_when: false check_mode: false failed_when: false - name: Configure the root Account for Failed Password Attempts - Informative message based on the authselect integrity check result ansible.builtin.assert: that: - ansible_check_mode or result_authselect_check_cmd.rc == 0 fail_msg: - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. - It is not recommended to manually edit the PAM files when authselect tool is available. - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended. 
success_msg: - authselect integrity check passed - name: Configure the root Account for Failed Password Attempts - Get authselect current features ansible.builtin.shell: cmd: authselect current | tail -n+3 | awk '{ print $2 }' register: result_authselect_features changed_when: false check_mode: false when: - result_authselect_check_cmd is success - name: Configure the root Account for Failed Password Attempts - Ensure "with-faillock" feature is enabled using authselect tool ansible.builtin.command: cmd: authselect enable-feature with-faillock register: result_authselect_enable_feature_cmd when: - result_authselect_check_cmd is success - result_authselect_features.stdout is not search("with-faillock") - name: Configure the root Account for Failed Password Attempts - Ensure authselect changes are applied ansible.builtin.command: cmd: authselect apply-changes -b when: - result_authselect_enable_feature_cmd is not skipped - result_authselect_enable_feature_cmd is success when: - DISA_STIG_RHEL_09_411080 | bool - accounts_passwords_pam_faillock_deny_root | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"kernel-core" in ansible_facts.packages' - '"pam" in ansible_facts.packages' - result_authselect_present.stat.exists tags: - CCE-83589-2 - DISA-STIG-RHEL-09-411080 - NIST-800-53-AC-7(b) - NIST-800-53-CM-6(a) - NIST-800-53-IA-5(c) - accounts_passwords_pam_faillock_deny_root - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Configure the root Account for Failed Password Attempts - Remediation where authselect tool is not present block: - name: Configure the root Account for Failed Password Attempts - Check if pam_faillock.so is already enabled ansible.builtin.lineinfile: path: /etc/pam.d/system-auth regexp: .*auth.*pam_faillock\.so (preauth|authfail) state: absent check_mode: true changed_when: false register: result_pam_faillock_is_enabled 
- name: Configure the root Account for Failed Password Attempts - Enable pam_faillock.so preauth editing PAM files ansible.builtin.lineinfile: path: '{{ item }}' line: auth required pam_faillock.so preauth insertbefore: ^auth.*sufficient.*pam_unix\.so.* state: present loop: - /etc/pam.d/system-auth - /etc/pam.d/password-auth when: - result_pam_faillock_is_enabled.found == 0 - name: Configure the root Account for Failed Password Attempts - Enable pam_faillock.so authfail editing PAM files ansible.builtin.lineinfile: path: '{{ item }}' line: auth required pam_faillock.so authfail insertbefore: ^auth.*required.*pam_deny\.so.* state: present loop: - /etc/pam.d/system-auth - /etc/pam.d/password-auth when: - result_pam_faillock_is_enabled.found == 0 - name: Configure the root Account for Failed Password Attempts - Enable pam_faillock.so account section editing PAM files ansible.builtin.lineinfile: path: '{{ item }}' line: account required pam_faillock.so insertbefore: ^account.*required.*pam_unix\.so.* state: present loop: - /etc/pam.d/system-auth - /etc/pam.d/password-auth when: - result_pam_faillock_is_enabled.found == 0 when: - DISA_STIG_RHEL_09_411080 | bool - accounts_passwords_pam_faillock_deny_root | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"kernel-core" in ansible_facts.packages' - '"pam" in ansible_facts.packages' - not result_authselect_present.stat.exists tags: - CCE-83589-2 - DISA-STIG-RHEL-09-411080 - NIST-800-53-AC-7(b) - NIST-800-53-CM-6(a) - NIST-800-53-IA-5(c) - accounts_passwords_pam_faillock_deny_root - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Configure the root Account for Failed Password Attempts - Check the presence of /etc/security/faillock.conf file ansible.builtin.stat: path: /etc/security/faillock.conf register: result_faillock_conf_check when: - DISA_STIG_RHEL_09_411080 | bool - 
accounts_passwords_pam_faillock_deny_root | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"kernel-core" in ansible_facts.packages' - '"pam" in ansible_facts.packages' tags: - CCE-83589-2 - DISA-STIG-RHEL-09-411080 - NIST-800-53-AC-7(b) - NIST-800-53-CM-6(a) - NIST-800-53-IA-5(c) - accounts_passwords_pam_faillock_deny_root - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Configure the root Account for Failed Password Attempts - Ensure the pam_faillock.so even_deny_root parameter in /etc/security/faillock.conf ansible.builtin.lineinfile: path: /etc/security/faillock.conf regexp: ^\s*even_deny_root line: even_deny_root state: present when: - DISA_STIG_RHEL_09_411080 | bool - accounts_passwords_pam_faillock_deny_root | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"kernel-core" in ansible_facts.packages' - '"pam" in ansible_facts.packages' - result_faillock_conf_check.stat.exists tags: - CCE-83589-2 - DISA-STIG-RHEL-09-411080 - NIST-800-53-AC-7(b) - NIST-800-53-CM-6(a) - NIST-800-53-IA-5(c) - accounts_passwords_pam_faillock_deny_root - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Configure the root Account for Failed Password Attempts - Ensure the pam_faillock.so even_deny_root parameter not in PAM files block: - name: Configure the root Account for Failed Password Attempts - Check if /etc/pam.d/system-auth file is present ansible.builtin.stat: path: /etc/pam.d/system-auth register: result_pam_file_present - name: Configure the root Account for Failed Password Attempts - Check the proper remediation for the system block: - name: Configure the root Account for Failed Password Attempts - Define the PAM file to be edited as a local fact ansible.builtin.set_fact: pam_file_path: /etc/pam.d/system-auth 
- name: Configure the root Account for Failed Password Attempts - Check if system relies on authselect tool ansible.builtin.stat: path: /usr/bin/authselect register: result_authselect_present - name: Configure the root Account for Failed Password Attempts - Ensure authselect custom profile is used if authselect is present block: - name: Configure the root Account for Failed Password Attempts - Check integrity of authselect current profile ansible.builtin.command: cmd: authselect check register: result_authselect_check_cmd changed_when: false check_mode: false failed_when: false - name: Configure the root Account for Failed Password Attempts - Informative message based on the authselect integrity check result ansible.builtin.assert: that: - ansible_check_mode or result_authselect_check_cmd.rc == 0 fail_msg: - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. - It is not recommended to manually edit the PAM files when authselect tool is available. - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended. 
success_msg: - authselect integrity check passed - name: Configure the root Account for Failed Password Attempts - Get authselect current profile ansible.builtin.shell: cmd: authselect current -r | awk '{ print $1 }' register: result_authselect_profile changed_when: false when: - result_authselect_check_cmd is success - name: Configure the root Account for Failed Password Attempts - Define the current authselect profile as a local fact ansible.builtin.set_fact: authselect_current_profile: '{{ result_authselect_profile.stdout }}' authselect_custom_profile: '{{ result_authselect_profile.stdout }}' when: - result_authselect_profile is not skipped - result_authselect_profile.stdout is match("custom/") - name: Configure the root Account for Failed Password Attempts - Define the new authselect custom profile as a local fact ansible.builtin.set_fact: authselect_current_profile: '{{ result_authselect_profile.stdout }}' authselect_custom_profile: custom/hardening when: - result_authselect_profile is not skipped - result_authselect_profile.stdout is not match("custom/") - name: Configure the root Account for Failed Password Attempts - Get authselect current features to also enable them in the custom profile ansible.builtin.shell: cmd: authselect current | tail -n+3 | awk '{ print $2 }' register: result_authselect_features changed_when: false check_mode: false when: - result_authselect_profile is not skipped - authselect_current_profile is not match("custom/") - name: Configure the root Account for Failed Password Attempts - Check if any custom profile with the same name was already created ansible.builtin.stat: path: /etc/authselect/{{ authselect_custom_profile }} register: result_authselect_custom_profile_present changed_when: false when: - result_authselect_profile is not skipped - authselect_current_profile is not match("custom/") - name: Configure the root Account for Failed Password Attempts - Create an authselect custom profile based on the current profile 
ansible.builtin.command: cmd: authselect create-profile hardening -b {{ authselect_current_profile }} when: - result_authselect_profile is not skipped - result_authselect_check_cmd is success - authselect_current_profile is not match("^(custom/|local)") - not result_authselect_custom_profile_present.stat.exists - name: Configure the root Account for Failed Password Attempts - Create an authselect custom profile based on sssd profile ansible.builtin.command: cmd: authselect create-profile hardening -b sssd when: - result_authselect_profile is not skipped - result_authselect_check_cmd is success - authselect_current_profile is match("local") - not result_authselect_custom_profile_present.stat.exists - name: Configure the root Account for Failed Password Attempts - Ensure authselect changes are applied ansible.builtin.command: cmd: authselect apply-changes -b --backup=before-hardening-custom-profile when: - result_authselect_check_cmd is success - result_authselect_profile is not skipped - authselect_current_profile is not match("custom/") - authselect_custom_profile is not match(authselect_current_profile) - name: Configure the root Account for Failed Password Attempts - Ensure the authselect custom profile is selected ansible.builtin.command: cmd: authselect select {{ authselect_custom_profile }} register: result_pam_authselect_select_profile when: - result_authselect_check_cmd is success - result_authselect_profile is not skipped - authselect_current_profile is not match("custom/") - authselect_custom_profile is not match(authselect_current_profile) - name: Configure the root Account for Failed Password Attempts - Restore the authselect features in the custom profile ansible.builtin.command: cmd: authselect enable-feature {{ item }} loop: '{{ result_authselect_features.stdout_lines }}' register: result_pam_authselect_restore_features when: - result_authselect_profile is not skipped - result_authselect_features is not skipped - result_pam_authselect_select_profile 
is not skipped - name: Configure the root Account for Failed Password Attempts - Ensure authselect changes are applied ansible.builtin.command: cmd: authselect apply-changes -b --backup=after-hardening-custom-profile when: - result_authselect_check_cmd is success - result_authselect_profile is not skipped - result_pam_authselect_restore_features is not skipped - name: Configure the root Account for Failed Password Attempts - Change the PAM file to be edited according to the custom authselect profile ansible.builtin.set_fact: pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path | basename }} when: - authselect_custom_profile is defined when: - result_authselect_present.stat.exists - name: Configure the root Account for Failed Password Attempts - Define a fact for control already filtered in case filters are used ansible.builtin.set_fact: pam_module_control: '' - name: Configure the root Account for Failed Password Attempts - Check if {{ pam_file_path }} file is present ansible.builtin.stat: path: '{{ pam_file_path }}' register: result_pam_file_present - name: Configure the root Account for Failed Password Attempts - Ensure the "even_deny_root" option from "pam_faillock.so" is not present in {{ pam_file_path }} ansible.builtin.replace: dest: '{{ pam_file_path }}' regexp: (.*auth.*pam_faillock.so.*)\beven_deny_root\b=?[0-9a-zA-Z]*(.*) replace: \1\2 register: result_pam_option_removal when: result_pam_file_present.stat.exists - name: Configure the root Account for Failed Password Attempts - Ensure authselect changes are applied ansible.builtin.command: cmd: authselect apply-changes -b when: - result_authselect_present.stat.exists - result_pam_option_removal is changed when: - result_pam_file_present.stat.exists - name: Configure the root Account for Failed Password Attempts - Check if /etc/pam.d/password-auth file is present ansible.builtin.stat: path: /etc/pam.d/password-auth register: result_pam_file_present - name: Configure the root 
Account for Failed Password Attempts - Check the proper remediation for the system block: - name: Configure the root Account for Failed Password Attempts - Define the PAM file to be edited as a local fact ansible.builtin.set_fact: pam_file_path: /etc/pam.d/password-auth - name: Configure the root Account for Failed Password Attempts - Check if system relies on authselect tool ansible.builtin.stat: path: /usr/bin/authselect register: result_authselect_present - name: Configure the root Account for Failed Password Attempts - Ensure authselect custom profile is used if authselect is present block: - name: Configure the root Account for Failed Password Attempts - Check integrity of authselect current profile ansible.builtin.command: cmd: authselect check register: result_authselect_check_cmd changed_when: false check_mode: false failed_when: false - name: Configure the root Account for Failed Password Attempts - Informative message based on the authselect integrity check result ansible.builtin.assert: that: - ansible_check_mode or result_authselect_check_cmd.rc == 0 fail_msg: - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. - It is not recommended to manually edit the PAM files when authselect tool is available. - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended. 
success_msg: - authselect integrity check passed - name: Configure the root Account for Failed Password Attempts - Get authselect current profile ansible.builtin.shell: cmd: authselect current -r | awk '{ print $1 }' register: result_authselect_profile changed_when: false when: - result_authselect_check_cmd is success - name: Configure the root Account for Failed Password Attempts - Define the current authselect profile as a local fact ansible.builtin.set_fact: authselect_current_profile: '{{ result_authselect_profile.stdout }}' authselect_custom_profile: '{{ result_authselect_profile.stdout }}' when: - result_authselect_profile is not skipped - result_authselect_profile.stdout is match("custom/") - name: Configure the root Account for Failed Password Attempts - Define the new authselect custom profile as a local fact ansible.builtin.set_fact: authselect_current_profile: '{{ result_authselect_profile.stdout }}' authselect_custom_profile: custom/hardening when: - result_authselect_profile is not skipped - result_authselect_profile.stdout is not match("custom/") - name: Configure the root Account for Failed Password Attempts - Get authselect current features to also enable them in the custom profile ansible.builtin.shell: cmd: authselect current | tail -n+3 | awk '{ print $2 }' register: result_authselect_features changed_when: false check_mode: false when: - result_authselect_profile is not skipped - authselect_current_profile is not match("custom/") - name: Configure the root Account for Failed Password Attempts - Check if any custom profile with the same name was already created ansible.builtin.stat: path: /etc/authselect/{{ authselect_custom_profile }} register: result_authselect_custom_profile_present changed_when: false when: - result_authselect_profile is not skipped - authselect_current_profile is not match("custom/") - name: Configure the root Account for Failed Password Attempts - Create an authselect custom profile based on the current profile 
ansible.builtin.command: cmd: authselect create-profile hardening -b {{ authselect_current_profile }} when: - result_authselect_profile is not skipped - result_authselect_check_cmd is success - authselect_current_profile is not match("^(custom/|local)") - not result_authselect_custom_profile_present.stat.exists - name: Configure the root Account for Failed Password Attempts - Create an authselect custom profile based on sssd profile ansible.builtin.command: cmd: authselect create-profile hardening -b sssd when: - result_authselect_profile is not skipped - result_authselect_check_cmd is success - authselect_current_profile is match("local") - not result_authselect_custom_profile_present.stat.exists - name: Configure the root Account for Failed Password Attempts - Ensure authselect changes are applied ansible.builtin.command: cmd: authselect apply-changes -b --backup=before-hardening-custom-profile when: - result_authselect_check_cmd is success - result_authselect_profile is not skipped - authselect_current_profile is not match("custom/") - authselect_custom_profile is not match(authselect_current_profile) - name: Configure the root Account for Failed Password Attempts - Ensure the authselect custom profile is selected ansible.builtin.command: cmd: authselect select {{ authselect_custom_profile }} register: result_pam_authselect_select_profile when: - result_authselect_check_cmd is success - result_authselect_profile is not skipped - authselect_current_profile is not match("custom/") - authselect_custom_profile is not match(authselect_current_profile) - name: Configure the root Account for Failed Password Attempts - Restore the authselect features in the custom profile ansible.builtin.command: cmd: authselect enable-feature {{ item }} loop: '{{ result_authselect_features.stdout_lines }}' register: result_pam_authselect_restore_features when: - result_authselect_profile is not skipped - result_authselect_features is not skipped - result_pam_authselect_select_profile 
is not skipped - name: Configure the root Account for Failed Password Attempts - Ensure authselect changes are applied ansible.builtin.command: cmd: authselect apply-changes -b --backup=after-hardening-custom-profile when: - result_authselect_check_cmd is success - result_authselect_profile is not skipped - result_pam_authselect_restore_features is not skipped - name: Configure the root Account for Failed Password Attempts - Change the PAM file to be edited according to the custom authselect profile ansible.builtin.set_fact: pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path | basename }} when: - authselect_custom_profile is defined when: - result_authselect_present.stat.exists - name: Configure the root Account for Failed Password Attempts - Define a fact for control already filtered in case filters are used ansible.builtin.set_fact: pam_module_control: '' - name: Configure the root Account for Failed Password Attempts - Check if {{ pam_file_path }} file is present ansible.builtin.stat: path: '{{ pam_file_path }}' register: result_pam_file_present - name: Configure the root Account for Failed Password Attempts - Ensure the "even_deny_root" option from "pam_faillock.so" is not present in {{ pam_file_path }} ansible.builtin.replace: dest: '{{ pam_file_path }}' regexp: (.*auth.*pam_faillock.so.*)\beven_deny_root\b=?[0-9a-zA-Z]*(.*) replace: \1\2 register: result_pam_option_removal when: result_pam_file_present.stat.exists - name: Configure the root Account for Failed Password Attempts - Ensure authselect changes are applied ansible.builtin.command: cmd: authselect apply-changes -b when: - result_authselect_present.stat.exists - result_pam_option_removal is changed when: - result_pam_file_present.stat.exists when: - DISA_STIG_RHEL_09_411080 | bool - accounts_passwords_pam_faillock_deny_root | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"kernel-core" 
in ansible_facts.packages' - '"pam" in ansible_facts.packages' - result_faillock_conf_check.stat.exists tags: - CCE-83589-2 - DISA-STIG-RHEL-09-411080 - NIST-800-53-AC-7(b) - NIST-800-53-CM-6(a) - NIST-800-53-IA-5(c) - accounts_passwords_pam_faillock_deny_root - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Configure the root Account for Failed Password Attempts - Ensure the pam_faillock.so even_deny_root parameter in PAM files block: - name: Configure the root Account for Failed Password Attempts - Check if pam_faillock.so even_deny_root parameter is already enabled in pam files ansible.builtin.lineinfile: path: /etc/pam.d/system-auth regexp: .*auth.*pam_faillock\.so (preauth|authfail).*even_deny_root state: absent check_mode: true changed_when: false register: result_pam_faillock_even_deny_root_parameter_is_present - name: Configure the root Account for Failed Password Attempts - Ensure the inclusion of pam_faillock.so preauth even_deny_root parameter in auth section ansible.builtin.lineinfile: path: '{{ item }}' backrefs: true regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so preauth.*) line: \1required\3 even_deny_root state: present loop: - /etc/pam.d/system-auth - /etc/pam.d/password-auth when: - result_pam_faillock_even_deny_root_parameter_is_present.found == 0 - name: Configure the root Account for Failed Password Attempts - Ensure the inclusion of pam_faillock.so authfail even_deny_root parameter in auth section ansible.builtin.lineinfile: path: '{{ item }}' backrefs: true regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so authfail.*) line: \1required\3 even_deny_root state: present loop: - /etc/pam.d/system-auth - /etc/pam.d/password-auth when: - result_pam_faillock_even_deny_root_parameter_is_present.found == 0 when: - DISA_STIG_RHEL_09_411080 | bool - accounts_passwords_pam_faillock_deny_root | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - 
restrict_strategy | bool - '"kernel-core" in ansible_facts.packages' - '"pam" in ansible_facts.packages' - not result_faillock_conf_check.stat.exists tags: - CCE-83589-2 - DISA-STIG-RHEL-09-411080 - NIST-800-53-AC-7(b) - NIST-800-53-CM-6(a) - NIST-800-53-IA-5(c) - accounts_passwords_pam_faillock_deny_root - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Set Lockout Time for Failed Password Attempts - Check if system relies on authselect tool ansible.builtin.stat: path: /usr/bin/authselect register: result_authselect_present when: - DISA_STIG_RHEL_09_411090 | bool - accounts_passwords_pam_faillock_unlock_time | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"kernel-core" in ansible_facts.packages' - '"pam" in ansible_facts.packages' tags: - CCE-83588-4 - CJIS-5.5.3 - DISA-STIG-RHEL-09-411090 - NIST-800-171-3.1.8 - NIST-800-53-AC-7(b) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.1.7 - PCI-DSSv4-8.3 - PCI-DSSv4-8.3.4 - accounts_passwords_pam_faillock_unlock_time - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Set Lockout Time for Failed Password Attempts - Remediation where authselect tool is present block: - name: Set Lockout Time for Failed Password Attempts - Check integrity of authselect current profile ansible.builtin.command: cmd: authselect check register: result_authselect_check_cmd changed_when: false check_mode: false failed_when: false - name: Set Lockout Time for Failed Password Attempts - Informative message based on the authselect integrity check result ansible.builtin.assert: that: - ansible_check_mode or result_authselect_check_cmd.rc == 0 fail_msg: - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. 
- It is not recommended to manually edit the PAM files when authselect tool is available. - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended. success_msg: - authselect integrity check passed - name: Set Lockout Time for Failed Password Attempts - Get authselect current features ansible.builtin.shell: cmd: authselect current | tail -n+3 | awk '{ print $2 }' register: result_authselect_features changed_when: false check_mode: false when: - result_authselect_check_cmd is success - name: Set Lockout Time for Failed Password Attempts - Ensure "with-faillock" feature is enabled using authselect tool ansible.builtin.command: cmd: authselect enable-feature with-faillock register: result_authselect_enable_feature_cmd when: - result_authselect_check_cmd is success - result_authselect_features.stdout is not search("with-faillock") - name: Set Lockout Time for Failed Password Attempts - Ensure authselect changes are applied ansible.builtin.command: cmd: authselect apply-changes -b when: - result_authselect_enable_feature_cmd is not skipped - result_authselect_enable_feature_cmd is success when: - DISA_STIG_RHEL_09_411090 | bool - accounts_passwords_pam_faillock_unlock_time | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"kernel-core" in ansible_facts.packages' - '"pam" in ansible_facts.packages' - result_authselect_present.stat.exists tags: - CCE-83588-4 - CJIS-5.5.3 - DISA-STIG-RHEL-09-411090 - NIST-800-171-3.1.8 - NIST-800-53-AC-7(b) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.1.7 - PCI-DSSv4-8.3 - PCI-DSSv4-8.3.4 - accounts_passwords_pam_faillock_unlock_time - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Set Lockout Time for Failed Password Attempts - Remediation where authselect tool is not present block: - name: Set Lockout Time for Failed Password Attempts - Check if 
pam_faillock.so is already enabled ansible.builtin.lineinfile: path: /etc/pam.d/system-auth regexp: .*auth.*pam_faillock\.so (preauth|authfail) state: absent check_mode: true changed_when: false register: result_pam_faillock_is_enabled - name: Set Lockout Time for Failed Password Attempts - Enable pam_faillock.so preauth editing PAM files ansible.builtin.lineinfile: path: '{{ item }}' line: auth required pam_faillock.so preauth insertbefore: ^auth.*sufficient.*pam_unix\.so.* state: present loop: - /etc/pam.d/system-auth - /etc/pam.d/password-auth when: - result_pam_faillock_is_enabled.found == 0 - name: Set Lockout Time for Failed Password Attempts - Enable pam_faillock.so authfail editing PAM files ansible.builtin.lineinfile: path: '{{ item }}' line: auth required pam_faillock.so authfail insertbefore: ^auth.*required.*pam_deny\.so.* state: present loop: - /etc/pam.d/system-auth - /etc/pam.d/password-auth when: - result_pam_faillock_is_enabled.found == 0 - name: Set Lockout Time for Failed Password Attempts - Enable pam_faillock.so account section editing PAM files ansible.builtin.lineinfile: path: '{{ item }}' line: account required pam_faillock.so insertbefore: ^account.*required.*pam_unix\.so.* state: present loop: - /etc/pam.d/system-auth - /etc/pam.d/password-auth when: - result_pam_faillock_is_enabled.found == 0 when: - DISA_STIG_RHEL_09_411090 | bool - accounts_passwords_pam_faillock_unlock_time | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"kernel-core" in ansible_facts.packages' - '"pam" in ansible_facts.packages' - not result_authselect_present.stat.exists tags: - CCE-83588-4 - CJIS-5.5.3 - DISA-STIG-RHEL-09-411090 - NIST-800-171-3.1.8 - NIST-800-53-AC-7(b) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.1.7 - PCI-DSSv4-8.3 - PCI-DSSv4-8.3.4 - accounts_passwords_pam_faillock_unlock_time - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy 
- name: Set Lockout Time for Failed Password Attempts - Check the presence of /etc/security/faillock.conf file ansible.builtin.stat: path: /etc/security/faillock.conf register: result_faillock_conf_check when: - DISA_STIG_RHEL_09_411090 | bool - accounts_passwords_pam_faillock_unlock_time | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"kernel-core" in ansible_facts.packages' - '"pam" in ansible_facts.packages' tags: - CCE-83588-4 - CJIS-5.5.3 - DISA-STIG-RHEL-09-411090 - NIST-800-171-3.1.8 - NIST-800-53-AC-7(b) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.1.7 - PCI-DSSv4-8.3 - PCI-DSSv4-8.3.4 - accounts_passwords_pam_faillock_unlock_time - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Set Lockout Time for Failed Password Attempts - Ensure the pam_faillock.so unlock_time parameter in /etc/security/faillock.conf ansible.builtin.lineinfile: path: /etc/security/faillock.conf regexp: ^\s*unlock_time\s*= line: unlock_time = {{ var_accounts_passwords_pam_faillock_unlock_time }} state: present when: - DISA_STIG_RHEL_09_411090 | bool - accounts_passwords_pam_faillock_unlock_time | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"kernel-core" in ansible_facts.packages' - '"pam" in ansible_facts.packages' - result_faillock_conf_check.stat.exists tags: - CCE-83588-4 - CJIS-5.5.3 - DISA-STIG-RHEL-09-411090 - NIST-800-171-3.1.8 - NIST-800-53-AC-7(b) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.1.7 - PCI-DSSv4-8.3 - PCI-DSSv4-8.3.4 - accounts_passwords_pam_faillock_unlock_time - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Set Lockout Time for Failed Password Attempts - Ensure the pam_faillock.so unlock_time parameter not in PAM files block: - name: Set Lockout Time for Failed Password Attempts - Check if 
/etc/pam.d/system-auth file is present ansible.builtin.stat: path: /etc/pam.d/system-auth register: result_pam_file_present - name: Set Lockout Time for Failed Password Attempts - Check the proper remediation for the system block: - name: Set Lockout Time for Failed Password Attempts - Define the PAM file to be edited as a local fact ansible.builtin.set_fact: pam_file_path: /etc/pam.d/system-auth - name: Set Lockout Time for Failed Password Attempts - Check if system relies on authselect tool ansible.builtin.stat: path: /usr/bin/authselect register: result_authselect_present - name: Set Lockout Time for Failed Password Attempts - Ensure authselect custom profile is used if authselect is present block: - name: Set Lockout Time for Failed Password Attempts - Check integrity of authselect current profile ansible.builtin.command: cmd: authselect check register: result_authselect_check_cmd changed_when: false check_mode: false failed_when: false - name: Set Lockout Time for Failed Password Attempts - Informative message based on the authselect integrity check result ansible.builtin.assert: that: - ansible_check_mode or result_authselect_check_cmd.rc == 0 fail_msg: - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. - It is not recommended to manually edit the PAM files when authselect tool is available. - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended. 
success_msg: - authselect integrity check passed - name: Set Lockout Time for Failed Password Attempts - Get authselect current profile ansible.builtin.shell: cmd: authselect current -r | awk '{ print $1 }' register: result_authselect_profile changed_when: false when: - result_authselect_check_cmd is success - name: Set Lockout Time for Failed Password Attempts - Define the current authselect profile as a local fact ansible.builtin.set_fact: authselect_current_profile: '{{ result_authselect_profile.stdout }}' authselect_custom_profile: '{{ result_authselect_profile.stdout }}' when: - result_authselect_profile is not skipped - result_authselect_profile.stdout is match("custom/") - name: Set Lockout Time for Failed Password Attempts - Define the new authselect custom profile as a local fact ansible.builtin.set_fact: authselect_current_profile: '{{ result_authselect_profile.stdout }}' authselect_custom_profile: custom/hardening when: - result_authselect_profile is not skipped - result_authselect_profile.stdout is not match("custom/") - name: Set Lockout Time for Failed Password Attempts - Get authselect current features to also enable them in the custom profile ansible.builtin.shell: cmd: authselect current | tail -n+3 | awk '{ print $2 }' register: result_authselect_features changed_when: false check_mode: false when: - result_authselect_profile is not skipped - authselect_current_profile is not match("custom/") - name: Set Lockout Time for Failed Password Attempts - Check if any custom profile with the same name was already created ansible.builtin.stat: path: /etc/authselect/{{ authselect_custom_profile }} register: result_authselect_custom_profile_present changed_when: false when: - result_authselect_profile is not skipped - authselect_current_profile is not match("custom/") - name: Set Lockout Time for Failed Password Attempts - Create an authselect custom profile based on the current profile ansible.builtin.command: cmd: authselect create-profile hardening -b {{ 
authselect_current_profile }} when: - result_authselect_profile is not skipped - result_authselect_check_cmd is success - authselect_current_profile is not match("^(custom/|local)") - not result_authselect_custom_profile_present.stat.exists - name: Set Lockout Time for Failed Password Attempts - Create an authselect custom profile based on sssd profile ansible.builtin.command: cmd: authselect create-profile hardening -b sssd when: - result_authselect_profile is not skipped - result_authselect_check_cmd is success - authselect_current_profile is match("local") - not result_authselect_custom_profile_present.stat.exists - name: Set Lockout Time for Failed Password Attempts - Ensure authselect changes are applied ansible.builtin.command: cmd: authselect apply-changes -b --backup=before-hardening-custom-profile when: - result_authselect_check_cmd is success - result_authselect_profile is not skipped - authselect_current_profile is not match("custom/") - authselect_custom_profile is not match(authselect_current_profile) - name: Set Lockout Time for Failed Password Attempts - Ensure the authselect custom profile is selected ansible.builtin.command: cmd: authselect select {{ authselect_custom_profile }} register: result_pam_authselect_select_profile when: - result_authselect_check_cmd is success - result_authselect_profile is not skipped - authselect_current_profile is not match("custom/") - authselect_custom_profile is not match(authselect_current_profile) - name: Set Lockout Time for Failed Password Attempts - Restore the authselect features in the custom profile ansible.builtin.command: cmd: authselect enable-feature {{ item }} loop: '{{ result_authselect_features.stdout_lines }}' register: result_pam_authselect_restore_features when: - result_authselect_profile is not skipped - result_authselect_features is not skipped - result_pam_authselect_select_profile is not skipped - name: Set Lockout Time for Failed Password Attempts - Ensure authselect changes are applied 
ansible.builtin.command: cmd: authselect apply-changes -b --backup=after-hardening-custom-profile when: - result_authselect_check_cmd is success - result_authselect_profile is not skipped - result_pam_authselect_restore_features is not skipped - name: Set Lockout Time for Failed Password Attempts - Change the PAM file to be edited according to the custom authselect profile ansible.builtin.set_fact: pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path | basename }} when: - authselect_custom_profile is defined when: - result_authselect_present.stat.exists - name: Set Lockout Time for Failed Password Attempts - Define a fact for control already filtered in case filters are used ansible.builtin.set_fact: pam_module_control: '' - name: Set Lockout Time for Failed Password Attempts - Check if {{ pam_file_path }} file is present ansible.builtin.stat: path: '{{ pam_file_path }}' register: result_pam_file_present - name: Set Lockout Time for Failed Password Attempts - Ensure the "unlock_time" option from "pam_faillock.so" is not present in {{ pam_file_path }} ansible.builtin.replace: dest: '{{ pam_file_path }}' regexp: (.*auth.*pam_faillock.so.*)\bunlock_time\b=?[0-9a-zA-Z]*(.*) replace: \1\2 register: result_pam_option_removal when: result_pam_file_present.stat.exists - name: Set Lockout Time for Failed Password Attempts - Ensure authselect changes are applied ansible.builtin.command: cmd: authselect apply-changes -b when: - result_authselect_present.stat.exists - result_pam_option_removal is changed when: - result_pam_file_present.stat.exists - name: Set Lockout Time for Failed Password Attempts - Check if /etc/pam.d/password-auth file is present ansible.builtin.stat: path: /etc/pam.d/password-auth register: result_pam_file_present - name: Set Lockout Time for Failed Password Attempts - Check the proper remediation for the system block: - name: Set Lockout Time for Failed Password Attempts - Define the PAM file to be edited as a local fact 
ansible.builtin.set_fact: pam_file_path: /etc/pam.d/password-auth - name: Set Lockout Time for Failed Password Attempts - Check if system relies on authselect tool ansible.builtin.stat: path: /usr/bin/authselect register: result_authselect_present - name: Set Lockout Time for Failed Password Attempts - Ensure authselect custom profile is used if authselect is present block: - name: Set Lockout Time for Failed Password Attempts - Check integrity of authselect current profile ansible.builtin.command: cmd: authselect check register: result_authselect_check_cmd changed_when: false check_mode: false failed_when: false - name: Set Lockout Time for Failed Password Attempts - Informative message based on the authselect integrity check result ansible.builtin.assert: that: - ansible_check_mode or result_authselect_check_cmd.rc == 0 fail_msg: - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. - It is not recommended to manually edit the PAM files when authselect tool is available. - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended. 
success_msg: - authselect integrity check passed - name: Set Lockout Time for Failed Password Attempts - Get authselect current profile ansible.builtin.shell: cmd: authselect current -r | awk '{ print $1 }' register: result_authselect_profile changed_when: false when: - result_authselect_check_cmd is success - name: Set Lockout Time for Failed Password Attempts - Define the current authselect profile as a local fact ansible.builtin.set_fact: authselect_current_profile: '{{ result_authselect_profile.stdout }}' authselect_custom_profile: '{{ result_authselect_profile.stdout }}' when: - result_authselect_profile is not skipped - result_authselect_profile.stdout is match("custom/") - name: Set Lockout Time for Failed Password Attempts - Define the new authselect custom profile as a local fact ansible.builtin.set_fact: authselect_current_profile: '{{ result_authselect_profile.stdout }}' authselect_custom_profile: custom/hardening when: - result_authselect_profile is not skipped - result_authselect_profile.stdout is not match("custom/") - name: Set Lockout Time for Failed Password Attempts - Get authselect current features to also enable them in the custom profile ansible.builtin.shell: cmd: authselect current | tail -n+3 | awk '{ print $2 }' register: result_authselect_features changed_when: false check_mode: false when: - result_authselect_profile is not skipped - authselect_current_profile is not match("custom/") - name: Set Lockout Time for Failed Password Attempts - Check if any custom profile with the same name was already created ansible.builtin.stat: path: /etc/authselect/{{ authselect_custom_profile }} register: result_authselect_custom_profile_present changed_when: false when: - result_authselect_profile is not skipped - authselect_current_profile is not match("custom/") - name: Set Lockout Time for Failed Password Attempts - Create an authselect custom profile based on the current profile ansible.builtin.command: cmd: authselect create-profile hardening -b {{ 
authselect_current_profile }} when: - result_authselect_profile is not skipped - result_authselect_check_cmd is success - authselect_current_profile is not match("^(custom/|local)") - not result_authselect_custom_profile_present.stat.exists - name: Set Lockout Time for Failed Password Attempts - Create an authselect custom profile based on sssd profile ansible.builtin.command: cmd: authselect create-profile hardening -b sssd when: - result_authselect_profile is not skipped - result_authselect_check_cmd is success - authselect_current_profile is match("local") - not result_authselect_custom_profile_present.stat.exists - name: Set Lockout Time for Failed Password Attempts - Ensure authselect changes are applied ansible.builtin.command: cmd: authselect apply-changes -b --backup=before-hardening-custom-profile when: - result_authselect_check_cmd is success - result_authselect_profile is not skipped - authselect_current_profile is not match("custom/") - authselect_custom_profile is not match(authselect_current_profile) - name: Set Lockout Time for Failed Password Attempts - Ensure the authselect custom profile is selected ansible.builtin.command: cmd: authselect select {{ authselect_custom_profile }} register: result_pam_authselect_select_profile when: - result_authselect_check_cmd is success - result_authselect_profile is not skipped - authselect_current_profile is not match("custom/") - authselect_custom_profile is not match(authselect_current_profile) - name: Set Lockout Time for Failed Password Attempts - Restore the authselect features in the custom profile ansible.builtin.command: cmd: authselect enable-feature {{ item }} loop: '{{ result_authselect_features.stdout_lines }}' register: result_pam_authselect_restore_features when: - result_authselect_profile is not skipped - result_authselect_features is not skipped - result_pam_authselect_select_profile is not skipped - name: Set Lockout Time for Failed Password Attempts - Ensure authselect changes are applied 
ansible.builtin.command: cmd: authselect apply-changes -b --backup=after-hardening-custom-profile when: - result_authselect_check_cmd is success - result_authselect_profile is not skipped - result_pam_authselect_restore_features is not skipped - name: Set Lockout Time for Failed Password Attempts - Change the PAM file to be edited according to the custom authselect profile ansible.builtin.set_fact: pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path | basename }} when: - authselect_custom_profile is defined when: - result_authselect_present.stat.exists - name: Set Lockout Time for Failed Password Attempts - Define a fact for control already filtered in case filters are used ansible.builtin.set_fact: pam_module_control: '' - name: Set Lockout Time for Failed Password Attempts - Check if {{ pam_file_path }} file is present ansible.builtin.stat: path: '{{ pam_file_path }}' register: result_pam_file_present - name: Set Lockout Time for Failed Password Attempts - Ensure the "unlock_time" option from "pam_faillock.so" is not present in {{ pam_file_path }} ansible.builtin.replace: dest: '{{ pam_file_path }}' regexp: (.*auth.*pam_faillock.so.*)\bunlock_time\b=?[0-9a-zA-Z]*(.*) replace: \1\2 register: result_pam_option_removal when: result_pam_file_present.stat.exists - name: Set Lockout Time for Failed Password Attempts - Ensure authselect changes are applied ansible.builtin.command: cmd: authselect apply-changes -b when: - result_authselect_present.stat.exists - result_pam_option_removal is changed when: - result_pam_file_present.stat.exists when: - DISA_STIG_RHEL_09_411090 | bool - accounts_passwords_pam_faillock_unlock_time | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"kernel-core" in ansible_facts.packages' - '"pam" in ansible_facts.packages' - result_faillock_conf_check.stat.exists tags: - CCE-83588-4 - CJIS-5.5.3 - DISA-STIG-RHEL-09-411090 - 
NIST-800-171-3.1.8 - NIST-800-53-AC-7(b) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.1.7 - PCI-DSSv4-8.3 - PCI-DSSv4-8.3.4 - accounts_passwords_pam_faillock_unlock_time - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Set Lockout Time for Failed Password Attempts - Ensure the pam_faillock.so unlock_time parameter in PAM files block: - name: Set Lockout Time for Failed Password Attempts - Check if pam_faillock.so unlock_time parameter is already enabled in pam files ansible.builtin.lineinfile: path: /etc/pam.d/system-auth regexp: .*auth.*pam_faillock\.so (preauth|authfail).*unlock_time state: absent check_mode: true changed_when: false register: result_pam_faillock_unlock_time_parameter_is_present - name: Set Lockout Time for Failed Password Attempts - Ensure the inclusion of pam_faillock.so preauth unlock_time parameter in auth section ansible.builtin.lineinfile: path: '{{ item }}' backrefs: true regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so preauth.*) line: \1required\3 unlock_time={{ var_accounts_passwords_pam_faillock_unlock_time }} state: present loop: - /etc/pam.d/system-auth - /etc/pam.d/password-auth when: - result_pam_faillock_unlock_time_parameter_is_present.found == 0 - name: Set Lockout Time for Failed Password Attempts - Ensure the inclusion of pam_faillock.so authfail unlock_time parameter in auth section ansible.builtin.lineinfile: path: '{{ item }}' backrefs: true regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so authfail.*) line: \1required\3 unlock_time={{ var_accounts_passwords_pam_faillock_unlock_time }} state: present loop: - /etc/pam.d/system-auth - /etc/pam.d/password-auth when: - result_pam_faillock_unlock_time_parameter_is_present.found == 0 - name: Set Lockout Time for Failed Password Attempts - Ensure the desired value for pam_faillock.so preauth unlock_time parameter in auth section ansible.builtin.lineinfile: path: '{{ item }}' backrefs: true regexp: 
(^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so preauth.*)(unlock_time)=[0-9]+(.*) line: \1required\3\4={{ var_accounts_passwords_pam_faillock_unlock_time }}\5 state: present loop: - /etc/pam.d/system-auth - /etc/pam.d/password-auth when: - result_pam_faillock_unlock_time_parameter_is_present.found > 0 - name: Set Lockout Time for Failed Password Attempts - Ensure the desired value for pam_faillock.so authfail unlock_time parameter in auth section ansible.builtin.lineinfile: path: '{{ item }}' backrefs: true regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so authfail.*)(unlock_time)=[0-9]+(.*) line: \1required\3\4={{ var_accounts_passwords_pam_faillock_unlock_time }}\5 state: present loop: - /etc/pam.d/system-auth - /etc/pam.d/password-auth when: - result_pam_faillock_unlock_time_parameter_is_present.found > 0 when: - DISA_STIG_RHEL_09_411090 | bool - accounts_passwords_pam_faillock_unlock_time | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"kernel-core" in ansible_facts.packages' - '"pam" in ansible_facts.packages' - not result_faillock_conf_check.stat.exists tags: - CCE-83588-4 - CJIS-5.5.3 - DISA-STIG-RHEL-09-411090 - NIST-800-171-3.1.8 - NIST-800-53-AC-7(b) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.1.7 - PCI-DSSv4-8.3 - PCI-DSSv4-8.3.4 - accounts_passwords_pam_faillock_unlock_time - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Ensure PAM Enforces Password Requirements - Prevent the Use of Dictionary Words - Find pwquality.conf.d files ansible.builtin.find: paths: /etc/security/pwquality.conf.d/ patterns: '*.conf' register: pwquality_conf_d_files when: - DISA_STIG_RHEL_09_611105 | bool - accounts_password_pam_dictcheck | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"kernel-core" in ansible_facts.packages' - '"libpwquality" in 
ansible_facts.packages' tags: - CCE-88413-0 - DISA-STIG-RHEL-09-611105 - NIST-800-53-CM-6(a) - NIST-800-53-IA-5(1)(a) - NIST-800-53-IA-5(4) - NIST-800-53-IA-5(c) - accounts_password_pam_dictcheck - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Ensure PAM Enforces Password Requirements - Prevent the Use of Dictionary Words - Ensure dictcheck is not set in pwquality.conf.d ansible.builtin.lineinfile: path: '{{ item.path }}' regexp: ^\s*\bdictcheck\b.* state: absent with_items: '{{ pwquality_conf_d_files.files }}' when: - DISA_STIG_RHEL_09_611105 | bool - accounts_password_pam_dictcheck | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"kernel-core" in ansible_facts.packages' - '"libpwquality" in ansible_facts.packages' tags: - CCE-88413-0 - DISA-STIG-RHEL-09-611105 - NIST-800-53-CM-6(a) - NIST-800-53-IA-5(1)(a) - NIST-800-53-IA-5(4) - NIST-800-53-IA-5(c) - accounts_password_pam_dictcheck - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Ensure PAM Enforces Password Requirements - Prevent the Use of Dictionary Words - Ensure PAM variable dictcheck is set accordingly ansible.builtin.lineinfile: create: true dest: /etc/security/pwquality.conf regexp: ^#?\s*dictcheck line: dictcheck = {{ var_password_pam_dictcheck }} when: - DISA_STIG_RHEL_09_611105 | bool - accounts_password_pam_dictcheck | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"kernel-core" in ansible_facts.packages' - '"libpwquality" in ansible_facts.packages' tags: - CCE-88413-0 - DISA-STIG-RHEL-09-611105 - NIST-800-53-CM-6(a) - NIST-800-53-IA-5(1)(a) - NIST-800-53-IA-5(4) - NIST-800-53-IA-5(c) - accounts_password_pam_dictcheck - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Ensure PAM 
Enforces Password Requirements - Minimum Different Characters - Find pwquality.conf.d files ansible.builtin.find: paths: /etc/security/pwquality.conf.d/ patterns: '*.conf' register: pwquality_conf_d_files when: - DISA_STIG_RHEL_09_611115 | bool - accounts_password_pam_difok | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"kernel-core" in ansible_facts.packages' - '"libpwquality" in ansible_facts.packages' tags: - CCE-83564-5 - CJIS-5.6.2.1.1 - DISA-STIG-RHEL-09-611115 - NIST-800-53-CM-6(a) - NIST-800-53-IA-5(1)(b) - NIST-800-53-IA-5(4) - NIST-800-53-IA-5(c) - accounts_password_pam_difok - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Ensure PAM Enforces Password Requirements - Minimum Different Characters - Ensure difok is not set in pwquality.conf.d ansible.builtin.lineinfile: path: '{{ item.path }}' regexp: ^\s*\bdifok\b.* state: absent with_items: '{{ pwquality_conf_d_files.files }}' when: - DISA_STIG_RHEL_09_611115 | bool - accounts_password_pam_difok | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"kernel-core" in ansible_facts.packages' - '"libpwquality" in ansible_facts.packages' tags: - CCE-83564-5 - CJIS-5.6.2.1.1 - DISA-STIG-RHEL-09-611115 - NIST-800-53-CM-6(a) - NIST-800-53-IA-5(1)(b) - NIST-800-53-IA-5(4) - NIST-800-53-IA-5(c) - accounts_password_pam_difok - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Ensure PAM Enforces Password Requirements - Minimum Different Characters - Ensure PAM variable difok is set accordingly ansible.builtin.lineinfile: create: true dest: /etc/security/pwquality.conf regexp: ^#?\s*difok line: difok = {{ var_password_pam_difok }} when: - DISA_STIG_RHEL_09_611115 | bool - accounts_password_pam_difok | bool - low_complexity | bool - low_disruption | bool 
- medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"kernel-core" in ansible_facts.packages' - '"libpwquality" in ansible_facts.packages' tags: - CCE-83564-5 - CJIS-5.6.2.1.1 - DISA-STIG-RHEL-09-611115 - NIST-800-53-CM-6(a) - NIST-800-53-IA-5(1)(b) - NIST-800-53-IA-5(4) - NIST-800-53-IA-5(c) - accounts_password_pam_difok - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Ensure PAM Enforces Password Requirements - Enforce for root User ansible.builtin.lineinfile: path: /etc/security/pwquality.conf create: true regexp: '' line: enforce_for_root state: present when: - DISA_STIG_RHEL_09_611060 | bool - accounts_password_pam_enforce_root | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"kernel-core" in ansible_facts.packages' - '"libpwquality" in ansible_facts.packages' tags: - CCE-86356-3 - DISA-STIG-RHEL-09-611060 - NIST-800-53-CM-6(a) - NIST-800-53-IA-5(1)(a) - NIST-800-53-IA-5(4) - NIST-800-53-IA-5(c) - accounts_password_pam_enforce_root - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Set Password Maximum Consecutive Repeating Characters - Find pwquality.conf.d files ansible.builtin.find: paths: /etc/security/pwquality.conf.d/ patterns: '*.conf' register: pwquality_conf_d_files when: - DISA_STIG_RHEL_09_611125 | bool - accounts_password_pam_maxrepeat | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"kernel-core" in ansible_facts.packages' - '"libpwquality" in ansible_facts.packages' tags: - CCE-83567-8 - DISA-STIG-RHEL-09-611125 - NIST-800-53-CM-6(a) - NIST-800-53-IA-5(4) - NIST-800-53-IA-5(c) - accounts_password_pam_maxrepeat - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Set Password Maximum Consecutive Repeating 
Characters - Ensure maxrepeat is not set in pwquality.conf.d ansible.builtin.lineinfile: path: '{{ item.path }}' regexp: ^\s*\bmaxrepeat\b.* state: absent with_items: '{{ pwquality_conf_d_files.files }}' when: - DISA_STIG_RHEL_09_611125 | bool - accounts_password_pam_maxrepeat | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"kernel-core" in ansible_facts.packages' - '"libpwquality" in ansible_facts.packages' tags: - CCE-83567-8 - DISA-STIG-RHEL-09-611125 - NIST-800-53-CM-6(a) - NIST-800-53-IA-5(4) - NIST-800-53-IA-5(c) - accounts_password_pam_maxrepeat - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Set Password Maximum Consecutive Repeating Characters - Ensure PAM variable maxrepeat is set accordingly ansible.builtin.lineinfile: create: true dest: /etc/security/pwquality.conf regexp: ^#?\s*maxrepeat line: maxrepeat = {{ var_password_pam_maxrepeat }} when: - DISA_STIG_RHEL_09_611125 | bool - accounts_password_pam_maxrepeat | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"kernel-core" in ansible_facts.packages' - '"libpwquality" in ansible_facts.packages' tags: - CCE-83567-8 - DISA-STIG-RHEL-09-611125 - NIST-800-53-CM-6(a) - NIST-800-53-IA-5(4) - NIST-800-53-IA-5(c) - accounts_password_pam_maxrepeat - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Limit the maximum number of sequential characters in passwords - Find pwquality.conf.d files ansible.builtin.find: paths: /etc/security/pwquality.conf.d/ patterns: '*.conf' register: pwquality_conf_d_files when: - accounts_password_pam_maxsequence | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"kernel-core" in ansible_facts.packages' - '"libpwquality" in 
ansible_facts.packages' tags: - CCE-86444-7 - accounts_password_pam_maxsequence - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Limit the maximum number of sequential characters in passwords - Ensure maxsequence is not set in pwquality.conf.d ansible.builtin.lineinfile: path: '{{ item.path }}' regexp: ^\s*\bmaxsequence\b.* state: absent with_items: '{{ pwquality_conf_d_files.files }}' when: - accounts_password_pam_maxsequence | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"kernel-core" in ansible_facts.packages' - '"libpwquality" in ansible_facts.packages' tags: - CCE-86444-7 - accounts_password_pam_maxsequence - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Limit the maximum number of sequential characters in passwords - Ensure PAM variable maxsequence is set accordingly ansible.builtin.lineinfile: create: true dest: /etc/security/pwquality.conf regexp: ^#?\s*maxsequence line: maxsequence = {{ var_password_pam_maxsequence }} when: - accounts_password_pam_maxsequence | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"kernel-core" in ansible_facts.packages' - '"libpwquality" in ansible_facts.packages' tags: - CCE-86444-7 - accounts_password_pam_maxsequence - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Ensure PAM Enforces Password Requirements - Minimum Different Categories - Find pwquality.conf.d files ansible.builtin.find: paths: /etc/security/pwquality.conf.d/ patterns: '*.conf' register: pwquality_conf_d_files when: - DISA_STIG_RHEL_09_611130 | bool - accounts_password_pam_minclass | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"kernel-core" in 
ansible_facts.packages' - '"libpwquality" in ansible_facts.packages' tags: - CCE-83563-7 - DISA-STIG-RHEL-09-611130 - NIST-800-53-CM-6(a) - NIST-800-53-IA-5(1)(a) - NIST-800-53-IA-5(4) - NIST-800-53-IA-5(c) - accounts_password_pam_minclass - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Ensure PAM Enforces Password Requirements - Minimum Different Categories - Ensure minclass is not set in pwquality.conf.d ansible.builtin.lineinfile: path: '{{ item.path }}' regexp: ^\s*\bminclass\b.* state: absent with_items: '{{ pwquality_conf_d_files.files }}' when: - DISA_STIG_RHEL_09_611130 | bool - accounts_password_pam_minclass | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"kernel-core" in ansible_facts.packages' - '"libpwquality" in ansible_facts.packages' tags: - CCE-83563-7 - DISA-STIG-RHEL-09-611130 - NIST-800-53-CM-6(a) - NIST-800-53-IA-5(1)(a) - NIST-800-53-IA-5(4) - NIST-800-53-IA-5(c) - accounts_password_pam_minclass - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Ensure PAM Enforces Password Requirements - Minimum Different Categories - Ensure PAM variable minclass is set accordingly ansible.builtin.lineinfile: create: true dest: /etc/security/pwquality.conf regexp: ^#?\s*minclass line: minclass = {{ var_password_pam_minclass }} when: - DISA_STIG_RHEL_09_611130 | bool - accounts_password_pam_minclass | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"kernel-core" in ansible_facts.packages' - '"libpwquality" in ansible_facts.packages' tags: - CCE-83563-7 - DISA-STIG-RHEL-09-611130 - NIST-800-53-CM-6(a) - NIST-800-53-IA-5(1)(a) - NIST-800-53-IA-5(4) - NIST-800-53-IA-5(c) - accounts_password_pam_minclass - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - 
# --- accounts_password_pam_minlen ---------------------------------------------
# minlen is enforced from /etc/security/pwquality.conf only: any minlen line in a
# /etc/security/pwquality.conf.d/*.conf drop-in is removed first so a drop-in
# cannot override the value written below.
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Find pwquality.conf.d files
  ansible.builtin.find:
    paths: /etc/security/pwquality.conf.d/
    patterns: '*.conf'
  register: pwquality_conf_d_files
  when:
    - DISA_STIG_RHEL_09_611090 | bool
    - accounts_password_pam_minlen | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - '"kernel-core" in ansible_facts.packages'
    - '"libpwquality" in ansible_facts.packages'
  tags:
    - CCE-83579-3
    - CJIS-5.6.2.1.1
    - DISA-STIG-RHEL-09-611090
    - NIST-800-53-CM-6(a)
    - NIST-800-53-IA-5(1)(a)
    - NIST-800-53-IA-5(4)
    - NIST-800-53-IA-5(c)
    - PCI-DSS-Req-8.2.3
    - PCI-DSSv4-8.3
    - PCI-DSSv4-8.3.6
    - accounts_password_pam_minlen
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Ensure PAM Enforces Password Requirements - Minimum Length - Ensure minlen is not set in pwquality.conf.d
  ansible.builtin.lineinfile:
    path: '{{ item.path }}'
    regexp: ^\s*\bminlen\b.*
    state: absent
  # Loops over the find() result of the previous task; both tasks share the same
  # when-list, so the loop source is only consulted when that task actually ran.
  with_items: '{{ pwquality_conf_d_files.files }}'
  when:
    - DISA_STIG_RHEL_09_611090 | bool
    - accounts_password_pam_minlen | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - '"kernel-core" in ansible_facts.packages'
    - '"libpwquality" in ansible_facts.packages'
  tags:
    - CCE-83579-3
    - CJIS-5.6.2.1.1
    - DISA-STIG-RHEL-09-611090
    - NIST-800-53-CM-6(a)
    - NIST-800-53-IA-5(1)(a)
    - NIST-800-53-IA-5(4)
    - NIST-800-53-IA-5(c)
    - PCI-DSS-Req-8.2.3
    - PCI-DSSv4-8.3
    - PCI-DSSv4-8.3.6
    - accounts_password_pam_minlen
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Ensure PAM Enforces Password Requirements - Minimum Length - Ensure PAM variable minlen is set accordingly
  ansible.builtin.lineinfile:
    create: true
    dest: /etc/security/pwquality.conf
    # Matches both an active and a commented-out minlen line, so the setting is
    # replaced in place instead of being duplicated.
    regexp: ^#?\s*minlen
    line: minlen = {{ var_password_pam_minlen }}
  when:
    - DISA_STIG_RHEL_09_611090 | bool
    - accounts_password_pam_minlen | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - '"kernel-core" in ansible_facts.packages'
    - '"libpwquality" in ansible_facts.packages'
  tags:
    - CCE-83579-3
    - CJIS-5.6.2.1.1
    - DISA-STIG-RHEL-09-611090
    - NIST-800-53-CM-6(a)
    - NIST-800-53-IA-5(1)(a)
    - NIST-800-53-IA-5(4)
    - NIST-800-53-IA-5(c)
    - PCI-DSS-Req-8.2.3
    - PCI-DSSv4-8.3
    - PCI-DSSv4-8.3.6
    - accounts_password_pam_minlen
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

# --- set_password_hashing_algorithm_libuserconf --------------------------------
# libuser keeps its own crypt_style setting, independent of PAM and login.defs.
- name: Set Password Hashing Algorithm in /etc/libuser.conf - Set Password Hashing Algorithm in /etc/libuser.conf
  ansible.builtin.lineinfile:
    dest: /etc/libuser.conf
    # A freshly added line lands in the [defaults] section, where libuser reads it.
    insertafter: ^\s*\[defaults]
    regexp: ^#?crypt_style
    line: crypt_style = {{ var_password_hashing_algorithm_pam }}
    state: present
    create: true
  when:
    - DISA_STIG_RHEL_09_611135 | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - set_password_hashing_algorithm_libuserconf | bool
    - '"kernel-core" in ansible_facts.packages'
    - '"libuser" in ansible_facts.packages'
  tags:
    - CCE-88865-1
    - CJIS-5.6.2.2
    - DISA-STIG-RHEL-09-611135
    - NIST-800-171-3.13.11
    - NIST-800-53-CM-6(a)
    - NIST-800-53-IA-5(1)(c)
    - NIST-800-53-IA-5(c)
    - PCI-DSS-Req-8.2.1
    - PCI-DSSv4-8.3
    - PCI-DSSv4-8.3.2
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
    - set_password_hashing_algorithm_libuserconf

# --- set_password_hashing_algorithm_logindefs ----------------------------------
- name: Set Password Hashing Algorithm in /etc/login.defs
  ansible.builtin.lineinfile:
    dest: /etc/login.defs
    regexp: ^#?ENCRYPT_METHOD
    # var_password_hashing_algorithm may carry several '|'-separated alternatives;
    # login.defs accepts a single method, so only the first one is written.
    line: ENCRYPT_METHOD {{ var_password_hashing_algorithm.split('|')[0] }}
    state: present
    create: true
  when:
    - DISA_STIG_RHEL_09_611140 | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - set_password_hashing_algorithm_logindefs | bool
    - '"kernel-core" in ansible_facts.packages'
    - '"shadow-utils" in ansible_facts.packages'
  tags:
    - CCE-90590-1
    - CJIS-5.6.2.2
    - DISA-STIG-RHEL-09-611140
    - NIST-800-171-3.13.11
    - NIST-800-53-CM-6(a)
    - NIST-800-53-IA-5(1)(c)
    - NIST-800-53-IA-5(c)
    - PCI-DSS-Req-8.2.1
    - PCI-DSSv4-8.3
    - PCI-DSSv4-8.3.2
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
    - set_password_hashing_algorithm_logindefs

# --- set_password_hashing_algorithm_passwordauth -------------------------------
# Part 1: make sure the "password sufficient pam_unix.so" line exists in
# /etc/pam.d/password-auth and carries the configured hashing option.
- name: Set PAM's Password Hashing Algorithm - password-auth - Check if /etc/pam.d/password-auth file is present
  ansible.builtin.stat:
    path: /etc/pam.d/password-auth
  register: result_pam_file_present
  when:
    - DISA_STIG_RHEL_09_671025 | bool
    - configure_strategy | bool
    - low_complexity | bool
    - medium_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - set_password_hashing_algorithm_passwordauth | bool
    - '"kernel-core" in ansible_facts.packages'
    - '"pam" in ansible_facts.packages'
  tags:
    - CCE-85946-2
    - CJIS-5.6.2.2
    - DISA-STIG-RHEL-09-671025
    - NIST-800-171-3.13.11
    - NIST-800-53-CM-6(a)
    - NIST-800-53-IA-5(1)(c)
    - NIST-800-53-IA-5(c)
    - PCI-DSS-Req-8.2.1
    - configure_strategy
    - low_complexity
    - medium_disruption
    - medium_severity
    - no_reboot_needed
    - set_password_hashing_algorithm_passwordauth

- name: Set PAM's Password Hashing Algorithm - password-auth - Check the proper remediation for the system
  block:
    - name: Set PAM's Password Hashing Algorithm - password-auth - Define the PAM file to be edited as a local fact
      ansible.builtin.set_fact:
        pam_file_path: /etc/pam.d/password-auth

    - name: Set PAM's Password Hashing Algorithm - password-auth - Check if system relies on authselect tool
      ansible.builtin.stat:
        path: /usr/bin/authselect
      register: result_authselect_present

    # When authselect is installed, /etc/pam.d is not edited directly: the edits
    # are redirected to a custom profile under /etc/authselect, which is then
    # selected and applied with `authselect apply-changes`.
    - name: Set PAM's Password Hashing Algorithm - password-auth - Ensure authselect custom profile is used if authselect is present
      block:
        # failed_when: false — a non-zero rc is turned into an explicit abort by
        # the assert that follows, with a readable explanation.
        - name: Set PAM's Password Hashing Algorithm - password-auth - Check integrity of authselect current profile
          ansible.builtin.command:
            cmd: authselect check
          register: result_authselect_check_cmd
          changed_when: false
          check_mode: false
          failed_when: false

        - name: Set PAM's Password Hashing Algorithm - password-auth - Informative message based on the authselect integrity check result
          ansible.builtin.assert:
            that:
              - ansible_check_mode or result_authselect_check_cmd.rc == 0
            fail_msg:
              - authselect integrity check failed. Remediation aborted!
              - This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
              - It is not recommended to manually edit the PAM files when authselect tool is available.
              - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended.
            success_msg:
              - authselect integrity check passed

        - name: Set PAM's Password Hashing Algorithm - password-auth - Get authselect current profile
          ansible.builtin.shell:
            cmd: authselect current -r | awk '{ print $1 }'
          register: result_authselect_profile
          changed_when: false
          when:
            - result_authselect_check_cmd is success

        # A profile already under custom/ is reused as-is.
        - name: Set PAM's Password Hashing Algorithm - password-auth - Define the current authselect profile as a local fact
          ansible.builtin.set_fact:
            authselect_current_profile: '{{ result_authselect_profile.stdout }}'
            authselect_custom_profile: '{{ result_authselect_profile.stdout }}'
          when:
            - result_authselect_profile is not skipped
            - result_authselect_profile.stdout is match("custom/")

        # Otherwise a custom/hardening profile is derived from the current one.
        - name: Set PAM's Password Hashing Algorithm - password-auth - Define the new authselect custom profile as a local fact
          ansible.builtin.set_fact:
            authselect_current_profile: '{{ result_authselect_profile.stdout }}'
            authselect_custom_profile: custom/hardening
          when:
            - result_authselect_profile is not skipped
            - result_authselect_profile.stdout is not match("custom/")

        - name: Set PAM's Password Hashing Algorithm - password-auth - Get authselect current features to also enable them in the custom profile
          ansible.builtin.shell:
            cmd: authselect current | tail -n+3 | awk '{ print $2 }'
          register: result_authselect_features
          changed_when: false
          check_mode: false
          when:
            - result_authselect_profile is not skipped
            - authselect_current_profile is not match("custom/")

        - name: Set PAM's Password Hashing Algorithm - password-auth - Check if any custom profile with the same name was already created
          ansible.builtin.stat:
            path: /etc/authselect/{{ authselect_custom_profile }}
          register: result_authselect_custom_profile_present
          changed_when: false
          when:
            - result_authselect_profile is not skipped
            - authselect_current_profile is not match("custom/")

        - name: Set PAM's Password Hashing Algorithm - password-auth - Create an authselect custom profile based on the current profile
          ansible.builtin.command:
            cmd: authselect create-profile hardening -b {{ authselect_current_profile }}
          when:
            - result_authselect_profile is not skipped
            - result_authselect_check_cmd is success
            - authselect_current_profile is not match("^(custom/|local)")
            - not result_authselect_custom_profile_present.stat.exists

        # The "local" profile cannot serve as a base; sssd is used instead.
        - name: Set PAM's Password Hashing Algorithm - password-auth - Create an authselect custom profile based on sssd profile
          ansible.builtin.command:
            cmd: authselect create-profile hardening -b sssd
          when:
            - result_authselect_profile is not skipped
            - result_authselect_check_cmd is success
            - authselect_current_profile is match("local")
            - not result_authselect_custom_profile_present.stat.exists

        # Backups are taken before and after switching profiles so the previous
        # PAM state can be restored with authselect.
        - name: Set PAM's Password Hashing Algorithm - password-auth - Ensure authselect changes are applied
          ansible.builtin.command:
            cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
          when:
            - result_authselect_check_cmd is success
            - result_authselect_profile is not skipped
            - authselect_current_profile is not match("custom/")
            - authselect_custom_profile is not match(authselect_current_profile)

        - name: Set PAM's Password Hashing Algorithm - password-auth - Ensure the authselect custom profile is selected
          ansible.builtin.command:
            cmd: authselect select {{ authselect_custom_profile }}
          register: result_pam_authselect_select_profile
          when:
            - result_authselect_check_cmd is success
            - result_authselect_profile is not skipped
            - authselect_current_profile is not match("custom/")
            - authselect_custom_profile is not match(authselect_current_profile)

        - name: Set PAM's Password Hashing Algorithm - password-auth - Restore the authselect features in the custom profile
          ansible.builtin.command:
            cmd: authselect enable-feature {{ item }}
          loop: '{{ result_authselect_features.stdout_lines }}'
          register: result_pam_authselect_restore_features
          when:
            - result_authselect_profile is not skipped
            - result_authselect_features is not skipped
            - result_pam_authselect_select_profile is not skipped

        - name: Set PAM's Password Hashing Algorithm - password-auth - Ensure authselect changes are applied
          ansible.builtin.command:
            cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
          when:
            - result_authselect_check_cmd is success
            - result_authselect_profile is not skipped
            - result_pam_authselect_restore_features is not skipped

        - name: Set PAM's Password Hashing Algorithm - password-auth - Change the PAM file to be edited according to the custom authselect profile
          ansible.builtin.set_fact:
            pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path | basename }}
          when:
            - authselect_custom_profile is defined
      when:
        - result_authselect_present.stat.exists

    - name: Set PAM's Password Hashing Algorithm - password-auth - Define a fact for control already filtered in case filters are used
      ansible.builtin.set_fact:
        pam_module_control: sufficient

    # lineinfile in check mode with state: absent only reports how many lines
    # match (.found); nothing is removed.
    - name: Set PAM's Password Hashing Algorithm - password-auth - Check if expected PAM module line is present in {{ pam_file_path }}
      ansible.builtin.lineinfile:
        path: '{{ pam_file_path }}'
        regexp: ^\s*password\s+{{ pam_module_control | regex_escape() }}\s+pam_unix.so\s*.*
        state: absent
      check_mode: true
      changed_when: false
      register: result_pam_line_present

    - name: Set PAM's Password Hashing Algorithm - password-auth - Include or update the PAM module line in {{ pam_file_path }}
      block:
        - name: Set PAM's Password Hashing Algorithm - password-auth - Check if required PAM module line is present in {{ pam_file_path }} with different control
          ansible.builtin.lineinfile:
            path: '{{ pam_file_path }}'
            regexp: ^\s*password\s+.*\s+pam_unix.so\s*
            state: absent
          check_mode: true
          changed_when: false
          register: result_pam_line_other_control_present

        # Exactly one pam_unix.so password line with another control: fix the control.
        - name: Set PAM's Password Hashing Algorithm - password-auth - Ensure the correct control for the required PAM module line in {{ pam_file_path }}
          ansible.builtin.replace:
            dest: '{{ pam_file_path }}'
            regexp: ^(\s*password\s+).*(\bpam_unix.so.*)
            replace: \1{{ pam_module_control }} \2
          register: result_pam_module_edit
          when:
            - result_pam_line_other_control_present.found == 1

        # No line, or more than one (ambiguous): add a fresh line instead.
        - name: Set PAM's Password Hashing Algorithm - password-auth - Ensure the required PAM module line is included in {{ pam_file_path }}
          ansible.builtin.lineinfile:
            dest: '{{ pam_file_path }}'
            line: password {{ pam_module_control }} pam_unix.so
          register: result_pam_module_add
          when:
            - result_pam_line_other_control_present.found == 0 or result_pam_line_other_control_present.found > 1

        - name: Set PAM's Password Hashing Algorithm - password-auth - Ensure authselect changes are applied
          ansible.builtin.command:
            cmd: authselect apply-changes -b
          when:
            - result_authselect_present is defined
            - result_authselect_present.stat.exists
            - "(result_pam_module_add is defined and result_pam_module_add.changed)\n or (result_pam_module_edit is defined and result_pam_module_edit.changed)"
      when:
        - result_pam_line_present.found is defined
        - result_pam_line_present.found == 0

    - name: Set PAM's Password Hashing Algorithm - password-auth - Define a fact for control already filtered in case filters are used
      ansible.builtin.set_fact:
        pam_module_control: sufficient

    - name: Set PAM's Password Hashing Algorithm - password-auth - Check if the required PAM module option is present in {{ pam_file_path }}
      ansible.builtin.lineinfile:
        path: '{{ pam_file_path }}'
        regexp: ^\s*password\s+{{ pam_module_control | regex_escape() }}\s+pam_unix.so\s*.*\s{{ var_password_hashing_algorithm_pam }}\b
        state: absent
      check_mode: true
      changed_when: false
      register: result_pam_module_set_password_hashing_algorithm_passwordauth_option_present

    # backrefs: true — the matched line is rewritten with the option appended;
    # with backrefs, lineinfile never appends a new line when nothing matches.
    - name: Set PAM's Password Hashing Algorithm - password-auth - Ensure the "{{ var_password_hashing_algorithm_pam }}" PAM option for "pam_unix.so" is included in {{ pam_file_path }}
      ansible.builtin.lineinfile:
        path: '{{ pam_file_path }}'
        backrefs: true
        regexp: ^(\s*password\s+{{ pam_module_control | regex_escape() }}\s+pam_unix.so.*)
        line: \1 {{ var_password_hashing_algorithm_pam }}
        state: present
      register: result_pam_set_password_hashing_algorithm_passwordauth_add
      when:
        - result_pam_module_set_password_hashing_algorithm_passwordauth_option_present.found is defined
        - result_pam_module_set_password_hashing_algorithm_passwordauth_option_present.found == 0

    # NOTE(review): result_pam_set_password_hashing_algorithm_passwordauth_edit is
    # not registered by any task visible here; the `is defined` guard keeps the
    # expression safe, so only the _add result decides whether to apply.
    - name: Set PAM's Password Hashing Algorithm - password-auth - Ensure authselect changes are applied
      ansible.builtin.command:
        cmd: authselect apply-changes -b
      when:
        - result_authselect_present.stat.exists
        - "(result_pam_set_password_hashing_algorithm_passwordauth_add is defined and result_pam_set_password_hashing_algorithm_passwordauth_add.changed)\n or (result_pam_set_password_hashing_algorithm_passwordauth_edit is defined and result_pam_set_password_hashing_algorithm_passwordauth_edit.changed)"
  when:
    - DISA_STIG_RHEL_09_671025 | bool
    - configure_strategy | bool
    - low_complexity | bool
    - medium_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - set_password_hashing_algorithm_passwordauth | bool
    - '"kernel-core" in ansible_facts.packages'
    - '"pam" in ansible_facts.packages'
    - result_pam_file_present.stat.exists
  tags:
    - CCE-85946-2
    - CJIS-5.6.2.2
    - DISA-STIG-RHEL-09-671025
    - NIST-800-171-3.13.11
    - NIST-800-53-CM-6(a)
    - NIST-800-53-IA-5(1)(c)
    - NIST-800-53-IA-5(c)
    - PCI-DSS-Req-8.2.1
    - configure_strategy
    - low_complexity
    - medium_disruption
    - medium_severity
    - no_reboot_needed
    - set_password_hashing_algorithm_passwordauth

# Part 2: remove every other known hashing option from the pam_unix.so password
# line, so that only the configured algorithm remains in effect.
- name: Set PAM's Password Hashing Algorithm - password-auth - Check if /etc/pam.d/password-auth File is Present
  ansible.builtin.stat:
    path: /etc/pam.d/password-auth
  register: result_pam_file_present
  when:
    - DISA_STIG_RHEL_09_671025 | bool
    - configure_strategy | bool
    - low_complexity | bool
    - medium_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - set_password_hashing_algorithm_passwordauth | bool
    - '"kernel-core" in ansible_facts.packages'
    - '"pam" in ansible_facts.packages'
  tags:
    - CCE-85946-2
    - CJIS-5.6.2.2
    - DISA-STIG-RHEL-09-671025
    - NIST-800-171-3.13.11
    - NIST-800-53-CM-6(a)
    - NIST-800-53-IA-5(1)(c)
    - NIST-800-53-IA-5(c)
    - PCI-DSS-Req-8.2.1
    - configure_strategy
    - low_complexity
    - medium_disruption
    - medium_severity
    - no_reboot_needed
    - set_password_hashing_algorithm_passwordauth

- name: Set PAM's Password Hashing Algorithm - password-auth - Check The Proper Remediation For The System
  block:
    - name: Set PAM's Password Hashing Algorithm - password-auth - Define the PAM file to be edited as a local fact
      ansible.builtin.set_fact:
        pam_file_path: /etc/pam.d/password-auth

    - name: Set PAM's Password Hashing Algorithm - password-auth - Check if system relies on authselect tool
      ansible.builtin.stat:
        path: /usr/bin/authselect
      register: result_authselect_present

    # Same authselect handling as in Part 1: redirect edits to a custom profile.
    - name: Set PAM's Password Hashing Algorithm - password-auth - Ensure authselect custom profile is used if authselect is present
      block:
        - name: Set PAM's Password Hashing Algorithm - password-auth - Check integrity of authselect current profile
          ansible.builtin.command:
            cmd: authselect check
          register: result_authselect_check_cmd
          changed_when: false
          check_mode: false
          failed_when: false

        - name: Set PAM's Password Hashing Algorithm - password-auth - Informative message based on the authselect integrity check result
          ansible.builtin.assert:
            that:
              - ansible_check_mode or result_authselect_check_cmd.rc == 0
            fail_msg:
              - authselect integrity check failed. Remediation aborted!
              - This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
              - It is not recommended to manually edit the PAM files when authselect tool is available.
              - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended.
            success_msg:
              - authselect integrity check passed

        - name: Set PAM's Password Hashing Algorithm - password-auth - Get authselect current profile
          ansible.builtin.shell:
            cmd: authselect current -r | awk '{ print $1 }'
          register: result_authselect_profile
          changed_when: false
          when:
            - result_authselect_check_cmd is success

        - name: Set PAM's Password Hashing Algorithm - password-auth - Define the current authselect profile as a local fact
          ansible.builtin.set_fact:
            authselect_current_profile: '{{ result_authselect_profile.stdout }}'
            authselect_custom_profile: '{{ result_authselect_profile.stdout }}'
          when:
            - result_authselect_profile is not skipped
            - result_authselect_profile.stdout is match("custom/")

        - name: Set PAM's Password Hashing Algorithm - password-auth - Define the new authselect custom profile as a local fact
          ansible.builtin.set_fact:
            authselect_current_profile: '{{ result_authselect_profile.stdout }}'
            authselect_custom_profile: custom/hardening
          when:
            - result_authselect_profile is not skipped
            - result_authselect_profile.stdout is not match("custom/")

        - name: Set PAM's Password Hashing Algorithm - password-auth - Get authselect current features to also enable them in the custom profile
          ansible.builtin.shell:
            cmd: authselect current | tail -n+3 | awk '{ print $2 }'
          register: result_authselect_features
          changed_when: false
          check_mode: false
          when:
            - result_authselect_profile is not skipped
            - authselect_current_profile is not match("custom/")

        - name: Set PAM's Password Hashing Algorithm - password-auth - Check if any custom profile with the same name was already created
          ansible.builtin.stat:
            path: /etc/authselect/{{ authselect_custom_profile }}
          register: result_authselect_custom_profile_present
          changed_when: false
          when:
            - result_authselect_profile is not skipped
            - authselect_current_profile is not match("custom/")

        - name: Set PAM's Password Hashing Algorithm - password-auth - Create an authselect custom profile based on the current profile
          ansible.builtin.command:
            cmd: authselect create-profile hardening -b {{ authselect_current_profile }}
          when:
            - result_authselect_profile is not skipped
            - result_authselect_check_cmd is success
            - authselect_current_profile is not match("^(custom/|local)")
            - not result_authselect_custom_profile_present.stat.exists

        - name: Set PAM's Password Hashing Algorithm - password-auth - Create an authselect custom profile based on sssd profile
          ansible.builtin.command:
            cmd: authselect create-profile hardening -b sssd
          when:
            - result_authselect_profile is not skipped
            - result_authselect_check_cmd is success
            - authselect_current_profile is match("local")
            - not result_authselect_custom_profile_present.stat.exists

        - name: Set PAM's Password Hashing Algorithm - password-auth - Ensure authselect changes are applied
          ansible.builtin.command:
            cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
          when:
            - result_authselect_check_cmd is success
            - result_authselect_profile is not skipped
            - authselect_current_profile is not match("custom/")
            - authselect_custom_profile is not match(authselect_current_profile)

        - name: Set PAM's Password Hashing Algorithm - password-auth - Ensure the authselect custom profile is selected
          ansible.builtin.command:
            cmd: authselect select {{ authselect_custom_profile }}
          register: result_pam_authselect_select_profile
          when:
            - result_authselect_check_cmd is success
            - result_authselect_profile is not skipped
            - authselect_current_profile is not match("custom/")
            - authselect_custom_profile is not match(authselect_current_profile)

        - name: Set PAM's Password Hashing Algorithm - password-auth - Restore the authselect features in the custom profile
          ansible.builtin.command:
            cmd: authselect enable-feature {{ item }}
          loop: '{{ result_authselect_features.stdout_lines }}'
          register: result_pam_authselect_restore_features
          when:
            - result_authselect_profile is not skipped
            - result_authselect_features is not skipped
            - result_pam_authselect_select_profile is not skipped

        - name: Set PAM's Password Hashing Algorithm - password-auth - Ensure authselect changes are applied
          ansible.builtin.command:
            cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
          when:
            - result_authselect_check_cmd is success
            - result_authselect_profile is not skipped
            - result_pam_authselect_restore_features is not skipped

        - name: Set PAM's Password Hashing Algorithm - password-auth - Change the PAM file to be edited according to the custom authselect profile
          ansible.builtin.set_fact:
            pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path | basename }}
          when:
            - authselect_custom_profile is defined
      when:
        - result_authselect_present.stat.exists

    - name: Set PAM's Password Hashing Algorithm - password-auth - Check if "{{ pam_file_path }}" File is Present
      ansible.builtin.stat:
        path: '{{ pam_file_path }}'
      register: pam_file_path_present

    # Every listed option except the configured one is stripped from the
    # pam_unix.so password line; the configured option itself is skipped by the
    # first when-condition.
    - name: Set PAM's Password Hashing Algorithm - password-auth - Ensure That Only the Correct Hashing Algorithm Option For pam_unix.so Is Used in {{ pam_file_path }}
      ansible.builtin.replace:
        dest: '{{ pam_file_path }}'
        regexp: (^\s*password.*pam_unix\.so.*)\b{{ item }}\b\s*(.*)
        replace: \1\2
      when:
        - item != var_password_hashing_algorithm_pam
        - pam_file_path_present.stat.exists
      loop:
        - sha512
        - yescrypt
        - gost_yescrypt
        - blowfish
        - sha256
        - md5
        - bigcrypt
      register: result_pam_hashing_options_removal

    - name: Set PAM's Password Hashing Algorithm - password-auth - Ensure authselect changes are applied
      ansible.builtin.command:
        cmd: authselect apply-changes -b
      when:
        - result_authselect_present.stat.exists
        - result_pam_hashing_options_removal is changed
  when:
    - DISA_STIG_RHEL_09_671025 | bool
    - configure_strategy | bool
    - low_complexity | bool
    - medium_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - set_password_hashing_algorithm_passwordauth | bool
    - '"kernel-core" in ansible_facts.packages'
    - '"pam" in ansible_facts.packages'
    - result_pam_file_present.stat.exists
  tags:
    - CCE-85946-2
    - CJIS-5.6.2.2
    - DISA-STIG-RHEL-09-671025
    - NIST-800-171-3.13.11
    - NIST-800-53-CM-6(a)
    - NIST-800-53-IA-5(1)(c)
    - NIST-800-53-IA-5(c)
    - PCI-DSS-Req-8.2.1
    - configure_strategy
    - low_complexity
    - medium_disruption
    - medium_severity
    - no_reboot_needed
    - set_password_hashing_algorithm_passwordauth

# --- set_password_hashing_algorithm_systemauth ---------------------------------
# Same two-part procedure as above, applied to /etc/pam.d/system-auth.
- name: Set PAM's Password Hashing Algorithm - Check if /etc/pam.d/system-auth file is present
  ansible.builtin.stat:
    path: /etc/pam.d/system-auth
  register: result_pam_file_present
  when:
    - configure_strategy | bool
    - low_complexity | bool
    - medium_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - set_password_hashing_algorithm_systemauth | bool
    - '"kernel-core" in ansible_facts.packages'
    - '"pam" in ansible_facts.packages'
  tags:
    - CCE-83581-9
    - CJIS-5.6.2.2
    - NIST-800-171-3.13.11
    - NIST-800-53-CM-6(a)
    - NIST-800-53-IA-5(1)(c)
    - NIST-800-53-IA-5(c)
    - PCI-DSS-Req-8.2.1
    - PCI-DSSv4-8.3
    - PCI-DSSv4-8.3.2
    - configure_strategy
    - low_complexity
    - medium_disruption
    - medium_severity
    - no_reboot_needed
    - set_password_hashing_algorithm_systemauth

- name: Set PAM's Password Hashing Algorithm - Check the proper remediation for the system
  block:
    - name: Set PAM's Password Hashing Algorithm - Define the PAM file to be edited as a local fact
      ansible.builtin.set_fact:
        pam_file_path: /etc/pam.d/system-auth

    - name: Set PAM's Password Hashing Algorithm - Check if system relies on authselect tool
      ansible.builtin.stat:
        path: /usr/bin/authselect
      register: result_authselect_present

    - name: Set PAM's Password Hashing Algorithm - Ensure authselect custom profile is used if authselect is present
      block:
        - name: Set PAM's Password Hashing Algorithm - Check integrity of authselect current profile
          ansible.builtin.command:
            cmd: authselect check
          register: result_authselect_check_cmd
          changed_when: false
          check_mode: false
          failed_when: false

        - name: Set PAM's Password Hashing Algorithm - Informative message based on the authselect integrity check result
          ansible.builtin.assert:
            that:
              - ansible_check_mode or result_authselect_check_cmd.rc == 0
            fail_msg:
              - authselect integrity check failed. Remediation aborted!
              - This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
              - It is not recommended to manually edit the PAM files when authselect tool is available.
              - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended.
            success_msg:
              - authselect integrity check passed

        - name: Set PAM's Password Hashing Algorithm - Get authselect current profile
          ansible.builtin.shell:
            cmd: authselect current -r | awk '{ print $1 }'
          register: result_authselect_profile
          changed_when: false
          when:
            - result_authselect_check_cmd is success

        - name: Set PAM's Password Hashing Algorithm - Define the current authselect profile as a local fact
          ansible.builtin.set_fact:
            authselect_current_profile: '{{ result_authselect_profile.stdout }}'
            authselect_custom_profile: '{{ result_authselect_profile.stdout }}'
          when:
            - result_authselect_profile is not skipped
            - result_authselect_profile.stdout is match("custom/")

        - name: Set PAM's Password Hashing Algorithm - Define the new authselect custom profile as a local fact
          ansible.builtin.set_fact:
            authselect_current_profile: '{{ result_authselect_profile.stdout }}'
            authselect_custom_profile: custom/hardening
          when:
            - result_authselect_profile is not skipped
            - result_authselect_profile.stdout is not match("custom/")

        - name: Set PAM's Password Hashing Algorithm - Get authselect current features to also enable them in the custom profile
          ansible.builtin.shell:
            cmd: authselect current | tail -n+3 | awk '{ print $2 }'
          register: result_authselect_features
          changed_when: false
          check_mode: false
          when:
            - result_authselect_profile is not skipped
            - authselect_current_profile is not match("custom/")

        - name: Set PAM's Password Hashing Algorithm - Check if any custom profile with the same name was already created
          ansible.builtin.stat:
            path: /etc/authselect/{{ authselect_custom_profile }}
          register: result_authselect_custom_profile_present
          changed_when: false
          when:
            - result_authselect_profile is not skipped
            - authselect_current_profile is not match("custom/")

        - name: Set PAM's Password Hashing Algorithm - Create an authselect custom profile based on the current profile
          ansible.builtin.command:
            cmd: authselect create-profile hardening -b {{ authselect_current_profile }}
          when:
            - result_authselect_profile is not skipped
            - result_authselect_check_cmd is success
            - authselect_current_profile is not match("^(custom/|local)")
            - not result_authselect_custom_profile_present.stat.exists

        - name: Set PAM's Password Hashing Algorithm - Create an authselect custom profile based on sssd profile
          ansible.builtin.command:
            cmd: authselect create-profile hardening -b sssd
          when:
            - result_authselect_profile is not skipped
            - result_authselect_check_cmd is success
            - authselect_current_profile is match("local")
            - not result_authselect_custom_profile_present.stat.exists

        - name: Set PAM's Password Hashing Algorithm - Ensure authselect changes are applied
          ansible.builtin.command:
            cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
          when:
            - result_authselect_check_cmd is success
            - result_authselect_profile is not skipped
            - authselect_current_profile is not match("custom/")
            - authselect_custom_profile is not match(authselect_current_profile)

        - name: Set PAM's Password Hashing Algorithm - Ensure the authselect custom profile is selected
          ansible.builtin.command:
            cmd: authselect select {{ authselect_custom_profile }}
          register: result_pam_authselect_select_profile
          when:
            - result_authselect_check_cmd is success
            - result_authselect_profile is not skipped
            - authselect_current_profile is not match("custom/")
            - authselect_custom_profile is not match(authselect_current_profile)

        - name: Set PAM's Password Hashing Algorithm - Restore the authselect features in the custom profile
          ansible.builtin.command:
            cmd: authselect enable-feature {{ item }}
          loop: '{{ result_authselect_features.stdout_lines }}'
          register: result_pam_authselect_restore_features
          when:
            - result_authselect_profile is not skipped
            - result_authselect_features is not skipped
            - result_pam_authselect_select_profile is not skipped

        - name: Set PAM's Password Hashing Algorithm - Ensure authselect changes are applied
          ansible.builtin.command:
            cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
          when:
            - result_authselect_check_cmd is success
            - result_authselect_profile is not skipped
            - result_pam_authselect_restore_features is not skipped

        - name: Set PAM's Password Hashing Algorithm - Change the PAM file to be edited according to the custom authselect profile
          ansible.builtin.set_fact:
            pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path | basename }}
          when:
            - authselect_custom_profile is defined
      when:
        - result_authselect_present.stat.exists

    - name: Set PAM's Password Hashing Algorithm - Define a fact for control already filtered in case filters are used
      ansible.builtin.set_fact:
        pam_module_control: sufficient

    - name: Set PAM's Password Hashing Algorithm - Check if expected PAM module line is present in {{ pam_file_path }}
      ansible.builtin.lineinfile:
        path: '{{ pam_file_path }}'
        regexp: ^\s*password\s+{{ pam_module_control | regex_escape() }}\s+pam_unix.so\s*.*
        state: absent
      check_mode: true
      changed_when: false
      register: result_pam_line_present

    - name: Set PAM's Password Hashing Algorithm - Include or update the PAM module line in {{ pam_file_path }}
      block:
        - name: Set PAM's Password Hashing Algorithm - Check if required PAM module line is present in {{ pam_file_path }} with different control
          ansible.builtin.lineinfile:
            path: '{{ pam_file_path }}'
            regexp: ^\s*password\s+.*\s+pam_unix.so\s*
            state: absent
          check_mode: true
          changed_when: false
          register: result_pam_line_other_control_present

        - name: Set PAM's Password Hashing Algorithm - Ensure the correct control for the required PAM module line in {{ pam_file_path }}
          ansible.builtin.replace:
            dest: '{{ pam_file_path }}'
            regexp: ^(\s*password\s+).*(\bpam_unix.so.*)
            replace: \1{{ pam_module_control }} \2
          register: result_pam_module_edit
          when:
            - result_pam_line_other_control_present.found == 1

        - name: Set PAM's Password Hashing Algorithm - Ensure the required PAM module line is included in {{ pam_file_path }}
          ansible.builtin.lineinfile:
            dest: '{{ pam_file_path }}'
            line: password {{ pam_module_control }} pam_unix.so
          register: result_pam_module_add
          when:
            - result_pam_line_other_control_present.found == 0 or result_pam_line_other_control_present.found > 1

        - name: Set PAM's Password Hashing Algorithm - Ensure authselect changes are applied
          ansible.builtin.command:
            cmd: authselect apply-changes -b
          when:
            - result_authselect_present is defined
            - result_authselect_present.stat.exists
            - "(result_pam_module_add is defined and result_pam_module_add.changed)\n or (result_pam_module_edit is defined and result_pam_module_edit.changed)"
      when:
        - result_pam_line_present.found is defined
        - result_pam_line_present.found == 0

    - name: Set PAM's Password Hashing Algorithm - Define a fact for control already filtered in case filters are used
      ansible.builtin.set_fact:
        pam_module_control: sufficient

    - name: Set PAM's Password Hashing Algorithm - Check if the required PAM module option is present in {{ pam_file_path }}
      ansible.builtin.lineinfile:
        path: '{{ pam_file_path }}'
        regexp: ^\s*password\s+{{ pam_module_control | regex_escape() }}\s+pam_unix.so\s*.*\s{{ var_password_hashing_algorithm_pam }}\b
        state: absent
      check_mode: true
      changed_when: false
      register: result_pam_module_set_password_hashing_algorithm_systemauth_option_present

    - name: Set PAM's Password Hashing Algorithm - Ensure the "{{ var_password_hashing_algorithm_pam }}" PAM option for "pam_unix.so" is included in {{ pam_file_path }}
      ansible.builtin.lineinfile:
        path: '{{ pam_file_path }}'
        backrefs: true
        regexp: ^(\s*password\s+{{ pam_module_control | regex_escape() }}\s+pam_unix.so.*)
        line: \1 {{ var_password_hashing_algorithm_pam }}
        state: present
      register: result_pam_set_password_hashing_algorithm_systemauth_add
      when:
        - result_pam_module_set_password_hashing_algorithm_systemauth_option_present.found is defined
        - result_pam_module_set_password_hashing_algorithm_systemauth_option_present.found == 0

    # NOTE(review): as in the password-auth variant, the *_systemauth_edit result
    # is not registered by any visible task; the `is defined` guard keeps the
    # expression safe.
    - name: Set PAM's Password Hashing Algorithm - Ensure authselect changes are applied
      ansible.builtin.command:
        cmd: authselect apply-changes -b
      when:
        - result_authselect_present.stat.exists
        - "(result_pam_set_password_hashing_algorithm_systemauth_add is defined and result_pam_set_password_hashing_algorithm_systemauth_add.changed)\n or (result_pam_set_password_hashing_algorithm_systemauth_edit is defined and result_pam_set_password_hashing_algorithm_systemauth_edit.changed)"
  when:
    - configure_strategy | bool
    - low_complexity | bool
    - medium_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - set_password_hashing_algorithm_systemauth | bool
    - '"kernel-core" in ansible_facts.packages'
    - '"pam" in ansible_facts.packages'
    - result_pam_file_present.stat.exists
  tags:
    - CCE-83581-9
    - CJIS-5.6.2.2
    - NIST-800-171-3.13.11
    - NIST-800-53-CM-6(a)
    - NIST-800-53-IA-5(1)(c)
    - NIST-800-53-IA-5(c)
    - PCI-DSS-Req-8.2.1
    - PCI-DSSv4-8.3
    - PCI-DSSv4-8.3.2
    - configure_strategy
    - low_complexity
    - medium_disruption
    - medium_severity
    - no_reboot_needed
    - set_password_hashing_algorithm_systemauth

- name: Set PAM's Password Hashing Algorithm - Check if /etc/pam.d/system-auth File is Present
  ansible.builtin.stat:
    path: /etc/pam.d/system-auth
  register: result_pam_file_present
  when:
    - configure_strategy | bool
    - low_complexity | bool
    - medium_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - set_password_hashing_algorithm_systemauth | bool
    - '"kernel-core" in ansible_facts.packages'
    - '"pam" in ansible_facts.packages'
  tags:
    - CCE-83581-9
    - CJIS-5.6.2.2
    - NIST-800-171-3.13.11
    - NIST-800-53-CM-6(a)
    - NIST-800-53-IA-5(1)(c)
    - NIST-800-53-IA-5(c)
    - PCI-DSS-Req-8.2.1
    - PCI-DSSv4-8.3
    - PCI-DSSv4-8.3.2
    - configure_strategy
    - low_complexity
    - medium_disruption
    - medium_severity
    - no_reboot_needed
    - set_password_hashing_algorithm_systemauth
- In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended. success_msg: - authselect integrity check passed - name: Set PAM's Password Hashing Algorithm - Get authselect current profile ansible.builtin.shell: cmd: authselect current -r | awk '{ print $1 }' register: result_authselect_profile changed_when: false when: - result_authselect_check_cmd is success - name: Set PAM's Password Hashing Algorithm - Define the current authselect profile as a local fact ansible.builtin.set_fact: authselect_current_profile: '{{ result_authselect_profile.stdout }}' authselect_custom_profile: '{{ result_authselect_profile.stdout }}' when: - result_authselect_profile is not skipped - result_authselect_profile.stdout is match("custom/") - name: Set PAM's Password Hashing Algorithm - Define the new authselect custom profile as a local fact ansible.builtin.set_fact: authselect_current_profile: '{{ result_authselect_profile.stdout }}' authselect_custom_profile: custom/hardening when: - result_authselect_profile is not skipped - result_authselect_profile.stdout is not match("custom/") - name: Set PAM's Password Hashing Algorithm - Get authselect current features to also enable them in the custom profile ansible.builtin.shell: cmd: authselect current | tail -n+3 | awk '{ print $2 }' register: result_authselect_features changed_when: false check_mode: false when: - result_authselect_profile is not skipped - authselect_current_profile is not match("custom/") - name: Set PAM's Password Hashing Algorithm - Check if any custom profile with the same name was already created ansible.builtin.stat: path: /etc/authselect/{{ authselect_custom_profile }} register: result_authselect_custom_profile_present changed_when: false when: - result_authselect_profile is not skipped - authselect_current_profile is not match("custom/") - name: Set PAM's Password Hashing Algorithm - Create an authselect custom profile based on the current profile 
ansible.builtin.command: cmd: authselect create-profile hardening -b {{ authselect_current_profile }} when: - result_authselect_profile is not skipped - result_authselect_check_cmd is success - authselect_current_profile is not match("^(custom/|local)") - not result_authselect_custom_profile_present.stat.exists - name: Set PAM's Password Hashing Algorithm - Create an authselect custom profile based on sssd profile ansible.builtin.command: cmd: authselect create-profile hardening -b sssd when: - result_authselect_profile is not skipped - result_authselect_check_cmd is success - authselect_current_profile is match("local") - not result_authselect_custom_profile_present.stat.exists - name: Set PAM's Password Hashing Algorithm - Ensure authselect changes are applied ansible.builtin.command: cmd: authselect apply-changes -b --backup=before-hardening-custom-profile when: - result_authselect_check_cmd is success - result_authselect_profile is not skipped - authselect_current_profile is not match("custom/") - authselect_custom_profile is not match(authselect_current_profile) - name: Set PAM's Password Hashing Algorithm - Ensure the authselect custom profile is selected ansible.builtin.command: cmd: authselect select {{ authselect_custom_profile }} register: result_pam_authselect_select_profile when: - result_authselect_check_cmd is success - result_authselect_profile is not skipped - authselect_current_profile is not match("custom/") - authselect_custom_profile is not match(authselect_current_profile) - name: Set PAM's Password Hashing Algorithm - Restore the authselect features in the custom profile ansible.builtin.command: cmd: authselect enable-feature {{ item }} loop: '{{ result_authselect_features.stdout_lines }}' register: result_pam_authselect_restore_features when: - result_authselect_profile is not skipped - result_authselect_features is not skipped - result_pam_authselect_select_profile is not skipped - name: Set PAM's Password Hashing Algorithm - Ensure 
authselect changes are applied ansible.builtin.command: cmd: authselect apply-changes -b --backup=after-hardening-custom-profile when: - result_authselect_check_cmd is success - result_authselect_profile is not skipped - result_pam_authselect_restore_features is not skipped - name: Set PAM's Password Hashing Algorithm - Change the PAM file to be edited according to the custom authselect profile ansible.builtin.set_fact: pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path | basename }} when: - authselect_custom_profile is defined when: - result_authselect_present.stat.exists - name: Set PAM's Password Hashing Algorithm - Check if "{{ pam_file_path }}" File is Present ansible.builtin.stat: path: '{{ pam_file_path }}' register: pam_file_path_present - name: Set PAM's Password Hashing Algorithm - Ensure That Only the Correct Hashing Algorithm Option For pam_unix.so Is Used in {{ pam_file_path }} ansible.builtin.replace: dest: '{{ pam_file_path }}' regexp: (^\s*password.*pam_unix\.so.*)\b{{ item }}\b\s*(.*) replace: \1\2 when: - item != var_password_hashing_algorithm_pam - pam_file_path_present.stat.exists loop: - sha512 - yescrypt - gost_yescrypt - blowfish - sha256 - md5 - bigcrypt register: result_pam_hashing_options_removal - name: Set PAM's Password Hashing Algorithm - Ensure authselect changes are applied ansible.builtin.command: cmd: authselect apply-changes -b when: - result_authselect_present.stat.exists - result_pam_hashing_options_removal is changed when: - configure_strategy | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - no_reboot_needed | bool - set_password_hashing_algorithm_systemauth | bool - '"kernel-core" in ansible_facts.packages' - '"pam" in ansible_facts.packages' - result_pam_file_present.stat.exists tags: - CCE-83581-9 - CJIS-5.6.2.2 - NIST-800-171-3.13.11 - NIST-800-53-CM-6(a) - NIST-800-53-IA-5(1)(c) - NIST-800-53-IA-5(c) - PCI-DSS-Req-8.2.1 - PCI-DSSv4-8.3 - PCI-DSSv4-8.3.2 - 
configure_strategy - low_complexity - medium_disruption - medium_severity - no_reboot_needed - set_password_hashing_algorithm_systemauth - name: Set Account Expiration Following Inactivity ansible.builtin.lineinfile: create: true dest: /etc/default/useradd regexp: ^INACTIVE line: INACTIVE={{ var_account_disable_post_pw_expiration }} when: - DISA_STIG_RHEL_09_411050 | bool - account_disable_post_pw_expiration | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"kernel-core" in ansible_facts.packages' - '"shadow-utils" in ansible_facts.packages' tags: - CCE-83627-0 - CJIS-5.6.2.1.1 - DISA-STIG-RHEL-09-411050 - NIST-800-171-3.5.6 - NIST-800-53-AC-2(3) - NIST-800-53-CM-6(a) - NIST-800-53-IA-4(e) - PCI-DSS-Req-8.1.4 - PCI-DSSv4-8.2 - PCI-DSSv4-8.2.6 - account_disable_post_pw_expiration - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Set Password Maximum Age ansible.builtin.lineinfile: create: true dest: /etc/login.defs regexp: ^#?PASS_MAX_DAYS line: PASS_MAX_DAYS {{ var_accounts_maximum_age_login_defs }} when: - DISA_STIG_RHEL_09_411010 | bool - accounts_maximum_age_login_defs | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"kernel-core" in ansible_facts.packages' - '"shadow-utils" in ansible_facts.packages' tags: - CCE-83606-4 - CJIS-5.6.2.1 - DISA-STIG-RHEL-09-411010 - NIST-800-171-3.5.6 - NIST-800-53-CM-6(a) - NIST-800-53-IA-5(1)(d) - NIST-800-53-IA-5(f) - PCI-DSS-Req-8.2.4 - PCI-DSSv4-8.3 - PCI-DSSv4-8.3.9 - accounts_maximum_age_login_defs - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Set Password Minimum Age ansible.builtin.lineinfile: create: true dest: /etc/login.defs regexp: ^#?PASS_MIN_DAYS line: PASS_MIN_DAYS {{ var_accounts_minimum_age_login_defs }} when: - DISA_STIG_RHEL_09_611075 | bool 
- accounts_minimum_age_login_defs | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"kernel-core" in ansible_facts.packages' - '"shadow-utils" in ansible_facts.packages' tags: - CCE-83610-6 - CJIS-5.6.2.1.1 - DISA-STIG-RHEL-09-611075 - NIST-800-171-3.5.8 - NIST-800-53-CM-6(a) - NIST-800-53-IA-5(1)(d) - NIST-800-53-IA-5(f) - accounts_minimum_age_login_defs - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Collect users with not correct maximum time period between password changes ansible.builtin.command: cmd: awk -F':' '(/^[^:]+:[^!*]/ && ($5 > {{ var_accounts_maximum_age_login_defs }} || $5 == "")) {print $1}' /etc/shadow register: user_names changed_when: false check_mode: false when: - DISA_STIG_RHEL_09_411015 | bool - accounts_password_set_max_life_existing | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-86031-2 - DISA-STIG-RHEL-09-411015 - NIST-800-53-CM-6(a) - NIST-800-53-IA-5(1)(d) - NIST-800-53-IA-5(f) - PCI-DSSv4-8.3 - PCI-DSSv4-8.3.9 - accounts_password_set_max_life_existing - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Change the maximum time period between password changes ansible.builtin.user: user: '{{ item }}' password_expire_max: '{{ var_accounts_maximum_age_login_defs }}' with_items: '{{ user_names.stdout_lines }}' when: - DISA_STIG_RHEL_09_411015 | bool - accounts_password_set_max_life_existing | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"kernel-core" in ansible_facts.packages' - user_names.stdout_lines | length > 0 tags: - CCE-86031-2 - DISA-STIG-RHEL-09-411015 - NIST-800-53-CM-6(a) - NIST-800-53-IA-5(1)(d) - NIST-800-53-IA-5(f) - 
PCI-DSSv4-8.3 - PCI-DSSv4-8.3.9 - accounts_password_set_max_life_existing - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Collect users with not correct minimum time period between password changes ansible.builtin.command: 'awk -F'':'' ''(/^[^:]+:[^!*]/ && ($4 < {{ var_accounts_minimum_age_login_defs }} || $4 == "")) {print $1}'' /etc/shadow ' register: user_names changed_when: false check_mode: false when: - DISA_STIG_RHEL_09_611080 | bool - accounts_password_set_min_life_existing | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-89069-9 - DISA-STIG-RHEL-09-611080 - NIST-800-53-CM-6(a) - NIST-800-53-IA-5(1)(d) - NIST-800-53-IA-5(f) - accounts_password_set_min_life_existing - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Change the minimum time period between password changes ansible.builtin.command: 'chage -m {{ var_accounts_minimum_age_login_defs }} {{ item }} ' with_items: '{{ user_names.stdout_lines }}' when: - DISA_STIG_RHEL_09_611080 | bool - accounts_password_set_min_life_existing | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"kernel-core" in ansible_facts.packages' - user_names.stdout_lines | length > 0 tags: - CCE-89069-9 - DISA-STIG-RHEL-09-611080 - NIST-800-53-CM-6(a) - NIST-800-53-IA-5(1)(d) - NIST-800-53-IA-5(f) - accounts_password_set_min_life_existing - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Set Existing Passwords Warning Age - Collect Users With Incorrect Number of Days of Warning Before Password Expires ansible.builtin.command: cmd: awk -F':' '(($6 < {{ var_accounts_password_warn_age_login_defs }} || $6 == "") && $2 ~ /^\$/) {print $1}' /etc/shadow register: 
result_pass_warn_age_user_names changed_when: false when: - accounts_password_set_warn_age_existing | bool - configure_strategy | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-86915-6 - NIST-800-53-CM-6(a) - NIST-800-53-IA-5(1)(d) - NIST-800-53-IA-5(f) - PCI-DSSv4-8.3 - PCI-DSSv4-8.3.9 - accounts_password_set_warn_age_existing - configure_strategy - low_complexity - low_disruption - medium_severity - no_reboot_needed - name: Set Existing Passwords Warning Age - Ensure the Number of Days of Warning Before Password Expires ansible.builtin.command: cmd: chage --warndays {{ var_accounts_password_warn_age_login_defs }} {{ item }} with_items: '{{ result_pass_warn_age_user_names.stdout_lines }}' when: - accounts_password_set_warn_age_existing | bool - configure_strategy | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - '"kernel-core" in ansible_facts.packages' - result_pass_warn_age_user_names is not skipped and result_pass_warn_age_user_names.stdout_lines | length > 0 tags: - CCE-86915-6 - NIST-800-53-CM-6(a) - NIST-800-53-IA-5(1)(d) - NIST-800-53-IA-5(f) - PCI-DSSv4-8.3 - PCI-DSSv4-8.3.9 - accounts_password_set_warn_age_existing - configure_strategy - low_complexity - low_disruption - medium_severity - no_reboot_needed - name: Set Password Warning Age ansible.builtin.lineinfile: dest: /etc/login.defs regexp: ^PASS_WARN_AGE *[0-9]* state: present line: PASS_WARN_AGE {{ var_accounts_password_warn_age_login_defs }} create: true when: - accounts_password_warn_age_login_defs | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"kernel-core" in ansible_facts.packages' - '"shadow-utils" in ansible_facts.packages' tags: - CCE-83609-8 - NIST-800-171-3.5.8 - NIST-800-53-CM-6(a) - NIST-800-53-IA-5(1)(d) - NIST-800-53-IA-5(f) - 
PCI-DSS-Req-8.2.4 - PCI-DSSv4-8.3 - PCI-DSSv4-8.3.9 - accounts_password_warn_age_login_defs - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Collect users with not correct INACTIVE parameter set ansible.builtin.command: cmd: awk -F':' '(($7 > {{ var_account_disable_post_pw_expiration }} || $7 == "") && $2 ~ /^\$/) {print $1}' /etc/shadow register: user_names changed_when: false when: - accounts_set_post_pw_existing | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-86759-8 - NIST-800-171-3.5.6 - NIST-800-53-AC-2(3) - NIST-800-53-CM-6(a) - NIST-800-53-IA-4(e) - PCI-DSS-Req-8.1.4 - PCI-DSSv4-8.2 - PCI-DSSv4-8.2.6 - accounts_set_post_pw_existing - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Change the period of inactivity ansible.builtin.command: cmd: chage --inactive {{ var_account_disable_post_pw_expiration }} {{ item }} with_items: '{{ user_names.stdout_lines }}' when: - accounts_set_post_pw_existing | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"kernel-core" in ansible_facts.packages' - user_names is not skipped and user_names.stdout_lines | length > 0 tags: - CCE-86759-8 - NIST-800-171-3.5.6 - NIST-800-53-AC-2(3) - NIST-800-53-CM-6(a) - NIST-800-53-IA-4(e) - PCI-DSS-Req-8.1.4 - PCI-DSSv4-8.2 - PCI-DSSv4-8.2.6 - accounts_set_post_pw_existing - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Prevent Login to Accounts With Empty Password - Check if system relies on authselect ansible.builtin.stat: path: /usr/bin/authselect register: result_authselect_present when: - DISA_STIG_RHEL_09_611025 | bool - configure_strategy | bool - high_severity | bool - low_complexity | bool - medium_disruption | 
bool - no_empty_passwords | bool - no_reboot_needed | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-83611-4 - CJIS-5.5.2 - DISA-STIG-RHEL-09-611025 - NIST-800-171-3.1.1 - NIST-800-171-3.1.5 - NIST-800-53-CM-6(a) - NIST-800-53-IA-5(1)(a) - NIST-800-53-IA-5(c) - PCI-DSS-Req-8.2.3 - PCI-DSSv4-8.3 - PCI-DSSv4-8.3.1 - configure_strategy - high_severity - low_complexity - medium_disruption - no_empty_passwords - no_reboot_needed - name: Prevent Login to Accounts With Empty Password - Remediate using authselect block: - name: Prevent Login to Accounts With Empty Password - Check integrity of authselect current profile ansible.builtin.command: cmd: authselect check register: result_authselect_check_cmd changed_when: false check_mode: false failed_when: false - name: Prevent Login to Accounts With Empty Password - Informative message based on the authselect integrity check result ansible.builtin.assert: that: - ansible_check_mode or result_authselect_check_cmd.rc == 0 fail_msg: - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. - It is not recommended to manually edit the PAM files when authselect tool is available. - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended. 
success_msg: - authselect integrity check passed - name: Prevent Login to Accounts With Empty Password - Get authselect current features ansible.builtin.shell: cmd: authselect current | tail -n+3 | awk '{ print $2 }' register: result_authselect_features changed_when: false check_mode: false when: - result_authselect_check_cmd is success - name: Prevent Login to Accounts With Empty Password - Ensure "without-nullok" feature is enabled using authselect tool ansible.builtin.command: cmd: authselect enable-feature without-nullok register: result_authselect_enable_feature_cmd when: - result_authselect_check_cmd is success - result_authselect_features.stdout is not search("without-nullok") - name: Prevent Login to Accounts With Empty Password - Ensure authselect changes are applied ansible.builtin.command: cmd: authselect apply-changes -b when: - result_authselect_enable_feature_cmd is not skipped - result_authselect_enable_feature_cmd is success when: - DISA_STIG_RHEL_09_611025 | bool - configure_strategy | bool - high_severity | bool - low_complexity | bool - medium_disruption | bool - no_empty_passwords | bool - no_reboot_needed | bool - '"kernel-core" in ansible_facts.packages' - result_authselect_present.stat.exists tags: - CCE-83611-4 - CJIS-5.5.2 - DISA-STIG-RHEL-09-611025 - NIST-800-171-3.1.1 - NIST-800-171-3.1.5 - NIST-800-53-CM-6(a) - NIST-800-53-IA-5(1)(a) - NIST-800-53-IA-5(c) - PCI-DSS-Req-8.2.3 - PCI-DSSv4-8.3 - PCI-DSSv4-8.3.1 - configure_strategy - high_severity - low_complexity - medium_disruption - no_empty_passwords - no_reboot_needed - name: Prevent Login to Accounts With Empty Password - Remediate directly editing PAM files ansible.builtin.replace: dest: '{{ item }}' regexp: nullok loop: - /etc/pam.d/system-auth - /etc/pam.d/password-auth when: - DISA_STIG_RHEL_09_611025 | bool - configure_strategy | bool - high_severity | bool - low_complexity | bool - medium_disruption | bool - no_empty_passwords | bool - no_reboot_needed | bool - '"kernel-core" in 
ansible_facts.packages' - not result_authselect_present.stat.exists tags: - CCE-83611-4 - CJIS-5.5.2 - DISA-STIG-RHEL-09-611025 - NIST-800-171-3.1.1 - NIST-800-171-3.1.5 - NIST-800-53-CM-6(a) - NIST-800-53-IA-5(1)(a) - NIST-800-53-IA-5(c) - PCI-DSS-Req-8.2.3 - PCI-DSSv4-8.3 - PCI-DSSv4-8.3.1 - configure_strategy - high_severity - low_complexity - medium_disruption - no_empty_passwords - no_reboot_needed - name: Collect users with no password ansible.builtin.command: 'awk -F: ''!$2 {print $1}'' /etc/shadow ' register: users_nopasswd changed_when: false when: - DISA_STIG_RHEL_09_611155 | bool - high_severity | bool - low_complexity | bool - low_disruption | bool - no_empty_passwords_etc_shadow | bool - no_reboot_needed | bool - restrict_strategy | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-85972-8 - DISA-STIG-RHEL-09-611155 - NIST-800-53-CM-6(b) - NIST-800-53-CM-6.1(iv) - PCI-DSSv4-2.2 - PCI-DSSv4-2.2.2 - high_severity - low_complexity - low_disruption - no_empty_passwords_etc_shadow - no_reboot_needed - restrict_strategy - name: Lock users with no password ansible.builtin.command: 'passwd -l {{ item }} ' with_items: '{{ users_nopasswd.stdout_lines }}' when: - DISA_STIG_RHEL_09_611155 | bool - high_severity | bool - low_complexity | bool - low_disruption | bool - no_empty_passwords_etc_shadow | bool - no_reboot_needed | bool - restrict_strategy | bool - '"kernel-core" in ansible_facts.packages' - users_nopasswd is not skipped and users_nopasswd.stdout_lines | length > 0 tags: - CCE-85972-8 - DISA-STIG-RHEL-09-611155 - NIST-800-53-CM-6(b) - NIST-800-53-CM-6.1(iv) - PCI-DSSv4-2.2 - PCI-DSSv4-2.2.2 - high_severity - low_complexity - low_disruption - no_empty_passwords_etc_shadow - no_reboot_needed - restrict_strategy - name: Get all /etc/passwd file entries ansible.builtin.getent: database: passwd split: ':' when: - DISA_STIG_RHEL_09_411100 | bool - accounts_no_uid_except_zero | bool - high_severity | bool - low_complexity | bool - low_disruption | 
bool - no_reboot_needed | bool - restrict_strategy | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-83624-7 - DISA-STIG-RHEL-09-411100 - NIST-800-171-3.1.1 - NIST-800-171-3.1.5 - NIST-800-53-AC-6(5) - NIST-800-53-IA-2 - NIST-800-53-IA-4(b) - PCI-DSS-Req-8.5 - PCI-DSSv4-8.2 - PCI-DSSv4-8.2.1 - accounts_no_uid_except_zero - high_severity - low_complexity - low_disruption - no_reboot_needed - restrict_strategy - name: Lock the password of the user accounts other than root with uid 0 ansible.builtin.command: passwd -l {{ item.key }} loop: '{{ getent_passwd | dict2items | rejectattr(''key'', ''search'', ''root'') | list }}' when: - DISA_STIG_RHEL_09_411100 | bool - accounts_no_uid_except_zero | bool - high_severity | bool - low_complexity | bool - low_disruption | bool - no_reboot_needed | bool - restrict_strategy | bool - '"kernel-core" in ansible_facts.packages' - item.value.1 == '0' tags: - CCE-83624-7 - DISA-STIG-RHEL-09-411100 - NIST-800-171-3.1.1 - NIST-800-171-3.1.5 - NIST-800-53-AC-6(5) - NIST-800-53-IA-2 - NIST-800-53-IA-4(b) - PCI-DSS-Req-8.5 - PCI-DSSv4-8.2 - PCI-DSSv4-8.2.1 - accounts_no_uid_except_zero - high_severity - low_complexity - low_disruption - no_reboot_needed - restrict_strategy - name: Ensure the Group Used by pam_wheel.so Module Exists on System and is Empty - Ensure {{ var_pam_wheel_group_for_su }} Group Exists ansible.builtin.group: name: '{{ var_pam_wheel_group_for_su }}' state: present when: - ensure_pam_wheel_group_empty | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-86072-6 - PCI-DSSv4-2.2 - PCI-DSSv4-2.2.6 - ensure_pam_wheel_group_empty - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Ensure the Group Used by pam_wheel.so Module Exists on System and is Empty - Ensure {{ var_pam_wheel_group_for_su }} Group is Empty 
ansible.builtin.lineinfile: path: /etc/group regexp: ^({{ var_pam_wheel_group_for_su }}:[^:]+:[0-9]+:).*$ line: \1 backrefs: true when: - ensure_pam_wheel_group_empty | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-86072-6 - PCI-DSSv4-2.2 - PCI-DSSv4-2.2.6 - ensure_pam_wheel_group_empty - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Ensure that System Accounts Are Locked - Get All Local Users From /etc/passwd ansible.builtin.getent: database: passwd split: ':' when: - low_complexity | bool - medium_disruption | bool - medium_severity | bool - no_password_auth_for_systemaccounts | bool - no_reboot_needed | bool - restrict_strategy | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-86113-8 - NIST-800-53-AC-6 - NIST-800-53-CM-6(a) - PCI-DSSv4-8.2 - PCI-DSSv4-8.2.2 - low_complexity - medium_disruption - medium_severity - no_password_auth_for_systemaccounts - no_reboot_needed - restrict_strategy - name: Ensure that System Accounts Are Locked - Create local_users Variable From getent_passwd Facts ansible.builtin.set_fact: local_users: '{{ ansible_facts.getent_passwd | dict2items }}' when: - low_complexity | bool - medium_disruption | bool - medium_severity | bool - no_password_auth_for_systemaccounts | bool - no_reboot_needed | bool - restrict_strategy | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-86113-8 - NIST-800-53-AC-6 - NIST-800-53-CM-6(a) - PCI-DSSv4-8.2 - PCI-DSSv4-8.2.2 - low_complexity - medium_disruption - medium_severity - no_password_auth_for_systemaccounts - no_reboot_needed - restrict_strategy - name: Ensure that System Accounts Are Locked - Lock System Accounts ansible.builtin.user: name: '{{ item.key }}' password_lock: true loop: '{{ local_users }}' when: - low_complexity | bool - medium_disruption | bool - medium_severity | bool - 
no_password_auth_for_systemaccounts | bool - no_reboot_needed | bool - restrict_strategy | bool - '"kernel-core" in ansible_facts.packages' - item.value[1]|int < 1000 - item.key not in ['root', 'halt', 'sync', 'shutdown', 'nfsnobody'] tags: - CCE-86113-8 - NIST-800-53-AC-6 - NIST-800-53-CM-6(a) - PCI-DSSv4-8.2 - PCI-DSSv4-8.2.2 - low_complexity - medium_disruption - medium_severity - no_password_auth_for_systemaccounts - no_reboot_needed - restrict_strategy - name: Ensure that System Accounts Do Not Run a Shell Upon Login - Get All Local Users From /etc/passwd ansible.builtin.getent: database: passwd split: ':' when: - DISA_STIG_RHEL_09_411035 | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - no_reboot_needed | bool - no_shelllogin_for_systemaccounts | bool - restrict_strategy | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-83623-9 - DISA-STIG-RHEL-09-411035 - NIST-800-53-AC-6 - NIST-800-53-CM-6(a) - NIST-800-53-CM-6(b) - NIST-800-53-CM-6.1(iv) - PCI-DSSv4-8.2 - PCI-DSSv4-8.2.2 - low_complexity - medium_disruption - medium_severity - no_reboot_needed - no_shelllogin_for_systemaccounts - restrict_strategy - name: Ensure that System Accounts Do Not Run a Shell Upon Login - Create local_users Variable From getent_passwd Facts ansible.builtin.set_fact: local_users: '{{ ansible_facts.getent_passwd | dict2items }}' when: - DISA_STIG_RHEL_09_411035 | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - no_reboot_needed | bool - no_shelllogin_for_systemaccounts | bool - restrict_strategy | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-83623-9 - DISA-STIG-RHEL-09-411035 - NIST-800-53-AC-6 - NIST-800-53-CM-6(a) - NIST-800-53-CM-6(b) - NIST-800-53-CM-6.1(iv) - PCI-DSSv4-8.2 - PCI-DSSv4-8.2.2 - low_complexity - medium_disruption - medium_severity - no_reboot_needed - no_shelllogin_for_systemaccounts - restrict_strategy - name: Ensure that System Accounts Do Not Run a Shell Upon Login 
- Disable Login Shell for System Accounts ansible.builtin.user: name: '{{ item.key }}' shell: /sbin/nologin loop: '{{ local_users }}' when: - DISA_STIG_RHEL_09_411035 | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - no_reboot_needed | bool - no_shelllogin_for_systemaccounts | bool - restrict_strategy | bool - '"kernel-core" in ansible_facts.packages' - item.key not in ['root'] - item.value[1]|int < 1000 - item.value[5] not in ['/sbin/shutdown', '/sbin/halt', '/bin/sync'] tags: - CCE-83623-9 - DISA-STIG-RHEL-09-411035 - NIST-800-53-AC-6 - NIST-800-53-CM-6(a) - NIST-800-53-CM-6(b) - NIST-800-53-CM-6.1(iv) - PCI-DSSv4-8.2 - PCI-DSSv4-8.2.2 - low_complexity - medium_disruption - medium_severity - no_reboot_needed - no_shelllogin_for_systemaccounts - restrict_strategy - name: Enforce Usage of pam_wheel with Group Parameter for su Authentication - Add the group to the /etc/pam.d/su file ansible.builtin.lineinfile: path: /etc/pam.d/su state: present regexp: ^[\s]*#[\s]*auth[\s]+required[\s]+pam_wheel\.so[\s]+use_uid group=$ line: auth required pam_wheel.so use_uid group={{ var_pam_wheel_group_for_su }} when: - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - use_pam_wheel_group_for_su | bool - '"pam" in ansible_facts.packages' tags: - CCE-86065-0 - PCI-DSSv4-2.2 - PCI-DSSv4-2.2.6 - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - use_pam_wheel_group_for_su - name: Correct any occurrence of TMOUT in /etc/profile ansible.builtin.replace: path: /etc/profile regexp: ^[^#].*TMOUT=.* replace: typeset -xr TMOUT={{ var_accounts_tmout }} register: profile_replaced when: - DISA_STIG_RHEL_09_412035 | bool - accounts_tmout | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-83633-8 - 
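# … continuation of the previous task's tag list; that task starts before this block …
    - DISA-STIG-RHEL-09-412035
    - NIST-800-171-3.1.11
    - NIST-800-53-AC-12
    - NIST-800-53-AC-2(5)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-SC-10
    - PCI-DSSv4-8.6
    - PCI-DSSv4-8.6.1
    - accounts_tmout
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

# accounts_tmout: enforce the interactive shell timeout through a read-only,
# exported TMOUT in /etc/profile.d/tmout.sh.
- name: Set Interactive Session Timeout
  ansible.builtin.lineinfile:
    path: /etc/profile.d/tmout.sh
    # NOTE(review): no mode is set, so a newly created file gets the umask default — confirm intended
    create: true
    regexp: TMOUT=
    line: typeset -xr TMOUT={{ var_accounts_tmout }}
    state: present
  when:
    - DISA_STIG_RHEL_09_412035 | bool
    - accounts_tmout | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-83633-8
    - DISA-STIG-RHEL-09-412035
    - NIST-800-171-3.1.11
    - NIST-800-53-AC-12
    - NIST-800-53-AC-2(5)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-SC-10
    - PCI-DSSv4-8.6
    - PCI-DSSv4-8.6.1
    - accounts_tmout
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

# accounts_user_dot_group_ownership: dot files in interactive users' home
# directories must be group-owned by the user's primary group.
# getent_passwd values are indexed [password, uid, gid, gecos, home, shell].
- name: User Initialization Files Must Be Group-Owned By The Primary Group - Get interactive users from passwd file
  ansible.builtin.getent:
    database: passwd
  register: passwd_entries
  when:
    - accounts_user_dot_group_ownership | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-87037-8
    - accounts_user_dot_group_ownership
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: User Initialization Files Must Be Group-Owned By The Primary Group - Create list of interactive users with GID and home directory
  ansible.builtin.set_fact:
    interactive_users: '{{ interactive_users | default([]) + [{''home'': item.value[4], ''gid'': item.value[2]}] }}'
  loop: '{{ passwd_entries.ansible_facts.getent_passwd | dict2items }}'
  when:
    - accounts_user_dot_group_ownership | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - '"kernel-core" in ansible_facts.packages'
    # interactive users: GID >= 1000, excluding nobody (65534) and empty home
    - item.value[2] | int >= 1000 | int
    - item.value[2] | int != 65534 | int
    - item.value[4] != ""
  tags:
    - CCE-87037-8
    - accounts_user_dot_group_ownership
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: User Initialization Files Must Be Group-Owned By The Primary Group - Find dot files in interactive user home directories
  ansible.builtin.find:
    paths: '{{ item.home }}'
    patterns: .*
    file_type: file
    hidden: true
    depth: 1
    # do not follow symlinks, so a link in $HOME cannot redirect the chgrp elsewhere
    follow: false
  register: user_dotfiles
  loop: '{{ interactive_users | default([]) }}'
  # a missing home directory must not abort the play
  failed_when: false
  when:
    - accounts_user_dot_group_ownership | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - '"kernel-core" in ansible_facts.packages'
    - item.home != ""
  tags:
    - CCE-87037-8
    - accounts_user_dot_group_ownership
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: User Initialization Files Must Be Group-Owned By The Primary Group - Set correct group ownership for user initialization files
  ansible.builtin.file:
    path: '{{ item.1.path }}'
    group: '{{ item.0.item.gid }}'
    follow: false
  loop: '{{ user_dotfiles.results | subelements(''files'', skip_missing=True) }}'
  when:
    - accounts_user_dot_group_ownership | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - '"kernel-core" in ansible_facts.packages'
    # NOTE(review): the user-ownership variant below also guards on
    # `item.0 is not failed` and `item.0.item is defined`; the two should probably match
    - item.0 is not skipped
    - item.1.path is defined
  tags:
    - CCE-87037-8
    - accounts_user_dot_group_ownership
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

# accounts_user_dot_no_world_writable_programs: strip o+w from any
# world-writable file that is referenced from a user's init files.
- name: User Initialization Files Must Not Run World-Writable Programs - Initialize variables
  ansible.builtin.set_fact:
    home_user_dirs: []
    world_writable_files: []
  when:
    - DISA_STIG_RHEL_09_411115 | bool
    - accounts_user_dot_no_world_writable_programs | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-87451-1
    - DISA-STIG-RHEL-09-411115
    - accounts_user_dot_no_world_writable_programs
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: User Initialization Files Must Not Run World-Writable Programs - Get user's home dir list
  ansible.builtin.getent:
    database: passwd
  register: passwd_database
  when:
    - DISA_STIG_RHEL_09_411115 | bool
    - accounts_user_dot_no_world_writable_programs | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-87451-1
    - DISA-STIG-RHEL-09-411115
    - accounts_user_dot_no_world_writable_programs
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: User Initialization Files Must Not Run World-Writable Programs - Fill home_user_dirs
  ansible.builtin.set_fact:
    home_user_dirs: '{{ home_user_dirs + [item.data[4]] }}'
  when:
    - DISA_STIG_RHEL_09_411115 | bool
    - accounts_user_dot_no_world_writable_programs | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - '"kernel-core" in ansible_facts.packages'
    - item.data[4] is defined and item.data[2]|int >= 1000 and item.data[2]|int != 65534
  with_items: '{{ passwd_database.ansible_facts.getent_passwd | dict2items(key_name=''user'', value_name=''data'')}}'
  tags:
    - CCE-87451-1
    - DISA-STIG-RHEL-09-411115
    - accounts_user_dot_no_world_writable_programs
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: User Initialization Files Must Not Run World-Writable Programs - Get world writable files
  # read-only scan of the root filesystem (-xdev stays on one device)
  ansible.builtin.shell: |
    find / -xdev -type f -perm -0002 2> /dev/null
  register: world_writable_files
  changed_when: false
  check_mode: false
  when:
    - DISA_STIG_RHEL_09_411115 | bool
    - accounts_user_dot_no_world_writable_programs | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-87451-1
    - DISA-STIG-RHEL-09-411115
    - accounts_user_dot_no_world_writable_programs
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: User Initialization Files Must Not Run World-Writable Programs - Find referenced_files in init files
  ansible.builtin.find:
    paths: '{{ home_user_dirs }}'
    # NOTE(review): `contains` is a regular expression, so metacharacters in a
    # file path (e.g. `.`) match loosely rather than literally — confirm acceptable
    contains: '{{ item }}'
    hidden: true
    read_whole_file: true
    recurse: true
  with_items: '{{ world_writable_files.stdout_lines }}'
  register: referenced_files
  when:
    - DISA_STIG_RHEL_09_411115 | bool
    - accounts_user_dot_no_world_writable_programs | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-87451-1
    - DISA-STIG-RHEL-09-411115
    - accounts_user_dot_no_world_writable_programs
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: User Initialization Files Must Not Run World-Writable Programs - Remove world writable permissions
  ansible.builtin.file:
    # item.item is the world-writable path the find loop was run for
    path: '{{ item.item }}'
    mode: o-w
  when:
    - DISA_STIG_RHEL_09_411115 | bool
    - accounts_user_dot_no_world_writable_programs | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - '"kernel-core" in ansible_facts.packages'
    - item.matched > 0
  with_items: '{{ referenced_files.results }}'
  tags:
    - CCE-87451-1
    - DISA-STIG-RHEL-09-411115
    - accounts_user_dot_no_world_writable_programs
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

# accounts_user_dot_user_ownership: dot files in interactive users' home
# directories must be owned by that user.
- name: User Initialization Files Must Be Owned By the Primary User - Get interactive users from passwd file
  ansible.builtin.getent:
    database: passwd
  register: passwd_entries
  when:
    - accounts_user_dot_user_ownership | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-87038-6
    - accounts_user_dot_user_ownership
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: User Initialization Files Must Be Owned By the Primary User - Create list of interactive users with UID and home directory
  ansible.builtin.set_fact:
    interactive_users: '{{ interactive_users | default([]) + [{''uid'': item.value[1], ''home'': item.value[4], ''username'': item.key}] }}'
  loop: '{{ passwd_entries.ansible_facts.getent_passwd | dict2items }}'
  when:
    - accounts_user_dot_user_ownership | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - '"kernel-core" in ansible_facts.packages'
    - item.value[1] | int >= 1000 | int
    - item.value[1] | int != 65534 | int
    - item.value[4] != ""
  tags:
    - CCE-87038-6
    - accounts_user_dot_user_ownership
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: User Initialization Files Must Be Owned By the Primary User - Find dot files in interactive user home directories
  ansible.builtin.find:
    paths: '{{ item.home }}'
    patterns: .*
    file_type: file
    hidden: true
    depth: 1
    follow: false
  register: user_dotfiles
  loop: '{{ interactive_users | default([]) }}'
  failed_when: false
  when:
    - accounts_user_dot_user_ownership | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - '"kernel-core" in ansible_facts.packages'
    - item.home != ""
  tags:
    - CCE-87038-6
    - accounts_user_dot_user_ownership
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: User Initialization Files Must Be Owned By the Primary User - Set correct ownership for user initialization files
  ansible.builtin.file:
    path: '{{ item.1.path }}'
    owner: '{{ item.0.item.username }}'
    follow: false
  loop: '{{ user_dotfiles.results | subelements(''files'', skip_missing=True) }}'
  when:
    - accounts_user_dot_user_ownership | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - '"kernel-core" in ansible_facts.packages'
    - item.0 is not skipped
    - item.0 is not failed
    - item.0.item is defined
    - item.0.item.username is defined
    - item.1.path is defined
  tags:
    - CCE-87038-6
    - accounts_user_dot_user_ownership
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

# accounts_user_interactive_home_directory_exists: create missing home
# directories for interactive (UID >= 1000, not nobody) local users.
- name: Get all local users from /etc/passwd
  ansible.builtin.getent:
    database: passwd
    split: ':'
  when:
    - DISA_STIG_RHEL_09_411065 | bool
    - accounts_user_interactive_home_directory_exists | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-83639-5
    - DISA-STIG-RHEL-09-411065
    - accounts_user_interactive_home_directory_exists
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Create local_users variable from the getent output
  ansible.builtin.set_fact:
    local_users: '{{ ansible_facts.getent_passwd|dict2items }}'
  when:
    - DISA_STIG_RHEL_09_411065 | bool
    - accounts_user_interactive_home_directory_exists | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-83639-5
    - DISA-STIG-RHEL-09-411065
    - accounts_user_interactive_home_directory_exists
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Ensure interactive users have a home directory exists
  ansible.builtin.user:
    name: '{{ item.key }}'
    create_home: true
  loop: '{{ local_users }}'
  when:
    - DISA_STIG_RHEL_09_411065 | bool
    - accounts_user_interactive_home_directory_exists | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - '"kernel-core" in ansible_facts.packages'
    - item.value[1]|int >= 1000
    - item.value[1]|int != 65534
  tags:
    - CCE-83639-5
    - DISA-STIG-RHEL-09-411065
    - accounts_user_interactive_home_directory_exists
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

# file_permission_user_init_files: init files matching
# var_user_initialization_files_regex must be 0740 or more restrictive.
- name: Ensure All User Initialization Files Have Mode 0740 Or Less Permissive - Gather User Info
  ansible.builtin.getent:
    database: passwd
  when:
    - file_permission_user_init_files | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
  tags:
    - CCE-83637-9
    - file_permission_user_init_files
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Ensure All User Initialization Files Have Mode 0740 Or Less Permissive - Find Init Files
  ansible.builtin.find:
    paths: '{{ item.value[4] }}'
    pattern: '{{ var_user_initialization_files_regex }}'
    hidden: true
    use_regex: true
  with_dict: '{{ ansible_facts.getent_passwd }}'
  when:
    - file_permission_user_init_files | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    # NOTE(review): value[4] is the home-directory field (used as `paths` above);
    # comparing it with /sbin/nologin looks like it was meant for the shell field — confirm
    - item.value[4] != "/sbin/nologin"
    - item.key not in ["nobody", "nfsnobody"]
    - item.value[1] | int >= 1000
  register: found_init_files
  tags:
    - CCE-83637-9
    - file_permission_user_init_files
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Ensure All User Initialization Files Have Mode 0740 Or Less Permissive - Fix Init Files Permissions
  ansible.builtin.file:
    path: '{{ item.1.path }}'
    # clears setuid/setgid, group write/exec and all "other" bits; never adds bits
    mode: u-s,g-wxs,o=
  loop: '{{ q(''ansible.builtin.subelements'', found_init_files.results, ''files'', {''skip_missing'': True}) }}'
  when:
    - file_permission_user_init_files | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
  tags:
    - CCE-83637-9
    - file_permission_user_init_files
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

# file_permissions_home_directories: interactive users' home directories must
# not be group-writable or accessible by others (existing directories only).
- name: Get all local users from /etc/passwd
  ansible.builtin.getent:
    database: passwd
    split: ':'
  when:
    - DISA_STIG_RHEL_09_232050 | bool
    - file_permissions_home_directories | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
  tags:
    - CCE-83634-6
    - DISA-STIG-RHEL-09-232050
    - file_permissions_home_directories
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Create local_users variable from the getent output
  ansible.builtin.set_fact:
    local_users: '{{ ansible_facts.getent_passwd|dict2items }}'
  when:
    - DISA_STIG_RHEL_09_232050 | bool
    - file_permissions_home_directories | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
  tags:
    - CCE-83634-6
    - DISA-STIG-RHEL-09-232050
    - file_permissions_home_directories
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Test for existence home directories to avoid creating them.
  ansible.builtin.stat:
    path: '{{ item.value[4] }}'
  register: path_exists
  loop: '{{ local_users }}'
  when:
    - DISA_STIG_RHEL_09_232050 | bool
    - file_permissions_home_directories | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - item.value[1]|int >= 1000
    - item.value[1]|int != 65534
    # never touch "/" even if an account lists it as home
    - item.value[4] != "/"
  tags:
    - CCE-83634-6
    - DISA-STIG-RHEL-09-232050
    - file_permissions_home_directories
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Ensure interactive local users have proper permissions on their respective home directories
  ansible.builtin.file:
    path: '{{ item.0.value[4] }}'
    mode: u-s,g-w-s,o=-
    follow: false
    recurse: false
  # pair each passwd entry with its stat result (same order as the loop above)
  loop: '{{ local_users|zip(path_exists.results)|list }}'
  when:
    - DISA_STIG_RHEL_09_232050 | bool
    - file_permissions_home_directories | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - item.1.stat is defined and item.1.stat.exists
  tags:
    - CCE-83634-6
    - DISA-STIG-RHEL-09-232050
    - file_permissions_home_directories
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

# accounts_root_path_dirs_no_write: directories on root's PATH must not be
# group- or world-writable (symlinked entries are left alone).
- name: Get root paths which are not symbolic links
  ansible.builtin.stat:
    path: '{{ item }}'
  changed_when: false
  failed_when: false
  register: root_paths
  # NOTE(review): this is the PATH of the Ansible session, presumably root's
  # after privilege escalation — confirm the play runs with become
  with_items: '{{ ansible_env.PATH.split('':'') }}'
  when:
    - accounts_root_path_dirs_no_write | bool
    - low_complexity | bool
    - medium_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
  tags:
    - CCE-83643-7
    - NIST-800-53-CM-6(a)
    - accounts_root_path_dirs_no_write
    - low_complexity
    - medium_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Disable writability to root directories
  ansible.builtin.file:
    path: '{{ item.item }}'
    mode: g-w,o-w
  with_items: '{{ root_paths.results }}'
  when:
    - accounts_root_path_dirs_no_write | bool
    - low_complexity | bool
    - medium_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - root_paths.results is defined
    - item.stat.exists
    - not item.stat.islnk
  tags:
    - CCE-83643-7
    - NIST-800-53-CM-6(a)
    - accounts_root_path_dirs_no_write
    - low_complexity
    - medium_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

# accounts_umask_etc_bashrc: set the default umask in /etc/bashrc, replacing an
# existing non-commented `umask` line or appending one.
- name: Check if umask in /etc/bashrc is already set
  ansible.builtin.lineinfile:
    path: /etc/bashrc
    regexp: '^[^#]*\bumask\s+\d+$'
    state: absent
    # check_mode + changed_when false: only counts matches, never edits
    check_mode: true
  changed_when: false
  register: umask_replace
  when:
    - DISA_STIG_RHEL_09_412055 | bool
    - accounts_umask_etc_bashrc | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - '"kernel-core" in ansible_facts.packages'
    - '"bash" in ansible_facts.packages'
  tags:
    - CCE-83644-5
    - DISA-STIG-RHEL-09-412055
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - accounts_umask_etc_bashrc
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Replace user umask in /etc/bashrc
  ansible.builtin.replace:
    path: /etc/bashrc
    regexp: '^([^#]*\b)umask\s+\d+$'
    replace: \g<1>umask {{ var_accounts_user_umask }}
  when:
    - DISA_STIG_RHEL_09_412055 | bool
    - accounts_umask_etc_bashrc | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - '"kernel-core" in ansible_facts.packages'
    - '"bash" in ansible_facts.packages'
    - umask_replace.found > 0
  tags:
    - CCE-83644-5
    - DISA-STIG-RHEL-09-412055
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - accounts_umask_etc_bashrc
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Ensure the Default umask is Appended Correctly
  ansible.builtin.lineinfile:
    create: true
    path: /etc/bashrc
    line: umask {{ var_accounts_user_umask }}
  when:
    - DISA_STIG_RHEL_09_412055 | bool
    - accounts_umask_etc_bashrc | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - '"kernel-core" in ansible_facts.packages'
    - '"bash" in ansible_facts.packages'
    - umask_replace.found == 0
  tags:
    - CCE-83644-5
    - DISA-STIG-RHEL-09-412055
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - accounts_umask_etc_bashrc
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

# accounts_umask_etc_login_defs: same replace-or-append pattern for UMASK in
# /etc/login.defs.
- name: Check if UMASK is already set
  ansible.builtin.lineinfile:
    path: /etc/login.defs
    regexp: '^(\s*)UMASK\s+.*'
    state: absent
    check_mode: true
  changed_when: false
  register: result_umask_is_set
  when:
    - DISA_STIG_RHEL_09_412065 | bool
    - accounts_umask_etc_login_defs | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - '"kernel-core" in ansible_facts.packages'
    - '"shadow-utils" in ansible_facts.packages'
  tags:
    - CCE-83647-8
    - DISA-STIG-RHEL-09-412065
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - accounts_umask_etc_login_defs
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Replace user UMASK in /etc/login.defs
  ansible.builtin.replace:
    path: /etc/login.defs
    regexp: '^(\s*)UMASK(\s+).*'
    replace: \g<1>UMASK\g<2>{{ var_accounts_user_umask }}
  when:
    - DISA_STIG_RHEL_09_412065 | bool
    - accounts_umask_etc_login_defs | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - '"kernel-core" in ansible_facts.packages'
    - '"shadow-utils" in ansible_facts.packages'
    - result_umask_is_set.found > 0
  tags:
    - CCE-83647-8
    - DISA-STIG-RHEL-09-412065
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - accounts_umask_etc_login_defs
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Ensure the Default UMASK is Appended Correctly
  ansible.builtin.lineinfile:
    create: true
    path: /etc/login.defs
    line: UMASK {{ var_accounts_user_umask }}
  when:
    - DISA_STIG_RHEL_09_412065 | bool
    - accounts_umask_etc_login_defs | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - '"kernel-core" in ansible_facts.packages'
    - '"shadow-utils" in ansible_facts.packages'
    - result_umask_is_set.found == 0
  tags:
    - CCE-83647-8
    - DISA-STIG-RHEL-09-412065
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - accounts_umask_etc_login_defs
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

# accounts_umask_etc_profile: fix umask in /etc/profile.d/*.sh and sh.local
# where one is defined; otherwise append to /etc/profile; always normalise
# any umask already present in /etc/profile.
- name: Ensure the Default Umask is Set Correctly in /etc/profile - Locate Profile Configuration Files Where umask Is Defined
  ansible.builtin.find:
    paths:
      - /etc/profile.d
    patterns:
      - sh.local
      - '*.sh'
    contains: '^[\s]*umask\s+\d+'
  register: result_profile_d_files
  when:
    - DISA_STIG_RHEL_09_412070 | bool
    - accounts_umask_etc_profile | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-90828-5
    - DISA-STIG-RHEL-09-412070
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - accounts_umask_etc_profile
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Ensure the Default Umask is Set Correctly in /etc/profile - Replace Existing umask Value in Files From /etc/profile.d
  ansible.builtin.replace:
    path: '{{ item.path }}'
    regexp: '^(\s*)umask\s+\d+'
    replace: \1umask {{ var_accounts_user_umask }}
  loop: '{{ result_profile_d_files.files }}'
  register: result_umask_replaced_profile_d
  when:
    - DISA_STIG_RHEL_09_412070 | bool
    - accounts_umask_etc_profile | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - '"kernel-core" in ansible_facts.packages'
    - result_profile_d_files.matched
  tags:
    - CCE-90828-5
    - DISA-STIG-RHEL-09-412070
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - accounts_umask_etc_profile
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Ensure the Default Umask is Set Correctly in /etc/profile - Ensure umask Is Set in /etc/profile if Not Already Set Elsewhere
  ansible.builtin.lineinfile:
    create: true
    # octal 0644 (the original wrote it as decimal 420); quoted so YAML keeps it a string
    mode: '0644'
    path: /etc/profile
    line: umask {{ var_accounts_user_umask }}
  when:
    - DISA_STIG_RHEL_09_412070 | bool
    - accounts_umask_etc_profile | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - '"kernel-core" in ansible_facts.packages'
    - not result_profile_d_files.matched
  tags:
    - CCE-90828-5
    - DISA-STIG-RHEL-09-412070
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - accounts_umask_etc_profile
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Ensure the Default Umask is Set Correctly in /etc/profile - Ensure umask Value For All Existing umask Definition in /etc/profile
  ansible.builtin.replace:
    path: /etc/profile
    regexp: '^(\s*)umask\s+\d+'
    replace: \1umask {{ var_accounts_user_umask }}
  register: result_umask_replaced_profile
  when:
    - DISA_STIG_RHEL_09_412070 | bool
    - accounts_umask_etc_profile | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-90828-5
    - DISA-STIG-RHEL-09-412070
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - accounts_umask_etc_profile
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

# file_groupowner_grub2_cfg: /boot/grub2/grub.cfg group-owned by GID 0.
# The grub2 rules below are skipped inside containers, where no bootloader exists.
- name: Set the file_groupowner_grub2_cfg_newgroup variable if represented by gid
  ansible.builtin.set_fact:
    file_groupowner_grub2_cfg_newgroup: '0'
  when:
    - DISA_STIG_RHEL_09_212025 | bool
    - configure_strategy | bool
    - file_groupowner_grub2_cfg | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - ( "grub2-common" in ansible_facts.packages and "kernel-core" in ansible_facts.packages )
    - not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] )
  tags:
    - CCE-83848-2
    - CJIS-5.5.2.2
    - DISA-STIG-RHEL-09-212025
    - NIST-800-171-3.4.5
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-7.1
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - configure_strategy
    - file_groupowner_grub2_cfg
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Test for existence /boot/grub2/grub.cfg
  ansible.builtin.stat:
    path: /boot/grub2/grub.cfg
  register: file_exists
  when:
    - DISA_STIG_RHEL_09_212025 | bool
    - configure_strategy | bool
    - file_groupowner_grub2_cfg | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - ( "grub2-common" in ansible_facts.packages and "kernel-core" in ansible_facts.packages )
    - not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] )
  tags:
    - CCE-83848-2
    - CJIS-5.5.2.2
    - DISA-STIG-RHEL-09-212025
    - NIST-800-171-3.4.5
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-7.1
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - configure_strategy
    - file_groupowner_grub2_cfg
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Ensure group owner on /boot/grub2/grub.cfg
  ansible.builtin.file:
    path: /boot/grub2/grub.cfg
    follow: false
    group: '{{ file_groupowner_grub2_cfg_newgroup }}'
  when:
    - DISA_STIG_RHEL_09_212025 | bool
    - configure_strategy | bool
    - file_groupowner_grub2_cfg | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - ( "grub2-common" in ansible_facts.packages and "kernel-core" in ansible_facts.packages )
    - not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] )
    - file_exists.stat is defined and file_exists.stat.exists
  tags:
    - CCE-83848-2
    - CJIS-5.5.2.2
    - DISA-STIG-RHEL-09-212025
    - NIST-800-171-3.4.5
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-7.1
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - configure_strategy
    - file_groupowner_grub2_cfg
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

# file_groupowner_user_cfg: /boot/grub2/user.cfg group-owned by GID 0.
- name: Set the file_groupowner_user_cfg_newgroup variable if represented by gid
  ansible.builtin.set_fact:
    file_groupowner_user_cfg_newgroup: '0'
  when:
    - configure_strategy | bool
    - file_groupowner_user_cfg | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - ( "grub2-common" in ansible_facts.packages and "kernel-core" in ansible_facts.packages )
    - not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] )
  tags:
    - CCE-86010-6
    - CJIS-5.5.2.2
    - NIST-800-171-3.4.5
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-7.1
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - configure_strategy
    - file_groupowner_user_cfg
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Test for existence /boot/grub2/user.cfg
  ansible.builtin.stat:
    path: /boot/grub2/user.cfg
  register: file_exists
  when:
    - configure_strategy | bool
    - file_groupowner_user_cfg | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - ( "grub2-common" in ansible_facts.packages and "kernel-core" in ansible_facts.packages )
    - not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] )
  tags:
    - CCE-86010-6
    - CJIS-5.5.2.2
    - NIST-800-171-3.4.5
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-7.1
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - configure_strategy
    - file_groupowner_user_cfg
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Ensure group owner on /boot/grub2/user.cfg
  ansible.builtin.file:
    path: /boot/grub2/user.cfg
    follow: false
    group: '{{ file_groupowner_user_cfg_newgroup }}'
  when:
    - configure_strategy | bool
    - file_groupowner_user_cfg | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - ( "grub2-common" in ansible_facts.packages and "kernel-core" in ansible_facts.packages )
    - not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] )
    - file_exists.stat is defined and file_exists.stat.exists
  tags:
    - CCE-86010-6
    - CJIS-5.5.2.2
    - NIST-800-171-3.4.5
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-7.1
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - configure_strategy
    - file_groupowner_user_cfg
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

# file_owner_grub2_cfg: /boot/grub2/grub.cfg owned by UID 0.
- name: Set the file_owner_grub2_cfg_newown variable if represented by uid
  ansible.builtin.set_fact:
    file_owner_grub2_cfg_newown: '0'
  when:
    - DISA_STIG_RHEL_09_212030 | bool
    - configure_strategy | bool
    - file_owner_grub2_cfg | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - ( "grub2-common" in ansible_facts.packages and "kernel-core" in ansible_facts.packages )
    - not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] )
  tags:
    - CCE-83845-8
    - CJIS-5.5.2.2
    - DISA-STIG-RHEL-09-212030
    - NIST-800-171-3.4.5
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-7.1
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - configure_strategy
    - file_owner_grub2_cfg
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Test for existence /boot/grub2/grub.cfg
  ansible.builtin.stat:
    path: /boot/grub2/grub.cfg
  register: file_exists
  when:
    - DISA_STIG_RHEL_09_212030 | bool
    - configure_strategy | bool
    - file_owner_grub2_cfg | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - ( "grub2-common" in ansible_facts.packages and "kernel-core" in ansible_facts.packages )
    - not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] )
  tags:
    - CCE-83845-8
    - CJIS-5.5.2.2
    - DISA-STIG-RHEL-09-212030
    - NIST-800-171-3.4.5
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-7.1
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - configure_strategy
    - file_owner_grub2_cfg
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Ensure owner on /boot/grub2/grub.cfg
  ansible.builtin.file:
    path: /boot/grub2/grub.cfg
    follow: false
    owner: '{{ file_owner_grub2_cfg_newown }}'
  when:
    - DISA_STIG_RHEL_09_212030 | bool
    - configure_strategy | bool
    - file_owner_grub2_cfg | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - ( "grub2-common" in ansible_facts.packages and "kernel-core" in ansible_facts.packages )
    - not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] )
    - file_exists.stat is defined and file_exists.stat.exists
  tags:
    - CCE-83845-8
    - CJIS-5.5.2.2
    - DISA-STIG-RHEL-09-212030
    - NIST-800-171-3.4.5
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-7.1
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - configure_strategy
    - file_owner_grub2_cfg
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

# file_owner_user_cfg: /boot/grub2/user.cfg owned by UID 0.
- name: Set the file_owner_user_cfg_newown variable if represented by uid
  ansible.builtin.set_fact:
    file_owner_user_cfg_newown: '0'
  when:
    - configure_strategy | bool
    - file_owner_user_cfg | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - ( "grub2-common" in ansible_facts.packages and "kernel-core" in ansible_facts.packages )
    - not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] )
  tags:
    - CCE-86016-3
    - CJIS-5.5.2.2
    - NIST-800-171-3.4.5
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-7.1
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - configure_strategy
    - file_owner_user_cfg
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Test for existence /boot/grub2/user.cfg
  ansible.builtin.stat:
    path: /boot/grub2/user.cfg
  register: file_exists
  when:
    - configure_strategy | bool
    - file_owner_user_cfg | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - ( "grub2-common" in ansible_facts.packages and "kernel-core" in ansible_facts.packages )
    - not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] )
  tags:
    - CCE-86016-3
    - CJIS-5.5.2.2
    - NIST-800-171-3.4.5
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-7.1
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - configure_strategy
    - file_owner_user_cfg
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Ensure owner on /boot/grub2/user.cfg
  ansible.builtin.file:
    path: /boot/grub2/user.cfg
    follow: false
    owner: '{{ file_owner_user_cfg_newown }}'
  when:
    - configure_strategy | bool
    - file_owner_user_cfg | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - ( "grub2-common" in ansible_facts.packages and "kernel-core" in ansible_facts.packages )
    - not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] )
    - file_exists.stat is defined and file_exists.stat.exists
  tags:
    - CCE-86016-3
    - CJIS-5.5.2.2
    - NIST-800-171-3.4.5
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-7.1
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - configure_strategy
    - file_owner_user_cfg
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

# file_permissions_grub2_cfg: grub.cfg readable/writable by owner only
# (symbolic mode removes bits; it never adds any).
- name: Test for existence /boot/grub2/grub.cfg
  ansible.builtin.stat:
    path: /boot/grub2/grub.cfg
  register: file_exists
  when:
    - configure_strategy | bool
    - file_permissions_grub2_cfg | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - ( "grub2-common" in ansible_facts.packages and "kernel-core" in ansible_facts.packages )
    - not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] )
  tags:
    - CCE-83846-6
    - NIST-800-171-3.4.5
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - configure_strategy
    - file_permissions_grub2_cfg
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Ensure permission u-xs,g-xwrs,o-xwrt on /boot/grub2/grub.cfg
  ansible.builtin.file:
    path: /boot/grub2/grub.cfg
    mode: u-xs,g-xwrs,o-xwrt
  when:
    - configure_strategy | bool
    - file_permissions_grub2_cfg | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - ( "grub2-common" in ansible_facts.packages and "kernel-core" in ansible_facts.packages )
    - not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] )
    - file_exists.stat is defined and file_exists.stat.exists
  tags:
    - CCE-83846-6
    - NIST-800-171-3.4.5
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - configure_strategy
    - file_permissions_grub2_cfg
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

# file_permissions_user_cfg: same for user.cfg (it may hold the grub password hash).
- name: Test for existence /boot/grub2/user.cfg
  ansible.builtin.stat:
    path: /boot/grub2/user.cfg
  register: file_exists
  when:
    - configure_strategy | bool
    - file_permissions_user_cfg | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - ( "grub2-common" in ansible_facts.packages and "kernel-core" in ansible_facts.packages )
    - not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] )
  tags:
    - CCE-86025-4
    - NIST-800-171-3.4.5
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - configure_strategy
    - file_permissions_user_cfg
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Ensure permission u-xs,g-xwrs,o-xwrt on /boot/grub2/user.cfg
  ansible.builtin.file:
    path: /boot/grub2/user.cfg
    mode: u-xs,g-xwrs,o-xwrt
  when:
    - configure_strategy | bool
    - file_permissions_user_cfg | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - ( "grub2-common" in ansible_facts.packages and "kernel-core" in ansible_facts.packages )
    - not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] )
    - file_exists.stat is defined and file_exists.stat.exists
  tags:
    - CCE-86025-4
    - NIST-800-171-3.4.5
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - configure_strategy
    - file_permissions_user_cfg
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

# rsyslog_files_groupownership: collect rsyslog's main config plus every file
# it includes (legacy $IncludeConfig and RainerScript include(file=...)) so the
# log files they define can be checked later.
- name: Ensure Log Files Are Owned By Appropriate Group - Set rsyslog logfile configuration facts
  ansible.builtin.set_fact:
    rsyslog_etc_config: /etc/rsyslog.conf
  when:
    - configure_strategy | bool
    - low_complexity | bool
    - medium_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - rsyslog_files_groupownership | bool
    - '"kernel-core" in ansible_facts.packages'
    - '"rsyslog" in ansible_facts.packages'
  tags:
    - CCE-83834-2
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.1
    - PCI-DSS-Req-10.5.2
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.2
    - configure_strategy
    - low_complexity
    - medium_disruption
    - medium_severity
    - no_reboot_needed
    - rsyslog_files_groupownership

- name: Ensure Log Files Are Owned By Appropriate Group - Get IncludeConfig directive
  # block scalar: `set -o pipefail` and the pipeline must be separate shell lines
  # (NOTE(review): pipefail needs bash; RHEL's /bin/sh is bash, but no `executable` is pinned)
  ansible.builtin.shell: |
    set -o pipefail
    grep -e '$IncludeConfig' {{ rsyslog_etc_config }} | cut -d ' ' -f 2 || true
  register: rsyslog_old_inc
  changed_when: false
  when:
    - configure_strategy | bool
    - low_complexity | bool
    - medium_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - rsyslog_files_groupownership | bool
    - '"kernel-core" in ansible_facts.packages'
    - '"rsyslog" in ansible_facts.packages'
  tags:
    - CCE-83834-2
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.1
    - PCI-DSS-Req-10.5.2
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.2
    - configure_strategy
    - low_complexity
    - medium_disruption
    - medium_severity
    - no_reboot_needed
    - rsyslog_files_groupownership

- name: Ensure Log Files Are Owned By Appropriate Group - Get include files directives
  # extracts the file="..." argument of each include(...) block in the config
  ansible.builtin.shell: |
    set -o pipefail
    awk '/)/{f=0} /include\(/{f=1} f{ nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){ print nf }}' {{ rsyslog_etc_config }} || true
  register: rsyslog_new_inc
  changed_when: false
  when:
    - configure_strategy | bool
    - low_complexity | bool
    - medium_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - rsyslog_files_groupownership | bool
    - '"kernel-core" in ansible_facts.packages'
    - '"rsyslog" in ansible_facts.packages'
  tags:
    - CCE-83834-2
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.1
    - PCI-DSS-Req-10.5.2
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.2
    - configure_strategy
    - low_complexity
    - medium_disruption
    - medium_severity
    - no_reboot_needed
    - rsyslog_files_groupownership

- name: Ensure Log Files Are Owned By Appropriate Group - Aggregate rsyslog includes
  ansible.builtin.set_fact:
    include_config_output: '{{ rsyslog_old_inc.stdout_lines + rsyslog_new_inc.stdout_lines }}'
  when:
    - configure_strategy | bool
    - low_complexity | bool
    - medium_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - rsyslog_files_groupownership | bool
    - '"kernel-core" in ansible_facts.packages'
    - '"rsyslog" in ansible_facts.packages'
    - rsyslog_old_inc is not skipped and rsyslog_new_inc is not skipped
  tags:
    - CCE-83834-2
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.1
    - PCI-DSS-Req-10.5.2
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.2
    - configure_strategy
    - low_complexity
    - medium_disruption
    - medium_severity
    - no_reboot_needed
    - rsyslog_files_groupownership

- name: Ensure Log Files Are Owned By Appropriate Group - List all config files
  ansible.builtin.find:
    # include entries may be globs, so split each into directory + pattern
    paths: '{{ item | dirname }}'
    patterns: '{{ item | basename }}'
    hidden: false
    follow: true
  loop: '{{ include_config_output | list + [rsyslog_etc_config] }}'
  when:
    - configure_strategy | bool
    - low_complexity | bool
    - medium_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - rsyslog_files_groupownership | bool
    - '"kernel-core" in ansible_facts.packages'
# … this task's remaining conditions and tags continue beyond this block …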
'"rsyslog" in ansible_facts.packages' - include_config_output is defined register: rsyslog_config_files failed_when: false changed_when: false tags: - CCE-83834-2 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.1 - PCI-DSS-Req-10.5.2 - PCI-DSSv4-10.3 - PCI-DSSv4-10.3.2 - configure_strategy - low_complexity - medium_disruption - medium_severity - no_reboot_needed - rsyslog_files_groupownership - name: Ensure Log Files Are Owned By Appropriate Group - Extract log files old format ansible.builtin.shell: 'set -o pipefail grep -oP ''^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*\.*$'' {{ item.1.path }} | \ awk ''{print $NF}'' | \ sed -e ''s/^-//'' || true ' loop: '{{ rsyslog_config_files.results | default([]) | subelements(''files'') }}' register: log_files_old changed_when: false when: - configure_strategy | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - no_reboot_needed | bool - rsyslog_files_groupownership | bool - '"kernel-core" in ansible_facts.packages' - '"rsyslog" in ansible_facts.packages' - rsyslog_config_files is not skipped tags: - CCE-83834-2 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.1 - PCI-DSS-Req-10.5.2 - PCI-DSSv4-10.3 - PCI-DSSv4-10.3.2 - configure_strategy - low_complexity - medium_disruption - medium_severity - no_reboot_needed - rsyslog_files_groupownership - name: Ensure Log Files Are Owned By Appropriate Group - Extract log files new format ansible.builtin.shell: 'set -o pipefail grep -ozP "action\s*\(\s*type\s*=\s*\"omfile\"[^\)]*\)" {{ item.1.path }} | \ grep -aoP "\bFile\s*=\s*\"([/[:alnum:][:punct:]]*)\"\s*\)" | \ grep -oE "\"([/[:alnum:][:punct:]]*)\"" | \ tr -d "\""|| true ' loop: '{{ rsyslog_config_files.results | default([]) | subelements(''files'') }}' register: log_files_new changed_when: false when: - configure_strategy | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - no_reboot_needed | bool - rsyslog_files_groupownership | bool - 
'"kernel-core" in ansible_facts.packages' - '"rsyslog" in ansible_facts.packages' - rsyslog_config_files is not skipped tags: - CCE-83834-2 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.1 - PCI-DSS-Req-10.5.2 - PCI-DSSv4-10.3 - PCI-DSSv4-10.3.2 - configure_strategy - low_complexity - medium_disruption - medium_severity - no_reboot_needed - rsyslog_files_groupownership - name: Ensure Log Files Are Owned By Appropriate Group - Sum all log files found ansible.builtin.set_fact: log_files: '{{ log_files_new.results | map(attribute=''stdout_lines'') | list | flatten | unique + log_files_old.results | map(attribute=''stdout_lines'') | list | flatten | unique }}' when: - configure_strategy | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - no_reboot_needed | bool - rsyslog_files_groupownership | bool - '"kernel-core" in ansible_facts.packages' - '"rsyslog" in ansible_facts.packages' tags: - CCE-83834-2 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.1 - PCI-DSS-Req-10.5.2 - PCI-DSSv4-10.3 - PCI-DSSv4-10.3.2 - configure_strategy - low_complexity - medium_disruption - medium_severity - no_reboot_needed - rsyslog_files_groupownership - name: Ensure Log Files Are Owned By Appropriate Group -Setup log files attribute ansible.builtin.file: path: '{{ item }}' group: root state: file loop: '{{ log_files | list | flatten | unique }}' failed_when: false when: - configure_strategy | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - no_reboot_needed | bool - rsyslog_files_groupownership | bool - '"kernel-core" in ansible_facts.packages' - '"rsyslog" in ansible_facts.packages' tags: - CCE-83834-2 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.1 - PCI-DSS-Req-10.5.2 - PCI-DSSv4-10.3 - PCI-DSSv4-10.3.2 - configure_strategy - low_complexity - medium_disruption - medium_severity - no_reboot_needed - rsyslog_files_groupownership - name: Ensure Log Files Are Owned By Appropriate 
User - Set rsyslog logfile configuration facts ansible.builtin.set_fact: rsyslog_etc_config: /etc/rsyslog.conf when: - configure_strategy | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - no_reboot_needed | bool - rsyslog_files_ownership | bool - '"kernel-core" in ansible_facts.packages' - '"rsyslog" in ansible_facts.packages' tags: - CCE-83946-4 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.1 - PCI-DSS-Req-10.5.2 - PCI-DSSv4-10.3 - PCI-DSSv4-10.3.2 - configure_strategy - low_complexity - medium_disruption - medium_severity - no_reboot_needed - rsyslog_files_ownership - name: Ensure Log Files Are Owned By Appropriate User - Get IncludeConfig directive ansible.builtin.shell: 'set -o pipefail grep -e ''$IncludeConfig'' {{ rsyslog_etc_config }} | cut -d '' '' -f 2 || true ' register: rsyslog_old_inc changed_when: false when: - configure_strategy | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - no_reboot_needed | bool - rsyslog_files_ownership | bool - '"kernel-core" in ansible_facts.packages' - '"rsyslog" in ansible_facts.packages' tags: - CCE-83946-4 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.1 - PCI-DSS-Req-10.5.2 - PCI-DSSv4-10.3 - PCI-DSSv4-10.3.2 - configure_strategy - low_complexity - medium_disruption - medium_severity - no_reboot_needed - rsyslog_files_ownership - name: Ensure Log Files Are Owned By Appropriate User - Get include files directives ansible.builtin.shell: 'set -o pipefail awk ''/)/{f=0} /include\(/{f=1} f{ nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){ print nf }}'' {{ rsyslog_etc_config }} || true ' register: rsyslog_new_inc changed_when: false when: - configure_strategy | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - no_reboot_needed | bool - rsyslog_files_ownership | bool - '"kernel-core" in ansible_facts.packages' - '"rsyslog" in ansible_facts.packages' tags: - CCE-83946-4 - 
NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.1 - PCI-DSS-Req-10.5.2 - PCI-DSSv4-10.3 - PCI-DSSv4-10.3.2 - configure_strategy - low_complexity - medium_disruption - medium_severity - no_reboot_needed - rsyslog_files_ownership - name: Ensure Log Files Are Owned By Appropriate User - Aggregate rsyslog includes ansible.builtin.set_fact: include_config_output: '{{ rsyslog_old_inc.stdout_lines + rsyslog_new_inc.stdout_lines }}' when: - configure_strategy | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - no_reboot_needed | bool - rsyslog_files_ownership | bool - '"kernel-core" in ansible_facts.packages' - '"rsyslog" in ansible_facts.packages' - rsyslog_old_inc is not skipped and rsyslog_new_inc is not skipped tags: - CCE-83946-4 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.1 - PCI-DSS-Req-10.5.2 - PCI-DSSv4-10.3 - PCI-DSSv4-10.3.2 - configure_strategy - low_complexity - medium_disruption - medium_severity - no_reboot_needed - rsyslog_files_ownership - name: Ensure Log Files Are Owned By Appropriate User - List all config files ansible.builtin.find: paths: '{{ item | dirname }}' patterns: '{{ item | basename }}' hidden: false follow: true loop: '{{ include_config_output | list + [rsyslog_etc_config] }}' when: - configure_strategy | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - no_reboot_needed | bool - rsyslog_files_ownership | bool - '"kernel-core" in ansible_facts.packages' - '"rsyslog" in ansible_facts.packages' - include_config_output is defined register: rsyslog_config_files failed_when: false changed_when: false tags: - CCE-83946-4 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.1 - PCI-DSS-Req-10.5.2 - PCI-DSSv4-10.3 - PCI-DSSv4-10.3.2 - configure_strategy - low_complexity - medium_disruption - medium_severity - no_reboot_needed - rsyslog_files_ownership - name: Ensure Log Files Are Owned By Appropriate User - Extract log files old format 
ansible.builtin.shell: 'set -o pipefail grep -oP ''^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*\.*$'' {{ item.1.path }} | \ awk ''{print $NF}'' | \ sed -e ''s/^-//'' || true ' loop: '{{ rsyslog_config_files.results | default([]) | subelements(''files'') }}' register: log_files_old changed_when: false when: - configure_strategy | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - no_reboot_needed | bool - rsyslog_files_ownership | bool - '"kernel-core" in ansible_facts.packages' - '"rsyslog" in ansible_facts.packages' - rsyslog_config_files is not skipped tags: - CCE-83946-4 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.1 - PCI-DSS-Req-10.5.2 - PCI-DSSv4-10.3 - PCI-DSSv4-10.3.2 - configure_strategy - low_complexity - medium_disruption - medium_severity - no_reboot_needed - rsyslog_files_ownership - name: Ensure Log Files Are Owned By Appropriate User - Extract log files new format ansible.builtin.shell: 'set -o pipefail grep -ozP "action\s*\(\s*type\s*=\s*\"omfile\"[^\)]*\)" {{ item.1.path }} | \ grep -aoP "\bFile\s*=\s*\"([/[:alnum:][:punct:]]*)\"\s*\)" | \ grep -oE "\"([/[:alnum:][:punct:]]*)\"" | \ tr -d "\""|| true ' loop: '{{ rsyslog_config_files.results | default([]) | subelements(''files'') }}' register: log_files_new changed_when: false when: - configure_strategy | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - no_reboot_needed | bool - rsyslog_files_ownership | bool - '"kernel-core" in ansible_facts.packages' - '"rsyslog" in ansible_facts.packages' - rsyslog_config_files is not skipped tags: - CCE-83946-4 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.1 - PCI-DSS-Req-10.5.2 - PCI-DSSv4-10.3 - PCI-DSSv4-10.3.2 - configure_strategy - low_complexity - medium_disruption - medium_severity - no_reboot_needed - rsyslog_files_ownership - name: Ensure Log Files Are Owned By Appropriate User - Sum all log files found ansible.builtin.set_fact: log_files: '{{ 
log_files_new.results | map(attribute=''stdout_lines'') | list | flatten | unique + log_files_old.results | map(attribute=''stdout_lines'') | list | flatten | unique }}' when: - configure_strategy | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - no_reboot_needed | bool - rsyslog_files_ownership | bool - '"kernel-core" in ansible_facts.packages' - '"rsyslog" in ansible_facts.packages' tags: - CCE-83946-4 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.1 - PCI-DSS-Req-10.5.2 - PCI-DSSv4-10.3 - PCI-DSSv4-10.3.2 - configure_strategy - low_complexity - medium_disruption - medium_severity - no_reboot_needed - rsyslog_files_ownership - name: Ensure Log Files Are Owned By Appropriate User -Setup log files attribute ansible.builtin.file: path: '{{ item }}' owner: root state: file loop: '{{ log_files | list | flatten | unique }}' failed_when: false when: - configure_strategy | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - no_reboot_needed | bool - rsyslog_files_ownership | bool - '"kernel-core" in ansible_facts.packages' - '"rsyslog" in ansible_facts.packages' tags: - CCE-83946-4 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.1 - PCI-DSS-Req-10.5.2 - PCI-DSSv4-10.3 - PCI-DSSv4-10.3.2 - configure_strategy - low_complexity - medium_disruption - medium_severity - no_reboot_needed - rsyslog_files_ownership - name: Ensure System Log Files Have Correct Permissions - Set rsyslog logfile configuration facts ansible.builtin.set_fact: rsyslog_etc_config: /etc/rsyslog.conf when: - configure_strategy | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - no_reboot_needed | bool - rsyslog_files_permissions | bool - '"kernel-core" in ansible_facts.packages' - '"rsyslog" in ansible_facts.packages' tags: - CCE-83689-0 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.1 - PCI-DSS-Req-10.5.2 - PCI-DSSv4-10.3 - PCI-DSSv4-10.3.1 - configure_strategy 
- low_complexity - medium_disruption - medium_severity - no_reboot_needed - rsyslog_files_permissions - name: Ensure System Log Files Have Correct Permissions - Get IncludeConfig directive ansible.builtin.shell: 'set -o pipefail grep -e ''$IncludeConfig'' {{ rsyslog_etc_config }} | cut -d '' '' -f 2 || true ' register: rsyslog_old_inc changed_when: false when: - configure_strategy | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - no_reboot_needed | bool - rsyslog_files_permissions | bool - '"kernel-core" in ansible_facts.packages' - '"rsyslog" in ansible_facts.packages' tags: - CCE-83689-0 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.1 - PCI-DSS-Req-10.5.2 - PCI-DSSv4-10.3 - PCI-DSSv4-10.3.1 - configure_strategy - low_complexity - medium_disruption - medium_severity - no_reboot_needed - rsyslog_files_permissions - name: Ensure System Log Files Have Correct Permissions - Get include files directives ansible.builtin.shell: 'set -o pipefail awk ''/)/{f=0} /include\(/{f=1} f{ nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){ print nf }}'' {{ rsyslog_etc_config }} || true ' register: rsyslog_new_inc changed_when: false when: - configure_strategy | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - no_reboot_needed | bool - rsyslog_files_permissions | bool - '"kernel-core" in ansible_facts.packages' - '"rsyslog" in ansible_facts.packages' tags: - CCE-83689-0 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.1 - PCI-DSS-Req-10.5.2 - PCI-DSSv4-10.3 - PCI-DSSv4-10.3.1 - configure_strategy - low_complexity - medium_disruption - medium_severity - no_reboot_needed - rsyslog_files_permissions - name: Ensure System Log Files Have Correct Permissions - Aggregate rsyslog includes ansible.builtin.set_fact: include_config_output: '{{ rsyslog_old_inc.stdout_lines + rsyslog_new_inc.stdout_lines }}' when: - configure_strategy | bool - low_complexity | bool - 
medium_disruption | bool - medium_severity | bool - no_reboot_needed | bool - rsyslog_files_permissions | bool - '"kernel-core" in ansible_facts.packages' - '"rsyslog" in ansible_facts.packages' - rsyslog_old_inc is not skipped and rsyslog_new_inc is not skipped tags: - CCE-83689-0 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.1 - PCI-DSS-Req-10.5.2 - PCI-DSSv4-10.3 - PCI-DSSv4-10.3.1 - configure_strategy - low_complexity - medium_disruption - medium_severity - no_reboot_needed - rsyslog_files_permissions - name: Ensure System Log Files Have Correct Permissions - List all config files ansible.builtin.find: paths: '{{ item | dirname }}' patterns: '{{ item | basename }}' hidden: false follow: true loop: '{{ include_config_output | list + [rsyslog_etc_config] }}' when: - configure_strategy | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - no_reboot_needed | bool - rsyslog_files_permissions | bool - '"kernel-core" in ansible_facts.packages' - '"rsyslog" in ansible_facts.packages' - include_config_output is defined register: rsyslog_config_files failed_when: false changed_when: false tags: - CCE-83689-0 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.1 - PCI-DSS-Req-10.5.2 - PCI-DSSv4-10.3 - PCI-DSSv4-10.3.1 - configure_strategy - low_complexity - medium_disruption - medium_severity - no_reboot_needed - rsyslog_files_permissions - name: Ensure System Log Files Have Correct Permissions - Extract log files old format ansible.builtin.shell: 'set -o pipefail grep -oP ''^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*\.*$'' {{ item.1.path }} | \ awk ''{print $NF}'' | \ sed -e ''s/^-//'' || true ' loop: '{{ rsyslog_config_files.results | default([]) | subelements(''files'') }}' register: log_files_old changed_when: false when: - configure_strategy | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - no_reboot_needed | bool - rsyslog_files_permissions | bool - '"kernel-core" in 
ansible_facts.packages' - '"rsyslog" in ansible_facts.packages' - rsyslog_config_files is not skipped tags: - CCE-83689-0 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.1 - PCI-DSS-Req-10.5.2 - PCI-DSSv4-10.3 - PCI-DSSv4-10.3.1 - configure_strategy - low_complexity - medium_disruption - medium_severity - no_reboot_needed - rsyslog_files_permissions - name: Ensure System Log Files Have Correct Permissions - Extract log files new format ansible.builtin.shell: 'set -o pipefail grep -ozP "action\s*\(\s*type\s*=\s*\"omfile\"[^\)]*\)" {{ item.1.path }} | \ grep -aoP "\bFile\s*=\s*\"([/[:alnum:][:punct:]]*)\"\s*\)" | \ grep -oE "\"([/[:alnum:][:punct:]]*)\"" | \ tr -d "\""|| true ' loop: '{{ rsyslog_config_files.results | default([]) | subelements(''files'') }}' register: log_files_new changed_when: false when: - configure_strategy | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - no_reboot_needed | bool - rsyslog_files_permissions | bool - '"kernel-core" in ansible_facts.packages' - '"rsyslog" in ansible_facts.packages' - rsyslog_config_files is not skipped tags: - CCE-83689-0 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.1 - PCI-DSS-Req-10.5.2 - PCI-DSSv4-10.3 - PCI-DSSv4-10.3.1 - configure_strategy - low_complexity - medium_disruption - medium_severity - no_reboot_needed - rsyslog_files_permissions - name: Ensure System Log Files Have Correct Permissions - Sum all log files found ansible.builtin.set_fact: log_files: '{{ log_files_new.results | map(attribute=''stdout_lines'') | list | flatten | unique + log_files_old.results | map(attribute=''stdout_lines'') | list | flatten | unique }}' when: - configure_strategy | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - no_reboot_needed | bool - rsyslog_files_permissions | bool - '"kernel-core" in ansible_facts.packages' - '"rsyslog" in ansible_facts.packages' tags: - CCE-83689-0 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - 
PCI-DSS-Req-10.5.1 - PCI-DSS-Req-10.5.2 - PCI-DSSv4-10.3 - PCI-DSSv4-10.3.1 - configure_strategy - low_complexity - medium_disruption - medium_severity - no_reboot_needed - rsyslog_files_permissions - name: Ensure System Log Files Have Correct Permissions -Setup log files attribute ansible.builtin.file: path: '{{ item }}' mode: '0640' state: file loop: '{{ log_files | list | flatten | unique }}' failed_when: false when: - configure_strategy | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - no_reboot_needed | bool - rsyslog_files_permissions | bool - '"kernel-core" in ansible_facts.packages' - '"rsyslog" in ansible_facts.packages' tags: - CCE-83689-0 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.1 - PCI-DSS-Req-10.5.2 - PCI-DSSv4-10.3 - PCI-DSSv4-10.3.1 - configure_strategy - low_complexity - medium_disruption - medium_severity - no_reboot_needed - rsyslog_files_permissions - name: Ensure journald is configured to compress large log files - Search for a section in files ansible.builtin.find: paths: '{{item.path}}' patterns: '{{item.pattern}}' contains: ^\s*\[Journal\] read_whole_file: true use_regex: true register: systemd_dropin_files_with_section loop: - path: '{{ ''/etc/systemd/journald.conf'' | dirname }}' pattern: '{{ ''/etc/systemd/journald.conf'' | basename | regex_escape }}' - path: /etc/systemd/journald.conf.d pattern: .*\.conf when: - journald_compress | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-85931-4 - journald_compress - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Ensure journald is configured to compress large log files - Count number of files which contain the correct section ansible.builtin.set_fact: count_of_systemd_dropin_files_with_section: '{{systemd_dropin_files_with_section.results | 
map(attribute=''matched'') | list | map(''int'') | sum}}' when: - journald_compress | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-85931-4 - journald_compress - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Ensure journald is configured to compress large log files - Add missing configuration to correct section community.general.ini_file: path: '{{item}}' section: Journal option: Compress value: 'yes' state: present no_extra_spaces: true when: - journald_compress | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"kernel-core" in ansible_facts.packages' - count_of_systemd_dropin_files_with_section | int > 0 loop: '{{systemd_dropin_files_with_section.results | sum(attribute=''files'', start=[]) | map(attribute=''path'') | list }}' tags: - CCE-85931-4 - journald_compress - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Ensure journald is configured to compress large log files - Add configuration to new remediation file community.general.ini_file: path: /etc/systemd/journald.conf.d/complianceascode_hardening.conf section: Journal option: Compress value: 'yes' state: present no_extra_spaces: true create: true when: - journald_compress | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"kernel-core" in ansible_facts.packages' - count_of_systemd_dropin_files_with_section | int == 0 tags: - CCE-85931-4 - journald_compress - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Ensure journald is configured to write log files to persistent disk - Search for a section in files ansible.builtin.find: paths: '{{item.path}}' 
patterns: '{{item.pattern}}' contains: ^\s*\[Journal\] read_whole_file: true use_regex: true register: systemd_dropin_files_with_section loop: - path: '{{ ''/etc/systemd/journald.conf'' | dirname }}' pattern: '{{ ''/etc/systemd/journald.conf'' | basename | regex_escape }}' - path: /etc/systemd/journald.conf.d pattern: .*\.conf when: - journald_storage | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-86046-0 - journald_storage - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Ensure journald is configured to write log files to persistent disk - Count number of files which contain the correct section ansible.builtin.set_fact: count_of_systemd_dropin_files_with_section: '{{systemd_dropin_files_with_section.results | map(attribute=''matched'') | list | map(''int'') | sum}}' when: - journald_storage | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-86046-0 - journald_storage - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Ensure journald is configured to write log files to persistent disk - Add missing configuration to correct section community.general.ini_file: path: '{{item}}' section: Journal option: Storage value: persistent state: present no_extra_spaces: true when: - journald_storage | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"kernel-core" in ansible_facts.packages' - count_of_systemd_dropin_files_with_section | int > 0 loop: '{{systemd_dropin_files_with_section.results | sum(attribute=''files'', start=[]) | map(attribute=''path'') | list }}' tags: - CCE-86046-0 - journald_storage - low_complexity - 
low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Ensure journald is configured to write log files to persistent disk - Add configuration to new remediation file community.general.ini_file: path: /etc/systemd/journald.conf.d/complianceascode_hardening.conf section: Journal option: Storage value: persistent state: present no_extra_spaces: true create: true when: - journald_storage | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"kernel-core" in ansible_facts.packages' - count_of_systemd_dropin_files_with_section | int == 0 tags: - CCE-86046-0 - journald_storage - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Disable systemd-journal-remote Socket - Collect systemd Socket Units Present in the System ansible.builtin.command: cmd: systemctl -q list-unit-files --type socket register: result_systemd_unit_files changed_when: false check_mode: false when: - disable_strategy | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-87606-0 - disable_strategy - low_complexity - low_disruption - medium_severity - no_reboot_needed - socket_systemd-journal-remote_disabled - name: Disable systemd-journal-remote Socket - Ensure systemd-journal-remote.socket is Masked ansible.builtin.systemd: name: systemd-journal-remote.socket state: stopped enabled: false masked: true when: - disable_strategy | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - '"kernel-core" in ansible_facts.packages' - result_systemd_unit_files.stdout_lines is search("systemd-journal-remote.socket") tags: - CCE-87606-0 - disable_strategy - low_complexity - low_disruption - medium_severity - no_reboot_needed - socket_systemd-journal-remote_disabled - name: Configure Firewalld to Restrict 
Loopback Traffic - Remediation is Applicable if firewalld Service is Running block: - name: Configure Firewalld to Restrict Loopback Traffic - Ensure firewalld trusted Zone Restricts IPv4 Loopback Traffic ansible.builtin.command: cmd: firewall-cmd --permanent --zone=trusted --add-rich-rule='rule family=ipv4 source address="127.0.0.1" destination not address="127.0.0.1" drop' register: result_trusted_ipv4_restriction changed_when: - '''ALREADY_ENABLED'' not in result_trusted_ipv4_restriction.stderr' - name: Configure Firewalld to Restrict Loopback Traffic - Ensure firewalld trusted Zone Restricts IPv6 Loopback Traffic ansible.builtin.command: cmd: firewall-cmd --permanent --zone=trusted --add-rich-rule='rule family=ipv6 source address="::1" destination not address="::1" drop' register: result_trusted_ipv6_restriction changed_when: - '''ALREADY_ENABLED'' not in result_trusted_ipv6_restriction.stderr' - name: Configure Firewalld to Restrict Loopback Traffic - Ensure firewalld Changes are Applied ansible.builtin.service: name: firewalld state: reloaded when: - result_trusted_ipv4_restriction is changed or result_trusted_ipv6_restriction is changed when: - configure_strategy | bool - firewalld_loopback_traffic_restricted | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - '"kernel-core" in ansible_facts.packages' - ansible_facts.services['firewalld.service'].state == 'running' tags: - CCE-86137-7 - PCI-DSSv4-1.4 - PCI-DSSv4-1.4.1 - configure_strategy - firewalld_loopback_traffic_restricted - low_complexity - low_disruption - medium_severity - no_reboot_needed - name: Configure Firewalld to Restrict Loopback Traffic - Informative Message Based on Service State ansible.builtin.assert: that: - ansible_check_mode or ansible_facts.services['firewalld.service'].state == 'running' fail_msg: - firewalld service is not active. Remediation aborted! 
- This remediation could not be applied because it depends on firewalld service running. - The service is not started by this remediation in order to prevent connection issues. success_msg: - Configure Firewalld to Restrict Loopback Traffic remediation successfully executed when: - configure_strategy | bool - firewalld_loopback_traffic_restricted | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-86137-7 - PCI-DSSv4-1.4 - PCI-DSSv4-1.4.1 - configure_strategy - firewalld_loopback_traffic_restricted - low_complexity - low_disruption - medium_severity - no_reboot_needed - name: Configure Firewalld to Trust Loopback Traffic - Remediation is Applicable if firewalld Service is Running block: - name: Configure Firewalld to Trust Loopback Traffic - Ensure firewalld trusted Zone Includes lo Interface ansible.builtin.command: cmd: firewall-cmd --permanent --zone=trusted --add-interface=lo register: result_lo_interface_assignment changed_when: - '''ALREADY_ENABLED'' not in result_lo_interface_assignment.stderr' - name: Configure Firewalld to Trust Loopback Traffic - Ensure firewalld Changes are Applied ansible.builtin.service: name: firewalld state: reloaded when: - result_lo_interface_assignment is changed when: - configure_strategy | bool - firewalld_loopback_traffic_trusted | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - '"kernel-core" in ansible_facts.packages' - ansible_facts.services['firewalld.service'].state == 'running' tags: - CCE-86116-1 - PCI-DSSv4-1.4 - PCI-DSSv4-1.4.1 - configure_strategy - firewalld_loopback_traffic_trusted - low_complexity - low_disruption - medium_severity - no_reboot_needed - name: Configure Firewalld to Trust Loopback Traffic - Informative Message Based on Service State ansible.builtin.assert: that: - ansible_check_mode or ansible_facts.services['firewalld.service'].state 
== 'running' fail_msg: - firewalld service is not active. Remediation aborted! - This remediation could not be applied because it depends on firewalld service running. - The service is not started by this remediation in order to prevent connection issues. success_msg: - Configure Firewalld to Trust Loopback Traffic remediation successfully executed when: - configure_strategy | bool - firewalld_loopback_traffic_trusted | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-86116-1 - PCI-DSSv4-1.4 - PCI-DSSv4-1.4.1 - configure_strategy - firewalld_loopback_traffic_trusted - low_complexity - low_disruption - medium_severity - no_reboot_needed - name: Configure Accepting Router Advertisements on All IPv6 Interfaces - Set fact for sysctl paths ansible.builtin.set_fact: sysctl_paths: - /etc/sysctl.d/ - /run/sysctl.d/ - /usr/local/lib/sysctl.d/ when: - DISA_STIG_RHEL_09_254010 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - reboot_required | bool - sysctl_net_ipv6_conf_all_accept_ra | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-84120-5 - DISA-STIG-RHEL-09-254010 - NIST-800-171-3.1.20 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - disable_strategy - low_complexity - medium_disruption - medium_severity - reboot_required - sysctl_net_ipv6_conf_all_accept_ra - name: Configure Accepting Router Advertisements on All IPv6 Interfaces - Find all files that contain net.ipv6.conf.all.accept_ra ansible.builtin.shell: cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv6.conf.all.accept_ra\s*=\s*.*$' register: find_all_values check_mode: false changed_when: false failed_when: false when: - DISA_STIG_RHEL_09_254010 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - 
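reboot_required | bool
    - sysctl_net_ipv6_conf_all_accept_ra | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-84120-5
    - DISA-STIG-RHEL-09-254010
    - NIST-800-171-3.1.20
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - disable_strategy
    - low_complexity
    - medium_disruption
    - medium_severity
    - reboot_required
    - sysctl_net_ipv6_conf_all_accept_ra

# Read-only lookup of the *.conf files under sysctl_paths that already set
# net.ipv6.conf.all.accept_ra to the desired value. grep -H yields
# "path:line" entries; the task never reports changed or failed and also
# runs in check mode so the decision below can be taken.
- name: Configure Accepting Router Advertisements on All IPv6 Interfaces - Find all files that set net.ipv6.conf.all.accept_ra to correct value
  ansible.builtin.shell:
    cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv6.conf.all.accept_ra\s*=\s*{{ sysctl_net_ipv6_conf_all_accept_ra_value }}$'
  register: find_correct_value
  check_mode: false
  changed_when: false
  failed_when: false
  when:
    - DISA_STIG_RHEL_09_254010 | bool
    - disable_strategy | bool
    - low_complexity | bool
    - medium_disruption | bool
    - medium_severity | bool
    - reboot_required | bool
    - sysctl_net_ipv6_conf_all_accept_ra | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-84120-5
    - DISA-STIG-RHEL-09-254010
    - NIST-800-171-3.1.20
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - disable_strategy
    - low_complexity
    - medium_disruption
    - medium_severity
    - reboot_required
    - sysctl_net_ipv6_conf_all_accept_ra

# Comments out every definition of the key in the files found by the
# find_all_values lookup, so the value written to /etc/sysctl.conf by the
# next task is the only live one. Skipped only when every definition found
# already carries the desired value.
- name: Configure Accepting Router Advertisements on All IPv6 Interfaces - Comment out any occurrences of net.ipv6.conf.all.accept_ra from config files
  ansible.builtin.replace:
    # Each loop item is a grep -H "path:line" entry; keep the path part.
    path: '{{ item | split(":") | first }}'
    # Dots are escaped and a lookahead requires the "=" so that only the
    # net.ipv6.conf.all.accept_ra key matches. The previous unanchored
    # pattern also matched longer keys sharing the prefix
    # (e.g. net.ipv6.conf.all.accept_ra_defrtr) in the same file and
    # commented those out too.
    regexp: '^[\s]*net\.ipv6\.conf\.all\.accept_ra(?=\s*=)'
    replace: '#net.ipv6.conf.all.accept_ra'
  loop: '{{ find_all_values.stdout_lines }}'
  when:
    - DISA_STIG_RHEL_09_254010 | bool
    - disable_strategy | bool
    - low_complexity | bool
    - medium_disruption | bool
    - medium_severity | bool
    - reboot_required | bool
    - sysctl_net_ipv6_conf_all_accept_ra | bool
    - '"kernel-core" in ansible_facts.packages'
    - find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines | length > find_correct_value.stdout_lines | length
  tags:
    - CCE-84120-5
    - DISA-STIG-RHEL-09-254010
    - NIST-800-171-3.1.20
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - disable_strategy
    - low_complexity
    - medium_disruption
    - medium_severity
    - reboot_required
    - sysctl_net_ipv6_conf_all_accept_ra

# Persists the desired value in /etc/sysctl.conf; reload: true makes the
# module re-apply the file when it changes.
- name: Configure Accepting Router Advertisements on All IPv6 Interfaces - Ensure sysctl net.ipv6.conf.all.accept_ra is set
  ansible.posix.sysctl:
    name: net.ipv6.conf.all.accept_ra
    value: '{{ sysctl_net_ipv6_conf_all_accept_ra_value }}'
    sysctl_file: /etc/sysctl.conf
    state: present
    reload: true
  when:
    - DISA_STIG_RHEL_09_254010 | bool
    - disable_strategy | bool
    - low_complexity | bool
    - medium_disruption | bool
    - medium_severity | bool
    - reboot_required | bool
    - sysctl_net_ipv6_conf_all_accept_ra | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-84120-5
    - DISA-STIG-RHEL-09-254010
    - NIST-800-171-3.1.20
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - disable_strategy
    - low_complexity
    - medium_disruption
    - medium_severity
    - reboot_required
    - sysctl_net_ipv6_conf_all_accept_ra

# Directories searched for competing definitions of the next key.
# NOTE(review): /usr/lib/sysctl.d/ is not in this list - confirm that vendor
# drop-ins there cannot take precedence over the value written to
# /etc/sysctl.conf.
- name: Disable Accepting ICMP Redirects for All IPv6 Interfaces - Set fact for sysctl paths
  ansible.builtin.set_fact:
    sysctl_paths:
      - /etc/sysctl.d/
      - /run/sysctl.d/
      - /usr/local/lib/sysctl.d/
  when:
    - DISA_STIG_RHEL_09_254015 | bool
    - disable_strategy | bool
    - low_complexity | bool
    - medium_disruption | bool
    - medium_severity | bool
    - reboot_required | bool
    - sysctl_net_ipv6_conf_all_accept_redirects | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-84125-4
    - DISA-STIG-RHEL-09-254015
    - NIST-800-171-3.1.20
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-6(b)
    - NIST-800-53-CM-6.1(iv)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - disable_strategy
    - low_complexity
    - medium_disruption
    - medium_severity
    - reboot_required
    - sysctl_net_ipv6_conf_all_accept_redirects

- name: Disable Accepting ICMP Redirects for All IPv6 Interfaces - Find all files that contain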
net.ipv6.conf.all.accept_redirects ansible.builtin.shell: cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv6.conf.all.accept_redirects\s*=\s*.*$' register: find_all_values check_mode: false changed_when: false failed_when: false when: - DISA_STIG_RHEL_09_254015 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - reboot_required | bool - sysctl_net_ipv6_conf_all_accept_redirects | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-84125-4 - DISA-STIG-RHEL-09-254015 - NIST-800-171-3.1.20 - NIST-800-53-CM-6(a) - NIST-800-53-CM-6(b) - NIST-800-53-CM-6.1(iv) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - disable_strategy - low_complexity - medium_disruption - medium_severity - reboot_required - sysctl_net_ipv6_conf_all_accept_redirects - name: Disable Accepting ICMP Redirects for All IPv6 Interfaces - Find all files that set net.ipv6.conf.all.accept_redirects to correct value ansible.builtin.shell: cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv6.conf.all.accept_redirects\s*=\s*{{ sysctl_net_ipv6_conf_all_accept_redirects_value }}$' register: find_correct_value check_mode: false changed_when: false failed_when: false when: - DISA_STIG_RHEL_09_254015 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - reboot_required | bool - sysctl_net_ipv6_conf_all_accept_redirects | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-84125-4 - DISA-STIG-RHEL-09-254015 - NIST-800-171-3.1.20 - NIST-800-53-CM-6(a) - NIST-800-53-CM-6(b) - NIST-800-53-CM-6.1(iv) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - disable_strategy - low_complexity - medium_disruption - medium_severity - reboot_required - sysctl_net_ipv6_conf_all_accept_redirects - name: Disable Accepting ICMP Redirects for All IPv6 Interfaces - Comment out any occurrences of 
net.ipv6.conf.all.accept_redirects from config files ansible.builtin.replace: path: '{{ item | split(":") | first }}' regexp: ^[\s]*net.ipv6.conf.all.accept_redirects replace: '#net.ipv6.conf.all.accept_redirects' loop: '{{ find_all_values.stdout_lines }}' when: - DISA_STIG_RHEL_09_254015 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - reboot_required | bool - sysctl_net_ipv6_conf_all_accept_redirects | bool - '"kernel-core" in ansible_facts.packages' - find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines | length > find_correct_value.stdout_lines | length tags: - CCE-84125-4 - DISA-STIG-RHEL-09-254015 - NIST-800-171-3.1.20 - NIST-800-53-CM-6(a) - NIST-800-53-CM-6(b) - NIST-800-53-CM-6.1(iv) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - disable_strategy - low_complexity - medium_disruption - medium_severity - reboot_required - sysctl_net_ipv6_conf_all_accept_redirects - name: Disable Accepting ICMP Redirects for All IPv6 Interfaces - Ensure sysctl net.ipv6.conf.all.accept_redirects is set ansible.posix.sysctl: name: net.ipv6.conf.all.accept_redirects value: '{{ sysctl_net_ipv6_conf_all_accept_redirects_value }}' sysctl_file: /etc/sysctl.conf state: present reload: true when: - DISA_STIG_RHEL_09_254015 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - reboot_required | bool - sysctl_net_ipv6_conf_all_accept_redirects | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-84125-4 - DISA-STIG-RHEL-09-254015 - NIST-800-171-3.1.20 - NIST-800-53-CM-6(a) - NIST-800-53-CM-6(b) - NIST-800-53-CM-6.1(iv) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - disable_strategy - low_complexity - medium_disruption - medium_severity - reboot_required - sysctl_net_ipv6_conf_all_accept_redirects - name: Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces - Set fact for sysctl paths 
ansible.builtin.set_fact: sysctl_paths: - /etc/sysctl.d/ - /run/sysctl.d/ - /usr/local/lib/sysctl.d/ when: - DISA_STIG_RHEL_09_254020 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - reboot_required | bool - sysctl_net_ipv6_conf_all_accept_source_route | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-84131-2 - DISA-STIG-RHEL-09-254020 - NIST-800-171-3.1.20 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - disable_strategy - low_complexity - medium_disruption - medium_severity - reboot_required - sysctl_net_ipv6_conf_all_accept_source_route - name: Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces - Find all files that contain net.ipv6.conf.all.accept_source_route ansible.builtin.shell: cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv6.conf.all.accept_source_route\s*=\s*.*$' register: find_all_values check_mode: false changed_when: false failed_when: false when: - DISA_STIG_RHEL_09_254020 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - reboot_required | bool - sysctl_net_ipv6_conf_all_accept_source_route | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-84131-2 - DISA-STIG-RHEL-09-254020 - NIST-800-171-3.1.20 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - disable_strategy - low_complexity - medium_disruption - medium_severity - reboot_required - sysctl_net_ipv6_conf_all_accept_source_route - name: Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces - Find all files that set net.ipv6.conf.all.accept_source_route to correct value ansible.builtin.shell: cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv6.conf.all.accept_source_route\s*=\s*{{ sysctl_net_ipv6_conf_all_accept_source_route_value }}$' register: find_correct_value 
check_mode: false changed_when: false failed_when: false when: - DISA_STIG_RHEL_09_254020 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - reboot_required | bool - sysctl_net_ipv6_conf_all_accept_source_route | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-84131-2 - DISA-STIG-RHEL-09-254020 - NIST-800-171-3.1.20 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - disable_strategy - low_complexity - medium_disruption - medium_severity - reboot_required - sysctl_net_ipv6_conf_all_accept_source_route - name: Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces - Comment out any occurrences of net.ipv6.conf.all.accept_source_route from config files ansible.builtin.replace: path: '{{ item | split(":") | first }}' regexp: ^[\s]*net.ipv6.conf.all.accept_source_route replace: '#net.ipv6.conf.all.accept_source_route' loop: '{{ find_all_values.stdout_lines }}' when: - DISA_STIG_RHEL_09_254020 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - reboot_required | bool - sysctl_net_ipv6_conf_all_accept_source_route | bool - '"kernel-core" in ansible_facts.packages' - find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines | length > find_correct_value.stdout_lines | length tags: - CCE-84131-2 - DISA-STIG-RHEL-09-254020 - NIST-800-171-3.1.20 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - disable_strategy - low_complexity - medium_disruption - medium_severity - reboot_required - sysctl_net_ipv6_conf_all_accept_source_route - name: Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces - Ensure sysctl net.ipv6.conf.all.accept_source_route is set ansible.posix.sysctl: name: net.ipv6.conf.all.accept_source_route value: '{{ sysctl_net_ipv6_conf_all_accept_source_route_value }}' sysctl_file: /etc/sysctl.conf state: present reload: 
true when: - DISA_STIG_RHEL_09_254020 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - reboot_required | bool - sysctl_net_ipv6_conf_all_accept_source_route | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-84131-2 - DISA-STIG-RHEL-09-254020 - NIST-800-171-3.1.20 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - disable_strategy - low_complexity - medium_disruption - medium_severity - reboot_required - sysctl_net_ipv6_conf_all_accept_source_route - name: Disable Kernel Parameter for IPv6 Forwarding - Set fact for sysctl paths ansible.builtin.set_fact: sysctl_paths: - /etc/sysctl.d/ - /run/sysctl.d/ - /usr/local/lib/sysctl.d/ when: - DISA_STIG_RHEL_09_254025 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - reboot_required | bool - sysctl_net_ipv6_conf_all_forwarding | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-84114-8 - DISA-STIG-RHEL-09-254025 - NIST-800-53-CM-6(a) - NIST-800-53-CM-6(b) - NIST-800-53-CM-6.1(iv) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - disable_strategy - low_complexity - medium_disruption - medium_severity - reboot_required - sysctl_net_ipv6_conf_all_forwarding - name: Disable Kernel Parameter for IPv6 Forwarding - Find all files that contain net.ipv6.conf.all.forwarding ansible.builtin.shell: cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv6.conf.all.forwarding\s*=\s*.*$' register: find_all_values check_mode: false changed_when: false failed_when: false when: - DISA_STIG_RHEL_09_254025 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - reboot_required | bool - sysctl_net_ipv6_conf_all_forwarding | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-84114-8 - DISA-STIG-RHEL-09-254025 - NIST-800-53-CM-6(a) - NIST-800-53-CM-6(b) - NIST-800-53-CM-6.1(iv) - 
NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - disable_strategy - low_complexity - medium_disruption - medium_severity - reboot_required - sysctl_net_ipv6_conf_all_forwarding - name: Disable Kernel Parameter for IPv6 Forwarding - Find all files that set net.ipv6.conf.all.forwarding to correct value ansible.builtin.shell: cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv6.conf.all.forwarding\s*=\s*{{ sysctl_net_ipv6_conf_all_forwarding_value }}$' register: find_correct_value check_mode: false changed_when: false failed_when: false when: - DISA_STIG_RHEL_09_254025 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - reboot_required | bool - sysctl_net_ipv6_conf_all_forwarding | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-84114-8 - DISA-STIG-RHEL-09-254025 - NIST-800-53-CM-6(a) - NIST-800-53-CM-6(b) - NIST-800-53-CM-6.1(iv) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - disable_strategy - low_complexity - medium_disruption - medium_severity - reboot_required - sysctl_net_ipv6_conf_all_forwarding - name: Disable Kernel Parameter for IPv6 Forwarding - Comment out any occurrences of net.ipv6.conf.all.forwarding from config files ansible.builtin.replace: path: '{{ item | split(":") | first }}' regexp: ^[\s]*net.ipv6.conf.all.forwarding replace: '#net.ipv6.conf.all.forwarding' loop: '{{ find_all_values.stdout_lines }}' when: - DISA_STIG_RHEL_09_254025 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - reboot_required | bool - sysctl_net_ipv6_conf_all_forwarding | bool - '"kernel-core" in ansible_facts.packages' - find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines | length > find_correct_value.stdout_lines | length tags: - CCE-84114-8 - DISA-STIG-RHEL-09-254025 - NIST-800-53-CM-6(a) - NIST-800-53-CM-6(b) - NIST-800-53-CM-6.1(iv) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) 
- disable_strategy - low_complexity - medium_disruption - medium_severity - reboot_required - sysctl_net_ipv6_conf_all_forwarding - name: Disable Kernel Parameter for IPv6 Forwarding - Ensure sysctl net.ipv6.conf.all.forwarding is set ansible.posix.sysctl: name: net.ipv6.conf.all.forwarding value: '{{ sysctl_net_ipv6_conf_all_forwarding_value }}' sysctl_file: /etc/sysctl.conf state: present reload: true when: - DISA_STIG_RHEL_09_254025 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - reboot_required | bool - sysctl_net_ipv6_conf_all_forwarding | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-84114-8 - DISA-STIG-RHEL-09-254025 - NIST-800-53-CM-6(a) - NIST-800-53-CM-6(b) - NIST-800-53-CM-6.1(iv) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - disable_strategy - low_complexity - medium_disruption - medium_severity - reboot_required - sysctl_net_ipv6_conf_all_forwarding - name: Disable Accepting Router Advertisements on all IPv6 Interfaces by Default - Set fact for sysctl paths ansible.builtin.set_fact: sysctl_paths: - /etc/sysctl.d/ - /run/sysctl.d/ - /usr/local/lib/sysctl.d/ when: - DISA_STIG_RHEL_09_254030 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - reboot_required | bool - sysctl_net_ipv6_conf_default_accept_ra | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-84124-7 - DISA-STIG-RHEL-09-254030 - NIST-800-171-3.1.20 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - disable_strategy - low_complexity - medium_disruption - medium_severity - reboot_required - sysctl_net_ipv6_conf_default_accept_ra - name: Disable Accepting Router Advertisements on all IPv6 Interfaces by Default - Find all files that contain net.ipv6.conf.default.accept_ra ansible.builtin.shell: cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv6.conf.default.accept_ra\s*=\s*.*$' register: 
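find_all_values
  check_mode: false
  changed_when: false
  failed_when: false
  when:
    - DISA_STIG_RHEL_09_254030 | bool
    - disable_strategy | bool
    - low_complexity | bool
    - medium_disruption | bool
    - medium_severity | bool
    - reboot_required | bool
    - sysctl_net_ipv6_conf_default_accept_ra | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-84124-7
    - DISA-STIG-RHEL-09-254030
    - NIST-800-171-3.1.20
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - disable_strategy
    - low_complexity
    - medium_disruption
    - medium_severity
    - reboot_required
    - sysctl_net_ipv6_conf_default_accept_ra

# Read-only lookup of the *.conf files under sysctl_paths that already set
# net.ipv6.conf.default.accept_ra to the desired value. grep -H yields
# "path:line" entries; the task never reports changed or failed and also
# runs in check mode so the decision below can be taken.
- name: Disable Accepting Router Advertisements on all IPv6 Interfaces by Default - Find all files that set net.ipv6.conf.default.accept_ra to correct value
  ansible.builtin.shell:
    cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv6.conf.default.accept_ra\s*=\s*{{ sysctl_net_ipv6_conf_default_accept_ra_value }}$'
  register: find_correct_value
  check_mode: false
  changed_when: false
  failed_when: false
  when:
    - DISA_STIG_RHEL_09_254030 | bool
    - disable_strategy | bool
    - low_complexity | bool
    - medium_disruption | bool
    - medium_severity | bool
    - reboot_required | bool
    - sysctl_net_ipv6_conf_default_accept_ra | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-84124-7
    - DISA-STIG-RHEL-09-254030
    - NIST-800-171-3.1.20
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - disable_strategy
    - low_complexity
    - medium_disruption
    - medium_severity
    - reboot_required
    - sysctl_net_ipv6_conf_default_accept_ra

# Comments out every definition of the key in the files found by the
# find_all_values lookup, so the value written to /etc/sysctl.conf by the
# next task is the only live one. Skipped only when every definition found
# already carries the desired value.
- name: Disable Accepting Router Advertisements on all IPv6 Interfaces by Default - Comment out any occurrences of net.ipv6.conf.default.accept_ra from config files
  ansible.builtin.replace:
    # Each loop item is a grep -H "path:line" entry; keep the path part.
    path: '{{ item | split(":") | first }}'
    # Dots are escaped and a lookahead requires the "=" so that only the
    # net.ipv6.conf.default.accept_ra key matches. The previous unanchored
    # pattern also matched longer keys sharing the prefix
    # (e.g. net.ipv6.conf.default.accept_ra_defrtr) in the same file and
    # commented those out too.
    regexp: '^[\s]*net\.ipv6\.conf\.default\.accept_ra(?=\s*=)'
    replace: '#net.ipv6.conf.default.accept_ra'
  loop: '{{ find_all_values.stdout_lines }}'
  when:
    - DISA_STIG_RHEL_09_254030 | bool
    - disable_strategy | bool
    - low_complexity | bool
    - medium_disruption | bool
    - medium_severity | bool
    - reboot_required | bool
    - sysctl_net_ipv6_conf_default_accept_ra | bool
    - '"kernel-core" in ansible_facts.packages'
    - find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines | length > find_correct_value.stdout_lines | length
  tags:
    - CCE-84124-7
    - DISA-STIG-RHEL-09-254030
    - NIST-800-171-3.1.20
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - disable_strategy
    - low_complexity
    - medium_disruption
    - medium_severity
    - reboot_required
    - sysctl_net_ipv6_conf_default_accept_ra

# Persists the desired value in /etc/sysctl.conf; reload: true makes the
# module re-apply the file when it changes.
- name: Disable Accepting Router Advertisements on all IPv6 Interfaces by Default - Ensure sysctl net.ipv6.conf.default.accept_ra is set
  ansible.posix.sysctl:
    name: net.ipv6.conf.default.accept_ra
    value: '{{ sysctl_net_ipv6_conf_default_accept_ra_value }}'
    sysctl_file: /etc/sysctl.conf
    state: present
    reload: true
  when:
    - DISA_STIG_RHEL_09_254030 | bool
    - disable_strategy | bool
    - low_complexity | bool
    - medium_disruption | bool
    - medium_severity | bool
    - reboot_required | bool
    - sysctl_net_ipv6_conf_default_accept_ra | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-84124-7
    - DISA-STIG-RHEL-09-254030
    - NIST-800-171-3.1.20
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - disable_strategy
    - low_complexity
    - medium_disruption
    - medium_severity
    - reboot_required
    - sysctl_net_ipv6_conf_default_accept_ra

# Directories searched for competing definitions of the next key.
# NOTE(review): /usr/lib/sysctl.d/ is not in this list - confirm that vendor
# drop-ins there cannot take precedence over the value written to
# /etc/sysctl.conf.
- name: Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces - Set fact for sysctl paths
  ansible.builtin.set_fact:
    sysctl_paths:
      - /etc/sysctl.d/
      - /run/sysctl.d/
      - /usr/local/lib/sysctl.d/
  when:
    - DISA_STIG_RHEL_09_254035 | bool
    - disable_strategy | bool
    - low_complexity | bool
    - medium_disruption | bool
    - medium_severity | bool
    - reboot_required | bool
    - sysctl_net_ipv6_conf_default_accept_redirects | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-84113-0
    - DISA-STIG-RHEL-09-254035
    - NIST-800-171-3.1.20
    -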
NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - disable_strategy - low_complexity - medium_disruption - medium_severity - reboot_required - sysctl_net_ipv6_conf_default_accept_redirects - name: Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces - Find all files that contain net.ipv6.conf.default.accept_redirects ansible.builtin.shell: cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv6.conf.default.accept_redirects\s*=\s*.*$' register: find_all_values check_mode: false changed_when: false failed_when: false when: - DISA_STIG_RHEL_09_254035 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - reboot_required | bool - sysctl_net_ipv6_conf_default_accept_redirects | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-84113-0 - DISA-STIG-RHEL-09-254035 - NIST-800-171-3.1.20 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - disable_strategy - low_complexity - medium_disruption - medium_severity - reboot_required - sysctl_net_ipv6_conf_default_accept_redirects - name: Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces - Find all files that set net.ipv6.conf.default.accept_redirects to correct value ansible.builtin.shell: cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv6.conf.default.accept_redirects\s*=\s*{{ sysctl_net_ipv6_conf_default_accept_redirects_value }}$' register: find_correct_value check_mode: false changed_when: false failed_when: false when: - DISA_STIG_RHEL_09_254035 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - reboot_required | bool - sysctl_net_ipv6_conf_default_accept_redirects | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-84113-0 - DISA-STIG-RHEL-09-254035 - NIST-800-171-3.1.20 - NIST-800-53-CM-6(a) - 
NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - disable_strategy - low_complexity - medium_disruption - medium_severity - reboot_required - sysctl_net_ipv6_conf_default_accept_redirects - name: Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces - Comment out any occurrences of net.ipv6.conf.default.accept_redirects from config files ansible.builtin.replace: path: '{{ item | split(":") | first }}' regexp: ^[\s]*net.ipv6.conf.default.accept_redirects replace: '#net.ipv6.conf.default.accept_redirects' loop: '{{ find_all_values.stdout_lines }}' when: - DISA_STIG_RHEL_09_254035 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - reboot_required | bool - sysctl_net_ipv6_conf_default_accept_redirects | bool - '"kernel-core" in ansible_facts.packages' - find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines | length > find_correct_value.stdout_lines | length tags: - CCE-84113-0 - DISA-STIG-RHEL-09-254035 - NIST-800-171-3.1.20 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - disable_strategy - low_complexity - medium_disruption - medium_severity - reboot_required - sysctl_net_ipv6_conf_default_accept_redirects - name: Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces - Ensure sysctl net.ipv6.conf.default.accept_redirects is set ansible.posix.sysctl: name: net.ipv6.conf.default.accept_redirects value: '{{ sysctl_net_ipv6_conf_default_accept_redirects_value }}' sysctl_file: /etc/sysctl.conf state: present reload: true when: - DISA_STIG_RHEL_09_254035 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - reboot_required | bool - sysctl_net_ipv6_conf_default_accept_redirects | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-84113-0 - DISA-STIG-RHEL-09-254035 - NIST-800-171-3.1.20 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - 
disable_strategy - low_complexity - medium_disruption - medium_severity - reboot_required - sysctl_net_ipv6_conf_default_accept_redirects - name: Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default - Set fact for sysctl paths ansible.builtin.set_fact: sysctl_paths: - /etc/sysctl.d/ - /run/sysctl.d/ - /usr/local/lib/sysctl.d/ when: - DISA_STIG_RHEL_09_254040 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - reboot_required | bool - sysctl_net_ipv6_conf_default_accept_source_route | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-84130-4 - DISA-STIG-RHEL-09-254040 - NIST-800-171-3.1.20 - NIST-800-53-CM-6(a) - NIST-800-53-CM-6(b) - NIST-800-53-CM-6.1(iv) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - PCI-DSS-Req-1.4.3 - PCI-DSSv4-1.4 - PCI-DSSv4-1.4.2 - disable_strategy - low_complexity - medium_disruption - medium_severity - reboot_required - sysctl_net_ipv6_conf_default_accept_source_route - name: Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default - Find all files that contain net.ipv6.conf.default.accept_source_route ansible.builtin.shell: cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv6.conf.default.accept_source_route\s*=\s*.*$' register: find_all_values check_mode: false changed_when: false failed_when: false when: - DISA_STIG_RHEL_09_254040 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - reboot_required | bool - sysctl_net_ipv6_conf_default_accept_source_route | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-84130-4 - DISA-STIG-RHEL-09-254040 - NIST-800-171-3.1.20 - NIST-800-53-CM-6(a) - NIST-800-53-CM-6(b) - NIST-800-53-CM-6.1(iv) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - PCI-DSS-Req-1.4.3 - PCI-DSSv4-1.4 - PCI-DSSv4-1.4.2 - disable_strategy - low_complexity - medium_disruption - 
# Sysctl hardening tasks (generated compliance content). Every kernel
# parameter in this section is handled by the same five-step sequence:
#   1. set_fact  - the drop-in directories to search (sysctl_paths)
#   2. shell     - list every line that sets the parameter      -> find_all_values
#   3. shell     - list the lines that already hold the wanted value -> find_correct_value
#   4. replace   - comment the parameter out of the drop-ins when a
#                  missing or conflicting value was found
#   5. sysctl    - write the wanted value to /etc/sysctl.conf and reload
# Each task runs only when its rule is selected (DISA_STIG_* / sysctl_* flag),
# the profile strategy/complexity/disruption/severity switches are on, and the
# kernel-core package is installed (see the package_facts task at the top of
# the playbook).
#
# NOTE(review): the two shell steps pipe `find` output into `xargs` without
# -print0/-0, and the replace step takes the path from grep's `file:line`
# output with `split(":") | first`; both assume drop-in file names contain no
# whitespace or ':' - confirm for the managed hosts.
# NOTE(review): the *_value variables are interpolated unescaped into the
# grep -P pattern and into the shell command line. They are playbook
# variables, not host-supplied input; keep them that way (presumably a small
# integer - verify the variable definitions).
# NOTE(review): sysctl_paths lists /etc, /run and /usr/local/lib drop-ins
# only; vendor drop-ins (e.g. /usr/lib/sysctl.d) are not searched. That is
# presumably acceptable because `sysctl --system` reads /etc/sysctl.conf
# last and it wins on conflict - confirm for the target release.

# (tail of the tags list of the task that starts before this section)
  - medium_severity
  - reboot_required
  - sysctl_net_ipv6_conf_default_accept_source_route

# --- net.ipv6.conf.default.accept_source_route (steps 3-5; steps 1-2 precede this section)
- name: Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default - Find all files that set net.ipv6.conf.default.accept_source_route to correct value
  ansible.builtin.shell:
    cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv6.conf.default.accept_source_route\s*=\s*{{ sysctl_net_ipv6_conf_default_accept_source_route_value }}$'
  register: find_correct_value
  # Runs in check mode too so the registered result exists for the later steps;
  # a non-zero exit (grep found nothing) is not a failure, only an empty result.
  check_mode: false
  changed_when: false
  failed_when: false
  when:
  - DISA_STIG_RHEL_09_254040 | bool
  - disable_strategy | bool
  - low_complexity | bool
  - medium_disruption | bool
  - medium_severity | bool
  - reboot_required | bool
  - sysctl_net_ipv6_conf_default_accept_source_route | bool
  - '"kernel-core" in ansible_facts.packages'
  tags:
  - CCE-84130-4
  - DISA-STIG-RHEL-09-254040
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-6(b)
  - NIST-800-53-CM-6.1(iv)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - PCI-DSS-Req-1.4.3
  - PCI-DSSv4-1.4
  - PCI-DSSv4-1.4.2
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv6_conf_default_accept_source_route

- name: Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default - Comment out any occurrences of net.ipv6.conf.default.accept_source_route from config files
  ansible.builtin.replace:
    # Each loop item is a `file:line` entry from grep -H; only the file part is used.
    path: '{{ item | split(":") | first }}'
    regexp: ^[\s]*net.ipv6.conf.default.accept_source_route
    replace: '#net.ipv6.conf.default.accept_source_route'
  loop: '{{ find_all_values.stdout_lines }}'
  when:
  - DISA_STIG_RHEL_09_254040 | bool
  - disable_strategy | bool
  - low_complexity | bool
  - medium_disruption | bool
  - medium_severity | bool
  - reboot_required | bool
  - sysctl_net_ipv6_conf_default_accept_source_route | bool
  - '"kernel-core" in ansible_facts.packages'
  # Rewrite only when no drop-in holds the wanted value, or when some drop-in
  # holds a different one (more matching lines than correct lines).
  - find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines | length > find_correct_value.stdout_lines | length
  tags:
  - CCE-84130-4
  - DISA-STIG-RHEL-09-254040
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-6(b)
  - NIST-800-53-CM-6.1(iv)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - PCI-DSS-Req-1.4.3
  - PCI-DSSv4-1.4
  - PCI-DSSv4-1.4.2
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv6_conf_default_accept_source_route

- name: Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default - Ensure sysctl net.ipv6.conf.default.accept_source_route is set
  # Persists the wanted value in /etc/sysctl.conf and applies it immediately.
  ansible.posix.sysctl:
    name: net.ipv6.conf.default.accept_source_route
    value: '{{ sysctl_net_ipv6_conf_default_accept_source_route_value }}'
    sysctl_file: /etc/sysctl.conf
    state: present
    reload: true
  when:
  - DISA_STIG_RHEL_09_254040 | bool
  - disable_strategy | bool
  - low_complexity | bool
  - medium_disruption | bool
  - medium_severity | bool
  - reboot_required | bool
  - sysctl_net_ipv6_conf_default_accept_source_route | bool
  - '"kernel-core" in ansible_facts.packages'
  tags:
  - CCE-84130-4
  - DISA-STIG-RHEL-09-254040
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-6(b)
  - NIST-800-53-CM-6.1(iv)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - PCI-DSS-Req-1.4.3
  - PCI-DSSv4-1.4
  - PCI-DSSv4-1.4.2
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv6_conf_default_accept_source_route

# --- net.ipv4.conf.all.accept_redirects (full five-step sequence)
- name: Disable Accepting ICMP Redirects for All IPv4 Interfaces - Set fact for sysctl paths
  # Drop-in directories searched by the two shell steps below.
  ansible.builtin.set_fact:
    sysctl_paths:
    - /etc/sysctl.d/
    - /run/sysctl.d/
    - /usr/local/lib/sysctl.d/
  when:
  - DISA_STIG_RHEL_09_253015 | bool
  - disable_strategy | bool
  - low_complexity | bool
  - medium_disruption | bool
  - medium_severity | bool
  - reboot_required | bool
  - sysctl_net_ipv4_conf_all_accept_redirects | bool
  - '"kernel-core" in ansible_facts.packages'
  tags:
  - CCE-84011-6
  - CJIS-5.10.1.1
  - DISA-STIG-RHEL-09-253015
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-7(a)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_conf_all_accept_redirects

- name: Disable Accepting ICMP Redirects for All IPv4 Interfaces - Find all files that contain net.ipv4.conf.all.accept_redirects
  # Any assignment of the parameter, whatever the value (`\s*=\s*.*$`).
  ansible.builtin.shell:
    cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv4.conf.all.accept_redirects\s*=\s*.*$'
  register: find_all_values
  # Runs in check mode too so the registered result exists for the later steps;
  # a non-zero exit (grep found nothing) is not a failure, only an empty result.
  check_mode: false
  changed_when: false
  failed_when: false
  when:
  - DISA_STIG_RHEL_09_253015 | bool
  - disable_strategy | bool
  - low_complexity | bool
  - medium_disruption | bool
  - medium_severity | bool
  - reboot_required | bool
  - sysctl_net_ipv4_conf_all_accept_redirects | bool
  - '"kernel-core" in ansible_facts.packages'
  tags:
  - CCE-84011-6
  - CJIS-5.10.1.1
  - DISA-STIG-RHEL-09-253015
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-7(a)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_conf_all_accept_redirects

- name: Disable Accepting ICMP Redirects for All IPv4 Interfaces - Find all files that set net.ipv4.conf.all.accept_redirects to correct value
  # Same search, restricted to lines that already hold the wanted value.
  ansible.builtin.shell:
    cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv4.conf.all.accept_redirects\s*=\s*{{ sysctl_net_ipv4_conf_all_accept_redirects_value }}$'
  register: find_correct_value
  check_mode: false
  changed_when: false
  failed_when: false
  when:
  - DISA_STIG_RHEL_09_253015 | bool
  - disable_strategy | bool
  - low_complexity | bool
  - medium_disruption | bool
  - medium_severity | bool
  - reboot_required | bool
  - sysctl_net_ipv4_conf_all_accept_redirects | bool
  - '"kernel-core" in ansible_facts.packages'
  tags:
  - CCE-84011-6
  - CJIS-5.10.1.1
  - DISA-STIG-RHEL-09-253015
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-7(a)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_conf_all_accept_redirects

- name: Disable Accepting ICMP Redirects for All IPv4 Interfaces - Comment out any occurrences of net.ipv4.conf.all.accept_redirects from config files
  ansible.builtin.replace:
    # Each loop item is a `file:line` entry from grep -H; only the file part is used.
    path: '{{ item | split(":") | first }}'
    regexp: ^[\s]*net.ipv4.conf.all.accept_redirects
    replace: '#net.ipv4.conf.all.accept_redirects'
  loop: '{{ find_all_values.stdout_lines }}'
  when:
  - DISA_STIG_RHEL_09_253015 | bool
  - disable_strategy | bool
  - low_complexity | bool
  - medium_disruption | bool
  - medium_severity | bool
  - reboot_required | bool
  - sysctl_net_ipv4_conf_all_accept_redirects | bool
  - '"kernel-core" in ansible_facts.packages'
  # Rewrite only when no drop-in holds the wanted value, or when some drop-in
  # holds a different one (more matching lines than correct lines).
  - find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines | length > find_correct_value.stdout_lines | length
  tags:
  - CCE-84011-6
  - CJIS-5.10.1.1
  - DISA-STIG-RHEL-09-253015
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-7(a)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_conf_all_accept_redirects

- name: Disable Accepting ICMP Redirects for All IPv4 Interfaces - Ensure sysctl net.ipv4.conf.all.accept_redirects is set
  # Persists the wanted value in /etc/sysctl.conf and applies it immediately.
  ansible.posix.sysctl:
    name: net.ipv4.conf.all.accept_redirects
    value: '{{ sysctl_net_ipv4_conf_all_accept_redirects_value }}'
    sysctl_file: /etc/sysctl.conf
    state: present
    reload: true
  when:
  - DISA_STIG_RHEL_09_253015 | bool
  - disable_strategy | bool
  - low_complexity | bool
  - medium_disruption | bool
  - medium_severity | bool
  - reboot_required | bool
  - sysctl_net_ipv4_conf_all_accept_redirects | bool
  - '"kernel-core" in ansible_facts.packages'
  tags:
  - CCE-84011-6
  - CJIS-5.10.1.1
  - DISA-STIG-RHEL-09-253015
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-7(a)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_conf_all_accept_redirects

# --- net.ipv4.conf.all.accept_source_route (same five steps as accept_redirects above)
- name: Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces - Set fact for sysctl paths
  ansible.builtin.set_fact:
    sysctl_paths:
    - /etc/sysctl.d/
    - /run/sysctl.d/
    - /usr/local/lib/sysctl.d/
  when:
  - DISA_STIG_RHEL_09_253020 | bool
  - disable_strategy | bool
  - low_complexity | bool
  - medium_disruption | bool
  - medium_severity | bool
  - reboot_required | bool
  - sysctl_net_ipv4_conf_all_accept_source_route | bool
  - '"kernel-core" in ansible_facts.packages'
  tags:
  - CCE-84001-7
  - DISA-STIG-RHEL-09-253020
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-5
  - NIST-800-53-SC-7(a)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_conf_all_accept_source_route

- name: Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces - Find all files that contain net.ipv4.conf.all.accept_source_route
  ansible.builtin.shell:
    cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv4.conf.all.accept_source_route\s*=\s*.*$'
  register: find_all_values
  check_mode: false
  changed_when: false
  failed_when: false
  when:
  - DISA_STIG_RHEL_09_253020 | bool
  - disable_strategy | bool
  - low_complexity | bool
  - medium_disruption | bool
  - medium_severity | bool
  - reboot_required | bool
  - sysctl_net_ipv4_conf_all_accept_source_route | bool
  - '"kernel-core" in ansible_facts.packages'
  tags:
  - CCE-84001-7
  - DISA-STIG-RHEL-09-253020
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-5
  - NIST-800-53-SC-7(a)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_conf_all_accept_source_route

- name: Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces - Find all files that set net.ipv4.conf.all.accept_source_route to correct value
  ansible.builtin.shell:
    cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv4.conf.all.accept_source_route\s*=\s*{{ sysctl_net_ipv4_conf_all_accept_source_route_value }}$'
  register: find_correct_value
  check_mode: false
  changed_when: false
  failed_when: false
  when:
  - DISA_STIG_RHEL_09_253020 | bool
  - disable_strategy | bool
  - low_complexity | bool
  - medium_disruption | bool
  - medium_severity | bool
  - reboot_required | bool
  - sysctl_net_ipv4_conf_all_accept_source_route | bool
  - '"kernel-core" in ansible_facts.packages'
  tags:
  - CCE-84001-7
  - DISA-STIG-RHEL-09-253020
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-5
  - NIST-800-53-SC-7(a)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_conf_all_accept_source_route

- name: Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces - Comment out any occurrences of net.ipv4.conf.all.accept_source_route from config files
  ansible.builtin.replace:
    path: '{{ item | split(":") | first }}'
    regexp: ^[\s]*net.ipv4.conf.all.accept_source_route
    replace: '#net.ipv4.conf.all.accept_source_route'
  loop: '{{ find_all_values.stdout_lines }}'
  when:
  - DISA_STIG_RHEL_09_253020 | bool
  - disable_strategy | bool
  - low_complexity | bool
  - medium_disruption | bool
  - medium_severity | bool
  - reboot_required | bool
  - sysctl_net_ipv4_conf_all_accept_source_route | bool
  - '"kernel-core" in ansible_facts.packages'
  - find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines | length > find_correct_value.stdout_lines | length
  tags:
  - CCE-84001-7
  - DISA-STIG-RHEL-09-253020
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-5
  - NIST-800-53-SC-7(a)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_conf_all_accept_source_route

- name: Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces - Ensure sysctl net.ipv4.conf.all.accept_source_route is set
  ansible.posix.sysctl:
    name: net.ipv4.conf.all.accept_source_route
    value: '{{ sysctl_net_ipv4_conf_all_accept_source_route_value }}'
    sysctl_file: /etc/sysctl.conf
    state: present
    reload: true
  when:
  - DISA_STIG_RHEL_09_253020 | bool
  - disable_strategy | bool
  - low_complexity | bool
  - medium_disruption | bool
  - medium_severity | bool
  - reboot_required | bool
  - sysctl_net_ipv4_conf_all_accept_source_route | bool
  - '"kernel-core" in ansible_facts.packages'
  tags:
  - CCE-84001-7
  - DISA-STIG-RHEL-09-253020
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-5
  - NIST-800-53-SC-7(a)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_conf_all_accept_source_route

# --- net.ipv4.conf.all.log_martians (same five steps; note the rule is tagged
#     unknown_severity rather than medium_severity)
- name: Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces - Set fact for sysctl paths
  ansible.builtin.set_fact:
    sysctl_paths:
    - /etc/sysctl.d/
    - /run/sysctl.d/
    - /usr/local/lib/sysctl.d/
  when:
  - DISA_STIG_RHEL_09_253025 | bool
  - disable_strategy | bool
  - low_complexity | bool
  - medium_disruption | bool
  - reboot_required | bool
  - sysctl_net_ipv4_conf_all_log_martians | bool
  - unknown_severity | bool
  - '"kernel-core" in ansible_facts.packages'
  tags:
  - CCE-84000-9
  - DISA-STIG-RHEL-09-253025
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-5(3)(a)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - reboot_required
  - sysctl_net_ipv4_conf_all_log_martians
  - unknown_severity

- name: Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces - Find all files that contain net.ipv4.conf.all.log_martians
  ansible.builtin.shell:
    cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv4.conf.all.log_martians\s*=\s*.*$'
  register: find_all_values
  check_mode: false
  changed_when: false
  failed_when: false
  when:
  - DISA_STIG_RHEL_09_253025 | bool
  - disable_strategy | bool
  - low_complexity | bool
  - medium_disruption | bool
  - reboot_required | bool
  - sysctl_net_ipv4_conf_all_log_martians | bool
  - unknown_severity | bool
  - '"kernel-core" in ansible_facts.packages'
  tags:
  - CCE-84000-9
  - DISA-STIG-RHEL-09-253025
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-5(3)(a)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - reboot_required
  - sysctl_net_ipv4_conf_all_log_martians
  - unknown_severity

- name: Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces - Find all files that set net.ipv4.conf.all.log_martians to correct value
  ansible.builtin.shell:
    cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv4.conf.all.log_martians\s*=\s*{{ sysctl_net_ipv4_conf_all_log_martians_value }}$'
  register: find_correct_value
  check_mode: false
  changed_when: false
  failed_when: false
  when:
  - DISA_STIG_RHEL_09_253025 | bool
  - disable_strategy | bool
  - low_complexity | bool
  - medium_disruption | bool
  - reboot_required | bool
  - sysctl_net_ipv4_conf_all_log_martians | bool
  - unknown_severity | bool
  - '"kernel-core" in ansible_facts.packages'
  tags:
  - CCE-84000-9
  - DISA-STIG-RHEL-09-253025
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-5(3)(a)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - reboot_required
  - sysctl_net_ipv4_conf_all_log_martians
  - unknown_severity

- name: Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces - Comment out any occurrences of net.ipv4.conf.all.log_martians from config files
  ansible.builtin.replace:
    path: '{{ item | split(":") | first }}'
    regexp: ^[\s]*net.ipv4.conf.all.log_martians
    replace: '#net.ipv4.conf.all.log_martians'
  loop: '{{ find_all_values.stdout_lines }}'
  when:
  - DISA_STIG_RHEL_09_253025 | bool
  - disable_strategy | bool
  - low_complexity | bool
  - medium_disruption | bool
  - reboot_required | bool
  - sysctl_net_ipv4_conf_all_log_martians | bool
  - unknown_severity | bool
  - '"kernel-core" in ansible_facts.packages'
  - find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines | length > find_correct_value.stdout_lines | length
  tags:
  - CCE-84000-9
  - DISA-STIG-RHEL-09-253025
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-5(3)(a)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - reboot_required
  - sysctl_net_ipv4_conf_all_log_martians
  - unknown_severity

- name: Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces - Ensure sysctl net.ipv4.conf.all.log_martians is set
  ansible.posix.sysctl:
    name: net.ipv4.conf.all.log_martians
    value: '{{ sysctl_net_ipv4_conf_all_log_martians_value }}'
    sysctl_file: /etc/sysctl.conf
    state: present
    reload: true
  when:
  - DISA_STIG_RHEL_09_253025 | bool
  - disable_strategy | bool
  - low_complexity | bool
  - medium_disruption | bool
  - reboot_required | bool
  - sysctl_net_ipv4_conf_all_log_martians | bool
  - unknown_severity | bool
  - '"kernel-core" in ansible_facts.packages'
  tags:
  - CCE-84000-9
  - DISA-STIG-RHEL-09-253025
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-5(3)(a)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - reboot_required
  - sysctl_net_ipv4_conf_all_log_martians
  - unknown_severity

# --- net.ipv4.conf.all.rp_filter (same five steps)
- name: Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces - Set fact for sysctl paths
  ansible.builtin.set_fact:
    sysctl_paths:
    - /etc/sysctl.d/
    - /run/sysctl.d/
    - /usr/local/lib/sysctl.d/
  when:
  - DISA_STIG_RHEL_09_253035 | bool
  - disable_strategy | bool
  - low_complexity | bool
  - medium_disruption | bool
  - medium_severity | bool
  - reboot_required | bool
  - sysctl_net_ipv4_conf_all_rp_filter | bool
  - '"kernel-core" in ansible_facts.packages'
  tags:
  - CCE-84008-2
  - DISA-STIG-RHEL-09-253035
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-7(a)
  - PCI-DSS-Req-1.4.3
  - PCI-DSSv4-1.4
  - PCI-DSSv4-1.4.3
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_conf_all_rp_filter

- name: Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces - Find all files that contain net.ipv4.conf.all.rp_filter
  ansible.builtin.shell:
    cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv4.conf.all.rp_filter\s*=\s*.*$'
  register: find_all_values
  check_mode: false
  changed_when: false
  failed_when: false
  when:
  - DISA_STIG_RHEL_09_253035 | bool
  - disable_strategy | bool
  - low_complexity | bool
  - medium_disruption | bool
  - medium_severity | bool
  - reboot_required | bool
  - sysctl_net_ipv4_conf_all_rp_filter | bool
  - '"kernel-core" in ansible_facts.packages'
  tags:
  - CCE-84008-2
  - DISA-STIG-RHEL-09-253035
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-7(a)
  - PCI-DSS-Req-1.4.3
  - PCI-DSSv4-1.4
  - PCI-DSSv4-1.4.3
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_conf_all_rp_filter

- name: Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces - Find all files that set net.ipv4.conf.all.rp_filter to correct value
  ansible.builtin.shell:
    cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv4.conf.all.rp_filter\s*=\s*{{ sysctl_net_ipv4_conf_all_rp_filter_value }}$'
  register: find_correct_value
  check_mode: false
  changed_when: false
  failed_when: false
  when:
  - DISA_STIG_RHEL_09_253035 | bool
  - disable_strategy | bool
  - low_complexity | bool
  - medium_disruption | bool
  - medium_severity | bool
  - reboot_required | bool
  - sysctl_net_ipv4_conf_all_rp_filter | bool
  - '"kernel-core" in ansible_facts.packages'
  tags:
  - CCE-84008-2
  - DISA-STIG-RHEL-09-253035
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-7(a)
  - PCI-DSS-Req-1.4.3
  - PCI-DSSv4-1.4
  - PCI-DSSv4-1.4.3
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_conf_all_rp_filter

- name: Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces - Comment out any occurrences of net.ipv4.conf.all.rp_filter from config files
  ansible.builtin.replace:
    path: '{{ item | split(":") | first }}'
    regexp: ^[\s]*net.ipv4.conf.all.rp_filter
    replace: '#net.ipv4.conf.all.rp_filter'
  loop: '{{ find_all_values.stdout_lines }}'
  when:
  - DISA_STIG_RHEL_09_253035 | bool
  - disable_strategy | bool
  - low_complexity | bool
  - medium_disruption | bool
  - medium_severity | bool
  - reboot_required | bool
  - sysctl_net_ipv4_conf_all_rp_filter | bool
  - '"kernel-core" in ansible_facts.packages'
  - find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines | length > find_correct_value.stdout_lines | length
  tags:
  - CCE-84008-2
  - DISA-STIG-RHEL-09-253035
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-7(a)
  - PCI-DSS-Req-1.4.3
  - PCI-DSSv4-1.4
  - PCI-DSSv4-1.4.3
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_conf_all_rp_filter

- name: Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces - Ensure sysctl net.ipv4.conf.all.rp_filter is set
  ansible.posix.sysctl:
    name: net.ipv4.conf.all.rp_filter
    value: '{{ sysctl_net_ipv4_conf_all_rp_filter_value }}'
    sysctl_file: /etc/sysctl.conf
    state: present
    reload: true
  when:
  - DISA_STIG_RHEL_09_253035 | bool
  - disable_strategy | bool
  - low_complexity | bool
  - medium_disruption | bool
  - medium_severity | bool
  - reboot_required | bool
  - sysctl_net_ipv4_conf_all_rp_filter | bool
  - '"kernel-core" in ansible_facts.packages'
  tags:
  - CCE-84008-2
  - DISA-STIG-RHEL-09-253035
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-7(a)
  - PCI-DSS-Req-1.4.3
  - PCI-DSSv4-1.4
  - PCI-DSSv4-1.4.3
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_conf_all_rp_filter

# --- net.ipv4.conf.all.secure_redirects (same five steps; this rule carries
#     no DISA_STIG_* selector, only the sysctl_* flag)
- name: Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces - Set fact for sysctl paths
  ansible.builtin.set_fact:
    sysctl_paths:
    - /etc/sysctl.d/
    - /run/sysctl.d/
    - /usr/local/lib/sysctl.d/
  when:
  - disable_strategy | bool
  - low_complexity | bool
  - medium_disruption | bool
  - medium_severity | bool
  - reboot_required | bool
  - sysctl_net_ipv4_conf_all_secure_redirects | bool
  - '"kernel-core" in ansible_facts.packages'
  tags:
  - CCE-84016-5
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-7(a)
  - PCI-DSS-Req-1.4.3
  - PCI-DSSv4-1.4
  - PCI-DSSv4-1.4.3
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_conf_all_secure_redirects

- name: Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces - Find all files that contain net.ipv4.conf.all.secure_redirects
  ansible.builtin.shell:
    cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv4.conf.all.secure_redirects\s*=\s*.*$'
  register: find_all_values
  check_mode: false
  changed_when: false
  failed_when: false
  when:
  - disable_strategy | bool
  - low_complexity | bool
  - medium_disruption | bool
  - medium_severity | bool
  - reboot_required | bool
  - sysctl_net_ipv4_conf_all_secure_redirects | bool
  - '"kernel-core" in ansible_facts.packages'
  tags:
  - CCE-84016-5
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-7(a)
  - PCI-DSS-Req-1.4.3
  - PCI-DSSv4-1.4
  - PCI-DSSv4-1.4.3
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_conf_all_secure_redirects

- name: Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces - Find all files that set net.ipv4.conf.all.secure_redirects to correct value
  ansible.builtin.shell:
    cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv4.conf.all.secure_redirects\s*=\s*{{ sysctl_net_ipv4_conf_all_secure_redirects_value }}$'
  register: find_correct_value
  check_mode: false
  changed_when: false
  failed_when: false
  when:
  - disable_strategy | bool
  - low_complexity | bool
  - medium_disruption | bool
  - medium_severity | bool
  - reboot_required | bool
  - sysctl_net_ipv4_conf_all_secure_redirects | bool
  - '"kernel-core" in ansible_facts.packages'
  tags:
  - CCE-84016-5
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-7(a)
  - PCI-DSS-Req-1.4.3
  - PCI-DSSv4-1.4
  - PCI-DSSv4-1.4.3
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_conf_all_secure_redirects

- name: Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces - Comment out any occurrences of net.ipv4.conf.all.secure_redirects from config files
  ansible.builtin.replace:
    path: '{{ item | split(":") | first }}'
    regexp: ^[\s]*net.ipv4.conf.all.secure_redirects
    replace: '#net.ipv4.conf.all.secure_redirects'
  loop: '{{ find_all_values.stdout_lines }}'
  when:
  - disable_strategy | bool
  - low_complexity | bool
  - medium_disruption | bool
  - medium_severity | bool
  - reboot_required | bool
  - sysctl_net_ipv4_conf_all_secure_redirects | bool
  - '"kernel-core" in ansible_facts.packages'
  - find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines | length > find_correct_value.stdout_lines | length
  tags:
  - CCE-84016-5
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-7(a)
  - PCI-DSS-Req-1.4.3
  - PCI-DSSv4-1.4
  - PCI-DSSv4-1.4.3
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_conf_all_secure_redirects

- name: Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces - Ensure sysctl net.ipv4.conf.all.secure_redirects is set
  ansible.posix.sysctl:
    name: net.ipv4.conf.all.secure_redirects
    value: '{{ sysctl_net_ipv4_conf_all_secure_redirects_value }}'
    sysctl_file: /etc/sysctl.conf
    state: present
    reload: true
  when:
  - disable_strategy | bool
  - low_complexity | bool
  - medium_disruption | bool
  - medium_severity | bool
  - reboot_required | bool
  - sysctl_net_ipv4_conf_all_secure_redirects | bool
  - '"kernel-core" in ansible_facts.packages'
  tags:
  - CCE-84016-5
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-7(a)
  - PCI-DSS-Req-1.4.3
  - PCI-DSSv4-1.4
  - PCI-DSSv4-1.4.3
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_conf_all_secure_redirects

# --- net.ipv4.conf.default.accept_redirects (same five steps)
- name: Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces - Set fact for sysctl paths
  ansible.builtin.set_fact:
    sysctl_paths:
    - /etc/sysctl.d/
    - /run/sysctl.d/
    - /usr/local/lib/sysctl.d/
  when:
  - DISA_STIG_RHEL_09_253040 | bool
  - disable_strategy | bool
  - low_complexity | bool
  - medium_disruption | bool
  - medium_severity | bool
  - reboot_required | bool
  - sysctl_net_ipv4_conf_default_accept_redirects | bool
  - '"kernel-core" in ansible_facts.packages'
  tags:
  - CCE-84003-3
  - CJIS-5.10.1.1
  - DISA-STIG-RHEL-09-253040
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-7(a)
  - PCI-DSS-Req-1.4.3
  - PCI-DSSv4-1.4
  - PCI-DSSv4-1.4.3
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_conf_default_accept_redirects

- name: Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces - Find all files that contain net.ipv4.conf.default.accept_redirects
  ansible.builtin.shell:
    cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv4.conf.default.accept_redirects\s*=\s*.*$'
  register: find_all_values
  check_mode: false
  changed_when: false
  failed_when: false
  when:
  - DISA_STIG_RHEL_09_253040 | bool
  - disable_strategy | bool
  - low_complexity | bool
  - medium_disruption | bool
  - medium_severity | bool
  - reboot_required | bool
  - sysctl_net_ipv4_conf_default_accept_redirects | bool
  - '"kernel-core" in ansible_facts.packages'
  tags:
  - CCE-84003-3
  - CJIS-5.10.1.1
  - DISA-STIG-RHEL-09-253040
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-7(a)
  - PCI-DSS-Req-1.4.3
  - PCI-DSSv4-1.4
  - PCI-DSSv4-1.4.3
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_conf_default_accept_redirects

- name: Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces - Find all files that set net.ipv4.conf.default.accept_redirects to correct value
  ansible.builtin.shell:
    cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv4.conf.default.accept_redirects\s*=\s*{{ sysctl_net_ipv4_conf_default_accept_redirects_value }}$'
  register: find_correct_value
  check_mode: false
  changed_when: false
  failed_when: false
  when:
  - DISA_STIG_RHEL_09_253040 | bool
  - disable_strategy | bool
  - low_complexity | bool
  - medium_disruption | bool
  - medium_severity | bool
  - reboot_required | bool
  - sysctl_net_ipv4_conf_default_accept_redirects | bool
  - '"kernel-core" in ansible_facts.packages'
  tags:
  - CCE-84003-3
  - CJIS-5.10.1.1
  - DISA-STIG-RHEL-09-253040
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-7(a)
  - PCI-DSS-Req-1.4.3
  - PCI-DSSv4-1.4
  - PCI-DSSv4-1.4.3
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_conf_default_accept_redirects

- name: Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces - Comment out any occurrences of net.ipv4.conf.default.accept_redirects from config files
  ansible.builtin.replace:
    path: '{{ item | split(":") | first }}'
    regexp: ^[\s]*net.ipv4.conf.default.accept_redirects
    replace: '#net.ipv4.conf.default.accept_redirects'
  loop: '{{ find_all_values.stdout_lines }}'
  when:
  - DISA_STIG_RHEL_09_253040 | bool
  - disable_strategy | bool
  - low_complexity | bool
  - medium_disruption | bool
  - medium_severity | bool
  - reboot_required | bool
  - sysctl_net_ipv4_conf_default_accept_redirects | bool
  - '"kernel-core" in ansible_facts.packages'
  - find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines | length > find_correct_value.stdout_lines | length
  tags:
  - CCE-84003-3
  - CJIS-5.10.1.1
  - DISA-STIG-RHEL-09-253040
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-7(a)
  - PCI-DSS-Req-1.4.3
  - PCI-DSSv4-1.4
  - PCI-DSSv4-1.4.3
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_conf_default_accept_redirects

- name: Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces - Ensure sysctl net.ipv4.conf.default.accept_redirects is set
  ansible.posix.sysctl:
    name: net.ipv4.conf.default.accept_redirects
    value: '{{ sysctl_net_ipv4_conf_default_accept_redirects_value }}'
    sysctl_file: /etc/sysctl.conf
    state: present
    reload: true
  when:
  - DISA_STIG_RHEL_09_253040 | bool
  - disable_strategy | bool
  - low_complexity | bool
  - medium_disruption | bool
  - medium_severity | bool
  - reboot_required | bool
  - sysctl_net_ipv4_conf_default_accept_redirects | bool
  - '"kernel-core" in ansible_facts.packages'
  tags:
  - CCE-84003-3
  - CJIS-5.10.1.1
  - DISA-STIG-RHEL-09-253040
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-7(a)
  - PCI-DSS-Req-1.4.3
  - PCI-DSSv4-1.4
  - PCI-DSSv4-1.4.3
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_conf_default_accept_redirects

# --- net.ipv4.conf.default.accept_source_route (same five steps)
- name: Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default - Set fact for sysctl paths
  ansible.builtin.set_fact:
    sysctl_paths:
    - /etc/sysctl.d/
    - /run/sysctl.d/
    - /usr/local/lib/sysctl.d/
  when:
  - DISA_STIG_RHEL_09_253045 | bool
  - disable_strategy | bool
  - low_complexity | bool
  - medium_disruption | bool
  - medium_severity | bool
  - reboot_required | bool
  - sysctl_net_ipv4_conf_default_accept_source_route | bool
  - '"kernel-core" in ansible_facts.packages'
  tags:
  - CCE-84007-4
  - CJIS-5.10.1.1
  - DISA-STIG-RHEL-09-253045
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-5
  - NIST-800-53-SC-7(a)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_conf_default_accept_source_route

- name: Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default - Find all files that contain net.ipv4.conf.default.accept_source_route
  ansible.builtin.shell:
    cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv4.conf.default.accept_source_route\s*=\s*.*$'
  register: find_all_values
  check_mode: false
  changed_when: false
  failed_when: false
  when:
  - DISA_STIG_RHEL_09_253045 | bool
  - disable_strategy | bool
  - low_complexity | bool
  - medium_disruption | bool
  - medium_severity | bool
  - reboot_required | bool
  - sysctl_net_ipv4_conf_default_accept_source_route | bool
  - '"kernel-core" in ansible_facts.packages'
  tags:
  - CCE-84007-4
  - CJIS-5.10.1.1
  - DISA-STIG-RHEL-09-253045
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-5
  - NIST-800-53-SC-7(a)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_conf_default_accept_source_route

- name: Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default - Find all files that set net.ipv4.conf.default.accept_source_route to correct value
  ansible.builtin.shell:
    cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv4.conf.default.accept_source_route\s*=\s*{{ sysctl_net_ipv4_conf_default_accept_source_route_value }}$'
  register: find_correct_value
  check_mode: false
  changed_when: false
  failed_when: false
  when:
  - DISA_STIG_RHEL_09_253045 | bool
  - disable_strategy | bool
  - low_complexity | bool
  - medium_disruption | bool
  - medium_severity | bool
  - reboot_required | bool
  - sysctl_net_ipv4_conf_default_accept_source_route | bool
  - '"kernel-core" in ansible_facts.packages'
  tags:
  - CCE-84007-4
  - CJIS-5.10.1.1
  - DISA-STIG-RHEL-09-253045
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-5
  - NIST-800-53-SC-7(a)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_conf_default_accept_source_route

- name: Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default - Comment out any occurrences of net.ipv4.conf.default.accept_source_route from config files
  ansible.builtin.replace:
    path: '{{ item | split(":") | first }}'
    regexp: ^[\s]*net.ipv4.conf.default.accept_source_route
    replace: '#net.ipv4.conf.default.accept_source_route'
  loop: '{{ find_all_values.stdout_lines }}'
  when:
  - DISA_STIG_RHEL_09_253045 | bool
  - disable_strategy | bool
  - low_complexity | bool
  - medium_disruption | bool
  - medium_severity | bool
  - reboot_required | bool
  - sysctl_net_ipv4_conf_default_accept_source_route | bool
  - '"kernel-core" in ansible_facts.packages'
  - find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines | length > find_correct_value.stdout_lines | length
  tags:
  - CCE-84007-4
  - CJIS-5.10.1.1
  - DISA-STIG-RHEL-09-253045
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-5
  - NIST-800-53-SC-7(a)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_conf_default_accept_source_route

- name: Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default - Ensure sysctl net.ipv4.conf.default.accept_source_route is set
  ansible.posix.sysctl:
    name: net.ipv4.conf.default.accept_source_route
    value: '{{ sysctl_net_ipv4_conf_default_accept_source_route_value }}'
    sysctl_file: /etc/sysctl.conf
    state: present
    reload: true
  when:
  - DISA_STIG_RHEL_09_253045 | bool
  - disable_strategy | bool
  - low_complexity | bool
  - medium_disruption | bool
  - medium_severity | bool
  - reboot_required | bool
  - sysctl_net_ipv4_conf_default_accept_source_route | bool
  - '"kernel-core" in ansible_facts.packages'
  tags:
  - CCE-84007-4
  - CJIS-5.10.1.1
  - DISA-STIG-RHEL-09-253045
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-5
  - NIST-800-53-SC-7(a)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_conf_default_accept_source_route

# --- net.ipv4.conf.default.log_martians (same five steps; tagged unknown_severity)
- name: Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces by Default - Set fact for sysctl paths
  ansible.builtin.set_fact:
    sysctl_paths:
    - /etc/sysctl.d/
    - /run/sysctl.d/
    - /usr/local/lib/sysctl.d/
  when:
  - DISA_STIG_RHEL_09_253030 | bool
  - disable_strategy | bool
  - low_complexity | bool
  - medium_disruption | bool
  - reboot_required | bool
  - sysctl_net_ipv4_conf_default_log_martians | bool
  - unknown_severity | bool
  - '"kernel-core" in ansible_facts.packages'
  tags:
  - CCE-84014-0
  - DISA-STIG-RHEL-09-253030
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-5(3)(a)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - reboot_required
  - sysctl_net_ipv4_conf_default_log_martians
  - unknown_severity

- name: Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces by Default - Find all files that contain net.ipv4.conf.default.log_martians
  ansible.builtin.shell:
    cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv4.conf.default.log_martians\s*=\s*.*$'
  register: find_all_values
  check_mode: false
  changed_when: false
  failed_when: false
  when:
  - DISA_STIG_RHEL_09_253030 | bool
  - disable_strategy | bool
  - low_complexity | bool
  - medium_disruption | bool
  - reboot_required | bool
  - sysctl_net_ipv4_conf_default_log_martians | bool
  - unknown_severity | bool
  - '"kernel-core" in ansible_facts.packages'
  tags:
  - CCE-84014-0
  - DISA-STIG-RHEL-09-253030
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-5(3)(a)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - reboot_required
  - sysctl_net_ipv4_conf_default_log_martians
  - unknown_severity

- name: Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces by Default - Find all files that set net.ipv4.conf.default.log_martians to correct value
  ansible.builtin.shell:
    cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv4.conf.default.log_martians\s*=\s*{{ sysctl_net_ipv4_conf_default_log_martians_value }}$'
  register: find_correct_value
  check_mode: false
  changed_when: false
  failed_when: false
  when:
  - DISA_STIG_RHEL_09_253030 | bool
  - disable_strategy | bool
  - low_complexity | bool
  - medium_disruption | bool
  - reboot_required | bool
  - sysctl_net_ipv4_conf_default_log_martians | bool
  - unknown_severity | bool
  - '"kernel-core" in ansible_facts.packages'
  tags:
  - CCE-84014-0
  - DISA-STIG-RHEL-09-253030
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-5(3)(a)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - reboot_required
  - sysctl_net_ipv4_conf_default_log_martians
  - unknown_severity

- name: Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces by Default - Comment out any occurrences of net.ipv4.conf.default.log_martians from config files
  ansible.builtin.replace:
    path: '{{ item | split(":") | first }}'
    regexp: ^[\s]*net.ipv4.conf.default.log_martians
    replace: '#net.ipv4.conf.default.log_martians'
  loop: '{{ find_all_values.stdout_lines }}'
  when:
  - DISA_STIG_RHEL_09_253030 | bool
  - disable_strategy | bool
  - low_complexity | bool
  - medium_disruption | bool
  - reboot_required | bool
  - sysctl_net_ipv4_conf_default_log_martians | bool
  - unknown_severity | bool
  - '"kernel-core" in ansible_facts.packages'
  - find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines | length > find_correct_value.stdout_lines | length
  tags:
  - CCE-84014-0
  - DISA-STIG-RHEL-09-253030
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-5(3)(a)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - reboot_required
  - sysctl_net_ipv4_conf_default_log_martians
  - unknown_severity

- name: Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces by Default - Ensure sysctl net.ipv4.conf.default.log_martians is set
  ansible.posix.sysctl:
    name: net.ipv4.conf.default.log_martians
    value: '{{ sysctl_net_ipv4_conf_default_log_martians_value }}'
    sysctl_file: /etc/sysctl.conf
    state: present
    reload: true
  when:
  - DISA_STIG_RHEL_09_253030 | bool
  - disable_strategy | bool
  - low_complexity | bool
  - medium_disruption | bool
  - reboot_required | bool
  - sysctl_net_ipv4_conf_default_log_martians | bool
  - unknown_severity | bool
  - '"kernel-core" in ansible_facts.packages'
  tags:
  - CCE-84014-0
  - DISA-STIG-RHEL-09-253030
  - NIST-800-171-3.1.20
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-5(3)(a)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - reboot_required
  - sysctl_net_ipv4_conf_default_log_martians
  - unknown_severity

# --- net.ipv4.conf.default.rp_filter (step 1 starts here; the rest of its
#     when: list and the remaining steps follow this section)
- name: Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default - Set fact for sysctl paths
  ansible.builtin.set_fact:
    sysctl_paths:
    - /etc/sysctl.d/
    - /run/sysctl.d/
    - /usr/local/lib/sysctl.d/
  when:
  - DISA_STIG_RHEL_09_253050 | bool
  - disable_strategy | bool
  - low_complexity | bool
  -
medium_disruption | bool - medium_severity | bool - reboot_required | bool - sysctl_net_ipv4_conf_default_rp_filter | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-84009-0 - DISA-STIG-RHEL-09-253050 - NIST-800-171-3.1.20 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - NIST-800-53-SC-7(a) - disable_strategy - low_complexity - medium_disruption - medium_severity - reboot_required - sysctl_net_ipv4_conf_default_rp_filter - name: Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default - Find all files that contain net.ipv4.conf.default.rp_filter ansible.builtin.shell: cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv4.conf.default.rp_filter\s*=\s*.*$' register: find_all_values check_mode: false changed_when: false failed_when: false when: - DISA_STIG_RHEL_09_253050 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - reboot_required | bool - sysctl_net_ipv4_conf_default_rp_filter | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-84009-0 - DISA-STIG-RHEL-09-253050 - NIST-800-171-3.1.20 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - NIST-800-53-SC-7(a) - disable_strategy - low_complexity - medium_disruption - medium_severity - reboot_required - sysctl_net_ipv4_conf_default_rp_filter - name: Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default - Find all files that set net.ipv4.conf.default.rp_filter to correct value ansible.builtin.shell: cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv4.conf.default.rp_filter\s*=\s*{{ sysctl_net_ipv4_conf_default_rp_filter_value }}$' register: find_correct_value check_mode: false changed_when: false failed_when: false when: - DISA_STIG_RHEL_09_253050 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool - medium_severity | 
bool - reboot_required | bool - sysctl_net_ipv4_conf_default_rp_filter | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-84009-0 - DISA-STIG-RHEL-09-253050 - NIST-800-171-3.1.20 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - NIST-800-53-SC-7(a) - disable_strategy - low_complexity - medium_disruption - medium_severity - reboot_required - sysctl_net_ipv4_conf_default_rp_filter - name: Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default - Comment out any occurrences of net.ipv4.conf.default.rp_filter from config files ansible.builtin.replace: path: '{{ item | split(":") | first }}' regexp: ^[\s]*net.ipv4.conf.default.rp_filter replace: '#net.ipv4.conf.default.rp_filter' loop: '{{ find_all_values.stdout_lines }}' when: - DISA_STIG_RHEL_09_253050 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - reboot_required | bool - sysctl_net_ipv4_conf_default_rp_filter | bool - '"kernel-core" in ansible_facts.packages' - find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines | length > find_correct_value.stdout_lines | length tags: - CCE-84009-0 - DISA-STIG-RHEL-09-253050 - NIST-800-171-3.1.20 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - NIST-800-53-SC-7(a) - disable_strategy - low_complexity - medium_disruption - medium_severity - reboot_required - sysctl_net_ipv4_conf_default_rp_filter - name: Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default - Ensure sysctl net.ipv4.conf.default.rp_filter is set ansible.posix.sysctl: name: net.ipv4.conf.default.rp_filter value: '{{ sysctl_net_ipv4_conf_default_rp_filter_value }}' sysctl_file: /etc/sysctl.conf state: present reload: true when: - DISA_STIG_RHEL_09_253050 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - reboot_required | bool - 
sysctl_net_ipv4_conf_default_rp_filter | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-84009-0 - DISA-STIG-RHEL-09-253050 - NIST-800-171-3.1.20 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - NIST-800-53-SC-7(a) - disable_strategy - low_complexity - medium_disruption - medium_severity - reboot_required - sysctl_net_ipv4_conf_default_rp_filter - name: Configure Kernel Parameter for Accepting Secure Redirects By Default - Set fact for sysctl paths ansible.builtin.set_fact: sysctl_paths: - /etc/sysctl.d/ - /run/sysctl.d/ - /usr/local/lib/sysctl.d/ when: - disable_strategy | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - reboot_required | bool - sysctl_net_ipv4_conf_default_secure_redirects | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-84019-9 - NIST-800-171-3.1.20 - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - NIST-800-53-SC-5 - NIST-800-53-SC-7(a) - disable_strategy - low_complexity - medium_disruption - medium_severity - reboot_required - sysctl_net_ipv4_conf_default_secure_redirects - name: Configure Kernel Parameter for Accepting Secure Redirects By Default - Find all files that contain net.ipv4.conf.default.secure_redirects ansible.builtin.shell: cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv4.conf.default.secure_redirects\s*=\s*.*$' register: find_all_values check_mode: false changed_when: false failed_when: false when: - disable_strategy | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - reboot_required | bool - sysctl_net_ipv4_conf_default_secure_redirects | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-84019-9 - NIST-800-171-3.1.20 - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - NIST-800-53-SC-5 - NIST-800-53-SC-7(a) - disable_strategy - low_complexity - medium_disruption - medium_severity - reboot_required - sysctl_net_ipv4_conf_default_secure_redirects - name: Configure Kernel 
Parameter for Accepting Secure Redirects By Default - Find all files that set net.ipv4.conf.default.secure_redirects to correct value ansible.builtin.shell: cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv4.conf.default.secure_redirects\s*=\s*{{ sysctl_net_ipv4_conf_default_secure_redirects_value }}$' register: find_correct_value check_mode: false changed_when: false failed_when: false when: - disable_strategy | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - reboot_required | bool - sysctl_net_ipv4_conf_default_secure_redirects | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-84019-9 - NIST-800-171-3.1.20 - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - NIST-800-53-SC-5 - NIST-800-53-SC-7(a) - disable_strategy - low_complexity - medium_disruption - medium_severity - reboot_required - sysctl_net_ipv4_conf_default_secure_redirects - name: Configure Kernel Parameter for Accepting Secure Redirects By Default - Comment out any occurrences of net.ipv4.conf.default.secure_redirects from config files ansible.builtin.replace: path: '{{ item | split(":") | first }}' regexp: ^[\s]*net.ipv4.conf.default.secure_redirects replace: '#net.ipv4.conf.default.secure_redirects' loop: '{{ find_all_values.stdout_lines }}' when: - disable_strategy | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - reboot_required | bool - sysctl_net_ipv4_conf_default_secure_redirects | bool - '"kernel-core" in ansible_facts.packages' - find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines | length > find_correct_value.stdout_lines | length tags: - CCE-84019-9 - NIST-800-171-3.1.20 - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - NIST-800-53-SC-5 - NIST-800-53-SC-7(a) - disable_strategy - low_complexity - medium_disruption - medium_severity - reboot_required - sysctl_net_ipv4_conf_default_secure_redirects - name: Configure Kernel Parameter for Accepting 
Secure Redirects By Default - Ensure sysctl net.ipv4.conf.default.secure_redirects is set ansible.posix.sysctl: name: net.ipv4.conf.default.secure_redirects value: '{{ sysctl_net_ipv4_conf_default_secure_redirects_value }}' sysctl_file: /etc/sysctl.conf state: present reload: true when: - disable_strategy | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - reboot_required | bool - sysctl_net_ipv4_conf_default_secure_redirects | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-84019-9 - NIST-800-171-3.1.20 - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - NIST-800-53-SC-5 - NIST-800-53-SC-7(a) - disable_strategy - low_complexity - medium_disruption - medium_severity - reboot_required - sysctl_net_ipv4_conf_default_secure_redirects - name: Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces - Set fact for sysctl paths ansible.builtin.set_fact: sysctl_paths: - /etc/sysctl.d/ - /run/sysctl.d/ - /usr/local/lib/sysctl.d/ when: - DISA_STIG_RHEL_09_253055 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - reboot_required | bool - sysctl_net_ipv4_icmp_echo_ignore_broadcasts | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-84004-1 - CJIS-5.10.1.1 - DISA-STIG-RHEL-09-253055 - NIST-800-171-3.1.20 - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - NIST-800-53-SC-5 - PCI-DSS-Req-1.4.3 - PCI-DSSv4-1.4 - PCI-DSSv4-1.4.2 - disable_strategy - low_complexity - medium_disruption - medium_severity - reboot_required - sysctl_net_ipv4_icmp_echo_ignore_broadcasts - name: Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces - Find all files that contain net.ipv4.icmp_echo_ignore_broadcasts ansible.builtin.shell: cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*.*$' register: find_all_values check_mode: false changed_when: false failed_when: 
false when: - DISA_STIG_RHEL_09_253055 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - reboot_required | bool - sysctl_net_ipv4_icmp_echo_ignore_broadcasts | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-84004-1 - CJIS-5.10.1.1 - DISA-STIG-RHEL-09-253055 - NIST-800-171-3.1.20 - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - NIST-800-53-SC-5 - PCI-DSS-Req-1.4.3 - PCI-DSSv4-1.4 - PCI-DSSv4-1.4.2 - disable_strategy - low_complexity - medium_disruption - medium_severity - reboot_required - sysctl_net_ipv4_icmp_echo_ignore_broadcasts - name: Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces - Find all files that set net.ipv4.icmp_echo_ignore_broadcasts to correct value ansible.builtin.shell: cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*{{ sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value }}$' register: find_correct_value check_mode: false changed_when: false failed_when: false when: - DISA_STIG_RHEL_09_253055 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - reboot_required | bool - sysctl_net_ipv4_icmp_echo_ignore_broadcasts | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-84004-1 - CJIS-5.10.1.1 - DISA-STIG-RHEL-09-253055 - NIST-800-171-3.1.20 - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - NIST-800-53-SC-5 - PCI-DSS-Req-1.4.3 - PCI-DSSv4-1.4 - PCI-DSSv4-1.4.2 - disable_strategy - low_complexity - medium_disruption - medium_severity - reboot_required - sysctl_net_ipv4_icmp_echo_ignore_broadcasts - name: Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces - Comment out any occurrences of net.ipv4.icmp_echo_ignore_broadcasts from config files ansible.builtin.replace: path: '{{ item | split(":") | first }}' regexp: ^[\s]*net.ipv4.icmp_echo_ignore_broadcasts replace: 
'#net.ipv4.icmp_echo_ignore_broadcasts' loop: '{{ find_all_values.stdout_lines }}' when: - DISA_STIG_RHEL_09_253055 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - reboot_required | bool - sysctl_net_ipv4_icmp_echo_ignore_broadcasts | bool - '"kernel-core" in ansible_facts.packages' - find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines | length > find_correct_value.stdout_lines | length tags: - CCE-84004-1 - CJIS-5.10.1.1 - DISA-STIG-RHEL-09-253055 - NIST-800-171-3.1.20 - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - NIST-800-53-SC-5 - PCI-DSS-Req-1.4.3 - PCI-DSSv4-1.4 - PCI-DSSv4-1.4.2 - disable_strategy - low_complexity - medium_disruption - medium_severity - reboot_required - sysctl_net_ipv4_icmp_echo_ignore_broadcasts - name: Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces - Ensure sysctl net.ipv4.icmp_echo_ignore_broadcasts is set ansible.posix.sysctl: name: net.ipv4.icmp_echo_ignore_broadcasts value: '{{ sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value }}' sysctl_file: /etc/sysctl.conf state: present reload: true when: - DISA_STIG_RHEL_09_253055 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - reboot_required | bool - sysctl_net_ipv4_icmp_echo_ignore_broadcasts | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-84004-1 - CJIS-5.10.1.1 - DISA-STIG-RHEL-09-253055 - NIST-800-171-3.1.20 - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - NIST-800-53-SC-5 - PCI-DSS-Req-1.4.3 - PCI-DSSv4-1.4 - PCI-DSSv4-1.4.2 - disable_strategy - low_complexity - medium_disruption - medium_severity - reboot_required - sysctl_net_ipv4_icmp_echo_ignore_broadcasts - name: Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces - Set fact for sysctl paths ansible.builtin.set_fact: sysctl_paths: - /etc/sysctl.d/ - /run/sysctl.d/ - /usr/local/lib/sysctl.d/ when: - 
DISA_STIG_RHEL_09_253060 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool - reboot_required | bool - sysctl_net_ipv4_icmp_ignore_bogus_error_responses | bool - unknown_severity | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-84015-7 - DISA-STIG-RHEL-09-253060 - NIST-800-171-3.1.20 - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - NIST-800-53-SC-5 - PCI-DSS-Req-1.4.3 - PCI-DSSv4-1.4 - PCI-DSSv4-1.4.2 - disable_strategy - low_complexity - medium_disruption - reboot_required - sysctl_net_ipv4_icmp_ignore_bogus_error_responses - unknown_severity - name: Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces - Find all files that contain net.ipv4.icmp_ignore_bogus_error_responses ansible.builtin.shell: cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*.*$' register: find_all_values check_mode: false changed_when: false failed_when: false when: - DISA_STIG_RHEL_09_253060 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool - reboot_required | bool - sysctl_net_ipv4_icmp_ignore_bogus_error_responses | bool - unknown_severity | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-84015-7 - DISA-STIG-RHEL-09-253060 - NIST-800-171-3.1.20 - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - NIST-800-53-SC-5 - PCI-DSS-Req-1.4.3 - PCI-DSSv4-1.4 - PCI-DSSv4-1.4.2 - disable_strategy - low_complexity - medium_disruption - reboot_required - sysctl_net_ipv4_icmp_ignore_bogus_error_responses - unknown_severity - name: Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces - Find all files that set net.ipv4.icmp_ignore_bogus_error_responses to correct value ansible.builtin.shell: cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*{{ sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value 
}}$' register: find_correct_value check_mode: false changed_when: false failed_when: false when: - DISA_STIG_RHEL_09_253060 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool - reboot_required | bool - sysctl_net_ipv4_icmp_ignore_bogus_error_responses | bool - unknown_severity | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-84015-7 - DISA-STIG-RHEL-09-253060 - NIST-800-171-3.1.20 - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - NIST-800-53-SC-5 - PCI-DSS-Req-1.4.3 - PCI-DSSv4-1.4 - PCI-DSSv4-1.4.2 - disable_strategy - low_complexity - medium_disruption - reboot_required - sysctl_net_ipv4_icmp_ignore_bogus_error_responses - unknown_severity - name: Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces - Comment out any occurrences of net.ipv4.icmp_ignore_bogus_error_responses from config files ansible.builtin.replace: path: '{{ item | split(":") | first }}' regexp: ^[\s]*net.ipv4.icmp_ignore_bogus_error_responses replace: '#net.ipv4.icmp_ignore_bogus_error_responses' loop: '{{ find_all_values.stdout_lines }}' when: - DISA_STIG_RHEL_09_253060 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool - reboot_required | bool - sysctl_net_ipv4_icmp_ignore_bogus_error_responses | bool - unknown_severity | bool - '"kernel-core" in ansible_facts.packages' - find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines | length > find_correct_value.stdout_lines | length tags: - CCE-84015-7 - DISA-STIG-RHEL-09-253060 - NIST-800-171-3.1.20 - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - NIST-800-53-SC-5 - PCI-DSS-Req-1.4.3 - PCI-DSSv4-1.4 - PCI-DSSv4-1.4.2 - disable_strategy - low_complexity - medium_disruption - reboot_required - sysctl_net_ipv4_icmp_ignore_bogus_error_responses - unknown_severity - name: Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces - Ensure sysctl net.ipv4.icmp_ignore_bogus_error_responses is set 
ansible.posix.sysctl: name: net.ipv4.icmp_ignore_bogus_error_responses value: '{{ sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value }}' sysctl_file: /etc/sysctl.conf state: present reload: true when: - DISA_STIG_RHEL_09_253060 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool - reboot_required | bool - sysctl_net_ipv4_icmp_ignore_bogus_error_responses | bool - unknown_severity | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-84015-7 - DISA-STIG-RHEL-09-253060 - NIST-800-171-3.1.20 - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - NIST-800-53-SC-5 - PCI-DSS-Req-1.4.3 - PCI-DSSv4-1.4 - PCI-DSSv4-1.4.2 - disable_strategy - low_complexity - medium_disruption - reboot_required - sysctl_net_ipv4_icmp_ignore_bogus_error_responses - unknown_severity - name: Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces - Set fact for sysctl paths ansible.builtin.set_fact: sysctl_paths: - /etc/sysctl.d/ - /run/sysctl.d/ - /usr/local/lib/sysctl.d/ when: - DISA_STIG_RHEL_09_253010 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - reboot_required | bool - sysctl_net_ipv4_tcp_syncookies | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-84006-6 - CJIS-5.10.1.1 - DISA-STIG-RHEL-09-253010 - NIST-800-171-3.1.20 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - NIST-800-53-SC-5(1) - NIST-800-53-SC-5(2) - NIST-800-53-SC-5(3)(a) - PCI-DSS-Req-1.4.1 - PCI-DSSv4-1.4 - PCI-DSSv4-1.4.3 - disable_strategy - low_complexity - medium_disruption - medium_severity - reboot_required - sysctl_net_ipv4_tcp_syncookies - name: Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces - Find all files that contain net.ipv4.tcp_syncookies ansible.builtin.shell: cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv4.tcp_syncookies\s*=\s*.*$' register: find_all_values check_mode: false changed_when: false 
failed_when: false when: - DISA_STIG_RHEL_09_253010 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - reboot_required | bool - sysctl_net_ipv4_tcp_syncookies | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-84006-6 - CJIS-5.10.1.1 - DISA-STIG-RHEL-09-253010 - NIST-800-171-3.1.20 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - NIST-800-53-SC-5(1) - NIST-800-53-SC-5(2) - NIST-800-53-SC-5(3)(a) - PCI-DSS-Req-1.4.1 - PCI-DSSv4-1.4 - PCI-DSSv4-1.4.3 - disable_strategy - low_complexity - medium_disruption - medium_severity - reboot_required - sysctl_net_ipv4_tcp_syncookies - name: Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces - Find all files that set net.ipv4.tcp_syncookies to correct value ansible.builtin.shell: cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv4.tcp_syncookies\s*=\s*{{ sysctl_net_ipv4_tcp_syncookies_value }}$' register: find_correct_value check_mode: false changed_when: false failed_when: false when: - DISA_STIG_RHEL_09_253010 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - reboot_required | bool - sysctl_net_ipv4_tcp_syncookies | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-84006-6 - CJIS-5.10.1.1 - DISA-STIG-RHEL-09-253010 - NIST-800-171-3.1.20 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - NIST-800-53-SC-5(1) - NIST-800-53-SC-5(2) - NIST-800-53-SC-5(3)(a) - PCI-DSS-Req-1.4.1 - PCI-DSSv4-1.4 - PCI-DSSv4-1.4.3 - disable_strategy - low_complexity - medium_disruption - medium_severity - reboot_required - sysctl_net_ipv4_tcp_syncookies - name: Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces - Comment out any occurrences of net.ipv4.tcp_syncookies from config files ansible.builtin.replace: path: '{{ item | split(":") | first }}' regexp: ^[\s]*net.ipv4.tcp_syncookies replace: 
'#net.ipv4.tcp_syncookies' loop: '{{ find_all_values.stdout_lines }}' when: - DISA_STIG_RHEL_09_253010 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - reboot_required | bool - sysctl_net_ipv4_tcp_syncookies | bool - '"kernel-core" in ansible_facts.packages' - find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines | length > find_correct_value.stdout_lines | length tags: - CCE-84006-6 - CJIS-5.10.1.1 - DISA-STIG-RHEL-09-253010 - NIST-800-171-3.1.20 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - NIST-800-53-SC-5(1) - NIST-800-53-SC-5(2) - NIST-800-53-SC-5(3)(a) - PCI-DSS-Req-1.4.1 - PCI-DSSv4-1.4 - PCI-DSSv4-1.4.3 - disable_strategy - low_complexity - medium_disruption - medium_severity - reboot_required - sysctl_net_ipv4_tcp_syncookies - name: Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces - Ensure sysctl net.ipv4.tcp_syncookies is set ansible.posix.sysctl: name: net.ipv4.tcp_syncookies value: '{{ sysctl_net_ipv4_tcp_syncookies_value }}' sysctl_file: /etc/sysctl.conf state: present reload: true when: - DISA_STIG_RHEL_09_253010 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - reboot_required | bool - sysctl_net_ipv4_tcp_syncookies | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-84006-6 - CJIS-5.10.1.1 - DISA-STIG-RHEL-09-253010 - NIST-800-171-3.1.20 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - NIST-800-53-SC-5(1) - NIST-800-53-SC-5(2) - NIST-800-53-SC-5(3)(a) - PCI-DSS-Req-1.4.1 - PCI-DSSv4-1.4 - PCI-DSSv4-1.4.3 - disable_strategy - low_complexity - medium_disruption - medium_severity - reboot_required - sysctl_net_ipv4_tcp_syncookies - name: Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces - Set fact for sysctl paths ansible.builtin.set_fact: sysctl_paths: - /etc/sysctl.d/ - /run/sysctl.d/ - /usr/local/lib/sysctl.d/ 
when: - DISA_STIG_RHEL_09_253065 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - reboot_required | bool - sysctl_net_ipv4_conf_all_send_redirects | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-83997-7 - CJIS-5.10.1.1 - DISA-STIG-RHEL-09-253065 - NIST-800-171-3.1.20 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - NIST-800-53-SC-5 - NIST-800-53-SC-7(a) - PCI-DSSv4-1.4 - PCI-DSSv4-1.4.5 - disable_strategy - low_complexity - medium_disruption - medium_severity - reboot_required - sysctl_net_ipv4_conf_all_send_redirects - name: Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces - Find all files that contain net.ipv4.conf.all.send_redirects ansible.builtin.shell: cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv4.conf.all.send_redirects\s*=\s*.*$' register: find_all_values check_mode: false changed_when: false failed_when: false when: - DISA_STIG_RHEL_09_253065 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - reboot_required | bool - sysctl_net_ipv4_conf_all_send_redirects | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-83997-7 - CJIS-5.10.1.1 - DISA-STIG-RHEL-09-253065 - NIST-800-171-3.1.20 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - NIST-800-53-SC-5 - NIST-800-53-SC-7(a) - PCI-DSSv4-1.4 - PCI-DSSv4-1.4.5 - disable_strategy - low_complexity - medium_disruption - medium_severity - reboot_required - sysctl_net_ipv4_conf_all_send_redirects - name: Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces - Find all files that set net.ipv4.conf.all.send_redirects to correct value ansible.builtin.shell: cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv4.conf.all.send_redirects\s*=\s*0$' register: find_correct_value check_mode: false changed_when: 
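# NOTE(review): the first lines below are the tail of the "Disable Kernel Parameter for
# Sending ICMP Redirects on all IPv4 Interfaces - Find all files that set
# net.ipv4.conf.all.send_redirects to correct value" shell task. Its head (name, cmd,
# register, and the `changed_when:` key whose value is the bare `false` below) lies above
# this chunk and is left untouched.
      false
    failed_when: false
    when:
    - DISA_STIG_RHEL_09_253065 | bool
    - disable_strategy | bool
    - low_complexity | bool
    - medium_disruption | bool
    - medium_severity | bool
    - reboot_required | bool
    - sysctl_net_ipv4_conf_all_send_redirects | bool
    - '"kernel-core" in ansible_facts.packages'
    tags:
    - CCE-83997-7
    - CJIS-5.10.1.1
    - DISA-STIG-RHEL-09-253065
    - NIST-800-171-3.1.20
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-SC-5
    - NIST-800-53-SC-7(a)
    - PCI-DSSv4-1.4
    - PCI-DSSv4-1.4.5
    - disable_strategy
    - low_complexity
    - medium_disruption
    - medium_severity
    - reboot_required
    - sysctl_net_ipv4_conf_all_send_redirects

  # Neutralise every existing assignment of the key found by the grep above (correct or
  # not) so that a later-sorting drop-in cannot override the canonical value written to
  # /etc/sysctl.conf in the next task. Runs only when no file carries the correct value,
  # or when at least one file carries some other value.
  # NOTE(review): the dots in `regexp` are unescaped; besides a literal `.` they also
  # match the `/` separator that sysctl accepts in keys (net/ipv4/conf/all/send_redirects).
  # Confirm that is intended before tightening the pattern.
  - name: Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces - Comment out any occurrences of net.ipv4.conf.all.send_redirects from config files
    ansible.builtin.replace:
      # `grep -H` emits "<file>:<matched line>"; only the file name is wanted.
      path: '{{ item | split(":") | first }}'
      regexp: ^[\s]*net.ipv4.conf.all.send_redirects
      replace: '#net.ipv4.conf.all.send_redirects'
    loop: '{{ find_all_values.stdout_lines }}'
    when:
    - DISA_STIG_RHEL_09_253065 | bool
    - disable_strategy | bool
    - low_complexity | bool
    - medium_disruption | bool
    - medium_severity | bool
    - reboot_required | bool
    - sysctl_net_ipv4_conf_all_send_redirects | bool
    - '"kernel-core" in ansible_facts.packages'
    - find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines | length > find_correct_value.stdout_lines | length
    tags:
    - CCE-83997-7
    - CJIS-5.10.1.1
    - DISA-STIG-RHEL-09-253065
    - NIST-800-171-3.1.20
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-SC-5
    - NIST-800-53-SC-7(a)
    - PCI-DSSv4-1.4
    - PCI-DSSv4-1.4.5
    - disable_strategy
    - low_complexity
    - medium_disruption
    - medium_severity
    - reboot_required
    - sysctl_net_ipv4_conf_all_send_redirects

  # Persist the value in /etc/sysctl.conf and apply it (`reload` runs sysctl -p on the
  # file when it changes). Per the kernel's ip-sysctl documentation send_redirects is
  # enabled on an interface if EITHER conf/all OR conf/<iface> is 1, so `all=0` is only
  # effective once every per-interface value is 0 as well; interfaces that already exist
  # keep their current value, which is why the rule is tagged reboot_required.
  - name: Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces - Ensure sysctl net.ipv4.conf.all.send_redirects is set to 0
    ansible.posix.sysctl:
      name: net.ipv4.conf.all.send_redirects
      value: '0'
      sysctl_file: /etc/sysctl.conf
      state: present
      reload: true
    when:
    - DISA_STIG_RHEL_09_253065 | bool
    - disable_strategy | bool
    - low_complexity | bool
    - medium_disruption | bool
    - medium_severity | bool
    - reboot_required | bool
    - sysctl_net_ipv4_conf_all_send_redirects | bool
    - '"kernel-core" in ansible_facts.packages'
    tags:
    - CCE-83997-7
    - CJIS-5.10.1.1
    - DISA-STIG-RHEL-09-253065
    - NIST-800-171-3.1.20
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-SC-5
    - NIST-800-53-SC-7(a)
    - PCI-DSSv4-1.4
    - PCI-DSSv4-1.4.5
    - disable_strategy
    - low_complexity
    - medium_disruption
    - medium_severity
    - reboot_required
    - sysctl_net_ipv4_conf_all_send_redirects

  # ---------------------------------------------------------------------------------
  # net.ipv4.conf.default.send_redirects = 0  (CCE-83999-3 / RHEL-09-253070)
  # Same five-step pattern: scan the drop-in directories, comment out conflicting
  # assignments, then write the canonical value to /etc/sysctl.conf.
  # NOTE(review): /usr/lib/sysctl.d (vendor defaults) is not in the search list. On RHEL
  # /etc/sysctl.conf is normally applied through the /etc/sysctl.d/99-sysctl.conf
  # symlink, so a vendor drop-in sorting after "99-" would still win — confirm none does.
  # ---------------------------------------------------------------------------------
  - name: Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default - Set fact for sysctl paths
    ansible.builtin.set_fact:
      sysctl_paths:
      - /etc/sysctl.d/
      - /run/sysctl.d/
      - /usr/local/lib/sysctl.d/
    when:
    - DISA_STIG_RHEL_09_253070 | bool
    - disable_strategy | bool
    - low_complexity | bool
    - medium_disruption | bool
    - medium_severity | bool
    - reboot_required | bool
    - sysctl_net_ipv4_conf_default_send_redirects | bool
    - '"kernel-core" in ansible_facts.packages'
    tags:
    - CCE-83999-3
    - CJIS-5.10.1.1
    - DISA-STIG-RHEL-09-253070
    - NIST-800-171-3.1.20
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-SC-5
    - NIST-800-53-SC-7(a)
    - PCI-DSSv4-1.4
    - PCI-DSSv4-1.4.5
    - disable_strategy
    - low_complexity
    - medium_disruption
    - medium_severity
    - reboot_required
    - sysctl_net_ipv4_conf_default_send_redirects

  # `find -L` follows symlinks so the 99-sysctl.conf -> ../sysctl.conf link is scanned
  # too. Read-only probe: never reports changed, never fails (grep exits 1 on no match).
  - name: Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default - Find all files that contain net.ipv4.conf.default.send_redirects
    ansible.builtin.shell:
      cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv4.conf.default.send_redirects\s*=\s*.*$'
    register: find_all_values
    check_mode: false
    changed_when: false
    failed_when: false
    when:
    - DISA_STIG_RHEL_09_253070 | bool
    - disable_strategy | bool
    - low_complexity | bool
    - medium_disruption | bool
    - medium_severity | bool
    - reboot_required | bool
    - sysctl_net_ipv4_conf_default_send_redirects | bool
    - '"kernel-core" in ansible_facts.packages'
    tags:
    - CCE-83999-3
    - CJIS-5.10.1.1
    - DISA-STIG-RHEL-09-253070
    - NIST-800-171-3.1.20
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-SC-5
    - NIST-800-53-SC-7(a)
    - PCI-DSSv4-1.4
    - PCI-DSSv4-1.4.5
    - disable_strategy
    - low_complexity
    - medium_disruption
    - medium_severity
    - reboot_required
    - sysctl_net_ipv4_conf_default_send_redirects

  # Subset of the above: only assignments that already hold the desired value 0.
  - name: Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default - Find all files that set net.ipv4.conf.default.send_redirects to correct value
    ansible.builtin.shell:
      cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv4.conf.default.send_redirects\s*=\s*0$'
    register: find_correct_value
    check_mode: false
    changed_when: false
    failed_when: false
    when:
    - DISA_STIG_RHEL_09_253070 | bool
    - disable_strategy | bool
    - low_complexity | bool
    - medium_disruption | bool
    - medium_severity | bool
    - reboot_required | bool
    - sysctl_net_ipv4_conf_default_send_redirects | bool
    - '"kernel-core" in ansible_facts.packages'
    tags:
    - CCE-83999-3
    - CJIS-5.10.1.1
    - DISA-STIG-RHEL-09-253070
    - NIST-800-171-3.1.20
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-SC-5
    - NIST-800-53-SC-7(a)
    - PCI-DSSv4-1.4
    - PCI-DSSv4-1.4.5
    - disable_strategy
    - low_complexity
    - medium_disruption
    - medium_severity
    - reboot_required
    - sysctl_net_ipv4_conf_default_send_redirects

  # Comment out every found assignment when any file disagrees with the target value
  # (or none sets it), so /etc/sysctl.conf becomes the single source of truth.
  - name: Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default - Comment out any occurrences of net.ipv4.conf.default.send_redirects from config files
    ansible.builtin.replace:
      path: '{{ item | split(":") | first }}'
      regexp: ^[\s]*net.ipv4.conf.default.send_redirects
      replace: '#net.ipv4.conf.default.send_redirects'
    loop: '{{ find_all_values.stdout_lines }}'
    when:
    - DISA_STIG_RHEL_09_253070 | bool
    - disable_strategy | bool
    - low_complexity | bool
    - medium_disruption | bool
    - medium_severity | bool
    - reboot_required | bool
    - sysctl_net_ipv4_conf_default_send_redirects | bool
    - '"kernel-core" in ansible_facts.packages'
    - find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines | length > find_correct_value.stdout_lines | length
    tags:
    - CCE-83999-3
    - CJIS-5.10.1.1
    - DISA-STIG-RHEL-09-253070
    - NIST-800-171-3.1.20
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-SC-5
    - NIST-800-53-SC-7(a)
    - PCI-DSSv4-1.4
    - PCI-DSSv4-1.4.5
    - disable_strategy
    - low_complexity
    - medium_disruption
    - medium_severity
    - reboot_required
    - sysctl_net_ipv4_conf_default_send_redirects

  # `default` only seeds interfaces created after the write; existing interfaces keep
  # their per-interface value until re-created or the host reboots (reboot_required).
  - name: Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default - Ensure sysctl net.ipv4.conf.default.send_redirects is set to 0
    ansible.posix.sysctl:
      name: net.ipv4.conf.default.send_redirects
      value: '0'
      sysctl_file: /etc/sysctl.conf
      state: present
      reload: true
    when:
    - DISA_STIG_RHEL_09_253070 | bool
    - disable_strategy | bool
    - low_complexity | bool
    - medium_disruption | bool
    - medium_severity | bool
    - reboot_required | bool
    - sysctl_net_ipv4_conf_default_send_redirects | bool
    - '"kernel-core" in ansible_facts.packages'
    tags:
    - CCE-83999-3
    - CJIS-5.10.1.1
    - DISA-STIG-RHEL-09-253070
    - NIST-800-171-3.1.20
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-SC-5
    - NIST-800-53-SC-7(a)
    - PCI-DSSv4-1.4
    - PCI-DSSv4-1.4.5
    - disable_strategy
    - low_complexity
    - medium_disruption
    - medium_severity
    - reboot_required
    - sysctl_net_ipv4_conf_default_send_redirects

  # ---------------------------------------------------------------------------------
  # net.ipv4.ip_forward = 0  (CCE-83998-5) — same five-step pattern as above.
  # NOTE(review): per ip-sysctl, writing ip_forward also flips the per-interface
  # forwarding flags; hosts that legitimately route (containers, VPN gateways) must
  # exclude this rule via the sysctl_net_ipv4_ip_forward variable.
  # ---------------------------------------------------------------------------------
  - name: Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces - Set fact for sysctl paths
    ansible.builtin.set_fact:
      sysctl_paths:
      - /etc/sysctl.d/
      - /run/sysctl.d/
      - /usr/local/lib/sysctl.d/
    when:
    - disable_strategy | bool
    - low_complexity | bool
    - medium_disruption | bool
    - medium_severity | bool
    - reboot_required | bool
    - sysctl_net_ipv4_ip_forward | bool
    - '"kernel-core" in ansible_facts.packages'
    tags:
    - CCE-83998-5
    - NIST-800-171-3.1.20
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-SC-5
    - NIST-800-53-SC-7(a)
    - PCI-DSS-Req-1.3.1
    - PCI-DSS-Req-1.3.2
    - PCI-DSSv4-1.4
    - PCI-DSSv4-1.4.3
    - disable_strategy
    - low_complexity
    - medium_disruption
    - medium_severity
    - reboot_required
    - sysctl_net_ipv4_ip_forward

  - name: Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces - Find all files that contain net.ipv4.ip_forward
    ansible.builtin.shell:
      cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv4.ip_forward\s*=\s*.*$'
    register: find_all_values
    check_mode: false
    changed_when: false
    failed_when: false
    when:
    - disable_strategy | bool
    - low_complexity | bool
    - medium_disruption | bool
    - medium_severity | bool
    - reboot_required | bool
    - sysctl_net_ipv4_ip_forward | bool
    - '"kernel-core" in ansible_facts.packages'
    tags:
    - CCE-83998-5
    - NIST-800-171-3.1.20
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-SC-5
    - NIST-800-53-SC-7(a)
    - PCI-DSS-Req-1.3.1
    - PCI-DSS-Req-1.3.2
    - PCI-DSSv4-1.4
    - PCI-DSSv4-1.4.3
    - disable_strategy
    - low_complexity
    - medium_disruption
    - medium_severity
    - reboot_required
    - sysctl_net_ipv4_ip_forward

  - name: Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces - Find all files that set net.ipv4.ip_forward to correct value
    ansible.builtin.shell:
      cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv4.ip_forward\s*=\s*0$'
    register: find_correct_value
    check_mode: false
    changed_when: false
    failed_when: false
    when:
    - disable_strategy | bool
    - low_complexity | bool
    - medium_disruption | bool
    - medium_severity | bool
    - reboot_required | bool
    - sysctl_net_ipv4_ip_forward | bool
    - '"kernel-core" in ansible_facts.packages'
    tags:
    - CCE-83998-5
    - NIST-800-171-3.1.20
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-SC-5
    - NIST-800-53-SC-7(a)
    - PCI-DSS-Req-1.3.1
    - PCI-DSS-Req-1.3.2
    - PCI-DSSv4-1.4
    - PCI-DSSv4-1.4.3
    - disable_strategy
    - low_complexity
    - medium_disruption
    - medium_severity
    - reboot_required
    - sysctl_net_ipv4_ip_forward

  - name: Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces - Comment out any occurrences of net.ipv4.ip_forward from config files
    ansible.builtin.replace:
      path: '{{ item | split(":") | first }}'
      regexp: ^[\s]*net.ipv4.ip_forward
      replace: '#net.ipv4.ip_forward'
    loop: '{{ find_all_values.stdout_lines }}'
    when:
    - disable_strategy | bool
    - low_complexity | bool
    - medium_disruption | bool
    - medium_severity | bool
    - reboot_required | bool
    - sysctl_net_ipv4_ip_forward | bool
    - '"kernel-core" in ansible_facts.packages'
    - find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines | length > find_correct_value.stdout_lines | length
    tags:
    - CCE-83998-5
    - NIST-800-171-3.1.20
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-SC-5
    - NIST-800-53-SC-7(a)
    - PCI-DSS-Req-1.3.1
    - PCI-DSS-Req-1.3.2
    - PCI-DSSv4-1.4
    - PCI-DSSv4-1.4.3
    - disable_strategy
    - low_complexity
    - medium_disruption
    - medium_severity
    - reboot_required
    - sysctl_net_ipv4_ip_forward

  - name: Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces - Ensure sysctl net.ipv4.ip_forward is set to 0
    ansible.posix.sysctl:
      name: net.ipv4.ip_forward
      value: '0'
      sysctl_file: /etc/sysctl.conf
      state: present
      reload: true
    when:
    - disable_strategy | bool
    - low_complexity | bool
    - medium_disruption | bool
    - medium_severity | bool
    - reboot_required | bool
    - sysctl_net_ipv4_ip_forward | bool
    - '"kernel-core" in ansible_facts.packages'
    tags:
    - CCE-83998-5
    - NIST-800-171-3.1.20
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-SC-5
    - NIST-800-53-SC-7(a)
    - PCI-DSS-Req-1.3.1
    - PCI-DSS-Req-1.3.2
    - PCI-DSSv4-1.4
    - PCI-DSSv4-1.4.3
    - disable_strategy
    - low_complexity
    - medium_disruption
    - medium_severity
    - reboot_required
    - sysctl_net_ipv4_ip_forward

  # ---------------------------------------------------------------------------------
  # Unused network protocol modules (dccp, rds, sctp, tipc).
  # Each module gets two lines in its own /etc/modprobe.d/<mod>.conf:
  #   install <mod> /bin/false   -> modprobe runs /bin/false instead of loading it
  #                                 (defeats explicit `modprobe <mod>` and dependencies)
  #   blacklist <mod>            -> stops alias-driven autoloading
  # Neither line unloads a module that is already resident, hence reboot_required.
  # `create: true` is needed because the drop-in file does not exist on a stock host.
  # ---------------------------------------------------------------------------------
  - name: Ensure kernel module 'dccp' is disabled
    ansible.builtin.lineinfile:
      create: true
      dest: /etc/modprobe.d/dccp.conf
      regexp: install\s+dccp
      line: install dccp /bin/false
    when:
    - disable_strategy | bool
    - kernel_module_dccp_disabled | bool
    - low_complexity | bool
    - medium_disruption | bool
    - medium_severity | bool
    - reboot_required | bool
    - '"kernel-core" in ansible_facts.packages'
    tags:
    - CCE-84136-1
    - CJIS-5.10.1
    - NIST-800-171-3.4.6
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - PCI-DSS-Req-1.4.2
    - PCI-DSSv4-1.4
    - PCI-DSSv4-1.4.2
    - disable_strategy
    - kernel_module_dccp_disabled
    - low_complexity
    - medium_disruption
    - medium_severity
    - reboot_required

  - name: Ensure kernel module 'dccp' is blacklisted
    ansible.builtin.lineinfile:
      create: true
      dest: /etc/modprobe.d/dccp.conf
      regexp: ^blacklist dccp$
      line: blacklist dccp
    when:
    - disable_strategy | bool
    - kernel_module_dccp_disabled | bool
    - low_complexity | bool
    - medium_disruption | bool
    - medium_severity | bool
    - reboot_required | bool
    - '"kernel-core" in ansible_facts.packages'
    tags:
    - CCE-84136-1
    - CJIS-5.10.1
    - NIST-800-171-3.4.6
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - PCI-DSS-Req-1.4.2
    - PCI-DSSv4-1.4
    - PCI-DSSv4-1.4.2
    - disable_strategy
    - kernel_module_dccp_disabled
    - low_complexity
    - medium_disruption
    - medium_severity
    - reboot_required

  - name: Ensure kernel module 'rds' is disabled
    ansible.builtin.lineinfile:
      create: true
      dest: /etc/modprobe.d/rds.conf
      regexp: install\s+rds
      line: install rds /bin/false
    when:
    - disable_strategy | bool
    - kernel_module_rds_disabled | bool
    - low_complexity | bool
    - low_severity | bool
    - medium_disruption | bool
    - reboot_required | bool
    - '"kernel-core" in ansible_facts.packages'
    tags:
    - CCE-84064-5
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - disable_strategy
    - kernel_module_rds_disabled
    - low_complexity
    - low_severity
    - medium_disruption
    - reboot_required

  - name: Ensure kernel module 'rds' is blacklisted
    ansible.builtin.lineinfile:
      create: true
      dest: /etc/modprobe.d/rds.conf
      regexp: ^blacklist rds$
      line: blacklist rds
    when:
    - disable_strategy | bool
    - kernel_module_rds_disabled | bool
    - low_complexity | bool
    - low_severity | bool
    - medium_disruption | bool
    - reboot_required | bool
    - '"kernel-core" in ansible_facts.packages'
    tags:
    - CCE-84064-5
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - disable_strategy
    - kernel_module_rds_disabled
    - low_complexity
    - low_severity
    - medium_disruption
    - reboot_required

  - name: Ensure kernel module 'sctp' is disabled
    ansible.builtin.lineinfile:
      create: true
      dest: /etc/modprobe.d/sctp.conf
      regexp: install\s+sctp
      line: install sctp /bin/false
    when:
    - DISA_STIG_RHEL_09_213060 | bool
    - disable_strategy | bool
    - kernel_module_sctp_disabled | bool
    - low_complexity | bool
    - medium_disruption | bool
    - medium_severity | bool
    - reboot_required | bool
    - '"kernel-core" in ansible_facts.packages'
    tags:
    - CCE-84139-5
    - CJIS-5.10.1
    - DISA-STIG-RHEL-09-213060
    - NIST-800-171-3.4.6
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - PCI-DSS-Req-1.4.2
    - PCI-DSSv4-1.4
    - PCI-DSSv4-1.4.2
    - disable_strategy
    - kernel_module_sctp_disabled
    - low_complexity
    - medium_disruption
    - medium_severity
    - reboot_required

  - name: Ensure kernel module 'sctp' is blacklisted
    ansible.builtin.lineinfile:
      create: true
      dest: /etc/modprobe.d/sctp.conf
      regexp: ^blacklist sctp$
      line: blacklist sctp
    when:
    - DISA_STIG_RHEL_09_213060 | bool
    - disable_strategy | bool
    - kernel_module_sctp_disabled | bool
    - low_complexity | bool
    - medium_disruption | bool
    - medium_severity | bool
    - reboot_required | bool
    - '"kernel-core" in ansible_facts.packages'
    tags:
    - CCE-84139-5
    - CJIS-5.10.1
    - DISA-STIG-RHEL-09-213060
    - NIST-800-171-3.4.6
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - PCI-DSS-Req-1.4.2
    - PCI-DSSv4-1.4
    - PCI-DSSv4-1.4.2
    - disable_strategy
    - kernel_module_sctp_disabled
    - low_complexity
    - medium_disruption
    - medium_severity
    - reboot_required

  - name: Ensure kernel module 'tipc' is disabled
    ansible.builtin.lineinfile:
      create: true
      dest: /etc/modprobe.d/tipc.conf
      regexp: install\s+tipc
      line: install tipc /bin/false
    when:
    - DISA_STIG_RHEL_09_213065 | bool
    - disable_strategy | bool
    - kernel_module_tipc_disabled | bool
    - low_complexity | bool
    - low_severity | bool
    - medium_disruption | bool
    - reboot_required | bool
    - '"kernel-core" in ansible_facts.packages'
    tags:
    - CCE-84065-2
    - DISA-STIG-RHEL-09-213065
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - disable_strategy
    - kernel_module_tipc_disabled
    - low_complexity
    - low_severity
    - medium_disruption
    - reboot_required

  - name: Ensure kernel module 'tipc' is blacklisted
    ansible.builtin.lineinfile:
      create: true
      dest: /etc/modprobe.d/tipc.conf
      regexp: ^blacklist tipc$
      line: blacklist tipc
    when:
    - DISA_STIG_RHEL_09_213065 | bool
    - disable_strategy | bool
    - kernel_module_tipc_disabled | bool
    - low_complexity | bool
    - low_severity | bool
    - medium_disruption | bool
    - reboot_required | bool
    - '"kernel-core" in ansible_facts.packages'
    tags:
    - CCE-84065-2
    - DISA-STIG-RHEL-09-213065
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - disable_strategy
    - kernel_module_tipc_disabled
    - low_complexity
    - low_severity
    - medium_disruption
    - reboot_required

  # ---------------------------------------------------------------------------------
  # Wireless radio off (CCE-84066-0 / RHEL-09-291040).
  # FIX: the original ran `nmcli radio wifi off` unconditionally, so every play reported
  # "changed" even on a compliant host and check mode could not tell the two apart. A
  # read-only probe now records the current radio state and the write is skipped when
  # the radio already reports "disabled"; any other output (or probe failure) falls back
  # to the original behaviour and runs the command.
  # NOTE(review): the `ansible_facts.services[...]` condition needs service facts to have
  # been gathered earlier in the play (not visible in this chunk) or the task will error
  # on an undefined key rather than skip.
  # ---------------------------------------------------------------------------------
  - name: NetworkManager Deactivate Wireless Network Interfaces - Check current wifi radio state
    ansible.builtin.command: nmcli radio wifi
    register: wifi_radio_state
    check_mode: false
    changed_when: false
    failed_when: false
    when:
    - DISA_STIG_RHEL_09_291040 | bool
    - low_complexity | bool
    - medium_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - unknown_strategy | bool
    - wireless_disable_interfaces | bool
    - ( not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] ) )
    - '''NetworkManager'' in ansible_facts.packages'
    - ansible_facts.services['NetworkManager.service'].state == 'running'
    tags:
    - CCE-84066-0
    - DISA-STIG-RHEL-09-291040
    - NIST-800-171-3.1.16
    - NIST-800-53-AC-18(3)
    - NIST-800-53-AC-18(a)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-MP-7
    - PCI-DSS-Req-1.3.3
    - PCI-DSSv4-1.3
    - PCI-DSSv4-1.3.3
    - low_complexity
    - medium_disruption
    - medium_severity
    - no_reboot_needed
    - unknown_strategy
    - wireless_disable_interfaces

  - name: NetworkManager Deactivate Wireless Network Interfaces
    ansible.builtin.command: nmcli radio wifi off
    when:
    - DISA_STIG_RHEL_09_291040 | bool
    - low_complexity | bool
    - medium_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - unknown_strategy | bool
    - wireless_disable_interfaces | bool
    - ( not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] ) )
    - '''NetworkManager'' in ansible_facts.packages'
    - ansible_facts.services['NetworkManager.service'].state == 'running'
    # Last on purpose: Ansible evaluates `when` items in order, so the probe result is
    # only consulted once the conditions that also gated the probe have passed.
    - not (wifi_radio_state.rc | default(1) == 0 and wifi_radio_state.stdout | default('') | trim == 'disabled')
    tags:
    - CCE-84066-0
    - DISA-STIG-RHEL-09-291040
    - NIST-800-171-3.1.16
    - NIST-800-53-AC-18(3)
    - NIST-800-53-AC-18(a)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-MP-7
    - PCI-DSS-Req-1.3.3
    - PCI-DSSv4-1.3
    - PCI-DSSv4-1.3.3
    - low_complexity
    - medium_disruption
    - medium_severity
    - no_reboot_needed
    - unknown_strategy
    - wireless_disable_interfaces

  # ---------------------------------------------------------------------------------
  # Sticky bit on world-writable directories (CCE-83895-3 / RHEL-09-232245).
  # Builds a list of local search roots (top-level dirs under / minus pseudo-filesystems,
  # plus mount points of local filesystem types and localhost-served NFS exports), finds
  # directories that are o+w without the sticky bit, and adds the bit. Without it, any
  # user can delete or rename other users' files in a shared directory.
  # ---------------------------------------------------------------------------------
  - name: Verify that All World-Writable Directories Have Sticky Bits Set - Define Excluded (Non-Local) File Systems and Paths
    ansible.builtin.set_fact:
      # Network/cluster filesystem types: remote ownership semantics, not remediated here.
      excluded_fstypes:
      - afs
      - autofs
      - ceph
      - cifs
      - smb3
      - smbfs
      - sshfs
      - ncpfs
      - ncp
      - nfs
      - nfs4
      - gfs
      - gfs2
      - glusterfs
      - gpfs
      - pvfs2
      - ocfs2
      - lustre
      - davfs
      - fuse.sshfs
      # Kernel pseudo-filesystems under / that must not be walked.
      excluded_paths:
      - dev
      - proc
      - run
      - sys
      search_paths: []
    tags:
    - CCE-83895-3
    - DISA-STIG-RHEL-09-232245
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - dir_perms_world_writable_sticky_bits
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
    when:
    - DISA_STIG_RHEL_09_232245 | bool
    - dir_perms_world_writable_sticky_bits | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool

  # Top-level directories only (`recurse: false`); `excludes` matches on the basename.
  - name: Verify that All World-Writable Directories Have Sticky Bits Set - Find Relevant Root Directories Ignoring Pre-Defined Excluded Paths
    ansible.builtin.find:
      paths: /
      file_type: directory
      excludes: '{{ excluded_paths }}'
      hidden: true
      recurse: false
    register: result_relevant_root_dirs
    tags:
    - CCE-83895-3
    - DISA-STIG-RHEL-09-232245
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - dir_perms_world_writable_sticky_bits
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
    when:
    - DISA_STIG_RHEL_09_232245 | bool
    - dir_perms_world_writable_sticky_bits | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool

  - name: Verify that All World-Writable Directories Have Sticky Bits Set - Include Relevant Root Directories in a List of Paths to be Searched
    ansible.builtin.set_fact:
      search_paths: '{{ search_paths | union([item.path]) }}'
    loop: '{{ result_relevant_root_dirs.files }}'
    tags:
    - CCE-83895-3
    - DISA-STIG-RHEL-09-232245
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - dir_perms_world_writable_sticky_bits
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
    when:
    - DISA_STIG_RHEL_09_232245 | bool
    - dir_perms_world_writable_sticky_bits | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool

  # Mount points are added as extra roots because the find below uses -xdev and would
  # otherwise stop at every filesystem boundary. "/" itself is already covered above.
  - name: Verify that All World-Writable Directories Have Sticky Bits Set - Increment Search Paths List with Local Partitions Mount Points
    ansible.builtin.set_fact:
      search_paths: '{{ search_paths | union([item.mount]) }}'
    loop: '{{ ansible_mounts }}'
    when:
    - DISA_STIG_RHEL_09_232245 | bool
    - dir_perms_world_writable_sticky_bits | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - item.fstype not in excluded_fstypes
    - item.mount != '/'
    tags:
    - CCE-83895-3
    - DISA-STIG-RHEL-09-232245
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - dir_perms_world_writable_sticky_bits
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

  # An NFS mount whose device is "localhost:<export>" is backed by a local directory;
  # the export path (after the colon) is searched directly.
  - name: Verify that All World-Writable Directories Have Sticky Bits Set - Increment Search Paths List with Local NFS File System Targets
    ansible.builtin.set_fact:
      search_paths: '{{ search_paths | union([item.device.split('':'')[1]]) }}'
    loop: '{{ ansible_mounts }}'
    when:
    - DISA_STIG_RHEL_09_232245 | bool
    - dir_perms_world_writable_sticky_bits | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - item.device is search("localhost:")
    tags:
    - CCE-83895-3
    - DISA-STIG-RHEL-09-232245
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - dir_perms_world_writable_sticky_bits
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

  - name: Verify that All World-Writable Directories Have Sticky Bits Set - Define Rule Specific Facts
    ansible.builtin.set_fact:
      world_writable_dirs: []
    tags:
    - CCE-83895-3
    - DISA-STIG-RHEL-09-232245
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - dir_perms_world_writable_sticky_bits
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
    when:
    - DISA_STIG_RHEL_09_232245 | bool
    - dir_perms_world_writable_sticky_bits | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool

  # FIX: the original passed `find {{ item }} ...` as one command string, which the
  # command module splits on whitespace; a mount point or top-level directory containing
  # a space (or shell quote) would be mis-tokenised. `argv` hands each argument to find
  # verbatim. The -0002/-1000 modes are quoted so YAML keeps them as strings rather than
  # parsing them as negative integers; `!` is quoted because it is a YAML tag indicator.
  - name: Verify that All World-Writable Directories Have Sticky Bits Set - Find All Uncompliant Directories in Local File Systems
    ansible.builtin.command:
      argv:
      - find
      - '{{ item }}'
      - -xdev
      - -type
      - d
      - (
      - -perm
      - '-0002'
      - -a
      - '!'
      - -perm
      - '-1000'
      - )
    loop: '{{ search_paths }}'
    changed_when: false
    register: result_found_dirs
    tags:
    - CCE-83895-3
    - DISA-STIG-RHEL-09-232245
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - dir_perms_world_writable_sticky_bits
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
    when:
    - DISA_STIG_RHEL_09_232245 | bool
    - dir_perms_world_writable_sticky_bits | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool

  # Flatten the per-root results into one deduplicated list; skipped loop items carry
  # no stdout_lines and are filtered out.
  - name: Verify that All World-Writable Directories Have Sticky Bits Set - Create List of World Writable Directories Without Sticky Bit
    ansible.builtin.set_fact:
      world_writable_dirs: '{{ world_writable_dirs | union(item.stdout_lines) | list }}'
    loop: '{{ result_found_dirs.results }}'
    when:
    - DISA_STIG_RHEL_09_232245 | bool
    - dir_perms_world_writable_sticky_bits | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - result_found_dirs is not skipped and item is not skipped
    tags:
    - CCE-83895-3
    - DISA-STIG-RHEL-09-232245
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - dir_perms_world_writable_sticky_bits
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

  # Symbolic mode: only the sticky bit is added, all other permission bits are kept.
  - name: Verify that All World-Writable Directories Have Sticky Bits Set - Ensure Sticky Bit is Set on Local World Writable Directories
    ansible.builtin.file:
      path: '{{ item }}'
      mode: a+t
    loop: '{{ world_writable_dirs }}'
    tags:
    - CCE-83895-3
    - DISA-STIG-RHEL-09-232245
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - dir_perms_world_writable_sticky_bits
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
    when:
    - DISA_STIG_RHEL_09_232245 | bool
    - dir_perms_world_writable_sticky_bits | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool

  # ---------------------------------------------------------------------------------
  # /etc/security/opasswd (CCE-86762-2): pam_pwhistory's store of old password hashes.
  # Must be root:root and readable by root only.
  # FIX: the original wrote `mode: 384`, a decimal integer that happens to equal 0o600.
  # The Ansible docs warn that unquoted numeric modes are a footgun (e.g. `mode: 600`
  # would be decimal 600 = 0o1130). The quoted octal string below sets the identical bits
  # and reads as what it is.
  # `state: touch` creates the file if pam_pwhistory has not yet written it; the preserve
  # options stop touch from bumping timestamps (and reporting "changed") on every run.
  # ---------------------------------------------------------------------------------
  - name: Verify Permissions and Ownership of Old Passwords File
    ansible.builtin.file:
      path: /etc/security/opasswd
      owner: root
      group: root
      mode: '0600'
      state: touch
      modification_time: preserve
      access_time: preserve
    tags:
    - CCE-86762-2
    - file_etc_security_opasswd
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
    when:
    - file_etc_security_opasswd | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool

  # ---------------------------------------------------------------------------------
  # Group ownership of the account databases and their "-" backup copies.
  # Each rule is three generated tasks: a set_fact pinning the target group to GID 0
  # (the root group), a stat guard so a missing backup file is not created, and the
  # chgrp itself. `follow: false` changes the path given, never a symlink target, so a
  # planted symlink cannot redirect the ownership change elsewhere. The `file_exists`
  # register is reused by every rule; that is safe only because they run sequentially.
  # ---------------------------------------------------------------------------------
  - name: Set the file_groupowner_backup_etc_group_newgroup variable if represented by gid
    ansible.builtin.set_fact:
      file_groupowner_backup_etc_group_newgroup: '0'
    tags:
    - CCE-83928-2
    - DISA-STIG-RHEL-09-232105
    - NIST-800-53-AC-6 (1)
    - PCI-DSS-Req-8.7
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - configure_strategy
    - file_groupowner_backup_etc_group
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    when:
    - DISA_STIG_RHEL_09_232105 | bool
    - configure_strategy | bool
    - file_groupowner_backup_etc_group | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool

  - name: Test for existence /etc/group-
    ansible.builtin.stat:
      path: /etc/group-
    register: file_exists
    tags:
    - CCE-83928-2
    - DISA-STIG-RHEL-09-232105
    - NIST-800-53-AC-6 (1)
    - PCI-DSS-Req-8.7
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - configure_strategy
    - file_groupowner_backup_etc_group
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    when:
    - DISA_STIG_RHEL_09_232105 | bool
    - configure_strategy | bool
    - file_groupowner_backup_etc_group | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool

  - name: Ensure group owner on /etc/group-
    ansible.builtin.file:
      path: /etc/group-
      follow: false
      group: '{{ file_groupowner_backup_etc_group_newgroup }}'
    when:
    - DISA_STIG_RHEL_09_232105 | bool
    - configure_strategy | bool
    - file_groupowner_backup_etc_group | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - file_exists.stat is defined and file_exists.stat.exists
    tags:
    - CCE-83928-2
    - DISA-STIG-RHEL-09-232105
    - NIST-800-53-AC-6 (1)
    - PCI-DSS-Req-8.7
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - configure_strategy
    - file_groupowner_backup_etc_group
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

  - name: Set the file_groupowner_backup_etc_gshadow_newgroup variable if represented by gid
    ansible.builtin.set_fact:
      file_groupowner_backup_etc_gshadow_newgroup: '0'
    tags:
    - CCE-83951-4
    - DISA-STIG-RHEL-09-232125
    - NIST-800-53-AC-6 (1)
    - PCI-DSS-Req-8.7
    - configure_strategy
    - file_groupowner_backup_etc_gshadow
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    when:
    - DISA_STIG_RHEL_09_232125 | bool
    - configure_strategy | bool
    - file_groupowner_backup_etc_gshadow | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool

  - name: Test for existence /etc/gshadow-
    ansible.builtin.stat:
      path: /etc/gshadow-
    register: file_exists
    tags:
    - CCE-83951-4
    - DISA-STIG-RHEL-09-232125
    - NIST-800-53-AC-6 (1)
    - PCI-DSS-Req-8.7
    - configure_strategy
    - file_groupowner_backup_etc_gshadow
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    when:
    - DISA_STIG_RHEL_09_232125 | bool
    - configure_strategy | bool
    - file_groupowner_backup_etc_gshadow | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool

  - name: Ensure group owner on /etc/gshadow-
    ansible.builtin.file:
      path: /etc/gshadow-
      follow: false
      group: '{{ file_groupowner_backup_etc_gshadow_newgroup }}'
    when:
    - DISA_STIG_RHEL_09_232125 | bool
    - configure_strategy | bool
    - file_groupowner_backup_etc_gshadow | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - file_exists.stat is defined and file_exists.stat.exists
    tags:
    - CCE-83951-4
    - DISA-STIG-RHEL-09-232125
    - NIST-800-53-AC-6 (1)
    - PCI-DSS-Req-8.7
    - configure_strategy
    - file_groupowner_backup_etc_gshadow
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

  - name: Set the file_groupowner_backup_etc_passwd_newgroup variable if represented by gid
    ansible.builtin.set_fact:
      file_groupowner_backup_etc_passwd_newgroup: '0'
    tags:
    - CCE-83933-2
    - DISA-STIG-RHEL-09-232145
    - NIST-800-53-AC-6 (1)
    - PCI-DSS-Req-8.7
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - configure_strategy
    - file_groupowner_backup_etc_passwd
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    when:
    - DISA_STIG_RHEL_09_232145 | bool
    - configure_strategy | bool
    - file_groupowner_backup_etc_passwd | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool

  - name: Test for existence /etc/passwd-
    ansible.builtin.stat:
      path: /etc/passwd-
    register: file_exists
    tags:
    - CCE-83933-2
    - DISA-STIG-RHEL-09-232145
    - NIST-800-53-AC-6 (1)
    - PCI-DSS-Req-8.7
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - configure_strategy
    - file_groupowner_backup_etc_passwd
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    when:
    - DISA_STIG_RHEL_09_232145 | bool
    - configure_strategy | bool
    - file_groupowner_backup_etc_passwd | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool

  - name: Ensure group owner on /etc/passwd-
    ansible.builtin.file:
      path: /etc/passwd-
      follow: false
      group: '{{ file_groupowner_backup_etc_passwd_newgroup }}'
    when:
    - DISA_STIG_RHEL_09_232145 | bool
    - configure_strategy | bool
    - file_groupowner_backup_etc_passwd | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - file_exists.stat is defined and file_exists.stat.exists
    tags:
    - CCE-83933-2
    - DISA-STIG-RHEL-09-232145
    - NIST-800-53-AC-6 (1)
    - PCI-DSS-Req-8.7
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - configure_strategy
    - file_groupowner_backup_etc_passwd
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

  - name: Set the file_groupowner_backup_etc_shadow_newgroup variable if represented by gid
    ansible.builtin.set_fact:
      file_groupowner_backup_etc_shadow_newgroup: '0'
    tags:
    - CCE-83938-1
    - DISA-STIG-RHEL-09-232165
    - PCI-DSS-Req-8.7
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - configure_strategy
    - file_groupowner_backup_etc_shadow
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    when:
    - DISA_STIG_RHEL_09_232165 | bool
    - configure_strategy | bool
    - file_groupowner_backup_etc_shadow | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool

  - name: Test for existence /etc/shadow-
    ansible.builtin.stat:
      path: /etc/shadow-
    register: file_exists
    tags:
    - CCE-83938-1
    - DISA-STIG-RHEL-09-232165
    - PCI-DSS-Req-8.7
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - configure_strategy
    - file_groupowner_backup_etc_shadow
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    when:
    - DISA_STIG_RHEL_09_232165 | bool
    - configure_strategy | bool
    - file_groupowner_backup_etc_shadow | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool

  - name: Ensure group owner on /etc/shadow-
    ansible.builtin.file:
      path: /etc/shadow-
      follow: false
      group: '{{ file_groupowner_backup_etc_shadow_newgroup }}'
    when:
    - DISA_STIG_RHEL_09_232165 | bool
    - configure_strategy | bool
    - file_groupowner_backup_etc_shadow | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - file_exists.stat is defined and file_exists.stat.exists
    tags:
    - CCE-83938-1
    - DISA-STIG-RHEL-09-232165
    - PCI-DSS-Req-8.7
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - configure_strategy
    - file_groupowner_backup_etc_shadow
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

  - name: Set the file_groupowner_etc_group_newgroup variable if represented by gid
    ansible.builtin.set_fact:
      file_groupowner_etc_group_newgroup: '0'
    tags:
    - CCE-83945-6
    - CJIS-5.5.2.2
    - DISA-STIG-RHEL-09-232095
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-8.7.c
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - configure_strategy
    - file_groupowner_etc_group
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    when:
    - DISA_STIG_RHEL_09_232095 | bool
    - configure_strategy | bool
    - file_groupowner_etc_group | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool

  - name: Test for existence /etc/group
    ansible.builtin.stat:
      path: /etc/group
    register: file_exists
    tags:
    - CCE-83945-6
    - CJIS-5.5.2.2
    - DISA-STIG-RHEL-09-232095
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-8.7.c
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - configure_strategy
    - file_groupowner_etc_group
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    when:
    - DISA_STIG_RHEL_09_232095 | bool
    - configure_strategy | bool
    - file_groupowner_etc_group | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool

  - name: Ensure group owner on /etc/group
    ansible.builtin.file:
      path: /etc/group
      follow: false
      group: '{{ file_groupowner_etc_group_newgroup }}'
    when:
    - DISA_STIG_RHEL_09_232095 | bool
    - configure_strategy | bool
    - file_groupowner_etc_group | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - file_exists.stat is defined and file_exists.stat.exists
    tags:
    - CCE-83945-6
    - CJIS-5.5.2.2
    - DISA-STIG-RHEL-09-232095
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-8.7.c
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - configure_strategy
    - file_groupowner_etc_group
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

  - name: Set the file_groupowner_etc_gshadow_newgroup variable if represented by gid
    ansible.builtin.set_fact:
      file_groupowner_etc_gshadow_newgroup: '0'
    tags:
    - CCE-83948-0
    - DISA-STIG-RHEL-09-232115
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - configure_strategy
    - file_groupowner_etc_gshadow
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    when:
    - DISA_STIG_RHEL_09_232115 | bool
    - configure_strategy | bool
    - file_groupowner_etc_gshadow | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool

  - name: Test for existence /etc/gshadow
    ansible.builtin.stat:
      path: /etc/gshadow
    register: file_exists
    tags:
    - CCE-83948-0
    - DISA-STIG-RHEL-09-232115
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - configure_strategy
    - file_groupowner_etc_gshadow
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    when:
    - DISA_STIG_RHEL_09_232115 | bool
    - configure_strategy | bool
    - file_groupowner_etc_gshadow | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool

  - name: Ensure group owner on /etc/gshadow
    ansible.builtin.file:
      path: /etc/gshadow
      follow: false
      group: '{{ file_groupowner_etc_gshadow_newgroup }}'
    when:
    - DISA_STIG_RHEL_09_232115 | bool
    - configure_strategy | bool
    - file_groupowner_etc_gshadow | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - file_exists.stat is defined and file_exists.stat.exists
    tags:
    - CCE-83948-0
    - DISA-STIG-RHEL-09-232115
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - configure_strategy
    - file_groupowner_etc_gshadow
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

  - name: Set the file_groupowner_etc_passwd_newgroup variable if represented by gid
    ansible.builtin.set_fact:
      file_groupowner_etc_passwd_newgroup: '0'
    tags:
    - CCE-83950-6
    - CJIS-5.5.2.2
    - DISA-STIG-RHEL-09-232135
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-8.7.c
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - configure_strategy
    - file_groupowner_etc_passwd
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    when:
    - DISA_STIG_RHEL_09_232135 | bool
    - configure_strategy | bool
    - file_groupowner_etc_passwd | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool

  - name: Test for existence /etc/passwd
    ansible.builtin.stat:
      path: /etc/passwd
    register: file_exists
    tags:
    - CCE-83950-6
    - CJIS-5.5.2.2
    - DISA-STIG-RHEL-09-232135
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-8.7.c
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - configure_strategy
    - file_groupowner_etc_passwd
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    when:
    - DISA_STIG_RHEL_09_232135 | bool
    - configure_strategy | bool
    - file_groupowner_etc_passwd | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool

  - name: Ensure group owner on /etc/passwd
    ansible.builtin.file:
      path: /etc/passwd
      follow: false
      group: '{{ file_groupowner_etc_passwd_newgroup }}'
    when:
    - DISA_STIG_RHEL_09_232135 | bool
    - configure_strategy | bool
    - file_groupowner_etc_passwd | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - file_exists.stat is defined and file_exists.stat.exists
    tags:
    - CCE-83950-6
    - CJIS-5.5.2.2
    - DISA-STIG-RHEL-09-232135
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-8.7.c
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - configure_strategy
    - file_groupowner_etc_passwd
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

  - name: Set the file_groupowner_etc_shadow_newgroup variable if represented by gid
    ansible.builtin.set_fact:
      file_groupowner_etc_shadow_newgroup: '0'
    tags:
    - CCE-83930-8
    - CJIS-5.5.2.2
    - DISA-STIG-RHEL-09-232155
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-8.7.c
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - configure_strategy
    - file_groupowner_etc_shadow
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    when:
    - DISA_STIG_RHEL_09_232155 | bool
    - configure_strategy | bool
    - file_groupowner_etc_shadow | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool

  - name: Test for existence /etc/shadow
    ansible.builtin.stat:
      path: /etc/shadow
    register: file_exists
    tags:
    - CCE-83930-8
    - CJIS-5.5.2.2
    - DISA-STIG-RHEL-09-232155
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-8.7.c
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - configure_strategy
    - file_groupowner_etc_shadow
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    when:
    - DISA_STIG_RHEL_09_232155 | bool
    - configure_strategy | bool
    - file_groupowner_etc_shadow | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool

  - name: Ensure group owner on /etc/shadow
    ansible.builtin.file:
      path: /etc/shadow
      follow: false
      group: '{{ file_groupowner_etc_shadow_newgroup }}'
    when:
    - DISA_STIG_RHEL_09_232155 | bool
    - configure_strategy | bool
    - file_groupowner_etc_shadow | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - file_exists.stat is defined and file_exists.stat.exists
    tags:
    - CCE-83930-8
    - CJIS-5.5.2.2
    - DISA-STIG-RHEL-09-232155
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-8.7.c
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - configure_strategy
    - file_groupowner_etc_shadow
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

  # /etc/shells (CCE-90434-2): the list of login shells consulted by chsh and
  # pam_shells; a writable copy owned by another group would let an attacker register
  # an arbitrary binary as a "valid" shell.
  - name: Set the file_groupowner_etc_shells_newgroup variable if represented by gid
    ansible.builtin.set_fact:
      file_groupowner_etc_shells_newgroup: '0'
    tags:
    - CCE-90434-2
    - NIST-800-53-AC-3
    - NIST-800-53-MP-2
    - configure_strategy
    - file_groupowner_etc_shells
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    when:
    - configure_strategy | bool
    - file_groupowner_etc_shells | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool

  # NOTE(review): this task's tag list (and the two tasks that follow it in the
  # generated pattern) continue below this chunk; the dangling `-` is the original's
  # next list item whose value starts on the following line and is left untouched.
  - name: Test for existence /etc/shells
    ansible.builtin.stat:
      path: /etc/shells
    register: file_exists
    tags:
    - CCE-90434-2
    -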
NIST-800-53-AC-3 - NIST-800-53-MP-2 - configure_strategy - file_groupowner_etc_shells - low_complexity - low_disruption - medium_severity - no_reboot_needed when: - configure_strategy | bool - file_groupowner_etc_shells | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - name: Ensure group owner on /etc/shells ansible.builtin.file: path: /etc/shells follow: false group: '{{ file_groupowner_etc_shells_newgroup }}' when: - configure_strategy | bool - file_groupowner_etc_shells | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - file_exists.stat is defined and file_exists.stat.exists tags: - CCE-90434-2 - NIST-800-53-AC-3 - NIST-800-53-MP-2 - configure_strategy - file_groupowner_etc_shells - low_complexity - low_disruption - medium_severity - no_reboot_needed - name: Set the file_owner_backup_etc_group_newown variable if represented by uid ansible.builtin.set_fact: file_owner_backup_etc_group_newown: '0' tags: - CCE-83944-9 - DISA-STIG-RHEL-09-232100 - NIST-800-53-AC-6 (1) - PCI-DSS-Req-8.7.c - PCI-DSSv4-2.2 - PCI-DSSv4-2.2.6 - configure_strategy - file_owner_backup_etc_group - low_complexity - low_disruption - medium_severity - no_reboot_needed when: - DISA_STIG_RHEL_09_232100 | bool - configure_strategy | bool - file_owner_backup_etc_group | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - name: Test for existence /etc/group- ansible.builtin.stat: path: /etc/group- register: file_exists tags: - CCE-83944-9 - DISA-STIG-RHEL-09-232100 - NIST-800-53-AC-6 (1) - PCI-DSS-Req-8.7.c - PCI-DSSv4-2.2 - PCI-DSSv4-2.2.6 - configure_strategy - file_owner_backup_etc_group - low_complexity - low_disruption - medium_severity - no_reboot_needed when: - DISA_STIG_RHEL_09_232100 | bool - configure_strategy | bool - file_owner_backup_etc_group | bool - low_complexity | bool - low_disruption | bool - medium_severity | 
bool - no_reboot_needed | bool - name: Ensure owner on /etc/group- ansible.builtin.file: path: /etc/group- follow: false owner: '{{ file_owner_backup_etc_group_newown }}' when: - DISA_STIG_RHEL_09_232100 | bool - configure_strategy | bool - file_owner_backup_etc_group | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - file_exists.stat is defined and file_exists.stat.exists tags: - CCE-83944-9 - DISA-STIG-RHEL-09-232100 - NIST-800-53-AC-6 (1) - PCI-DSS-Req-8.7.c - PCI-DSSv4-2.2 - PCI-DSSv4-2.2.6 - configure_strategy - file_owner_backup_etc_group - low_complexity - low_disruption - medium_severity - no_reboot_needed - name: Set the file_owner_backup_etc_gshadow_newown variable if represented by uid ansible.builtin.set_fact: file_owner_backup_etc_gshadow_newown: '0' tags: - CCE-83929-0 - DISA-STIG-RHEL-09-232120 - NIST-800-53-AC-6 (1) - PCI-DSS-Req-8.7 - configure_strategy - file_owner_backup_etc_gshadow - low_complexity - low_disruption - medium_severity - no_reboot_needed when: - DISA_STIG_RHEL_09_232120 | bool - configure_strategy | bool - file_owner_backup_etc_gshadow | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - name: Test for existence /etc/gshadow- ansible.builtin.stat: path: /etc/gshadow- register: file_exists tags: - CCE-83929-0 - DISA-STIG-RHEL-09-232120 - NIST-800-53-AC-6 (1) - PCI-DSS-Req-8.7 - configure_strategy - file_owner_backup_etc_gshadow - low_complexity - low_disruption - medium_severity - no_reboot_needed when: - DISA_STIG_RHEL_09_232120 | bool - configure_strategy | bool - file_owner_backup_etc_gshadow | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - name: Ensure owner on /etc/gshadow- ansible.builtin.file: path: /etc/gshadow- follow: false owner: '{{ file_owner_backup_etc_gshadow_newown }}' when: - DISA_STIG_RHEL_09_232120 | bool - configure_strategy | bool - 
file_owner_backup_etc_gshadow | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - file_exists.stat is defined and file_exists.stat.exists tags: - CCE-83929-0 - DISA-STIG-RHEL-09-232120 - NIST-800-53-AC-6 (1) - PCI-DSS-Req-8.7 - configure_strategy - file_owner_backup_etc_gshadow - low_complexity - low_disruption - medium_severity - no_reboot_needed - name: Set the file_owner_backup_etc_passwd_newown variable if represented by uid ansible.builtin.set_fact: file_owner_backup_etc_passwd_newown: '0' tags: - CCE-83947-2 - DISA-STIG-RHEL-09-232140 - NIST-800-53-AC-6 (1) - PCI-DSS-Req-8.7.c - PCI-DSSv4-2.2 - PCI-DSSv4-2.2.6 - configure_strategy - file_owner_backup_etc_passwd - low_complexity - low_disruption - medium_severity - no_reboot_needed when: - DISA_STIG_RHEL_09_232140 | bool - configure_strategy | bool - file_owner_backup_etc_passwd | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - name: Test for existence /etc/passwd- ansible.builtin.stat: path: /etc/passwd- register: file_exists tags: - CCE-83947-2 - DISA-STIG-RHEL-09-232140 - NIST-800-53-AC-6 (1) - PCI-DSS-Req-8.7.c - PCI-DSSv4-2.2 - PCI-DSSv4-2.2.6 - configure_strategy - file_owner_backup_etc_passwd - low_complexity - low_disruption - medium_severity - no_reboot_needed when: - DISA_STIG_RHEL_09_232140 | bool - configure_strategy | bool - file_owner_backup_etc_passwd | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - name: Ensure owner on /etc/passwd- ansible.builtin.file: path: /etc/passwd- follow: false owner: '{{ file_owner_backup_etc_passwd_newown }}' when: - DISA_STIG_RHEL_09_232140 | bool - configure_strategy | bool - file_owner_backup_etc_passwd | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - file_exists.stat is defined and file_exists.stat.exists tags: - CCE-83947-2 - 
DISA-STIG-RHEL-09-232140 - NIST-800-53-AC-6 (1) - PCI-DSS-Req-8.7.c - PCI-DSSv4-2.2 - PCI-DSSv4-2.2.6 - configure_strategy - file_owner_backup_etc_passwd - low_complexity - low_disruption - medium_severity - no_reboot_needed - name: Set the file_owner_backup_etc_shadow_newown variable if represented by uid ansible.builtin.set_fact: file_owner_backup_etc_shadow_newown: '0' tags: - CCE-83949-8 - DISA-STIG-RHEL-09-232160 - NIST-800-53-AC-6 (1) - PCI-DSS-Req-8.7.c - PCI-DSSv4-2.2 - PCI-DSSv4-2.2.6 - configure_strategy - file_owner_backup_etc_shadow - low_complexity - low_disruption - medium_severity - no_reboot_needed when: - DISA_STIG_RHEL_09_232160 | bool - configure_strategy | bool - file_owner_backup_etc_shadow | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - name: Test for existence /etc/shadow- ansible.builtin.stat: path: /etc/shadow- register: file_exists tags: - CCE-83949-8 - DISA-STIG-RHEL-09-232160 - NIST-800-53-AC-6 (1) - PCI-DSS-Req-8.7.c - PCI-DSSv4-2.2 - PCI-DSSv4-2.2.6 - configure_strategy - file_owner_backup_etc_shadow - low_complexity - low_disruption - medium_severity - no_reboot_needed when: - DISA_STIG_RHEL_09_232160 | bool - configure_strategy | bool - file_owner_backup_etc_shadow | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - name: Ensure owner on /etc/shadow- ansible.builtin.file: path: /etc/shadow- follow: false owner: '{{ file_owner_backup_etc_shadow_newown }}' when: - DISA_STIG_RHEL_09_232160 | bool - configure_strategy | bool - file_owner_backup_etc_shadow | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - file_exists.stat is defined and file_exists.stat.exists tags: - CCE-83949-8 - DISA-STIG-RHEL-09-232160 - NIST-800-53-AC-6 (1) - PCI-DSS-Req-8.7.c - PCI-DSSv4-2.2 - PCI-DSSv4-2.2.6 - configure_strategy - file_owner_backup_etc_shadow - low_complexity - low_disruption - 
medium_severity - no_reboot_needed - name: Set the file_owner_etc_group_newown variable if represented by uid ansible.builtin.set_fact: file_owner_etc_group_newown: '0' tags: - CCE-83925-8 - CJIS-5.5.2.2 - DISA-STIG-RHEL-09-232090 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.7.c - PCI-DSSv4-2.2 - PCI-DSSv4-2.2.6 - configure_strategy - file_owner_etc_group - low_complexity - low_disruption - medium_severity - no_reboot_needed when: - DISA_STIG_RHEL_09_232090 | bool - configure_strategy | bool - file_owner_etc_group | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - name: Test for existence /etc/group ansible.builtin.stat: path: /etc/group register: file_exists tags: - CCE-83925-8 - CJIS-5.5.2.2 - DISA-STIG-RHEL-09-232090 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.7.c - PCI-DSSv4-2.2 - PCI-DSSv4-2.2.6 - configure_strategy - file_owner_etc_group - low_complexity - low_disruption - medium_severity - no_reboot_needed when: - DISA_STIG_RHEL_09_232090 | bool - configure_strategy | bool - file_owner_etc_group | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - name: Ensure owner on /etc/group ansible.builtin.file: path: /etc/group follow: false owner: '{{ file_owner_etc_group_newown }}' when: - DISA_STIG_RHEL_09_232090 | bool - configure_strategy | bool - file_owner_etc_group | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - file_exists.stat is defined and file_exists.stat.exists tags: - CCE-83925-8 - CJIS-5.5.2.2 - DISA-STIG-RHEL-09-232090 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.7.c - PCI-DSSv4-2.2 - PCI-DSSv4-2.2.6 - configure_strategy - file_owner_etc_group - low_complexity - low_disruption - medium_severity - no_reboot_needed - name: Set the file_owner_etc_gshadow_newown variable if represented by uid ansible.builtin.set_fact: 
file_owner_etc_gshadow_newown: '0' tags: - CCE-83924-1 - DISA-STIG-RHEL-09-232110 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - configure_strategy - file_owner_etc_gshadow - low_complexity - low_disruption - medium_severity - no_reboot_needed when: - DISA_STIG_RHEL_09_232110 | bool - configure_strategy | bool - file_owner_etc_gshadow | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - name: Test for existence /etc/gshadow ansible.builtin.stat: path: /etc/gshadow register: file_exists tags: - CCE-83924-1 - DISA-STIG-RHEL-09-232110 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - configure_strategy - file_owner_etc_gshadow - low_complexity - low_disruption - medium_severity - no_reboot_needed when: - DISA_STIG_RHEL_09_232110 | bool - configure_strategy | bool - file_owner_etc_gshadow | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - name: Ensure owner on /etc/gshadow ansible.builtin.file: path: /etc/gshadow follow: false owner: '{{ file_owner_etc_gshadow_newown }}' when: - DISA_STIG_RHEL_09_232110 | bool - configure_strategy | bool - file_owner_etc_gshadow | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - file_exists.stat is defined and file_exists.stat.exists tags: - CCE-83924-1 - DISA-STIG-RHEL-09-232110 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - configure_strategy - file_owner_etc_gshadow - low_complexity - low_disruption - medium_severity - no_reboot_needed - name: Set the file_owner_etc_passwd_newown variable if represented by uid ansible.builtin.set_fact: file_owner_etc_passwd_newown: '0' tags: - CCE-83943-1 - CJIS-5.5.2.2 - DISA-STIG-RHEL-09-232130 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.7.c - PCI-DSSv4-2.2 - PCI-DSSv4-2.2.6 - configure_strategy - file_owner_etc_passwd - low_complexity - low_disruption - medium_severity - no_reboot_needed when: - DISA_STIG_RHEL_09_232130 
| bool - configure_strategy | bool - file_owner_etc_passwd | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - name: Test for existence /etc/passwd ansible.builtin.stat: path: /etc/passwd register: file_exists tags: - CCE-83943-1 - CJIS-5.5.2.2 - DISA-STIG-RHEL-09-232130 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.7.c - PCI-DSSv4-2.2 - PCI-DSSv4-2.2.6 - configure_strategy - file_owner_etc_passwd - low_complexity - low_disruption - medium_severity - no_reboot_needed when: - DISA_STIG_RHEL_09_232130 | bool - configure_strategy | bool - file_owner_etc_passwd | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - name: Ensure owner on /etc/passwd ansible.builtin.file: path: /etc/passwd follow: false owner: '{{ file_owner_etc_passwd_newown }}' when: - DISA_STIG_RHEL_09_232130 | bool - configure_strategy | bool - file_owner_etc_passwd | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - file_exists.stat is defined and file_exists.stat.exists tags: - CCE-83943-1 - CJIS-5.5.2.2 - DISA-STIG-RHEL-09-232130 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.7.c - PCI-DSSv4-2.2 - PCI-DSSv4-2.2.6 - configure_strategy - file_owner_etc_passwd - low_complexity - low_disruption - medium_severity - no_reboot_needed - name: Set the file_owner_etc_shadow_newown variable if represented by uid ansible.builtin.set_fact: file_owner_etc_shadow_newown: '0' tags: - CCE-83926-6 - CJIS-5.5.2.2 - DISA-STIG-RHEL-09-232150 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.7.c - PCI-DSSv4-2.2 - PCI-DSSv4-2.2.6 - configure_strategy - file_owner_etc_shadow - low_complexity - low_disruption - medium_severity - no_reboot_needed when: - DISA_STIG_RHEL_09_232150 | bool - configure_strategy | bool - file_owner_etc_shadow | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - 
no_reboot_needed | bool - name: Test for existence /etc/shadow ansible.builtin.stat: path: /etc/shadow register: file_exists tags: - CCE-83926-6 - CJIS-5.5.2.2 - DISA-STIG-RHEL-09-232150 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.7.c - PCI-DSSv4-2.2 - PCI-DSSv4-2.2.6 - configure_strategy - file_owner_etc_shadow - low_complexity - low_disruption - medium_severity - no_reboot_needed when: - DISA_STIG_RHEL_09_232150 | bool - configure_strategy | bool - file_owner_etc_shadow | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - name: Ensure owner on /etc/shadow ansible.builtin.file: path: /etc/shadow follow: false owner: '{{ file_owner_etc_shadow_newown }}' when: - DISA_STIG_RHEL_09_232150 | bool - configure_strategy | bool - file_owner_etc_shadow | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - file_exists.stat is defined and file_exists.stat.exists tags: - CCE-83926-6 - CJIS-5.5.2.2 - DISA-STIG-RHEL-09-232150 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.7.c - PCI-DSSv4-2.2 - PCI-DSSv4-2.2.6 - configure_strategy - file_owner_etc_shadow - low_complexity - low_disruption - medium_severity - no_reboot_needed - name: Set the file_owner_etc_shells_newown variable if represented by uid ansible.builtin.set_fact: file_owner_etc_shells_newown: '0' tags: - CCE-90435-9 - NIST-800-53-AC-3 - NIST-800-53-MP-2 - configure_strategy - file_owner_etc_shells - low_complexity - low_disruption - medium_severity - no_reboot_needed when: - configure_strategy | bool - file_owner_etc_shells | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - name: Test for existence /etc/shells ansible.builtin.stat: path: /etc/shells register: file_exists tags: - CCE-90435-9 - NIST-800-53-AC-3 - NIST-800-53-MP-2 - configure_strategy - file_owner_etc_shells - low_complexity - low_disruption - medium_severity - 
no_reboot_needed when: - configure_strategy | bool - file_owner_etc_shells | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - name: Ensure owner on /etc/shells ansible.builtin.file: path: /etc/shells follow: false owner: '{{ file_owner_etc_shells_newown }}' when: - configure_strategy | bool - file_owner_etc_shells | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - file_exists.stat is defined and file_exists.stat.exists tags: - CCE-90435-9 - NIST-800-53-AC-3 - NIST-800-53-MP-2 - configure_strategy - file_owner_etc_shells - low_complexity - low_disruption - medium_severity - no_reboot_needed - name: Test for existence /etc/group- ansible.builtin.stat: path: /etc/group- register: file_exists tags: - CCE-83939-9 - DISA-STIG-RHEL-09-232060 - NIST-800-53-AC-6 (1) - PCI-DSS-Req-8.7.c - PCI-DSSv4-2.2 - PCI-DSSv4-2.2.6 - configure_strategy - file_permissions_backup_etc_group - low_complexity - low_disruption - medium_severity - no_reboot_needed when: - DISA_STIG_RHEL_09_232060 | bool - configure_strategy | bool - file_permissions_backup_etc_group | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - name: Ensure permission u-xs,g-xws,o-xwt on /etc/group- ansible.builtin.file: path: /etc/group- mode: u-xs,g-xws,o-xwt when: - DISA_STIG_RHEL_09_232060 | bool - configure_strategy | bool - file_permissions_backup_etc_group | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - file_exists.stat is defined and file_exists.stat.exists tags: - CCE-83939-9 - DISA-STIG-RHEL-09-232060 - NIST-800-53-AC-6 (1) - PCI-DSS-Req-8.7.c - PCI-DSSv4-2.2 - PCI-DSSv4-2.2.6 - configure_strategy - file_permissions_backup_etc_group - low_complexity - low_disruption - medium_severity - no_reboot_needed - name: Test for existence /etc/gshadow- ansible.builtin.stat: path: /etc/gshadow- 
register: file_exists tags: - CCE-83942-3 - DISA-STIG-RHEL-09-232070 - NIST-800-53-AC-6 (1) - configure_strategy - file_permissions_backup_etc_gshadow - low_complexity - low_disruption - medium_severity - no_reboot_needed when: - DISA_STIG_RHEL_09_232070 | bool - configure_strategy | bool - file_permissions_backup_etc_gshadow | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - name: Ensure permission u-xwrs,g-xwrs,o-xwrt on /etc/gshadow- ansible.builtin.file: path: /etc/gshadow- mode: u-xwrs,g-xwrs,o-xwrt when: - DISA_STIG_RHEL_09_232070 | bool - configure_strategy | bool - file_permissions_backup_etc_gshadow | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - file_exists.stat is defined and file_exists.stat.exists tags: - CCE-83942-3 - DISA-STIG-RHEL-09-232070 - NIST-800-53-AC-6 (1) - configure_strategy - file_permissions_backup_etc_gshadow - low_complexity - low_disruption - medium_severity - no_reboot_needed - name: Test for existence /etc/passwd- ansible.builtin.stat: path: /etc/passwd- register: file_exists tags: - CCE-83940-7 - DISA-STIG-RHEL-09-232080 - NIST-800-53-AC-6 (1) - PCI-DSS-Req-8.7.c - PCI-DSSv4-2.2 - PCI-DSSv4-2.2.6 - configure_strategy - file_permissions_backup_etc_passwd - low_complexity - low_disruption - medium_severity - no_reboot_needed when: - DISA_STIG_RHEL_09_232080 | bool - configure_strategy | bool - file_permissions_backup_etc_passwd | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - name: Ensure permission u-xs,g-xws,o-xwt on /etc/passwd- ansible.builtin.file: path: /etc/passwd- mode: u-xs,g-xws,o-xwt when: - DISA_STIG_RHEL_09_232080 | bool - configure_strategy | bool - file_permissions_backup_etc_passwd | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - file_exists.stat is defined and file_exists.stat.exists 
tags: - CCE-83940-7 - DISA-STIG-RHEL-09-232080 - NIST-800-53-AC-6 (1) - PCI-DSS-Req-8.7.c - PCI-DSSv4-2.2 - PCI-DSSv4-2.2.6 - configure_strategy - file_permissions_backup_etc_passwd - low_complexity - low_disruption - medium_severity - no_reboot_needed - name: Test for existence /etc/shadow- ansible.builtin.stat: path: /etc/shadow- register: file_exists tags: - CCE-83935-7 - DISA-STIG-RHEL-09-232085 - NIST-800-53-AC-6 (1) - PCI-DSS-Req-8.7.c - PCI-DSSv4-2.2 - PCI-DSSv4-2.2.6 - configure_strategy - file_permissions_backup_etc_shadow - low_complexity - low_disruption - medium_severity - no_reboot_needed when: - DISA_STIG_RHEL_09_232085 | bool - configure_strategy | bool - file_permissions_backup_etc_shadow | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - name: Ensure permission u-xwrs,g-xwrs,o-xwrt on /etc/shadow- ansible.builtin.file: path: /etc/shadow- mode: u-xwrs,g-xwrs,o-xwrt when: - DISA_STIG_RHEL_09_232085 | bool - configure_strategy | bool - file_permissions_backup_etc_shadow | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - file_exists.stat is defined and file_exists.stat.exists tags: - CCE-83935-7 - DISA-STIG-RHEL-09-232085 - NIST-800-53-AC-6 (1) - PCI-DSS-Req-8.7.c - PCI-DSSv4-2.2 - PCI-DSSv4-2.2.6 - configure_strategy - file_permissions_backup_etc_shadow - low_complexity - low_disruption - medium_severity - no_reboot_needed - name: Test for existence /etc/group ansible.builtin.stat: path: /etc/group register: file_exists tags: - CCE-83934-0 - CJIS-5.5.2.2 - DISA-STIG-RHEL-09-232055 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.7.c - PCI-DSSv4-2.2 - PCI-DSSv4-2.2.6 - configure_strategy - file_permissions_etc_group - low_complexity - low_disruption - medium_severity - no_reboot_needed when: - DISA_STIG_RHEL_09_232055 | bool - configure_strategy | bool - file_permissions_etc_group | bool - low_complexity | bool - low_disruption | 
bool - medium_severity | bool - no_reboot_needed | bool - name: Ensure permission u-xs,g-xws,o-xwt on /etc/group ansible.builtin.file: path: /etc/group mode: u-xs,g-xws,o-xwt when: - DISA_STIG_RHEL_09_232055 | bool - configure_strategy | bool - file_permissions_etc_group | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - file_exists.stat is defined and file_exists.stat.exists tags: - CCE-83934-0 - CJIS-5.5.2.2 - DISA-STIG-RHEL-09-232055 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.7.c - PCI-DSSv4-2.2 - PCI-DSSv4-2.2.6 - configure_strategy - file_permissions_etc_group - low_complexity - low_disruption - medium_severity - no_reboot_needed - name: Test for existence /etc/gshadow ansible.builtin.stat: path: /etc/gshadow register: file_exists tags: - CCE-83921-7 - DISA-STIG-RHEL-09-232065 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - configure_strategy - file_permissions_etc_gshadow - low_complexity - low_disruption - medium_severity - no_reboot_needed when: - DISA_STIG_RHEL_09_232065 | bool - configure_strategy | bool - file_permissions_etc_gshadow | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - name: Ensure permission u-xwrs,g-xwrs,o-xwrt on /etc/gshadow ansible.builtin.file: path: /etc/gshadow mode: u-xwrs,g-xwrs,o-xwrt when: - DISA_STIG_RHEL_09_232065 | bool - configure_strategy | bool - file_permissions_etc_gshadow | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - file_exists.stat is defined and file_exists.stat.exists tags: - CCE-83921-7 - DISA-STIG-RHEL-09-232065 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - configure_strategy - file_permissions_etc_gshadow - low_complexity - low_disruption - medium_severity - no_reboot_needed - name: Test for existence /etc/passwd ansible.builtin.stat: path: /etc/passwd register: file_exists tags: - CCE-83931-6 - CJIS-5.5.2.2 - 
DISA-STIG-RHEL-09-232075 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.7.c - PCI-DSSv4-2.2 - PCI-DSSv4-2.2.6 - configure_strategy - file_permissions_etc_passwd - low_complexity - low_disruption - medium_severity - no_reboot_needed when: - DISA_STIG_RHEL_09_232075 | bool - configure_strategy | bool - file_permissions_etc_passwd | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - name: Ensure permission u-xs,g-xws,o-xwt on /etc/passwd ansible.builtin.file: path: /etc/passwd mode: u-xs,g-xws,o-xwt when: - DISA_STIG_RHEL_09_232075 | bool - configure_strategy | bool - file_permissions_etc_passwd | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - file_exists.stat is defined and file_exists.stat.exists tags: - CCE-83931-6 - CJIS-5.5.2.2 - DISA-STIG-RHEL-09-232075 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.7.c - PCI-DSSv4-2.2 - PCI-DSSv4-2.2.6 - configure_strategy - file_permissions_etc_passwd - low_complexity - low_disruption - medium_severity - no_reboot_needed - name: Test for existence /etc/shadow ansible.builtin.stat: path: /etc/shadow register: file_exists tags: - CCE-83941-5 - CJIS-5.5.2.2 - DISA-STIG-RHEL-09-232270 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.7.c - PCI-DSSv4-2.2 - PCI-DSSv4-2.2.6 - configure_strategy - file_permissions_etc_shadow - low_complexity - low_disruption - medium_severity - no_reboot_needed when: - DISA_STIG_RHEL_09_232270 | bool - configure_strategy | bool - file_permissions_etc_shadow | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - name: Ensure permission u-xwrs,g-xwrs,o-xwrt on /etc/shadow ansible.builtin.file: path: /etc/shadow mode: u-xwrs,g-xwrs,o-xwrt when: - DISA_STIG_RHEL_09_232270 | bool - configure_strategy | bool - file_permissions_etc_shadow | bool - low_complexity | bool - low_disruption | bool - 
medium_severity | bool - no_reboot_needed | bool - file_exists.stat is defined and file_exists.stat.exists tags: - CCE-83941-5 - CJIS-5.5.2.2 - DISA-STIG-RHEL-09-232270 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.7.c - PCI-DSSv4-2.2 - PCI-DSSv4-2.2.6 - configure_strategy - file_permissions_etc_shadow - low_complexity - low_disruption - medium_severity - no_reboot_needed - name: Test for existence /etc/shells ansible.builtin.stat: path: /etc/shells register: file_exists tags: - CCE-90432-6 - NIST-800-53-AC-3 - NIST-800-53-MP-2 - configure_strategy - file_permissions_etc_shells - low_complexity - low_disruption - medium_severity - no_reboot_needed when: - configure_strategy | bool - file_permissions_etc_shells | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - name: Ensure permission u-xs,g-xws,o-xwt on /etc/shells ansible.builtin.file: path: /etc/shells mode: u-xs,g-xws,o-xwt when: - configure_strategy | bool - file_permissions_etc_shells | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - file_exists.stat is defined and file_exists.stat.exists tags: - CCE-90432-6 - NIST-800-53-AC-3 - NIST-800-53-MP-2 - configure_strategy - file_permissions_etc_shells - low_complexity - low_disruption - medium_severity - no_reboot_needed - name: Ensure kernel module 'cramfs' is disabled ansible.builtin.lineinfile: create: true dest: /etc/modprobe.d/cramfs.conf regexp: install\s+cramfs line: install cramfs /bin/false when: - DISA_STIG_RHEL_09_231195 | bool - disable_strategy | bool - kernel_module_cramfs_disabled | bool - low_complexity | bool - low_severity | bool - medium_disruption | bool - reboot_required | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-83853-2 - DISA-STIG-RHEL-09-231195 - NIST-800-171-3.4.6 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - disable_strategy - kernel_module_cramfs_disabled - low_complexity 
- low_severity - medium_disruption - reboot_required - name: Ensure kernel module 'cramfs' is blacklisted ansible.builtin.lineinfile: create: true dest: /etc/modprobe.d/cramfs.conf regexp: ^blacklist cramfs$ line: blacklist cramfs when: - DISA_STIG_RHEL_09_231195 | bool - disable_strategy | bool - kernel_module_cramfs_disabled | bool - low_complexity | bool - low_severity | bool - medium_disruption | bool - reboot_required | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-83853-2 - DISA-STIG-RHEL-09-231195 - NIST-800-171-3.4.6 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - disable_strategy - kernel_module_cramfs_disabled - low_complexity - low_severity - medium_disruption - reboot_required - name: Ensure kernel module 'freevxfs' is disabled ansible.builtin.lineinfile: create: true dest: /etc/modprobe.d/freevxfs.conf regexp: install\s+freevxfs line: install freevxfs /bin/false when: - disable_strategy | bool - kernel_module_freevxfs_disabled | bool - low_complexity | bool - low_severity | bool - medium_disruption | bool - reboot_required | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-86763-0 - NIST-800-171-3.4.6 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - disable_strategy - kernel_module_freevxfs_disabled - low_complexity - low_severity - medium_disruption - reboot_required - name: Ensure kernel module 'freevxfs' is blacklisted ansible.builtin.lineinfile: create: true dest: /etc/modprobe.d/freevxfs.conf regexp: ^blacklist freevxfs$ line: blacklist freevxfs when: - disable_strategy | bool - kernel_module_freevxfs_disabled | bool - low_complexity | bool - low_severity | bool - medium_disruption | bool - reboot_required | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-86763-0 - NIST-800-171-3.4.6 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - disable_strategy - kernel_module_freevxfs_disabled - low_complexity - low_severity - medium_disruption - reboot_required 
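# Kernel-module and mount-option hardening tasks (ComplianceAsCode-style
# generated playbook fragment).
#
# Module references use the fully-qualified collection name throughout, to
# match the `ansible.builtin.package` / `ansible.builtin.lineinfile` tasks
# elsewhere in this file: an unqualified `command` / `set_fact` is resolved
# through the collection search path, so a same-named module from another
# installed collection could shadow the core one. `mount` is provided by the
# ansible.posix collection (ansible-core redirects the short name there), so
# it is written as `ansible.posix.mount`.
#
# Every task carries the generated `when` list (rule-id switch, strategy,
# complexity, disruption, severity and a platform check) and the matching
# `tags` list, so a rule can be selected with --tags or switched off through
# its variable.

# Filesystem kernel modules. Each module gets two lines in its own
# /etc/modprobe.d/<module>.conf:
#   install <module> /bin/false  - modprobe runs /bin/false instead of loading
#                                  the module, so on-demand loading fails;
#   blacklist <module>           - stops alias-based autoloading.
# An already-loaded module is not unloaded by these tasks (hence the
# reboot_required gate).
- name: Ensure kernel module 'hfs' is disabled
  ansible.builtin.lineinfile:
    create: true
    dest: /etc/modprobe.d/hfs.conf
    regexp: install\s+hfs
    line: install hfs /bin/false
  when:
    - disable_strategy | bool
    - kernel_module_hfs_disabled | bool
    - low_complexity | bool
    - low_severity | bool
    - medium_disruption | bool
    - reboot_required | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-86764-8
    - NIST-800-171-3.4.6
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - disable_strategy
    - kernel_module_hfs_disabled
    - low_complexity
    - low_severity
    - medium_disruption
    - reboot_required

- name: Ensure kernel module 'hfs' is blacklisted
  ansible.builtin.lineinfile:
    create: true
    dest: /etc/modprobe.d/hfs.conf
    regexp: ^blacklist hfs$
    line: blacklist hfs
  when:
    - disable_strategy | bool
    - kernel_module_hfs_disabled | bool
    - low_complexity | bool
    - low_severity | bool
    - medium_disruption | bool
    - reboot_required | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-86764-8
    - NIST-800-171-3.4.6
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - disable_strategy
    - kernel_module_hfs_disabled
    - low_complexity
    - low_severity
    - medium_disruption
    - reboot_required

- name: Ensure kernel module 'hfsplus' is disabled
  ansible.builtin.lineinfile:
    create: true
    dest: /etc/modprobe.d/hfsplus.conf
    regexp: install\s+hfsplus
    line: install hfsplus /bin/false
  when:
    - disable_strategy | bool
    - kernel_module_hfsplus_disabled | bool
    - low_complexity | bool
    - low_severity | bool
    - medium_disruption | bool
    - reboot_required | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-86765-5
    - NIST-800-171-3.4.6
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - disable_strategy
    - kernel_module_hfsplus_disabled
    - low_complexity
    - low_severity
    - medium_disruption
    - reboot_required

- name: Ensure kernel module 'hfsplus' is blacklisted
  ansible.builtin.lineinfile:
    create: true
    dest: /etc/modprobe.d/hfsplus.conf
    regexp: ^blacklist hfsplus$
    line: blacklist hfsplus
  when:
    - disable_strategy | bool
    - kernel_module_hfsplus_disabled | bool
    - low_complexity | bool
    - low_severity | bool
    - medium_disruption | bool
    - reboot_required | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-86765-5
    - NIST-800-171-3.4.6
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - disable_strategy
    - kernel_module_hfsplus_disabled
    - low_complexity
    - low_severity
    - medium_disruption
    - reboot_required

- name: Ensure kernel module 'jffs2' is disabled
  ansible.builtin.lineinfile:
    create: true
    dest: /etc/modprobe.d/jffs2.conf
    regexp: install\s+jffs2
    line: install jffs2 /bin/false
  when:
    - disable_strategy | bool
    - kernel_module_jffs2_disabled | bool
    - low_complexity | bool
    - low_severity | bool
    - medium_disruption | bool
    - reboot_required | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-86766-3
    - NIST-800-171-3.4.6
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - disable_strategy
    - kernel_module_jffs2_disabled
    - low_complexity
    - low_severity
    - medium_disruption
    - reboot_required

- name: Ensure kernel module 'jffs2' is blacklisted
  ansible.builtin.lineinfile:
    create: true
    dest: /etc/modprobe.d/jffs2.conf
    regexp: ^blacklist jffs2$
    line: blacklist jffs2
  when:
    - disable_strategy | bool
    - kernel_module_jffs2_disabled | bool
    - low_complexity | bool
    - low_severity | bool
    - medium_disruption | bool
    - reboot_required | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-86766-3
    - NIST-800-171-3.4.6
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - disable_strategy
    - kernel_module_jffs2_disabled
    - low_complexity
    - low_severity
    - medium_disruption
    - reboot_required

- name: Ensure kernel module 'squashfs' is disabled
  ansible.builtin.lineinfile:
    create: true
    dest: /etc/modprobe.d/squashfs.conf
    regexp: install\s+squashfs
    line: install squashfs /bin/false
  when:
    - disable_strategy | bool
    - kernel_module_squashfs_disabled | bool
    - low_complexity | bool
    - low_severity | bool
    - medium_disruption | bool
    - reboot_required | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-83855-7
    - NIST-800-171-3.4.6
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - disable_strategy
    - kernel_module_squashfs_disabled
    - low_complexity
    - low_severity
    - medium_disruption
    - reboot_required

- name: Ensure kernel module 'squashfs' is blacklisted
  ansible.builtin.lineinfile:
    create: true
    dest: /etc/modprobe.d/squashfs.conf
    regexp: ^blacklist squashfs$
    line: blacklist squashfs
  when:
    - disable_strategy | bool
    - kernel_module_squashfs_disabled | bool
    - low_complexity | bool
    - low_severity | bool
    - medium_disruption | bool
    - reboot_required | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-83855-7
    - NIST-800-171-3.4.6
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - disable_strategy
    - kernel_module_squashfs_disabled
    - low_complexity
    - low_severity
    - medium_disruption
    - reboot_required

- name: Ensure kernel module 'udf' is disabled
  ansible.builtin.lineinfile:
    create: true
    dest: /etc/modprobe.d/udf.conf
    regexp: install\s+udf
    line: install udf /bin/false
  when:
    - disable_strategy | bool
    - kernel_module_udf_disabled | bool
    - low_complexity | bool
    - low_severity | bool
    - medium_disruption | bool
    - reboot_required | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-83852-4
    - NIST-800-171-3.4.6
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - disable_strategy
    - kernel_module_udf_disabled
    - low_complexity
    - low_severity
    - medium_disruption
    - reboot_required

- name: Ensure kernel module 'udf' is blacklisted
  ansible.builtin.lineinfile:
    create: true
    dest: /etc/modprobe.d/udf.conf
    regexp: ^blacklist udf$
    line: blacklist udf
  when:
    - disable_strategy | bool
    - kernel_module_udf_disabled | bool
    - low_complexity | bool
    - low_severity | bool
    - medium_disruption | bool
    - reboot_required | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-83852-4
    - NIST-800-171-3.4.6
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - disable_strategy
    - kernel_module_udf_disabled
    - low_complexity
    - low_severity
    - medium_disruption
    - reboot_required

# usb-storage is a STIG item (medium severity) rather than a low-severity
# filesystem rule, so its gates and tags differ from the ones above.
- name: Ensure kernel module 'usb-storage' is disabled
  ansible.builtin.lineinfile:
    create: true
    dest: /etc/modprobe.d/usb-storage.conf
    regexp: install\s+usb-storage
    line: install usb-storage /bin/false
  when:
    - DISA_STIG_RHEL_09_291010 | bool
    - disable_strategy | bool
    - low_complexity | bool
    - medium_disruption | bool
    - medium_severity | bool
    - reboot_required | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-83851-6
    - DISA-STIG-RHEL-09-291010
    - NIST-800-171-3.1.21
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-MP-7
    - PCI-DSSv4-3.4
    - PCI-DSSv4-3.4.2
    - disable_strategy
    - kernel_module_usb-storage_disabled
    - low_complexity
    - medium_disruption
    - medium_severity
    - reboot_required

- name: Ensure kernel module 'usb-storage' is blacklisted
  ansible.builtin.lineinfile:
    create: true
    dest: /etc/modprobe.d/usb-storage.conf
    regexp: ^blacklist usb-storage$
    line: blacklist usb-storage
  when:
    - DISA_STIG_RHEL_09_291010 | bool
    - disable_strategy | bool
    - low_complexity | bool
    - medium_disruption | bool
    - medium_severity | bool
    - reboot_required | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-83851-6
    - DISA-STIG-RHEL-09-291010
    - NIST-800-171-3.1.21
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-MP-7
    - PCI-DSSv4-3.4
    - PCI-DSSv4-3.4.2
    - disable_strategy
    - kernel_module_usb-storage_disabled
    - low_complexity
    - medium_disruption
    - medium_severity
    - reboot_required

# Mount-option stanzas. Each one runs the same five steps:
#   1. findmnt for the mount point (live table for /dev/shm; --fstab for
#      /home and /tmp), registered as device_name. `failed_when: rc > 1`
#      tolerates findmnt's exit status 1 (mount point not found).
#   2. Parse findmnt's two output rows into the mount_info dict: header row
#      lower-cased as keys, second row as values.
#   3. If findmnt printed nothing, craft mount_info by hand. The
#      `("" | length == 0)` condition is a generator constant (always true)
#      that enables this fallback for /dev/shm; the /home and /tmp stanzas
#      use `("--fstab" | length == 0)` (always false), so they never craft
#      an entry and only act on an existing fstab line.
#   4. Append the option to mount_info.options if it is missing.
#   5. ansible.posix.mount with state=mounted writes the fstab entry and
#      (re)mounts with the merged options.
# The long platform condition skips rpm-ostree/bootc image-mode hosts and
# containers, where fstab is not the right place to set this.
# NOTE(review): mount_info is never reset between stanzas. In a --fstab
# stanza whose findmnt prints nothing, steps 2 and 3 are both skipped, and
# step 4 still matches `mount_info is defined` against the previous stanza's
# dict; step 5 is gated on a non-empty stdout, so no mount is changed, but
# the stale dict is what gets edited - confirm this is intended.
- name: 'Add nodev Option to /dev/shm: Check information associated to mountpoint'
  ansible.builtin.command: findmnt '/dev/shm'
  register: device_name
  failed_when: device_name.rc > 1
  changed_when: false
  check_mode: false
  when:
    - DISA_STIG_RHEL_09_231110 | bool
    - configure_strategy | bool
    - high_disruption | bool
    - low_complexity | bool
    - medium_severity | bool
    - mount_option_dev_shm_nodev | bool
    - no_reboot_needed | bool
    - >-
      ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
      and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
      and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
      ["docker", "lxc", "openvz", "podman", "container"] ) )
  tags:
    - CCE-83881-3
    - DISA-STIG-RHEL-09-231110
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-MP-7
    - configure_strategy
    - high_disruption
    - low_complexity
    - medium_severity
    - mount_option_dev_shm_nodev
    - no_reboot_needed

- name: 'Add nodev Option to /dev/shm: Create mount_info dictionary variable'
  ansible.builtin.set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
    - '{{ device_name.stdout_lines[0].split() | list | lower }}'
    - '{{ device_name.stdout_lines[1].split() | list }}'
  when:
    - DISA_STIG_RHEL_09_231110 | bool
    - configure_strategy | bool
    - high_disruption | bool
    - low_complexity | bool
    - medium_severity | bool
    - mount_option_dev_shm_nodev | bool
    - no_reboot_needed | bool
    - >-
      ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
      and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
      and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
      ["docker", "lxc", "openvz", "podman", "container"] ) )
    - device_name.stdout is defined and device_name.stdout_lines is defined
    - (device_name.stdout | length > 0)
  tags:
    - CCE-83881-3
    - DISA-STIG-RHEL-09-231110
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-MP-7
    - configure_strategy
    - high_disruption
    - low_complexity
    - medium_severity
    - mount_option_dev_shm_nodev
    - no_reboot_needed

- name: 'Add nodev Option to /dev/shm: If /dev/shm not mounted, craft mount_info manually'
  ansible.builtin.set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
    - - target
      - source
      - fstype
      - options
    - - /dev/shm
      - tmpfs
      - tmpfs
      - defaults
  when:
    - DISA_STIG_RHEL_09_231110 | bool
    - configure_strategy | bool
    - high_disruption | bool
    - low_complexity | bool
    - medium_severity | bool
    - mount_option_dev_shm_nodev | bool
    - no_reboot_needed | bool
    - >-
      ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
      and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
      and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
      ["docker", "lxc", "openvz", "podman", "container"] ) )
    - ("" | length == 0)
    - device_name.stdout is defined and device_name.stdout_lines is defined
    - (device_name.stdout | length == 0)
  tags:
    - CCE-83881-3
    - DISA-STIG-RHEL-09-231110
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-MP-7
    - configure_strategy
    - high_disruption
    - low_complexity
    - medium_severity
    - mount_option_dev_shm_nodev
    - no_reboot_needed

- name: 'Add nodev Option to /dev/shm: Make sure nodev option is part of the to /dev/shm options'
  ansible.builtin.set_fact:
    mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nodev'' }) }}'
  when:
    - DISA_STIG_RHEL_09_231110 | bool
    - configure_strategy | bool
    - high_disruption | bool
    - low_complexity | bool
    - medium_severity | bool
    - mount_option_dev_shm_nodev | bool
    - no_reboot_needed | bool
    - >-
      ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
      and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
      and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
      ["docker", "lxc", "openvz", "podman", "container"] ) )
    - mount_info is defined and "nodev" not in mount_info.options
  tags:
    - CCE-83881-3
    - DISA-STIG-RHEL-09-231110
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-MP-7
    - configure_strategy
    - high_disruption
    - low_complexity
    - medium_severity
    - mount_option_dev_shm_nodev
    - no_reboot_needed

- name: 'Add nodev Option to /dev/shm: Ensure /dev/shm is mounted with nodev option'
  ansible.posix.mount:
    path: /dev/shm
    src: '{{ mount_info.source }}'
    opts: '{{ mount_info.options }}'
    state: mounted
    fstype: '{{ mount_info.fstype }}'
  when:
    - DISA_STIG_RHEL_09_231110 | bool
    - configure_strategy | bool
    - high_disruption | bool
    - low_complexity | bool
    - medium_severity | bool
    - mount_option_dev_shm_nodev | bool
    - no_reboot_needed | bool
    - >-
      ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
      and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
      and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
      ["docker", "lxc", "openvz", "podman", "container"] ) )
    - mount_info is defined
    - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("" | length == 0)
  tags:
    - CCE-83881-3
    - DISA-STIG-RHEL-09-231110
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-MP-7
    - configure_strategy
    - high_disruption
    - low_complexity
    - medium_severity
    - mount_option_dev_shm_nodev
    - no_reboot_needed

- name: 'Add noexec Option to /dev/shm: Check information associated to mountpoint'
  ansible.builtin.command: findmnt '/dev/shm'
  register: device_name
  failed_when: device_name.rc > 1
  changed_when: false
  check_mode: false
  when:
    - DISA_STIG_RHEL_09_231115 | bool
    - configure_strategy | bool
    - high_disruption | bool
    - low_complexity | bool
    - medium_severity | bool
    - mount_option_dev_shm_noexec | bool
    - no_reboot_needed | bool
    - >-
      ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
      and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
      and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
      ["docker", "lxc", "openvz", "podman", "container"] ) )
  tags:
    - CCE-83857-3
    - DISA-STIG-RHEL-09-231115
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-MP-7
    - configure_strategy
    - high_disruption
    - low_complexity
    - medium_severity
    - mount_option_dev_shm_noexec
    - no_reboot_needed

- name: 'Add noexec Option to /dev/shm: Create mount_info dictionary variable'
  ansible.builtin.set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
    - '{{ device_name.stdout_lines[0].split() | list | lower }}'
    - '{{ device_name.stdout_lines[1].split() | list }}'
  when:
    - DISA_STIG_RHEL_09_231115 | bool
    - configure_strategy | bool
    - high_disruption | bool
    - low_complexity | bool
    - medium_severity | bool
    - mount_option_dev_shm_noexec | bool
    - no_reboot_needed | bool
    - >-
      ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
      and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
      and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
      ["docker", "lxc", "openvz", "podman", "container"] ) )
    - device_name.stdout is defined and device_name.stdout_lines is defined
    - (device_name.stdout | length > 0)
  tags:
    - CCE-83857-3
    - DISA-STIG-RHEL-09-231115
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-MP-7
    - configure_strategy
    - high_disruption
    - low_complexity
    - medium_severity
    - mount_option_dev_shm_noexec
    - no_reboot_needed

- name: 'Add noexec Option to /dev/shm: If /dev/shm not mounted, craft mount_info manually'
  ansible.builtin.set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
    - - target
      - source
      - fstype
      - options
    - - /dev/shm
      - tmpfs
      - tmpfs
      - defaults
  when:
    - DISA_STIG_RHEL_09_231115 | bool
    - configure_strategy | bool
    - high_disruption | bool
    - low_complexity | bool
    - medium_severity | bool
    - mount_option_dev_shm_noexec | bool
    - no_reboot_needed | bool
    - >-
      ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
      and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
      and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
      ["docker", "lxc", "openvz", "podman", "container"] ) )
    - ("" | length == 0)
    - device_name.stdout is defined and device_name.stdout_lines is defined
    - (device_name.stdout | length == 0)
  tags:
    - CCE-83857-3
    - DISA-STIG-RHEL-09-231115
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-MP-7
    - configure_strategy
    - high_disruption
    - low_complexity
    - medium_severity
    - mount_option_dev_shm_noexec
    - no_reboot_needed

- name: 'Add noexec Option to /dev/shm: Make sure noexec option is part of the to /dev/shm options'
  ansible.builtin.set_fact:
    mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',noexec'' }) }}'
  when:
    - DISA_STIG_RHEL_09_231115 | bool
    - configure_strategy | bool
    - high_disruption | bool
    - low_complexity | bool
    - medium_severity | bool
    - mount_option_dev_shm_noexec | bool
    - no_reboot_needed | bool
    - >-
      ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
      and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
      and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
      ["docker", "lxc", "openvz", "podman", "container"] ) )
    - mount_info is defined and "noexec" not in mount_info.options
  tags:
    - CCE-83857-3
    - DISA-STIG-RHEL-09-231115
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-MP-7
    - configure_strategy
    - high_disruption
    - low_complexity
    - medium_severity
    - mount_option_dev_shm_noexec
    - no_reboot_needed

- name: 'Add noexec Option to /dev/shm: Ensure /dev/shm is mounted with noexec option'
  ansible.posix.mount:
    path: /dev/shm
    src: '{{ mount_info.source }}'
    opts: '{{ mount_info.options }}'
    state: mounted
    fstype: '{{ mount_info.fstype }}'
  when:
    - DISA_STIG_RHEL_09_231115 | bool
    - configure_strategy | bool
    - high_disruption | bool
    - low_complexity | bool
    - medium_severity | bool
    - mount_option_dev_shm_noexec | bool
    - no_reboot_needed | bool
    - >-
      ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
      and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
      and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
      ["docker", "lxc", "openvz", "podman", "container"] ) )
    - mount_info is defined
    - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("" | length == 0)
  tags:
    - CCE-83857-3
    - DISA-STIG-RHEL-09-231115
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-MP-7
    - configure_strategy
    - high_disruption
    - low_complexity
    - medium_severity
    - mount_option_dev_shm_noexec
    - no_reboot_needed

- name: 'Add nosuid Option to /dev/shm: Check information associated to mountpoint'
  ansible.builtin.command: findmnt '/dev/shm'
  register: device_name
  failed_when: device_name.rc > 1
  changed_when: false
  check_mode: false
  when:
    - DISA_STIG_RHEL_09_231120 | bool
    - configure_strategy | bool
    - high_disruption | bool
    - low_complexity | bool
    - medium_severity | bool
    - mount_option_dev_shm_nosuid | bool
    - no_reboot_needed | bool
    - >-
      ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
      and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
      and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
      ["docker", "lxc", "openvz", "podman", "container"] ) )
  tags:
    - CCE-83891-2
    - DISA-STIG-RHEL-09-231120
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-MP-7
    - configure_strategy
    - high_disruption
    - low_complexity
    - medium_severity
    - mount_option_dev_shm_nosuid
    - no_reboot_needed

- name: 'Add nosuid Option to /dev/shm: Create mount_info dictionary variable'
  ansible.builtin.set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
    - '{{ device_name.stdout_lines[0].split() | list | lower }}'
    - '{{ device_name.stdout_lines[1].split() | list }}'
  when:
    - DISA_STIG_RHEL_09_231120 | bool
    - configure_strategy | bool
    - high_disruption | bool
    - low_complexity | bool
    - medium_severity | bool
    - mount_option_dev_shm_nosuid | bool
    - no_reboot_needed | bool
    - >-
      ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
      and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
      and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
      ["docker", "lxc", "openvz", "podman", "container"] ) )
    - device_name.stdout is defined and device_name.stdout_lines is defined
    - (device_name.stdout | length > 0)
  tags:
    - CCE-83891-2
    - DISA-STIG-RHEL-09-231120
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-MP-7
    - configure_strategy
    - high_disruption
    - low_complexity
    - medium_severity
    - mount_option_dev_shm_nosuid
    - no_reboot_needed

- name: 'Add nosuid Option to /dev/shm: If /dev/shm not mounted, craft mount_info manually'
  ansible.builtin.set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
    - - target
      - source
      - fstype
      - options
    - - /dev/shm
      - tmpfs
      - tmpfs
      - defaults
  when:
    - DISA_STIG_RHEL_09_231120 | bool
    - configure_strategy | bool
    - high_disruption | bool
    - low_complexity | bool
    - medium_severity | bool
    - mount_option_dev_shm_nosuid | bool
    - no_reboot_needed | bool
    - >-
      ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
      and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
      and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
      ["docker", "lxc", "openvz", "podman", "container"] ) )
    - ("" | length == 0)
    - device_name.stdout is defined and device_name.stdout_lines is defined
    - (device_name.stdout | length == 0)
  tags:
    - CCE-83891-2
    - DISA-STIG-RHEL-09-231120
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-MP-7
    - configure_strategy
    - high_disruption
    - low_complexity
    - medium_severity
    - mount_option_dev_shm_nosuid
    - no_reboot_needed

- name: 'Add nosuid Option to /dev/shm: Make sure nosuid option is part of the to /dev/shm options'
  ansible.builtin.set_fact:
    mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nosuid'' }) }}'
  when:
    - DISA_STIG_RHEL_09_231120 | bool
    - configure_strategy | bool
    - high_disruption | bool
    - low_complexity | bool
    - medium_severity | bool
    - mount_option_dev_shm_nosuid | bool
    - no_reboot_needed | bool
    - >-
      ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
      and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
      and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
      ["docker", "lxc", "openvz", "podman", "container"] ) )
    - mount_info is defined and "nosuid" not in mount_info.options
  tags:
    - CCE-83891-2
    - DISA-STIG-RHEL-09-231120
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-MP-7
    - configure_strategy
    - high_disruption
    - low_complexity
    - medium_severity
    - mount_option_dev_shm_nosuid
    - no_reboot_needed

- name: 'Add nosuid Option to /dev/shm: Ensure /dev/shm is mounted with nosuid option'
  ansible.posix.mount:
    path: /dev/shm
    src: '{{ mount_info.source }}'
    opts: '{{ mount_info.options }}'
    state: mounted
    fstype: '{{ mount_info.fstype }}'
  when:
    - DISA_STIG_RHEL_09_231120 | bool
    - configure_strategy | bool
    - high_disruption | bool
    - low_complexity | bool
    - medium_severity | bool
    - mount_option_dev_shm_nosuid | bool
    - no_reboot_needed | bool
    - >-
      ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
      and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
      and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
      ["docker", "lxc", "openvz", "podman", "container"] ) )
    - mount_info is defined
    - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("" | length == 0)
  tags:
    - CCE-83891-2
    - DISA-STIG-RHEL-09-231120
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-MP-7
    - configure_strategy
    - high_disruption
    - low_complexity
    - medium_severity
    - mount_option_dev_shm_nosuid
    - no_reboot_needed

# /home stanzas: only run when /home is a separate mount (ansible_mounts
# check) and only act on an existing fstab entry (findmnt --fstab).
- name: 'Add nodev Option to /home: Check information associated to mountpoint'
  ansible.builtin.command: findmnt --fstab '/home'
  register: device_name
  failed_when: device_name.rc > 1
  changed_when: false
  check_mode: false
  when:
    - DISA_STIG_RHEL_09_231045 | bool
    - configure_strategy | bool
    - high_disruption | bool
    - low_complexity | bool
    - mount_option_home_nodev | bool
    - no_reboot_needed | bool
    - unknown_severity | bool
    - >-
      ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
      and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
      and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
      ["docker", "lxc", "openvz", "podman", "container"] ) )
    - '"/home" in ansible_mounts | map(attribute="mount") | list'
  tags:
    - CCE-83871-4
    - DISA-STIG-RHEL-09-231045
    - configure_strategy
    - high_disruption
    - low_complexity
    - mount_option_home_nodev
    - no_reboot_needed
    - unknown_severity

- name: 'Add nodev Option to /home: Create mount_info dictionary variable'
  ansible.builtin.set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
    - '{{ device_name.stdout_lines[0].split() | list | lower }}'
    - '{{ device_name.stdout_lines[1].split() | list }}'
  when:
    - DISA_STIG_RHEL_09_231045 | bool
    - configure_strategy | bool
    - high_disruption | bool
    - low_complexity | bool
    - mount_option_home_nodev | bool
    - no_reboot_needed | bool
    - unknown_severity | bool
    - >-
      ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
      and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
      and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
      ["docker", "lxc", "openvz", "podman", "container"] ) )
    - '"/home" in ansible_mounts | map(attribute="mount") | list'
    - device_name.stdout is defined and device_name.stdout_lines is defined
    - (device_name.stdout | length > 0)
  tags:
    - CCE-83871-4
    - DISA-STIG-RHEL-09-231045
    - configure_strategy
    - high_disruption
    - low_complexity
    - mount_option_home_nodev
    - no_reboot_needed
    - unknown_severity

- name: 'Add nodev Option to /home: If /home not mounted, craft mount_info manually'
  ansible.builtin.set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
    - - target
      - source
      - fstype
      - options
    - - /home
      - ''
      - ''
      - defaults
  when:
    - DISA_STIG_RHEL_09_231045 | bool
    - configure_strategy | bool
    - high_disruption | bool
    - low_complexity | bool
    - mount_option_home_nodev | bool
    - no_reboot_needed | bool
    - unknown_severity | bool
    - >-
      ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
      and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
      and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
      ["docker", "lxc", "openvz", "podman", "container"] ) )
    - '"/home" in ansible_mounts | map(attribute="mount") | list'
    - ("--fstab" | length == 0)
    - device_name.stdout is defined and device_name.stdout_lines is defined
    - (device_name.stdout | length == 0)
  tags:
    - CCE-83871-4
    - DISA-STIG-RHEL-09-231045
    - configure_strategy
    - high_disruption
    - low_complexity
    - mount_option_home_nodev
    - no_reboot_needed
    - unknown_severity

- name: 'Add nodev Option to /home: Make sure nodev option is part of the to /home options'
  ansible.builtin.set_fact:
    mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nodev'' }) }}'
  when:
    - DISA_STIG_RHEL_09_231045 | bool
    - configure_strategy | bool
    - high_disruption | bool
    - low_complexity | bool
    - mount_option_home_nodev | bool
    - no_reboot_needed | bool
    - unknown_severity | bool
    - >-
      ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
      and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
      and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
      ["docker", "lxc", "openvz", "podman", "container"] ) )
    - '"/home" in ansible_mounts | map(attribute="mount") | list'
    - mount_info is defined and "nodev" not in mount_info.options
  tags:
    - CCE-83871-4
    - DISA-STIG-RHEL-09-231045
    - configure_strategy
    - high_disruption
    - low_complexity
    - mount_option_home_nodev
    - no_reboot_needed
    - unknown_severity

- name: 'Add nodev Option to /home: Ensure /home is mounted with nodev option'
  ansible.posix.mount:
    path: /home
    src: '{{ mount_info.source }}'
    opts: '{{ mount_info.options }}'
    state: mounted
    fstype: '{{ mount_info.fstype }}'
  when:
    - DISA_STIG_RHEL_09_231045 | bool
    - configure_strategy | bool
    - high_disruption | bool
    - low_complexity | bool
    - mount_option_home_nodev | bool
    - no_reboot_needed | bool
    - unknown_severity | bool
    - >-
      ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
      and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
      and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
      ["docker", "lxc", "openvz", "podman", "container"] ) )
    - '"/home" in ansible_mounts | map(attribute="mount") | list'
    - mount_info is defined
    - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0)
  tags:
    - CCE-83871-4
    - DISA-STIG-RHEL-09-231045
    - configure_strategy
    - high_disruption
    - low_complexity
    - mount_option_home_nodev
    - no_reboot_needed
    - unknown_severity

- name: 'Add nosuid Option to /home: Check information associated to mountpoint'
  ansible.builtin.command: findmnt --fstab '/home'
  register: device_name
  failed_when: device_name.rc > 1
  changed_when: false
  check_mode: false
  when:
    - DISA_STIG_RHEL_09_231050 | bool
    - configure_strategy | bool
    - high_disruption | bool
    - low_complexity | bool
    - medium_severity | bool
    - mount_option_home_nosuid | bool
    - no_reboot_needed | bool
    - >-
      ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
      and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
      and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
      ["docker", "lxc", "openvz", "podman", "container"] ) )
    - '"/home" in ansible_mounts | map(attribute="mount") | list'
  tags:
    - CCE-83894-6
    - DISA-STIG-RHEL-09-231050
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-MP-7
    - configure_strategy
    - high_disruption
    - low_complexity
    - medium_severity
    - mount_option_home_nosuid
    - no_reboot_needed

- name: 'Add nosuid Option to /home: Create mount_info dictionary variable'
  ansible.builtin.set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
    - '{{ device_name.stdout_lines[0].split() | list | lower }}'
    - '{{ device_name.stdout_lines[1].split() | list }}'
  when:
    - DISA_STIG_RHEL_09_231050 | bool
    - configure_strategy | bool
    - high_disruption | bool
    - low_complexity | bool
    - medium_severity | bool
    - mount_option_home_nosuid | bool
    - no_reboot_needed | bool
    - >-
      ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
      and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
      and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
      ["docker", "lxc", "openvz", "podman", "container"] ) )
    - '"/home" in ansible_mounts | map(attribute="mount") | list'
    - device_name.stdout is defined and device_name.stdout_lines is defined
    - (device_name.stdout | length > 0)
  tags:
    - CCE-83894-6
    - DISA-STIG-RHEL-09-231050
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-MP-7
    - configure_strategy
    - high_disruption
    - low_complexity
    - medium_severity
    - mount_option_home_nosuid
    - no_reboot_needed

- name: 'Add nosuid Option to /home: If /home not mounted, craft mount_info manually'
  ansible.builtin.set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
    - - target
      - source
      - fstype
      - options
    - - /home
      - ''
      - ''
      - defaults
  when:
    - DISA_STIG_RHEL_09_231050 | bool
    - configure_strategy | bool
    - high_disruption | bool
    - low_complexity | bool
    - medium_severity | bool
    - mount_option_home_nosuid | bool
    - no_reboot_needed | bool
    - >-
      ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
      and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
      and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
      ["docker", "lxc", "openvz", "podman", "container"] ) )
    - '"/home" in ansible_mounts | map(attribute="mount") | list'
    - ("--fstab" | length == 0)
    - device_name.stdout is defined and device_name.stdout_lines is defined
    - (device_name.stdout | length == 0)
  tags:
    - CCE-83894-6
    - DISA-STIG-RHEL-09-231050
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-MP-7
    - configure_strategy
    - high_disruption
    - low_complexity
    - medium_severity
    - mount_option_home_nosuid
    - no_reboot_needed

- name: 'Add nosuid Option to /home: Make sure nosuid option is part of the to /home options'
  ansible.builtin.set_fact:
    mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nosuid'' }) }}'
  when:
    - DISA_STIG_RHEL_09_231050 | bool
    - configure_strategy | bool
    - high_disruption | bool
    - low_complexity | bool
    - medium_severity | bool
    - mount_option_home_nosuid | bool
    - no_reboot_needed | bool
    - >-
      ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
      and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
      and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
      ["docker", "lxc", "openvz", "podman", "container"] ) )
    - '"/home" in ansible_mounts | map(attribute="mount") | list'
    - mount_info is defined and "nosuid" not in mount_info.options
  tags:
    - CCE-83894-6
    - DISA-STIG-RHEL-09-231050
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-MP-7
    - configure_strategy
    - high_disruption
    - low_complexity
    - medium_severity
    - mount_option_home_nosuid
    - no_reboot_needed

- name: 'Add nosuid Option to /home: Ensure /home is mounted with nosuid option'
  ansible.posix.mount:
    path: /home
    src: '{{ mount_info.source }}'
    opts: '{{ mount_info.options }}'
    state: mounted
    fstype: '{{ mount_info.fstype }}'
  when:
    - DISA_STIG_RHEL_09_231050 | bool
    - configure_strategy | bool
    - high_disruption | bool
    - low_complexity | bool
    - medium_severity | bool
    - mount_option_home_nosuid | bool
    - no_reboot_needed | bool
    - >-
      ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
      and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
      and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
      ["docker", "lxc", "openvz", "podman", "container"] ) )
    - '"/home" in ansible_mounts | map(attribute="mount") | list'
    - mount_info is defined
    - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0)
  tags:
    - CCE-83894-6
    - DISA-STIG-RHEL-09-231050
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-MP-7
    - configure_strategy
    - high_disruption
    - low_complexity
    - medium_severity
    - mount_option_home_nosuid
    - no_reboot_needed

# /tmp stanza (same shape as /home). The remaining tasks of this stanza
# continue past the end of this chunk.
- name: 'Add nodev Option to /tmp: Check information associated to mountpoint'
  ansible.builtin.command: findmnt --fstab '/tmp'
  register: device_name
  failed_when: device_name.rc > 1
  changed_when: false
  check_mode: false
  when:
    - DISA_STIG_RHEL_09_231125 | bool
    - configure_strategy | bool
    - high_disruption | bool
    - low_complexity | bool
    - medium_severity | bool
    - mount_option_tmp_nodev | bool
    - no_reboot_needed | bool
    - >-
      ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
      and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
      and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
      ["docker", "lxc", "openvz", "podman", "container"] ) )
    - '"/tmp" in ansible_mounts | map(attribute="mount") | list'
  tags:
    - CCE-83869-8
    - DISA-STIG-RHEL-09-231125
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-MP-7
    - configure_strategy
    - high_disruption
    - low_complexity
    - medium_severity
    - mount_option_tmp_nodev
    - no_reboot_needed

- name: 'Add nodev Option to /tmp: Create mount_info dictionary variable'
  ansible.builtin.set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
    - '{{ device_name.stdout_lines[0].split() | list | lower }}'
    - '{{ device_name.stdout_lines[1].split() | list }}'
  when:
    - DISA_STIG_RHEL_09_231125 | bool
    - configure_strategy | bool
    - high_disruption | bool
    - low_complexity | bool
    - medium_severity | bool
    - mount_option_tmp_nodev | bool
    - no_reboot_needed | bool
    - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in ["docker", "lxc",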
"openvz", "podman", "container"] ) ) - '"/tmp" in ansible_mounts | map(attribute="mount") | list' - device_name.stdout is defined and device_name.stdout_lines is defined - (device_name.stdout | length > 0) tags: - CCE-83869-8 - DISA-STIG-RHEL-09-231125 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - NIST-800-53-MP-7 - configure_strategy - high_disruption - low_complexity - medium_severity - mount_option_tmp_nodev - no_reboot_needed - name: 'Add nodev Option to /tmp: If /tmp not mounted, craft mount_info manually' set_fact: mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}' with_together: - - target - source - fstype - options - - /tmp - '' - '' - defaults when: - DISA_STIG_RHEL_09_231125 | bool - configure_strategy | bool - high_disruption | bool - low_complexity | bool - medium_severity | bool - mount_option_tmp_nodev | bool - no_reboot_needed | bool - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] ) ) - '"/tmp" in ansible_mounts | map(attribute="mount") | list' - ("--fstab" | length == 0) - device_name.stdout is defined and device_name.stdout_lines is defined - (device_name.stdout | length == 0) tags: - CCE-83869-8 - DISA-STIG-RHEL-09-231125 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - NIST-800-53-MP-7 - configure_strategy - high_disruption - low_complexity - medium_severity - mount_option_tmp_nodev - no_reboot_needed - name: 'Add nodev Option to /tmp: Make sure nodev option is part of the to /tmp options' set_fact: mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nodev'' }) }}' when: - DISA_STIG_RHEL_09_231125 | bool - 
configure_strategy | bool - high_disruption | bool - low_complexity | bool - medium_severity | bool - mount_option_tmp_nodev | bool - no_reboot_needed | bool - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] ) ) - '"/tmp" in ansible_mounts | map(attribute="mount") | list' - mount_info is defined and "nodev" not in mount_info.options tags: - CCE-83869-8 - DISA-STIG-RHEL-09-231125 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - NIST-800-53-MP-7 - configure_strategy - high_disruption - low_complexity - medium_severity - mount_option_tmp_nodev - no_reboot_needed - name: 'Add nodev Option to /tmp: Ensure /tmp is mounted with nodev option' mount: path: /tmp src: '{{ mount_info.source }}' opts: '{{ mount_info.options }}' state: mounted fstype: '{{ mount_info.fstype }}' when: - DISA_STIG_RHEL_09_231125 | bool - configure_strategy | bool - high_disruption | bool - low_complexity | bool - medium_severity | bool - mount_option_tmp_nodev | bool - no_reboot_needed | bool - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] ) ) - '"/tmp" in ansible_mounts | map(attribute="mount") | list' - mount_info is defined - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0) tags: - CCE-83869-8 - DISA-STIG-RHEL-09-231125 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - NIST-800-53-MP-7 - configure_strategy 
- high_disruption - low_complexity - medium_severity - mount_option_tmp_nodev - no_reboot_needed - name: 'Add noexec Option to /tmp: Check information associated to mountpoint' command: findmnt --fstab '/tmp' register: device_name failed_when: device_name.rc > 1 changed_when: false check_mode: false when: - DISA_STIG_RHEL_09_231130 | bool - configure_strategy | bool - high_disruption | bool - low_complexity | bool - medium_severity | bool - mount_option_tmp_noexec | bool - no_reboot_needed | bool - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] ) ) - '"/tmp" in ansible_mounts | map(attribute="mount") | list' tags: - CCE-83885-4 - DISA-STIG-RHEL-09-231130 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - NIST-800-53-MP-7 - configure_strategy - high_disruption - low_complexity - medium_severity - mount_option_tmp_noexec - no_reboot_needed - name: 'Add noexec Option to /tmp: Create mount_info dictionary variable' set_fact: mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}' with_together: - '{{ device_name.stdout_lines[0].split() | list | lower }}' - '{{ device_name.stdout_lines[1].split() | list }}' when: - DISA_STIG_RHEL_09_231130 | bool - configure_strategy | bool - high_disruption | bool - low_complexity | bool - medium_severity | bool - mount_option_tmp_noexec | bool - no_reboot_needed | bool - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] ) ) - '"/tmp" in 
ansible_mounts | map(attribute="mount") | list' - device_name.stdout is defined and device_name.stdout_lines is defined - (device_name.stdout | length > 0) tags: - CCE-83885-4 - DISA-STIG-RHEL-09-231130 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - NIST-800-53-MP-7 - configure_strategy - high_disruption - low_complexity - medium_severity - mount_option_tmp_noexec - no_reboot_needed - name: 'Add noexec Option to /tmp: If /tmp not mounted, craft mount_info manually' set_fact: mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}' with_together: - - target - source - fstype - options - - /tmp - '' - '' - defaults when: - DISA_STIG_RHEL_09_231130 | bool - configure_strategy | bool - high_disruption | bool - low_complexity | bool - medium_severity | bool - mount_option_tmp_noexec | bool - no_reboot_needed | bool - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] ) ) - '"/tmp" in ansible_mounts | map(attribute="mount") | list' - ("--fstab" | length == 0) - device_name.stdout is defined and device_name.stdout_lines is defined - (device_name.stdout | length == 0) tags: - CCE-83885-4 - DISA-STIG-RHEL-09-231130 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - NIST-800-53-MP-7 - configure_strategy - high_disruption - low_complexity - medium_severity - mount_option_tmp_noexec - no_reboot_needed - name: 'Add noexec Option to /tmp: Make sure noexec option is part of the to /tmp options' set_fact: mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',noexec'' }) }}' when: - DISA_STIG_RHEL_09_231130 | bool - configure_strategy | bool - high_disruption | bool - 
low_complexity | bool - medium_severity | bool - mount_option_tmp_noexec | bool - no_reboot_needed | bool - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] ) ) - '"/tmp" in ansible_mounts | map(attribute="mount") | list' - mount_info is defined and "noexec" not in mount_info.options tags: - CCE-83885-4 - DISA-STIG-RHEL-09-231130 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - NIST-800-53-MP-7 - configure_strategy - high_disruption - low_complexity - medium_severity - mount_option_tmp_noexec - no_reboot_needed - name: 'Add noexec Option to /tmp: Ensure /tmp is mounted with noexec option' mount: path: /tmp src: '{{ mount_info.source }}' opts: '{{ mount_info.options }}' state: mounted fstype: '{{ mount_info.fstype }}' when: - DISA_STIG_RHEL_09_231130 | bool - configure_strategy | bool - high_disruption | bool - low_complexity | bool - medium_severity | bool - mount_option_tmp_noexec | bool - no_reboot_needed | bool - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] ) ) - '"/tmp" in ansible_mounts | map(attribute="mount") | list' - mount_info is defined - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0) tags: - CCE-83885-4 - DISA-STIG-RHEL-09-231130 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - NIST-800-53-MP-7 - configure_strategy - high_disruption - low_complexity - 
medium_severity - mount_option_tmp_noexec - no_reboot_needed - name: 'Add nosuid Option to /tmp: Check information associated to mountpoint' command: findmnt --fstab '/tmp' register: device_name failed_when: device_name.rc > 1 changed_when: false check_mode: false when: - DISA_STIG_RHEL_09_231135 | bool - configure_strategy | bool - high_disruption | bool - low_complexity | bool - medium_severity | bool - mount_option_tmp_nosuid | bool - no_reboot_needed | bool - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] ) ) - '"/tmp" in ansible_mounts | map(attribute="mount") | list' tags: - CCE-83872-2 - DISA-STIG-RHEL-09-231135 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - NIST-800-53-MP-7 - configure_strategy - high_disruption - low_complexity - medium_severity - mount_option_tmp_nosuid - no_reboot_needed - name: 'Add nosuid Option to /tmp: Create mount_info dictionary variable' set_fact: mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}' with_together: - '{{ device_name.stdout_lines[0].split() | list | lower }}' - '{{ device_name.stdout_lines[1].split() | list }}' when: - DISA_STIG_RHEL_09_231135 | bool - configure_strategy | bool - high_disruption | bool - low_complexity | bool - medium_severity | bool - mount_option_tmp_nosuid | bool - no_reboot_needed | bool - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] ) ) - '"/tmp" in ansible_mounts | map(attribute="mount") | 
list' - device_name.stdout is defined and device_name.stdout_lines is defined - (device_name.stdout | length > 0) tags: - CCE-83872-2 - DISA-STIG-RHEL-09-231135 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - NIST-800-53-MP-7 - configure_strategy - high_disruption - low_complexity - medium_severity - mount_option_tmp_nosuid - no_reboot_needed - name: 'Add nosuid Option to /tmp: If /tmp not mounted, craft mount_info manually' set_fact: mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}' with_together: - - target - source - fstype - options - - /tmp - '' - '' - defaults when: - DISA_STIG_RHEL_09_231135 | bool - configure_strategy | bool - high_disruption | bool - low_complexity | bool - medium_severity | bool - mount_option_tmp_nosuid | bool - no_reboot_needed | bool - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] ) ) - '"/tmp" in ansible_mounts | map(attribute="mount") | list' - ("--fstab" | length == 0) - device_name.stdout is defined and device_name.stdout_lines is defined - (device_name.stdout | length == 0) tags: - CCE-83872-2 - DISA-STIG-RHEL-09-231135 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - NIST-800-53-MP-7 - configure_strategy - high_disruption - low_complexity - medium_severity - mount_option_tmp_nosuid - no_reboot_needed - name: 'Add nosuid Option to /tmp: Make sure nosuid option is part of the to /tmp options' set_fact: mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nosuid'' }) }}' when: - DISA_STIG_RHEL_09_231135 | bool - configure_strategy | bool - high_disruption | bool - low_complexity | bool - medium_severity | 
bool - mount_option_tmp_nosuid | bool - no_reboot_needed | bool - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] ) ) - '"/tmp" in ansible_mounts | map(attribute="mount") | list' - mount_info is defined and "nosuid" not in mount_info.options tags: - CCE-83872-2 - DISA-STIG-RHEL-09-231135 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - NIST-800-53-MP-7 - configure_strategy - high_disruption - low_complexity - medium_severity - mount_option_tmp_nosuid - no_reboot_needed - name: 'Add nosuid Option to /tmp: Ensure /tmp is mounted with nosuid option' mount: path: /tmp src: '{{ mount_info.source }}' opts: '{{ mount_info.options }}' state: mounted fstype: '{{ mount_info.fstype }}' when: - DISA_STIG_RHEL_09_231135 | bool - configure_strategy | bool - high_disruption | bool - low_complexity | bool - medium_severity | bool - mount_option_tmp_nosuid | bool - no_reboot_needed | bool - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] ) ) - '"/tmp" in ansible_mounts | map(attribute="mount") | list' - mount_info is defined - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0) tags: - CCE-83872-2 - DISA-STIG-RHEL-09-231135 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - NIST-800-53-MP-7 - configure_strategy - high_disruption - low_complexity - medium_severity - mount_option_tmp_nosuid - 
no_reboot_needed - name: 'Add nodev Option to /var/log/audit: Check information associated to mountpoint' command: findmnt --fstab '/var/log/audit' register: device_name failed_when: device_name.rc > 1 changed_when: false check_mode: false when: - DISA_STIG_RHEL_09_231160 | bool - configure_strategy | bool - high_disruption | bool - low_complexity | bool - medium_severity | bool - mount_option_var_log_audit_nodev | bool - no_reboot_needed | bool - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] ) ) - '"/var/log/audit" in ansible_mounts | map(attribute="mount") | list' tags: - CCE-83882-1 - DISA-STIG-RHEL-09-231160 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - NIST-800-53-MP-7 - configure_strategy - high_disruption - low_complexity - medium_severity - mount_option_var_log_audit_nodev - no_reboot_needed - name: 'Add nodev Option to /var/log/audit: Create mount_info dictionary variable' set_fact: mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}' with_together: - '{{ device_name.stdout_lines[0].split() | list | lower }}' - '{{ device_name.stdout_lines[1].split() | list }}' when: - DISA_STIG_RHEL_09_231160 | bool - configure_strategy | bool - high_disruption | bool - low_complexity | bool - medium_severity | bool - mount_option_var_log_audit_nodev | bool - no_reboot_needed | bool - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] ) ) - '"/var/log/audit" in 
ansible_mounts | map(attribute="mount") | list' - device_name.stdout is defined and device_name.stdout_lines is defined - (device_name.stdout | length > 0) tags: - CCE-83882-1 - DISA-STIG-RHEL-09-231160 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - NIST-800-53-MP-7 - configure_strategy - high_disruption - low_complexity - medium_severity - mount_option_var_log_audit_nodev - no_reboot_needed - name: 'Add nodev Option to /var/log/audit: If /var/log/audit not mounted, craft mount_info manually' set_fact: mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}' with_together: - - target - source - fstype - options - - /var/log/audit - '' - '' - defaults when: - DISA_STIG_RHEL_09_231160 | bool - configure_strategy | bool - high_disruption | bool - low_complexity | bool - medium_severity | bool - mount_option_var_log_audit_nodev | bool - no_reboot_needed | bool - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] ) ) - '"/var/log/audit" in ansible_mounts | map(attribute="mount") | list' - ("--fstab" | length == 0) - device_name.stdout is defined and device_name.stdout_lines is defined - (device_name.stdout | length == 0) tags: - CCE-83882-1 - DISA-STIG-RHEL-09-231160 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - NIST-800-53-MP-7 - configure_strategy - high_disruption - low_complexity - medium_severity - mount_option_var_log_audit_nodev - no_reboot_needed - name: 'Add nodev Option to /var/log/audit: Make sure nodev option is part of the to /var/log/audit options' set_fact: mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nodev'' }) }}' when: - 
DISA_STIG_RHEL_09_231160 | bool - configure_strategy | bool - high_disruption | bool - low_complexity | bool - medium_severity | bool - mount_option_var_log_audit_nodev | bool - no_reboot_needed | bool - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] ) ) - '"/var/log/audit" in ansible_mounts | map(attribute="mount") | list' - mount_info is defined and "nodev" not in mount_info.options tags: - CCE-83882-1 - DISA-STIG-RHEL-09-231160 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - NIST-800-53-MP-7 - configure_strategy - high_disruption - low_complexity - medium_severity - mount_option_var_log_audit_nodev - no_reboot_needed - name: 'Add nodev Option to /var/log/audit: Ensure /var/log/audit is mounted with nodev option' mount: path: /var/log/audit src: '{{ mount_info.source }}' opts: '{{ mount_info.options }}' state: mounted fstype: '{{ mount_info.fstype }}' when: - DISA_STIG_RHEL_09_231160 | bool - configure_strategy | bool - high_disruption | bool - low_complexity | bool - medium_severity | bool - mount_option_var_log_audit_nodev | bool - no_reboot_needed | bool - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] ) ) - '"/var/log/audit" in ansible_mounts | map(attribute="mount") | list' - mount_info is defined - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0) tags: - CCE-83882-1 - DISA-STIG-RHEL-09-231160 - NIST-800-53-AC-6 - 
NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - NIST-800-53-MP-7 - configure_strategy - high_disruption - low_complexity - medium_severity - mount_option_var_log_audit_nodev - no_reboot_needed - name: 'Add noexec Option to /var/log/audit: Check information associated to mountpoint' command: findmnt --fstab '/var/log/audit' register: device_name failed_when: device_name.rc > 1 changed_when: false check_mode: false when: - DISA_STIG_RHEL_09_231165 | bool - configure_strategy | bool - high_disruption | bool - low_complexity | bool - medium_severity | bool - mount_option_var_log_audit_noexec | bool - no_reboot_needed | bool - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] ) ) - '"/var/log/audit" in ansible_mounts | map(attribute="mount") | list' tags: - CCE-83878-9 - DISA-STIG-RHEL-09-231165 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - NIST-800-53-MP-7 - configure_strategy - high_disruption - low_complexity - medium_severity - mount_option_var_log_audit_noexec - no_reboot_needed - name: 'Add noexec Option to /var/log/audit: Create mount_info dictionary variable' set_fact: mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}' with_together: - '{{ device_name.stdout_lines[0].split() | list | lower }}' - '{{ device_name.stdout_lines[1].split() | list }}' when: - DISA_STIG_RHEL_09_231165 | bool - configure_strategy | bool - high_disruption | bool - low_complexity | bool - medium_severity | bool - mount_option_var_log_audit_noexec | bool - no_reboot_needed | bool - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages and 
not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] ) ) - '"/var/log/audit" in ansible_mounts | map(attribute="mount") | list' - device_name.stdout is defined and device_name.stdout_lines is defined - (device_name.stdout | length > 0) tags: - CCE-83878-9 - DISA-STIG-RHEL-09-231165 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - NIST-800-53-MP-7 - configure_strategy - high_disruption - low_complexity - medium_severity - mount_option_var_log_audit_noexec - no_reboot_needed - name: 'Add noexec Option to /var/log/audit: If /var/log/audit not mounted, craft mount_info manually' set_fact: mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}' with_together: - - target - source - fstype - options - - /var/log/audit - '' - '' - defaults when: - DISA_STIG_RHEL_09_231165 | bool - configure_strategy | bool - high_disruption | bool - low_complexity | bool - medium_severity | bool - mount_option_var_log_audit_noexec | bool - no_reboot_needed | bool - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] ) ) - '"/var/log/audit" in ansible_mounts | map(attribute="mount") | list' - ("--fstab" | length == 0) - device_name.stdout is defined and device_name.stdout_lines is defined - (device_name.stdout | length == 0) tags: - CCE-83878-9 - DISA-STIG-RHEL-09-231165 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - NIST-800-53-MP-7 - configure_strategy - high_disruption - low_complexity - medium_severity - mount_option_var_log_audit_noexec - no_reboot_needed - name: 'Add 
noexec Option to /var/log/audit: Make sure noexec option is part of the to /var/log/audit options' set_fact: mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',noexec'' }) }}' when: - DISA_STIG_RHEL_09_231165 | bool - configure_strategy | bool - high_disruption | bool - low_complexity | bool - medium_severity | bool - mount_option_var_log_audit_noexec | bool - no_reboot_needed | bool - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] ) ) - '"/var/log/audit" in ansible_mounts | map(attribute="mount") | list' - mount_info is defined and "noexec" not in mount_info.options tags: - CCE-83878-9 - DISA-STIG-RHEL-09-231165 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - NIST-800-53-MP-7 - configure_strategy - high_disruption - low_complexity - medium_severity - mount_option_var_log_audit_noexec - no_reboot_needed - name: 'Add noexec Option to /var/log/audit: Ensure /var/log/audit is mounted with noexec option' mount: path: /var/log/audit src: '{{ mount_info.source }}' opts: '{{ mount_info.options }}' state: mounted fstype: '{{ mount_info.fstype }}' when: - DISA_STIG_RHEL_09_231165 | bool - configure_strategy | bool - high_disruption | bool - low_complexity | bool - medium_severity | bool - mount_option_var_log_audit_noexec | bool - no_reboot_needed | bool - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] ) ) - '"/var/log/audit" in ansible_mounts | 
map(attribute="mount") | list' - mount_info is defined - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0) tags: - CCE-83878-9 - DISA-STIG-RHEL-09-231165 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - NIST-800-53-MP-7 - configure_strategy - high_disruption - low_complexity - medium_severity - mount_option_var_log_audit_noexec - no_reboot_needed - name: 'Add nosuid Option to /var/log/audit: Check information associated to mountpoint' command: findmnt --fstab '/var/log/audit' register: device_name failed_when: device_name.rc > 1 changed_when: false check_mode: false when: - DISA_STIG_RHEL_09_231170 | bool - configure_strategy | bool - high_disruption | bool - low_complexity | bool - medium_severity | bool - mount_option_var_log_audit_nosuid | bool - no_reboot_needed | bool - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] ) ) - '"/var/log/audit" in ansible_mounts | map(attribute="mount") | list' tags: - CCE-83893-8 - DISA-STIG-RHEL-09-231170 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - NIST-800-53-MP-7 - configure_strategy - high_disruption - low_complexity - medium_severity - mount_option_var_log_audit_nosuid - no_reboot_needed - name: 'Add nosuid Option to /var/log/audit: Create mount_info dictionary variable' set_fact: mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}' with_together: - '{{ device_name.stdout_lines[0].split() | list | lower }}' - '{{ device_name.stdout_lines[1].split() | list }}' when: - DISA_STIG_RHEL_09_231170 | bool - configure_strategy | bool - high_disruption | bool - low_complexity | bool - 
# NOTE(review): this span is a run of generated remediation task groups, one
# group per (mountpoint, mount option) pair, e.g. "/var/log" + "nodev".
# Every group follows the same five-step pattern:
#   1. query /etc/fstab for the mountpoint with `findmnt --fstab`;
#   2. zip the header row with the first data row into the `mount_info` dict;
#   3. craft `mount_info` by hand when no fstab entry exists -- as rendered here
#      this step can never run, see the comment on its `when` list;
#   4. append the wanted option to `mount_info.options` if it is missing;
#   5. write the entry back and (re)mount with the mount module.
# `mount_info` and `device_name` are play-level facts: each group overwrites
# them in turn and nothing resets them between groups.
# The task directly below started before this span; only the tail of its
# `when` list and its tags are visible here (it is the "Create mount_info
# dictionary variable" step of the /var/log/audit + nosuid group).
    - medium_severity | bool
    - mount_option_var_log_audit_nosuid | bool
    - no_reboot_needed | bool
    - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] ) )
    - '"/var/log/audit" in ansible_mounts | map(attribute="mount") | list'
    - device_name.stdout is defined and device_name.stdout_lines is defined
    - (device_name.stdout | length > 0)
  tags:
    - CCE-83893-8
    - DISA-STIG-RHEL-09-231170
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-MP-7
    - configure_strategy
    - high_disruption
    - low_complexity
    - medium_severity
    - mount_option_var_log_audit_nosuid
    - no_reboot_needed

# Step 3 for /var/log/audit + nosuid.  The `("--fstab" | length == 0)`
# condition compares the length of the literal string "--fstab" with zero and
# is therefore always false, so this task is skipped unconditionally.  It
# looks like the rendered value of a template variable -- TODO confirm
# against the generator.  Consequence: a mountpoint that is mounted but has
# no /etc/fstab entry is never remediated by this group, and nothing reports
# that; verify the result with the corresponding check rather than relying
# on this playbook alone.
- name: 'Add nosuid Option to /var/log/audit: If /var/log/audit not mounted, craft mount_info manually'
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
    - - target
      - source
      - fstype
      - options
    - - /var/log/audit
      - ''
      - ''
      - defaults
  when:
    - DISA_STIG_RHEL_09_231170 | bool
    - configure_strategy | bool
    - high_disruption | bool
    - low_complexity | bool
    - medium_severity | bool
    - mount_option_var_log_audit_nosuid | bool
    - no_reboot_needed | bool
    - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] ) )
    - '"/var/log/audit" in ansible_mounts | map(attribute="mount") | list'
    - ("--fstab" | length == 0)  # always false: length of a 7-character literal
    - device_name.stdout is defined and device_name.stdout_lines is defined
    - (device_name.stdout | length == 0)
  tags:
    - CCE-83893-8
    - DISA-STIG-RHEL-09-231170
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-MP-7
    - configure_strategy
    - high_disruption
    - low_complexity
    - medium_severity
    - mount_option_var_log_audit_nosuid
    - no_reboot_needed

# Step 4 for /var/log/audit + nosuid: string-concatenate ",nosuid" onto the
# existing options.  `mount_info is defined` can also be satisfied by a value
# left over from an earlier group when step 2 of this group was skipped; the
# mount step below is gated on `device_name` so a stale dict is not written.
- name: 'Add nosuid Option to /var/log/audit: Make sure nosuid option is part of the to /var/log/audit options'
  set_fact:
    mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nosuid'' }) }}'
  when:
    - DISA_STIG_RHEL_09_231170 | bool
    - configure_strategy | bool
    - high_disruption | bool
    - low_complexity | bool
    - medium_severity | bool
    - mount_option_var_log_audit_nosuid | bool
    - no_reboot_needed | bool
    - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] ) )
    - '"/var/log/audit" in ansible_mounts | map(attribute="mount") | list'
    - mount_info is defined and "nosuid" not in mount_info.options
  tags:
    - CCE-83893-8
    - DISA-STIG-RHEL-09-231170
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-MP-7
    - configure_strategy
    - high_disruption
    - low_complexity
    - medium_severity
    - mount_option_var_log_audit_nosuid
    - no_reboot_needed

# Step 5 for /var/log/audit + nosuid: `state: mounted` rewrites the fstab entry
# and (re)mounts the filesystem, so the option takes effect immediately
# (hence the high_disruption tag).  Only runs when findmnt returned an fstab
# entry, because the second alternative of the last condition is always false.
- name: 'Add nosuid Option to /var/log/audit: Ensure /var/log/audit is mounted with nosuid option'
  mount:
    path: /var/log/audit
    src: '{{ mount_info.source }}'
    opts: '{{ mount_info.options }}'
    state: mounted
    fstype: '{{ mount_info.fstype }}'
  when:
    - DISA_STIG_RHEL_09_231170 | bool
    - configure_strategy | bool
    - high_disruption | bool
    - low_complexity | bool
    - medium_severity | bool
    - mount_option_var_log_audit_nosuid | bool
    - no_reboot_needed | bool
    - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] ) )
    - '"/var/log/audit" in ansible_mounts | map(attribute="mount") | list'
    - mount_info is defined
    - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0)
  tags:
    - CCE-83893-8
    - DISA-STIG-RHEL-09-231170
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-MP-7
    - configure_strategy
    - high_disruption
    - low_complexity
    - medium_severity
    - mount_option_var_log_audit_nosuid
    - no_reboot_needed

# ---- /var/log + nodev (CCE-83886-2, DISA-STIG-RHEL-09-231145) ----
# Step 1: read the fstab entry for the mountpoint.  `findmnt --fstab` only
# consults /etc/fstab, not the live mount table.  findmnt exits 1 when there
# is no matching entry, which `failed_when: device_name.rc > 1` tolerates so
# the later steps can branch on an empty stdout.  `check_mode: false` lets
# the query run in --check runs too; `changed_when: false` because it is
# read-only.  The whole group is gated on the rule/strategy switches, on not
# being an ostree/bootc image or a container, and on the path currently
# being a mountpoint according to ansible_mounts.
- name: 'Add nodev Option to /var/log: Check information associated to mountpoint'
  command: findmnt --fstab '/var/log'
  register: device_name
  failed_when: device_name.rc > 1
  changed_when: false
  check_mode: false
  when:
    - DISA_STIG_RHEL_09_231145 | bool
    - configure_strategy | bool
    - high_disruption | bool
    - low_complexity | bool
    - medium_severity | bool
    - mount_option_var_log_nodev | bool
    - no_reboot_needed | bool
    - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] ) )
    - '"/var/log" in ansible_mounts | map(attribute="mount") | list'
  tags:
    - CCE-83886-2
    - DISA-STIG-RHEL-09-231145
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-MP-7
    - configure_strategy
    - high_disruption
    - low_complexity
    - medium_severity
    - mount_option_var_log_nodev
    - no_reboot_needed

# Step 2: build `mount_info` from the findmnt output.  stdout_lines[0] is the
# lower-cased header row (expected: target source fstype options -- TODO
# confirm against findmnt's default columns) and stdout_lines[1] the first
# data row; with_together pairs them into dict keys and values.  Only the
# first matching fstab entry is considered.
- name: 'Add nodev Option to /var/log: Create mount_info dictionary variable'
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
    - '{{ device_name.stdout_lines[0].split() | list | lower }}'
    - '{{ device_name.stdout_lines[1].split() | list }}'
  when:
    - DISA_STIG_RHEL_09_231145 | bool
    - configure_strategy | bool
    - high_disruption | bool
    - low_complexity | bool
    - medium_severity | bool
    - mount_option_var_log_nodev | bool
    - no_reboot_needed | bool
    - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] ) )
    - '"/var/log" in ansible_mounts | map(attribute="mount") | list'
    - device_name.stdout is defined and device_name.stdout_lines is defined
    - (device_name.stdout | length > 0)
  tags:
    - CCE-83886-2
    - DISA-STIG-RHEL-09-231145
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-MP-7
    - configure_strategy
    - high_disruption
    - low_complexity
    - medium_severity
    - mount_option_var_log_nodev
    - no_reboot_needed

# Step 3: never runs as rendered (`("--fstab" | length == 0)` is always false).
- name: 'Add nodev Option to /var/log: If /var/log not mounted, craft mount_info manually'
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
    - - target
      - source
      - fstype
      - options
    - - /var/log
      - ''
      - ''
      - defaults
  when:
    - DISA_STIG_RHEL_09_231145 | bool
    - configure_strategy | bool
    - high_disruption | bool
    - low_complexity | bool
    - medium_severity | bool
    - mount_option_var_log_nodev | bool
    - no_reboot_needed | bool
    - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] ) )
    - '"/var/log" in ansible_mounts | map(attribute="mount") | list'
    - ("--fstab" | length == 0)  # always false: length of a 7-character literal
    - device_name.stdout is defined and device_name.stdout_lines is defined
    - (device_name.stdout | length == 0)
  tags:
    - CCE-83886-2
    - DISA-STIG-RHEL-09-231145
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-MP-7
    - configure_strategy
    - high_disruption
    - low_complexity
    - medium_severity
    - mount_option_var_log_nodev
    - no_reboot_needed

# Step 4: append ",nodev" to the options string when it is not already there.
# The membership test is a substring check on the comma-separated string.
- name: 'Add nodev Option to /var/log: Make sure nodev option is part of the to /var/log options'
  set_fact:
    mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nodev'' }) }}'
  when:
    - DISA_STIG_RHEL_09_231145 | bool
    - configure_strategy | bool
    - high_disruption | bool
    - low_complexity | bool
    - medium_severity | bool
    - mount_option_var_log_nodev | bool
    - no_reboot_needed | bool
    - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] ) )
    - '"/var/log" in ansible_mounts | map(attribute="mount") | list'
    - mount_info is defined and "nodev" not in mount_info.options
  tags:
    - CCE-83886-2
    - DISA-STIG-RHEL-09-231145
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-MP-7
    - configure_strategy
    - high_disruption
    - low_complexity
    - medium_severity
    - mount_option_var_log_nodev
    - no_reboot_needed

# Step 5: persist the entry in fstab and remount with the new options.  Skipped
# (silently) when findmnt found no fstab entry for the mountpoint.
- name: 'Add nodev Option to /var/log: Ensure /var/log is mounted with nodev option'
  mount:
    path: /var/log
    src: '{{ mount_info.source }}'
    opts: '{{ mount_info.options }}'
    state: mounted
    fstype: '{{ mount_info.fstype }}'
  when:
    - DISA_STIG_RHEL_09_231145 | bool
    - configure_strategy | bool
    - high_disruption | bool
    - low_complexity | bool
    - medium_severity | bool
    - mount_option_var_log_nodev | bool
    - no_reboot_needed | bool
    - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] ) )
    - '"/var/log" in ansible_mounts | map(attribute="mount") | list'
    - mount_info is defined
    - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0)
  tags:
    - CCE-83886-2
    - DISA-STIG-RHEL-09-231145
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-MP-7
    - configure_strategy
    - high_disruption
    - low_complexity
    - medium_severity
    - mount_option_var_log_nodev
    - no_reboot_needed

# ---- /var/log + noexec (CCE-83887-0, DISA-STIG-RHEL-09-231150) ----
# Same five-step pattern as the /var/log + nodev group above.  Re-runs findmnt
# rather than reusing the previous group's `device_name`, so the groups stay
# independent of each other's rule switches.
- name: 'Add noexec Option to /var/log: Check information associated to mountpoint'
  command: findmnt --fstab '/var/log'
  register: device_name
  failed_when: device_name.rc > 1
  changed_when: false
  check_mode: false
  when:
    - DISA_STIG_RHEL_09_231150 | bool
    - configure_strategy | bool
    - high_disruption | bool
    - low_complexity | bool
    - medium_severity | bool
    - mount_option_var_log_noexec | bool
    - no_reboot_needed | bool
    - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] ) )
    - '"/var/log" in ansible_mounts | map(attribute="mount") | list'
  tags:
    - CCE-83887-0
    - DISA-STIG-RHEL-09-231150
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-MP-7
    - configure_strategy
    - high_disruption
    - low_complexity
    - medium_severity
    - mount_option_var_log_noexec
    - no_reboot_needed

# Step 2 (see the /var/log + nodev group for details).
- name: 'Add noexec Option to /var/log: Create mount_info dictionary variable'
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
    - '{{ device_name.stdout_lines[0].split() | list | lower }}'
    - '{{ device_name.stdout_lines[1].split() | list }}'
  when:
    - DISA_STIG_RHEL_09_231150 | bool
    - configure_strategy | bool
    - high_disruption | bool
    - low_complexity | bool
    - medium_severity | bool
    - mount_option_var_log_noexec | bool
    - no_reboot_needed | bool
    - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] ) )
    - '"/var/log" in ansible_mounts | map(attribute="mount") | list'
    - device_name.stdout is defined and device_name.stdout_lines is defined
    - (device_name.stdout | length > 0)
  tags:
    - CCE-83887-0
    - DISA-STIG-RHEL-09-231150
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-MP-7
    - configure_strategy
    - high_disruption
    - low_complexity
    - medium_severity
    - mount_option_var_log_noexec
    - no_reboot_needed

# Step 3: never runs as rendered (`("--fstab" | length == 0)` is always false).
- name: 'Add noexec Option to /var/log: If /var/log not mounted, craft mount_info manually'
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
    - - target
      - source
      - fstype
      - options
    - - /var/log
      - ''
      - ''
      - defaults
  when:
    - DISA_STIG_RHEL_09_231150 | bool
    - configure_strategy | bool
    - high_disruption | bool
    - low_complexity | bool
    - medium_severity | bool
    - mount_option_var_log_noexec | bool
    - no_reboot_needed | bool
    - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] ) )
    - '"/var/log" in ansible_mounts | map(attribute="mount") | list'
    - ("--fstab" | length == 0)  # always false: length of a 7-character literal
    - device_name.stdout is defined and device_name.stdout_lines is defined
    - (device_name.stdout | length == 0)
  tags:
    - CCE-83887-0
    - DISA-STIG-RHEL-09-231150
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-MP-7
    - configure_strategy
    - high_disruption
    - low_complexity
    - medium_severity
    - mount_option_var_log_noexec
    - no_reboot_needed

# Step 4: append ",noexec" when missing (substring check on the options string).
- name: 'Add noexec Option to /var/log: Make sure noexec option is part of the to /var/log options'
  set_fact:
    mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',noexec'' }) }}'
  when:
    - DISA_STIG_RHEL_09_231150 | bool
    - configure_strategy | bool
    - high_disruption | bool
    - low_complexity | bool
    - medium_severity | bool
    - mount_option_var_log_noexec | bool
    - no_reboot_needed | bool
    - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] ) )
    - '"/var/log" in ansible_mounts | map(attribute="mount") | list'
    - mount_info is defined and "noexec" not in mount_info.options
  tags:
    - CCE-83887-0
    - DISA-STIG-RHEL-09-231150
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-MP-7
    - configure_strategy
    - high_disruption
    - low_complexity
    - medium_severity
    - mount_option_var_log_noexec
    - no_reboot_needed

# Step 5: persist and remount; skipped when no fstab entry was found.
- name: 'Add noexec Option to /var/log: Ensure /var/log is mounted with noexec option'
  mount:
    path: /var/log
    src: '{{ mount_info.source }}'
    opts: '{{ mount_info.options }}'
    state: mounted
    fstype: '{{ mount_info.fstype }}'
  when:
    - DISA_STIG_RHEL_09_231150 | bool
    - configure_strategy | bool
    - high_disruption | bool
    - low_complexity | bool
    - medium_severity | bool
    - mount_option_var_log_noexec | bool
    - no_reboot_needed | bool
    - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] ) )
    - '"/var/log" in ansible_mounts | map(attribute="mount") | list'
    - mount_info is defined
    - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0)
  tags:
    - CCE-83887-0
    - DISA-STIG-RHEL-09-231150
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-MP-7
    - configure_strategy
    - high_disruption
    - low_complexity
    - medium_severity
    - mount_option_var_log_noexec
    - no_reboot_needed

# ---- /var/log + nosuid (CCE-83870-6, DISA-STIG-RHEL-09-231155) ----
# Same five-step pattern as the /var/log + nodev group above.
- name: 'Add nosuid Option to /var/log: Check information associated to mountpoint'
  command: findmnt --fstab '/var/log'
  register: device_name
  failed_when: device_name.rc > 1
  changed_when: false
  check_mode: false
  when:
    - DISA_STIG_RHEL_09_231155 | bool
    - configure_strategy | bool
    - high_disruption | bool
    - low_complexity | bool
    - medium_severity | bool
    - mount_option_var_log_nosuid | bool
    - no_reboot_needed | bool
    - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] ) )
    - '"/var/log" in ansible_mounts | map(attribute="mount") | list'
  tags:
    - CCE-83870-6
    - DISA-STIG-RHEL-09-231155
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-MP-7
    - configure_strategy
    - high_disruption
    - low_complexity
    - medium_severity
    - mount_option_var_log_nosuid
    - no_reboot_needed

# Step 2 (see the /var/log + nodev group for details).
- name: 'Add nosuid Option to /var/log: Create mount_info dictionary variable'
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
    - '{{ device_name.stdout_lines[0].split() | list | lower }}'
    - '{{ device_name.stdout_lines[1].split() | list }}'
  when:
    - DISA_STIG_RHEL_09_231155 | bool
    - configure_strategy | bool
    - high_disruption | bool
    - low_complexity | bool
    - medium_severity | bool
    - mount_option_var_log_nosuid | bool
    - no_reboot_needed | bool
    - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] ) )
    - '"/var/log" in ansible_mounts | map(attribute="mount") | list'
    - device_name.stdout is defined and device_name.stdout_lines is defined
    - (device_name.stdout | length > 0)
  tags:
    - CCE-83870-6
    - DISA-STIG-RHEL-09-231155
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-MP-7
    - configure_strategy
    - high_disruption
    - low_complexity
    - medium_severity
    - mount_option_var_log_nosuid
    - no_reboot_needed

# Step 3: never runs as rendered (`("--fstab" | length == 0)` is always false).
- name: 'Add nosuid Option to /var/log: If /var/log not mounted, craft mount_info manually'
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
    - - target
      - source
      - fstype
      - options
    - - /var/log
      - ''
      - ''
      - defaults
  when:
    - DISA_STIG_RHEL_09_231155 | bool
    - configure_strategy | bool
    - high_disruption | bool
    - low_complexity | bool
    - medium_severity | bool
    - mount_option_var_log_nosuid | bool
    - no_reboot_needed | bool
    - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] ) )
    - '"/var/log" in ansible_mounts | map(attribute="mount") | list'
    - ("--fstab" | length == 0)  # always false: length of a 7-character literal
    - device_name.stdout is defined and device_name.stdout_lines is defined
    - (device_name.stdout | length == 0)
  tags:
    - CCE-83870-6
    - DISA-STIG-RHEL-09-231155
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-MP-7
    - configure_strategy
    - high_disruption
    - low_complexity
    - medium_severity
    - mount_option_var_log_nosuid
    - no_reboot_needed

# Step 4: append ",nosuid" when missing (substring check on the options string).
- name: 'Add nosuid Option to /var/log: Make sure nosuid option is part of the to /var/log options'
  set_fact:
    mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nosuid'' }) }}'
  when:
    - DISA_STIG_RHEL_09_231155 | bool
    - configure_strategy | bool
    - high_disruption | bool
    - low_complexity | bool
    - medium_severity | bool
    - mount_option_var_log_nosuid | bool
    - no_reboot_needed | bool
    - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] ) )
    - '"/var/log" in ansible_mounts | map(attribute="mount") | list'
    - mount_info is defined and "nosuid" not in mount_info.options
  tags:
    - CCE-83870-6
    - DISA-STIG-RHEL-09-231155
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-MP-7
    - configure_strategy
    - high_disruption
    - low_complexity
    - medium_severity
    - mount_option_var_log_nosuid
    - no_reboot_needed

# Step 5: persist and remount; skipped when no fstab entry was found.
- name: 'Add nosuid Option to /var/log: Ensure /var/log is mounted with nosuid option'
  mount:
    path: /var/log
    src: '{{ mount_info.source }}'
    opts: '{{ mount_info.options }}'
    state: mounted
    fstype: '{{ mount_info.fstype }}'
  when:
    - DISA_STIG_RHEL_09_231155 | bool
    - configure_strategy | bool
    - high_disruption | bool
    - low_complexity | bool
    - medium_severity | bool
    - mount_option_var_log_nosuid | bool
    - no_reboot_needed | bool
    - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] ) )
    - '"/var/log" in ansible_mounts | map(attribute="mount") | list'
    - mount_info is defined
    - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0)
  tags:
    - CCE-83870-6
    - DISA-STIG-RHEL-09-231155
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-MP-7
    - configure_strategy
    - high_disruption
    - low_complexity
    - medium_severity
    - mount_option_var_nodev
    - no_reboot_needed

# ---- /var + nodev (CCE-83868-0, DISA-STIG-RHEL-09-231140) ----
# Same five-step pattern as the /var/log + nodev group above.
- name: 'Add nodev Option to /var: Check information associated to mountpoint'
  command: findmnt --fstab '/var'
  register: device_name
  failed_when: device_name.rc > 1
  changed_when: false
  check_mode: false
  when:
    - DISA_STIG_RHEL_09_231140 | bool
    - configure_strategy | bool
    - high_disruption | bool
    - low_complexity | bool
    - medium_severity | bool
    - mount_option_var_nodev | bool
    - no_reboot_needed | bool
    - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] ) )
    - '"/var" in ansible_mounts | map(attribute="mount") | list'
  tags:
    - CCE-83868-0
    - DISA-STIG-RHEL-09-231140
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-MP-7
    - configure_strategy
    - high_disruption
    - low_complexity
    - medium_severity
    - mount_option_var_nodev
    - no_reboot_needed

# Step 2 (see the /var/log + nodev group for details).
- name: 'Add nodev Option to /var: Create mount_info dictionary variable'
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
    - '{{ device_name.stdout_lines[0].split() | list | lower }}'
    - '{{ device_name.stdout_lines[1].split() | list }}'
  when:
    - DISA_STIG_RHEL_09_231140 | bool
    - configure_strategy | bool
    - high_disruption | bool
    - low_complexity | bool
    - medium_severity | bool
    - mount_option_var_nodev | bool
    - no_reboot_needed | bool
    - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] ) )
    - '"/var" in ansible_mounts | map(attribute="mount") | list'
    - device_name.stdout is defined and device_name.stdout_lines is defined
    - (device_name.stdout | length > 0)
  tags:
    - CCE-83868-0
    - DISA-STIG-RHEL-09-231140
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-MP-7
    - configure_strategy
    - high_disruption
    - low_complexity
    - medium_severity
    - mount_option_var_nodev
    - no_reboot_needed

# Step 3: never runs as rendered (`("--fstab" | length == 0)` is always false).
- name: 'Add nodev Option to /var: If /var not mounted, craft mount_info manually'
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
    - - target
      - source
      - fstype
      - options
    - - /var
      - ''
      - ''
      - defaults
  when:
    - DISA_STIG_RHEL_09_231140 | bool
    - configure_strategy | bool
    - high_disruption | bool
    - low_complexity | bool
    - medium_severity | bool
    - mount_option_var_nodev | bool
    - no_reboot_needed | bool
    - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] ) )
    - '"/var" in ansible_mounts | map(attribute="mount") | list'
    - ("--fstab" | length == 0)  # always false: length of a 7-character literal
    - device_name.stdout is defined and device_name.stdout_lines is defined
    - (device_name.stdout | length == 0)
  tags:
    - CCE-83868-0
    - DISA-STIG-RHEL-09-231140
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-MP-7
    - configure_strategy
    - high_disruption
    - low_complexity
    - medium_severity
    - mount_option_var_nodev
    - no_reboot_needed

# Step 4: append ",nodev" when missing (substring check on the options string).
- name: 'Add nodev Option to /var: Make sure nodev option is part of the to /var options'
  set_fact:
    mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nodev'' }) }}'
  when:
    - DISA_STIG_RHEL_09_231140 | bool
    - configure_strategy | bool
    - high_disruption | bool
    - low_complexity | bool
    - medium_severity | bool
    - mount_option_var_nodev | bool
    - no_reboot_needed | bool
    - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] ) )
    - '"/var" in ansible_mounts | map(attribute="mount") | list'
    - mount_info is defined and "nodev" not in mount_info.options
  tags:
    - CCE-83868-0
    - DISA-STIG-RHEL-09-231140
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-MP-7
    - configure_strategy
    - high_disruption
    - low_complexity
    - medium_severity
    - mount_option_var_nodev
    - no_reboot_needed

# Step 5: persist and remount; skipped when no fstab entry was found.
- name: 'Add nodev Option to /var: Ensure /var is mounted with nodev option'
  mount:
    path: /var
    src: '{{ mount_info.source }}'
    opts: '{{ mount_info.options }}'
    state: mounted
    fstype: '{{ mount_info.fstype }}'
  when:
    - DISA_STIG_RHEL_09_231140 | bool
    - configure_strategy | bool
    - high_disruption | bool
    - low_complexity | bool
    - medium_severity | bool
    - mount_option_var_nodev | bool
    - no_reboot_needed | bool
    - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] ) )
    - '"/var" in ansible_mounts | map(attribute="mount") | list'
    - mount_info is defined
    - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0)
  tags:
    - CCE-83868-0
    - DISA-STIG-RHEL-09-231140
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-MP-7
    - configure_strategy
    - high_disruption
    - low_complexity
    - medium_severity
    - mount_option_var_nodev
    - no_reboot_needed

# ---- /var + nosuid (CCE-83867-2; no STIG id or NIST mapping in this group) ----
# Same five-step pattern as the /var/log + nodev group above; the `when`
# lists carry no DISA_STIG switch here.
- name: 'Add nosuid Option to /var: Check information associated to mountpoint'
  command: findmnt --fstab '/var'
  register: device_name
  failed_when: device_name.rc > 1
  changed_when: false
  check_mode: false
  when:
    - configure_strategy | bool
    - high_disruption | bool
    - low_complexity | bool
    - medium_severity | bool
    - mount_option_var_nosuid | bool
    - no_reboot_needed | bool
    - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] ) )
    - '"/var" in ansible_mounts | map(attribute="mount") | list'
  tags:
    - CCE-83867-2
    - configure_strategy
    - high_disruption
    - low_complexity
    - medium_severity
    - mount_option_var_nosuid
    - no_reboot_needed

# Step 2 (see the /var/log + nodev group for details).
- name: 'Add nosuid Option to /var: Create mount_info dictionary variable'
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
    - '{{ device_name.stdout_lines[0].split() | list | lower }}'
    - '{{ device_name.stdout_lines[1].split() | list }}'
  when:
    - configure_strategy | bool
    - high_disruption | bool
    - low_complexity | bool
    - medium_severity | bool
    - mount_option_var_nosuid | bool
    - no_reboot_needed | bool
    - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] ) )
    - '"/var" in ansible_mounts | map(attribute="mount") | list'
    - device_name.stdout is defined and device_name.stdout_lines is defined
    - (device_name.stdout | length > 0)
  tags:
    - CCE-83867-2
    - configure_strategy
    - high_disruption
    - low_complexity
    - medium_severity
    - mount_option_var_nosuid
    - no_reboot_needed

# Step 3: never runs as rendered (`("--fstab" | length == 0)` is always false).
- name: 'Add nosuid Option to /var: If /var not mounted, craft mount_info manually'
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
    - - target
      - source
      - fstype
      - options
    - - /var
      - ''
      - ''
      - defaults
  when:
    - configure_strategy | bool
    - high_disruption | bool
    - low_complexity | bool
    - medium_severity | bool
    - mount_option_var_nosuid | bool
    - no_reboot_needed | bool
    - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] ) )
    - '"/var" in ansible_mounts | map(attribute="mount") | list'
    - ("--fstab" | length == 0)  # always false: length of a 7-character literal
    - device_name.stdout is defined and device_name.stdout_lines is defined
    - (device_name.stdout | length == 0)
  tags:
    - CCE-83867-2
    - configure_strategy
    - high_disruption
    - low_complexity
    - medium_severity
    - mount_option_var_nosuid
    - no_reboot_needed

# Step 4: append ",nosuid" when missing (substring check on the options string).
- name: 'Add nosuid Option to /var: Make sure nosuid option is part of the to /var options'
  set_fact:
    mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nosuid'' }) }}'
  when:
    - configure_strategy | bool
    - high_disruption | bool
    - low_complexity | bool
    - medium_severity | bool
    - mount_option_var_nosuid | bool
    - no_reboot_needed | bool
    - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] ) )
    - '"/var" in ansible_mounts | map(attribute="mount") | list'
    - mount_info is defined and "nosuid" not in mount_info.options
  tags:
    - CCE-83867-2
    - configure_strategy
    - high_disruption
    - low_complexity
    - medium_severity
    - mount_option_var_nosuid
    - no_reboot_needed

# Step 5: persist and remount; skipped when no fstab entry was found.
- name: 'Add nosuid Option to /var: Ensure /var is mounted with nosuid option'
  mount:
    path: /var
    src: '{{ mount_info.source }}'
    opts: '{{ mount_info.options }}'
    state: mounted
    fstype: '{{ mount_info.fstype }}'
  when:
    - configure_strategy | bool
    - high_disruption | bool
    - low_complexity | bool
    - medium_severity | bool
    - mount_option_var_nosuid | bool
    - no_reboot_needed | bool
    - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] ) )
    - '"/var" in ansible_mounts | map(attribute="mount") | list'
    - mount_info is defined
    - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0)
  tags:
    - CCE-83867-2
    - configure_strategy
    - high_disruption
    - low_complexity
    - medium_severity
    - mount_option_var_nosuid
    - no_reboot_needed

# ---- /var/tmp + nodev (CCE-83864-9, DISA-STIG-RHEL-09-231175; no NIST mapping) ----
# Same five-step pattern as the /var/log + nodev group above.
- name: 'Add nodev Option to /var/tmp: Check information associated to mountpoint'
  command: findmnt --fstab '/var/tmp'
  register: device_name
  failed_when: device_name.rc > 1
  changed_when: false
  check_mode: false
  when:
    - DISA_STIG_RHEL_09_231175 | bool
    - configure_strategy | bool
    - high_disruption | bool
    - low_complexity | bool
    - medium_severity | bool
    - mount_option_var_tmp_nodev | bool
    - no_reboot_needed | bool
    - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] ) )
    - '"/var/tmp" in ansible_mounts | map(attribute="mount") | list'
  tags:
    - CCE-83864-9
    - DISA-STIG-RHEL-09-231175
    - configure_strategy
    - high_disruption
    - low_complexity
    - medium_severity
    - mount_option_var_tmp_nodev
    - no_reboot_needed

# Step 2 (see the /var/log + nodev group for details).
- name: 'Add nodev Option to /var/tmp: Create mount_info dictionary variable'
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
    - '{{ device_name.stdout_lines[0].split() | list | lower }}'
    - '{{ device_name.stdout_lines[1].split() | list }}'
  when:
    - DISA_STIG_RHEL_09_231175 | bool
    - configure_strategy | bool
    - high_disruption | bool
    - low_complexity | bool
    - medium_severity | bool
    - mount_option_var_tmp_nodev | bool
    - no_reboot_needed | bool
    - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] ) )
    - '"/var/tmp" in ansible_mounts | map(attribute="mount") | list'
    - device_name.stdout is defined and device_name.stdout_lines is defined
    - (device_name.stdout | length > 0)
  tags:
    - CCE-83864-9
    - DISA-STIG-RHEL-09-231175
    - configure_strategy
    - high_disruption
    - low_complexity
    - medium_severity
    - mount_option_var_tmp_nodev
    - no_reboot_needed

# Step 3: never runs as rendered (`("--fstab" | length == 0)` is always false).
- name: 'Add nodev Option to /var/tmp: If /var/tmp not mounted, craft mount_info manually'
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
    - - target
      - source
      - fstype
      - options
    - - /var/tmp
      - ''
      - ''
      - defaults
  when:
    - DISA_STIG_RHEL_09_231175 | bool
    - configure_strategy | bool
    - high_disruption | bool
    - low_complexity | bool
    - medium_severity | bool
    - mount_option_var_tmp_nodev | bool
    - no_reboot_needed | bool
    - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] ) )
    - '"/var/tmp" in ansible_mounts | map(attribute="mount") | list'
    - ("--fstab" | length == 0)  # always false: length of a 7-character literal
    - device_name.stdout is defined and device_name.stdout_lines is defined
    - (device_name.stdout | length == 0)
  tags:
    - CCE-83864-9
    - DISA-STIG-RHEL-09-231175
    - configure_strategy
    - high_disruption
    - low_complexity
    - medium_severity
    - mount_option_var_tmp_nodev
    - no_reboot_needed

# Step 4: append ",nodev" when missing (substring check on the options string).
- name: 'Add nodev Option to /var/tmp: Make sure nodev option is part of the to /var/tmp options'
  set_fact:
    mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nodev'' }) }}'
  when:
    - DISA_STIG_RHEL_09_231175 | bool
    - configure_strategy | bool
    - high_disruption | bool
    - low_complexity | bool
    - medium_severity | bool
    - mount_option_var_tmp_nodev | bool
    - no_reboot_needed | bool
    - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] ) )
    - '"/var/tmp" in ansible_mounts | map(attribute="mount") | list'
    - mount_info is defined and "nodev" not in mount_info.options
  tags:
    - CCE-83864-9
    - DISA-STIG-RHEL-09-231175
    - configure_strategy
    - high_disruption
    - low_complexity
    - medium_severity
    - mount_option_var_tmp_nodev
    - no_reboot_needed

# Step 5: persist and remount; skipped when no fstab entry was found.
- name: 'Add nodev Option to /var/tmp: Ensure /var/tmp is mounted with nodev option'
  mount:
    path: /var/tmp
    src: '{{ mount_info.source }}'
    opts: '{{ mount_info.options }}'
    state: mounted
    fstype: '{{ mount_info.fstype }}'
  when:
    - DISA_STIG_RHEL_09_231175 | bool
    - configure_strategy | bool
    - high_disruption | bool
    - low_complexity | bool
    - medium_severity | bool
    - mount_option_var_tmp_nodev | bool
    - no_reboot_needed | bool
    - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] ) )
    - '"/var/tmp" in ansible_mounts | map(attribute="mount") | list'
    - mount_info is defined
    - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0)
  tags:
    - CCE-83864-9
    - DISA-STIG-RHEL-09-231175
    - configure_strategy
    - high_disruption
    - low_complexity
    - medium_severity
    - mount_option_var_tmp_nodev
    - no_reboot_needed

# ---- /var/tmp + noexec (DISA-STIG-RHEL-09-231180) ----
# Step 1 of the same pattern; the remainder of this task (and of the group)
# lies beyond the end of this span.
- name: 'Add noexec Option to /var/tmp: Check information associated to mountpoint'
  command: findmnt --fstab '/var/tmp'
  register: device_name
  failed_when: device_name.rc > 1
  changed_when: false
  check_mode: false
  when:
    - DISA_STIG_RHEL_09_231180 | bool
    - configure_strategy | bool
    - high_disruption | bool
    - low_complexity | bool
    - medium_severity | bool
    - mount_option_var_tmp_noexec | bool
    - no_reboot_needed | bool
    - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] ) )
    -  # (cut: the next `when` item continues beyond this span)
'"/var/tmp" in ansible_mounts | map(attribute="mount") | list' tags: - CCE-83866-4 - DISA-STIG-RHEL-09-231180 - configure_strategy - high_disruption - low_complexity - medium_severity - mount_option_var_tmp_noexec - no_reboot_needed - name: 'Add noexec Option to /var/tmp: Create mount_info dictionary variable' set_fact: mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}' with_together: - '{{ device_name.stdout_lines[0].split() | list | lower }}' - '{{ device_name.stdout_lines[1].split() | list }}' when: - DISA_STIG_RHEL_09_231180 | bool - configure_strategy | bool - high_disruption | bool - low_complexity | bool - medium_severity | bool - mount_option_var_tmp_noexec | bool - no_reboot_needed | bool - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] ) ) - '"/var/tmp" in ansible_mounts | map(attribute="mount") | list' - device_name.stdout is defined and device_name.stdout_lines is defined - (device_name.stdout | length > 0) tags: - CCE-83866-4 - DISA-STIG-RHEL-09-231180 - configure_strategy - high_disruption - low_complexity - medium_severity - mount_option_var_tmp_noexec - no_reboot_needed - name: 'Add noexec Option to /var/tmp: If /var/tmp not mounted, craft mount_info manually' set_fact: mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}' with_together: - - target - source - fstype - options - - /var/tmp - '' - '' - defaults when: - DISA_STIG_RHEL_09_231180 | bool - configure_strategy | bool - high_disruption | bool - low_complexity | bool - medium_severity | bool - mount_option_var_tmp_noexec | bool - no_reboot_needed | bool - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages and not 
"openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] ) ) - '"/var/tmp" in ansible_mounts | map(attribute="mount") | list' - ("--fstab" | length == 0) - device_name.stdout is defined and device_name.stdout_lines is defined - (device_name.stdout | length == 0) tags: - CCE-83866-4 - DISA-STIG-RHEL-09-231180 - configure_strategy - high_disruption - low_complexity - medium_severity - mount_option_var_tmp_noexec - no_reboot_needed - name: 'Add noexec Option to /var/tmp: Make sure noexec option is part of the to /var/tmp options' set_fact: mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',noexec'' }) }}' when: - DISA_STIG_RHEL_09_231180 | bool - configure_strategy | bool - high_disruption | bool - low_complexity | bool - medium_severity | bool - mount_option_var_tmp_noexec | bool - no_reboot_needed | bool - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] ) ) - '"/var/tmp" in ansible_mounts | map(attribute="mount") | list' - mount_info is defined and "noexec" not in mount_info.options tags: - CCE-83866-4 - DISA-STIG-RHEL-09-231180 - configure_strategy - high_disruption - low_complexity - medium_severity - mount_option_var_tmp_noexec - no_reboot_needed - name: 'Add noexec Option to /var/tmp: Ensure /var/tmp is mounted with noexec option' mount: path: /var/tmp src: '{{ mount_info.source }}' opts: '{{ mount_info.options }}' state: mounted fstype: '{{ mount_info.fstype }}' when: - DISA_STIG_RHEL_09_231180 | bool - configure_strategy | bool - high_disruption | bool - low_complexity | bool - medium_severity | bool - mount_option_var_tmp_noexec | bool - no_reboot_needed 
| bool - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] ) ) - '"/var/tmp" in ansible_mounts | map(attribute="mount") | list' - mount_info is defined - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0) tags: - CCE-83866-4 - DISA-STIG-RHEL-09-231180 - configure_strategy - high_disruption - low_complexity - medium_severity - mount_option_var_tmp_noexec - no_reboot_needed - name: 'Add nosuid Option to /var/tmp: Check information associated to mountpoint' command: findmnt --fstab '/var/tmp' register: device_name failed_when: device_name.rc > 1 changed_when: false check_mode: false when: - DISA_STIG_RHEL_09_231185 | bool - configure_strategy | bool - high_disruption | bool - low_complexity | bool - medium_severity | bool - mount_option_var_tmp_nosuid | bool - no_reboot_needed | bool - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] ) ) - '"/var/tmp" in ansible_mounts | map(attribute="mount") | list' tags: - CCE-83863-1 - DISA-STIG-RHEL-09-231185 - configure_strategy - high_disruption - low_complexity - medium_severity - mount_option_var_tmp_nosuid - no_reboot_needed - name: 'Add nosuid Option to /var/tmp: Create mount_info dictionary variable' set_fact: mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}' with_together: - '{{ device_name.stdout_lines[0].split() | list | lower }}' - '{{ device_name.stdout_lines[1].split() | list }}' when: - DISA_STIG_RHEL_09_231185 | bool - 
configure_strategy | bool - high_disruption | bool - low_complexity | bool - medium_severity | bool - mount_option_var_tmp_nosuid | bool - no_reboot_needed | bool - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] ) ) - '"/var/tmp" in ansible_mounts | map(attribute="mount") | list' - device_name.stdout is defined and device_name.stdout_lines is defined - (device_name.stdout | length > 0) tags: - CCE-83863-1 - DISA-STIG-RHEL-09-231185 - configure_strategy - high_disruption - low_complexity - medium_severity - mount_option_var_tmp_nosuid - no_reboot_needed - name: 'Add nosuid Option to /var/tmp: If /var/tmp not mounted, craft mount_info manually' set_fact: mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}' with_together: - - target - source - fstype - options - - /var/tmp - '' - '' - defaults when: - DISA_STIG_RHEL_09_231185 | bool - configure_strategy | bool - high_disruption | bool - low_complexity | bool - medium_severity | bool - mount_option_var_tmp_nosuid | bool - no_reboot_needed | bool - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] ) ) - '"/var/tmp" in ansible_mounts | map(attribute="mount") | list' - ("--fstab" | length == 0) - device_name.stdout is defined and device_name.stdout_lines is defined - (device_name.stdout | length == 0) tags: - CCE-83863-1 - DISA-STIG-RHEL-09-231185 - configure_strategy - high_disruption - low_complexity - medium_severity - mount_option_var_tmp_nosuid - no_reboot_needed - name: 'Add 
nosuid Option to /var/tmp: Make sure nosuid option is part of the to /var/tmp options' set_fact: mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nosuid'' }) }}' when: - DISA_STIG_RHEL_09_231185 | bool - configure_strategy | bool - high_disruption | bool - low_complexity | bool - medium_severity | bool - mount_option_var_tmp_nosuid | bool - no_reboot_needed | bool - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] ) ) - '"/var/tmp" in ansible_mounts | map(attribute="mount") | list' - mount_info is defined and "nosuid" not in mount_info.options tags: - CCE-83863-1 - DISA-STIG-RHEL-09-231185 - configure_strategy - high_disruption - low_complexity - medium_severity - mount_option_var_tmp_nosuid - no_reboot_needed - name: 'Add nosuid Option to /var/tmp: Ensure /var/tmp is mounted with nosuid option' mount: path: /var/tmp src: '{{ mount_info.source }}' opts: '{{ mount_info.options }}' state: mounted fstype: '{{ mount_info.fstype }}' when: - DISA_STIG_RHEL_09_231185 | bool - configure_strategy | bool - high_disruption | bool - low_complexity | bool - medium_severity | bool - mount_option_var_tmp_nosuid | bool - no_reboot_needed | bool - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] ) ) - '"/var/tmp" in ansible_mounts | map(attribute="mount") | list' - mount_info is defined - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0) tags: - CCE-83863-1 - DISA-STIG-RHEL-09-231185 - 
# Tail of the "/var/tmp nosuid" tags, then the kernel.yama.ptrace_scope = 1 remediation
# (DISA-STIG-RHEL-09-213080, NIST SC-7(10)): restricts ptrace to descendant processes. Sequence:
#   1. sysctl_paths lists the drop-in directories to scan (/etc/sysctl.d, /run/sysctl.d,
#      /usr/local/lib/sysctl.d).
#   2. Two read-only shell pipelines (check_mode/changed_when/failed_when all false) grep every
#      *.conf under those paths for any setting of the key (find_all_values) and for the correct
#      value "1" (find_correct_value).
#   3. When no file has the correct value, or more files set the key than set it correctly, every
#      occurrence is commented out via ansible.builtin.replace, using the file name taken from the
#      "path:match" grep output (`item | split(":") | first`).
#   4. ansible.posix.sysctl writes kernel.yama.ptrace_scope=1 to /etc/sysctl.conf and reloads.
# The shell commands interpolate sysctl_paths unquoted; the list comes from the set_fact in step 1,
# so it is operator-controlled rather than host-supplied input. The grep regex leaves the dots in
# `kernel.yama.ptrace_scope` unescaped, so it is a loose rather than exact key match.
# The "Disable core dump backtraces" find task that starts at the end of this span continues below.
configure_strategy - high_disruption - low_complexity - medium_severity - mount_option_var_tmp_nosuid - no_reboot_needed - name: Restrict usage of ptrace to descendant processes - Set fact for sysctl paths ansible.builtin.set_fact: sysctl_paths: - /etc/sysctl.d/ - /run/sysctl.d/ - /usr/local/lib/sysctl.d/ when: - DISA_STIG_RHEL_09_213080 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - reboot_required | bool - sysctl_kernel_yama_ptrace_scope | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-83965-4 - DISA-STIG-RHEL-09-213080 - NIST-800-53-SC-7(10) - disable_strategy - low_complexity - medium_disruption - medium_severity - reboot_required - sysctl_kernel_yama_ptrace_scope - name: Restrict usage of ptrace to descendant processes - Find all files that contain kernel.yama.ptrace_scope ansible.builtin.shell: cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*kernel.yama.ptrace_scope\s*=\s*.*$' register: find_all_values check_mode: false changed_when: false failed_when: false when: - DISA_STIG_RHEL_09_213080 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - reboot_required | bool - sysctl_kernel_yama_ptrace_scope | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-83965-4 - DISA-STIG-RHEL-09-213080 - NIST-800-53-SC-7(10) - disable_strategy - low_complexity - medium_disruption - medium_severity - reboot_required - sysctl_kernel_yama_ptrace_scope - name: Restrict usage of ptrace to descendant processes - Find all files that set kernel.yama.ptrace_scope to correct value ansible.builtin.shell: cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*kernel.yama.ptrace_scope\s*=\s*1$' register: find_correct_value check_mode: false changed_when: false failed_when: false when: - DISA_STIG_RHEL_09_213080 | bool - disable_strategy | bool - low_complexity | bool - 
medium_disruption | bool - medium_severity | bool - reboot_required | bool - sysctl_kernel_yama_ptrace_scope | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-83965-4 - DISA-STIG-RHEL-09-213080 - NIST-800-53-SC-7(10) - disable_strategy - low_complexity - medium_disruption - medium_severity - reboot_required - sysctl_kernel_yama_ptrace_scope - name: Restrict usage of ptrace to descendant processes - Comment out any occurrences of kernel.yama.ptrace_scope from config files ansible.builtin.replace: path: '{{ item | split(":") | first }}' regexp: ^[\s]*kernel.yama.ptrace_scope replace: '#kernel.yama.ptrace_scope' loop: '{{ find_all_values.stdout_lines }}' when: - DISA_STIG_RHEL_09_213080 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - reboot_required | bool - sysctl_kernel_yama_ptrace_scope | bool - '"kernel-core" in ansible_facts.packages' - find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines | length > find_correct_value.stdout_lines | length tags: - CCE-83965-4 - DISA-STIG-RHEL-09-213080 - NIST-800-53-SC-7(10) - disable_strategy - low_complexity - medium_disruption - medium_severity - reboot_required - sysctl_kernel_yama_ptrace_scope - name: Restrict usage of ptrace to descendant processes - Ensure sysctl kernel.yama.ptrace_scope is set to 1 ansible.posix.sysctl: name: kernel.yama.ptrace_scope value: '1' sysctl_file: /etc/sysctl.conf state: present reload: true when: - DISA_STIG_RHEL_09_213080 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - reboot_required | bool - sysctl_kernel_yama_ptrace_scope | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-83965-4 - DISA-STIG-RHEL-09-213080 - NIST-800-53-SC-7(10) - disable_strategy - low_complexity - medium_disruption - medium_severity - reboot_required - sysctl_kernel_yama_ptrace_scope - name: Disable core dump backtraces - Search for a section in 
# systemd-coredump hardening, two rules with the same three-step shape:
#   - "Disable core dump backtraces" (DISA-STIG-RHEL-09-213085) sets ProcessSizeMax=0.
#   - "Disable storing core dump"   (DISA-STIG-RHEL-09-213090) sets Storage=none.
# Steps: (1) ansible.builtin.find looks for /etc/systemd/coredump.conf and any
# /etc/systemd/coredump.conf.d/*.conf whose content already has a `[Coredump]` section
# (read_whole_file + use_regex); (2) the per-path `matched` counts are summed into
# count_of_systemd_dropin_files_with_section; (3) community.general.ini_file writes the option
# into every matched file when the count is > 0, otherwise it creates
# /etc/systemd/coredump.conf.d/complianceascode_hardening.conf with just that option.
# Both rules reuse the same registered/fact names (systemd_dropin_files_with_section,
# count_of_systemd_dropin_files_with_section); the second rule's find overwrites the first's
# result, which is fine only because each rule completes before the next begins.
# Both rules additionally require the "systemd" package to be present in ansible_facts.packages.
# The ASLR rule (kernel.randomize_va_space) starts at the end of this span by setting the same
# sysctl_paths list used by the ptrace_scope rule; its remaining tasks follow below.
files ansible.builtin.find: paths: '{{item.path}}' patterns: '{{item.pattern}}' contains: ^\s*\[Coredump\] read_whole_file: true use_regex: true register: systemd_dropin_files_with_section loop: - path: '{{ ''/etc/systemd/coredump.conf'' | dirname }}' pattern: '{{ ''/etc/systemd/coredump.conf'' | basename | regex_escape }}' - path: /etc/systemd/coredump.conf.d pattern: .*\.conf when: - DISA_STIG_RHEL_09_213085 | bool - coredump_disable_backtraces | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"kernel-core" in ansible_facts.packages' - '"systemd" in ansible_facts.packages' tags: - CCE-83984-5 - DISA-STIG-RHEL-09-213085 - NIST-800-53-CM-6 - PCI-DSS-Req-3.2 - PCI-DSSv4-3.3 - PCI-DSSv4-3.3.1 - PCI-DSSv4-3.3.1.1 - coredump_disable_backtraces - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Disable core dump backtraces - Count number of files which contain the correct section ansible.builtin.set_fact: count_of_systemd_dropin_files_with_section: '{{systemd_dropin_files_with_section.results | map(attribute=''matched'') | list | map(''int'') | sum}}' when: - DISA_STIG_RHEL_09_213085 | bool - coredump_disable_backtraces | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"kernel-core" in ansible_facts.packages' - '"systemd" in ansible_facts.packages' tags: - CCE-83984-5 - DISA-STIG-RHEL-09-213085 - NIST-800-53-CM-6 - PCI-DSS-Req-3.2 - PCI-DSSv4-3.3 - PCI-DSSv4-3.3.1 - PCI-DSSv4-3.3.1.1 - coredump_disable_backtraces - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Disable core dump backtraces - Add missing configuration to correct section community.general.ini_file: path: '{{item}}' section: Coredump option: ProcessSizeMax value: '0' state: present no_extra_spaces: true when: - DISA_STIG_RHEL_09_213085 | 
bool - coredump_disable_backtraces | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"kernel-core" in ansible_facts.packages' - '"systemd" in ansible_facts.packages' - count_of_systemd_dropin_files_with_section | int > 0 loop: '{{systemd_dropin_files_with_section.results | sum(attribute=''files'', start=[]) | map(attribute=''path'') | list }}' tags: - CCE-83984-5 - DISA-STIG-RHEL-09-213085 - NIST-800-53-CM-6 - PCI-DSS-Req-3.2 - PCI-DSSv4-3.3 - PCI-DSSv4-3.3.1 - PCI-DSSv4-3.3.1.1 - coredump_disable_backtraces - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Disable core dump backtraces - Add configuration to new remediation file community.general.ini_file: path: /etc/systemd/coredump.conf.d/complianceascode_hardening.conf section: Coredump option: ProcessSizeMax value: '0' state: present no_extra_spaces: true create: true when: - DISA_STIG_RHEL_09_213085 | bool - coredump_disable_backtraces | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"kernel-core" in ansible_facts.packages' - '"systemd" in ansible_facts.packages' - count_of_systemd_dropin_files_with_section | int == 0 tags: - CCE-83984-5 - DISA-STIG-RHEL-09-213085 - NIST-800-53-CM-6 - PCI-DSS-Req-3.2 - PCI-DSSv4-3.3 - PCI-DSSv4-3.3.1 - PCI-DSSv4-3.3.1.1 - coredump_disable_backtraces - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Disable storing core dump - Search for a section in files ansible.builtin.find: paths: '{{item.path}}' patterns: '{{item.pattern}}' contains: ^\s*\[Coredump\] read_whole_file: true use_regex: true register: systemd_dropin_files_with_section loop: - path: '{{ ''/etc/systemd/coredump.conf'' | dirname }}' pattern: '{{ ''/etc/systemd/coredump.conf'' | basename | regex_escape }}' - path: /etc/systemd/coredump.conf.d 
pattern: .*\.conf when: - DISA_STIG_RHEL_09_213090 | bool - coredump_disable_storage | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"kernel-core" in ansible_facts.packages' - '"systemd" in ansible_facts.packages' tags: - CCE-83979-5 - DISA-STIG-RHEL-09-213090 - NIST-800-53-CM-6 - PCI-DSS-Req-3.2 - PCI-DSSv4-3.3 - PCI-DSSv4-3.3.1 - PCI-DSSv4-3.3.1.1 - coredump_disable_storage - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Disable storing core dump - Count number of files which contain the correct section ansible.builtin.set_fact: count_of_systemd_dropin_files_with_section: '{{systemd_dropin_files_with_section.results | map(attribute=''matched'') | list | map(''int'') | sum}}' when: - DISA_STIG_RHEL_09_213090 | bool - coredump_disable_storage | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"kernel-core" in ansible_facts.packages' - '"systemd" in ansible_facts.packages' tags: - CCE-83979-5 - DISA-STIG-RHEL-09-213090 - NIST-800-53-CM-6 - PCI-DSS-Req-3.2 - PCI-DSSv4-3.3 - PCI-DSSv4-3.3.1 - PCI-DSSv4-3.3.1.1 - coredump_disable_storage - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Disable storing core dump - Add missing configuration to correct section community.general.ini_file: path: '{{item}}' section: Coredump option: Storage value: none state: present no_extra_spaces: true when: - DISA_STIG_RHEL_09_213090 | bool - coredump_disable_storage | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"kernel-core" in ansible_facts.packages' - '"systemd" in ansible_facts.packages' - count_of_systemd_dropin_files_with_section | int > 0 loop: '{{systemd_dropin_files_with_section.results | sum(attribute=''files'', 
start=[]) | map(attribute=''path'') | list }}' tags: - CCE-83979-5 - DISA-STIG-RHEL-09-213090 - NIST-800-53-CM-6 - PCI-DSS-Req-3.2 - PCI-DSSv4-3.3 - PCI-DSSv4-3.3.1 - PCI-DSSv4-3.3.1.1 - coredump_disable_storage - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Disable storing core dump - Add configuration to new remediation file community.general.ini_file: path: /etc/systemd/coredump.conf.d/complianceascode_hardening.conf section: Coredump option: Storage value: none state: present no_extra_spaces: true create: true when: - DISA_STIG_RHEL_09_213090 | bool - coredump_disable_storage | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"kernel-core" in ansible_facts.packages' - '"systemd" in ansible_facts.packages' - count_of_systemd_dropin_files_with_section | int == 0 tags: - CCE-83979-5 - DISA-STIG-RHEL-09-213090 - NIST-800-53-CM-6 - PCI-DSS-Req-3.2 - PCI-DSSv4-3.3 - PCI-DSSv4-3.3.1 - PCI-DSSv4-3.3.1.1 - coredump_disable_storage - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Enable Randomized Layout of Virtual Address Space - Set fact for sysctl paths ansible.builtin.set_fact: sysctl_paths: - /etc/sysctl.d/ - /run/sysctl.d/ - /usr/local/lib/sysctl.d/ when: - DISA_STIG_RHEL_09_213070 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - reboot_required | bool - sysctl_kernel_randomize_va_space | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-83971-2 - DISA-STIG-RHEL-09-213070 - NIST-800-171-3.1.7 - NIST-800-53-CM-6(a) - NIST-800-53-SC-30 - NIST-800-53-SC-30(2) - PCI-DSS-Req-2.2.1 - PCI-DSSv4-3.3 - PCI-DSSv4-3.3.1 - PCI-DSSv4-3.3.1.1 - disable_strategy - low_complexity - medium_disruption - medium_severity - reboot_required - sysctl_kernel_randomize_va_space - name: Enable Randomized Layout of Virtual Address Space 
# Remainder of the full-ASLR rule (kernel.randomize_va_space = 2, DISA-STIG-RHEL-09-213070,
# NIST SC-30): same grep / comment-out / ansible.posix.sysctl sequence as the ptrace_scope rule,
# with the correct-value grep anchored on `=\s*2$`. The replace task comments out every existing
# setting only when no file holds the correct value or some file holds a different one; the final
# sysctl task writes the value to /etc/sysctl.conf with `reload: true`. The grep pattern leaves the
# dots in `kernel.randomize_va_space` unescaped, so it is a loose rather than exact key match.
# The "Ensure SELinux Not Disabled in /etc/default/grub" rule begins at the end of this span with a
# find over /etc/grub.d/ (follow: true) registered as result_grub_d; its conditions continue below.
- Find all files that contain kernel.randomize_va_space ansible.builtin.shell: cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*kernel.randomize_va_space\s*=\s*.*$' register: find_all_values check_mode: false changed_when: false failed_when: false when: - DISA_STIG_RHEL_09_213070 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - reboot_required | bool - sysctl_kernel_randomize_va_space | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-83971-2 - DISA-STIG-RHEL-09-213070 - NIST-800-171-3.1.7 - NIST-800-53-CM-6(a) - NIST-800-53-SC-30 - NIST-800-53-SC-30(2) - PCI-DSS-Req-2.2.1 - PCI-DSSv4-3.3 - PCI-DSSv4-3.3.1 - PCI-DSSv4-3.3.1.1 - disable_strategy - low_complexity - medium_disruption - medium_severity - reboot_required - sysctl_kernel_randomize_va_space - name: Enable Randomized Layout of Virtual Address Space - Find all files that set kernel.randomize_va_space to correct value ansible.builtin.shell: cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*kernel.randomize_va_space\s*=\s*2$' register: find_correct_value check_mode: false changed_when: false failed_when: false when: - DISA_STIG_RHEL_09_213070 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - reboot_required | bool - sysctl_kernel_randomize_va_space | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-83971-2 - DISA-STIG-RHEL-09-213070 - NIST-800-171-3.1.7 - NIST-800-53-CM-6(a) - NIST-800-53-SC-30 - NIST-800-53-SC-30(2) - PCI-DSS-Req-2.2.1 - PCI-DSSv4-3.3 - PCI-DSSv4-3.3.1 - PCI-DSSv4-3.3.1.1 - disable_strategy - low_complexity - medium_disruption - medium_severity - reboot_required - sysctl_kernel_randomize_va_space - name: Enable Randomized Layout of Virtual Address Space - Comment out any occurrences of kernel.randomize_va_space from config files ansible.builtin.replace: path: '{{ item | 
split(":") | first }}' regexp: ^[\s]*kernel.randomize_va_space replace: '#kernel.randomize_va_space' loop: '{{ find_all_values.stdout_lines }}' when: - DISA_STIG_RHEL_09_213070 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - reboot_required | bool - sysctl_kernel_randomize_va_space | bool - '"kernel-core" in ansible_facts.packages' - find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines | length > find_correct_value.stdout_lines | length tags: - CCE-83971-2 - DISA-STIG-RHEL-09-213070 - NIST-800-171-3.1.7 - NIST-800-53-CM-6(a) - NIST-800-53-SC-30 - NIST-800-53-SC-30(2) - PCI-DSS-Req-2.2.1 - PCI-DSSv4-3.3 - PCI-DSSv4-3.3.1 - PCI-DSSv4-3.3.1.1 - disable_strategy - low_complexity - medium_disruption - medium_severity - reboot_required - sysctl_kernel_randomize_va_space - name: Enable Randomized Layout of Virtual Address Space - Ensure sysctl kernel.randomize_va_space is set to 2 ansible.posix.sysctl: name: kernel.randomize_va_space value: '2' sysctl_file: /etc/sysctl.conf state: present reload: true when: - DISA_STIG_RHEL_09_213070 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - reboot_required | bool - sysctl_kernel_randomize_va_space | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-83971-2 - DISA-STIG-RHEL-09-213070 - NIST-800-171-3.1.7 - NIST-800-53-CM-6(a) - NIST-800-53-SC-30 - NIST-800-53-SC-30(2) - PCI-DSS-Req-2.2.1 - PCI-DSSv4-3.3 - PCI-DSSv4-3.3.1 - PCI-DSSv4-3.3.1.1 - disable_strategy - low_complexity - medium_disruption - medium_severity - reboot_required - sysctl_kernel_randomize_va_space - name: Ensure SELinux Not Disabled in /etc/default/grub - Find /etc/grub.d/ files ansible.builtin.find: paths: - /etc/grub.d/ follow: true register: result_grub_d when: - grub2_enable_selinux | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - 
# Boot-time SELinux guard ("Ensure SELinux Not Disabled in /etc/default/grub", CCE-84078-5):
# strips any `selinux=0` or `enforcing=0` kernel argument from /etc/grub.d/* (files found above
# and registered as result_grub_d), from /etc/grub2.cfg and from /etc/default/grub. Each
# ansible.builtin.replace task gives a `regexp:` but no `replace:` value, so matches are deleted
# rather than rewritten; the two stat tasks gate the last two edits on the file existing.
# Both the kernel-core and grub2-common packages must be present for any of these tasks to run.
# NOTE(review): the /etc/default/grub edit is the one that survives a grub config regeneration;
# the direct /etc/grub2.cfg edit covers the currently generated file (inferred from how grub2
# tooling works, not shown in this file).
# The "Ensure SELinux is Not Disabled" rule begins at the end of this span with a `getenforce`
# command whose output is registered as selinux_state; it continues below.
restrict_strategy | bool - '"kernel-core" in ansible_facts.packages' - '"grub2-common" in ansible_facts.packages' tags: - CCE-84078-5 - NIST-800-171-3.1.2 - NIST-800-171-3.7.2 - NIST-800-53-AC-3 - NIST-800-53-AC-3(3)(a) - PCI-DSSv4-1.2 - PCI-DSSv4-1.2.6 - grub2_enable_selinux - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Ensure SELinux Not Disabled in /etc/default/grub - Ensure SELinux Not Disabled in /etc/grub.d/ files ansible.builtin.replace: dest: '{{ item.path }}' regexp: (selinux|enforcing)=0 with_items: - '{{ result_grub_d.files }}' when: - grub2_enable_selinux | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"kernel-core" in ansible_facts.packages' - '"grub2-common" in ansible_facts.packages' tags: - CCE-84078-5 - NIST-800-171-3.1.2 - NIST-800-171-3.7.2 - NIST-800-53-AC-3 - NIST-800-53-AC-3(3)(a) - PCI-DSSv4-1.2 - PCI-DSSv4-1.2.6 - grub2_enable_selinux - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Ensure SELinux Not Disabled in /etc/default/grub - Check if /etc/grub2.cfg exists ansible.builtin.stat: path: /etc/grub2.cfg register: result_grub2_cfg_present when: - grub2_enable_selinux | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"kernel-core" in ansible_facts.packages' - '"grub2-common" in ansible_facts.packages' tags: - CCE-84078-5 - NIST-800-171-3.1.2 - NIST-800-171-3.7.2 - NIST-800-53-AC-3 - NIST-800-53-AC-3(3)(a) - PCI-DSSv4-1.2 - PCI-DSSv4-1.2.6 - grub2_enable_selinux - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Ensure SELinux Not Disabled in /etc/default/grub - Check if /etc/default/grub exists ansible.builtin.stat: path: /etc/default/grub register: result_default_grub_present when: - grub2_enable_selinux | bool - 
low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"kernel-core" in ansible_facts.packages' - '"grub2-common" in ansible_facts.packages' tags: - CCE-84078-5 - NIST-800-171-3.1.2 - NIST-800-171-3.7.2 - NIST-800-53-AC-3 - NIST-800-53-AC-3(3)(a) - PCI-DSSv4-1.2 - PCI-DSSv4-1.2.6 - grub2_enable_selinux - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Ensure SELinux Not Disabled in /etc/default/grub - Ensure SELinux Not Disabled in /etc/grub2.cfg ansible.builtin.replace: dest: /etc/grub2.cfg regexp: (selinux|enforcing)=0 when: - grub2_enable_selinux | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"kernel-core" in ansible_facts.packages' - '"grub2-common" in ansible_facts.packages' - result_grub2_cfg_present.stat.exists tags: - CCE-84078-5 - NIST-800-171-3.1.2 - NIST-800-171-3.7.2 - NIST-800-53-AC-3 - NIST-800-53-AC-3(3)(a) - PCI-DSSv4-1.2 - PCI-DSSv4-1.2.6 - grub2_enable_selinux - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Ensure SELinux Not Disabled in /etc/default/grub - Ensure SELinux Not Disabled in /etc/default/grub ansible.builtin.replace: dest: /etc/default/grub regexp: (selinux|enforcing)=0 when: - grub2_enable_selinux | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"kernel-core" in ansible_facts.packages' - '"grub2-common" in ansible_facts.packages' - result_default_grub_present.stat.exists tags: - CCE-84078-5 - NIST-800-171-3.1.2 - NIST-800-171-3.7.2 - NIST-800-53-AC-3 - NIST-800-53-AC-3(3)(a) - PCI-DSSv4-1.2 - PCI-DSSv4-1.2.6 - grub2_enable_selinux - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Ensure SELinux is Not Disabled - Check current SELinux state 
ansible.builtin.command: cmd: getenforce register: selinux_state check_mode: false changed_when: false when: - high_severity | bool - low_complexity | bool - low_disruption | bool - reboot_required | bool - restrict_strategy | bool - selinux_not_disabled | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-86152-6 - high_severity - low_complexity - low_disruption - reboot_required - restrict_strategy - selinux_not_disabled - name: Ensure SELinux is Not Disabled block: - name: Check for duplicate values ansible.builtin.lineinfile: path: /etc/selinux/config create: true regexp: (?i)^SELINUX= state: absent check_mode: true changed_when: false register: dupes - name: Deduplicate values from /etc/selinux/config ansible.builtin.lineinfile: path: /etc/selinux/config create: true regexp: (?i)^SELINUX= state: absent when: dupes.found is defined and dupes.found > 1 - name: Insert correct line to /etc/selinux/config ansible.builtin.lineinfile: path: /etc/selinux/config create: true regexp: (?i)^SELINUX= line: SELINUX=permissive state: present when: - high_severity | bool - low_complexity | bool - low_disruption | bool - reboot_required | bool - restrict_strategy | bool - selinux_not_disabled | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-86152-6 - high_severity - low_complexity - low_disruption - reboot_required - restrict_strategy - selinux_not_disabled - name: Ensure SELinux is Not Disabled - Mark system to relabel SELinux on next boot ansible.builtin.file: path: /.autorelabel state: touch access_time: preserve modification_time: preserve when: - high_severity | bool - low_complexity | bool - low_disruption | bool - reboot_required | bool - restrict_strategy | bool - selinux_not_disabled | bool - '"kernel-core" in ansible_facts.packages' - selinux_state.stdout | lower != "permissive" tags: - CCE-86152-6 - high_severity - low_complexity - low_disruption - reboot_required - restrict_strategy - selinux_not_disabled - name: Configure SELinux Policy 
block: - name: Check for duplicate values ansible.builtin.lineinfile: path: /etc/selinux/config create: true regexp: (?i)^SELINUXTYPE= state: absent check_mode: true changed_when: false register: dupes - name: Deduplicate values from /etc/selinux/config ansible.builtin.lineinfile: path: /etc/selinux/config create: true regexp: (?i)^SELINUXTYPE= state: absent when: dupes.found is defined and dupes.found > 1 - name: Insert correct line to /etc/selinux/config ansible.builtin.lineinfile: path: /etc/selinux/config create: true regexp: (?i)^SELINUXTYPE= line: SELINUXTYPE={{ var_selinux_policy_name }} state: present when: - DISA_STIG_RHEL_09_431015 | bool - configure_strategy | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - selinux_policytype | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-84074-4 - DISA-STIG-RHEL-09-431015 - NIST-800-171-3.1.2 - NIST-800-171-3.7.2 - NIST-800-53-AC-3 - NIST-800-53-AC-3(3)(a) - NIST-800-53-AU-9 - NIST-800-53-SC-7(21) - PCI-DSSv4-1.2 - PCI-DSSv4-1.2.6 - configure_strategy - low_complexity - low_disruption - medium_severity - no_reboot_needed - selinux_policytype - name: Ensure SELinux State is Enforcing - Check current SELinux state ansible.builtin.command: cmd: getenforce register: selinux_state check_mode: false changed_when: false when: - DISA_STIG_RHEL_09_431010 | bool - high_severity | bool - low_complexity | bool - low_disruption | bool - no_reboot_needed | bool - restrict_strategy | bool - selinux_state | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-84079-3 - DISA-STIG-RHEL-09-431010 - NIST-800-171-3.1.2 - NIST-800-171-3.7.2 - NIST-800-53-AC-3 - NIST-800-53-AC-3(3)(a) - NIST-800-53-AU-9 - NIST-800-53-SC-7(21) - PCI-DSSv4-1.2 - PCI-DSSv4-1.2.6 - high_severity - low_complexity - low_disruption - no_reboot_needed - restrict_strategy - selinux_state - name: Ensure SELinux State is Enforcing block: - name: Check for duplicate values 
ansible.builtin.lineinfile: path: /etc/selinux/config create: true regexp: (?i)^SELINUX= state: absent check_mode: true changed_when: false register: dupes - name: Deduplicate values from /etc/selinux/config ansible.builtin.lineinfile: path: /etc/selinux/config create: true regexp: (?i)^SELINUX= state: absent when: dupes.found is defined and dupes.found > 1 - name: Insert correct line to /etc/selinux/config ansible.builtin.lineinfile: path: /etc/selinux/config create: true regexp: (?i)^SELINUX= line: SELINUX={{ var_selinux_state }} state: present when: - DISA_STIG_RHEL_09_431010 | bool - high_severity | bool - low_complexity | bool - low_disruption | bool - no_reboot_needed | bool - restrict_strategy | bool - selinux_state | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-84079-3 - DISA-STIG-RHEL-09-431010 - NIST-800-171-3.1.2 - NIST-800-171-3.7.2 - NIST-800-53-AC-3 - NIST-800-53-AC-3(3)(a) - NIST-800-53-AU-9 - NIST-800-53-SC-7(21) - PCI-DSSv4-1.2 - PCI-DSSv4-1.2.6 - high_severity - low_complexity - low_disruption - no_reboot_needed - restrict_strategy - selinux_state - name: Ensure SELinux State is Enforcing - Mark system to relabel SELinux on next boot ansible.builtin.file: path: /.autorelabel state: touch access_time: preserve modification_time: preserve when: - DISA_STIG_RHEL_09_431010 | bool - high_severity | bool - low_complexity | bool - low_disruption | bool - no_reboot_needed | bool - restrict_strategy | bool - selinux_state | bool - '"kernel-core" in ansible_facts.packages' - selinux_state.stdout | lower != var_selinux_state tags: - CCE-84079-3 - DISA-STIG-RHEL-09-431010 - NIST-800-171-3.1.2 - NIST-800-171-3.7.2 - NIST-800-53-AC-3 - NIST-800-53-AC-3(3)(a) - NIST-800-53-AU-9 - NIST-800-53-SC-7(21) - PCI-DSSv4-1.2 - PCI-DSSv4-1.2.6 - high_severity - low_complexity - low_disruption - no_reboot_needed - restrict_strategy - selinux_state - name: Set the file_groupowner_cron_d_newgroup variable if represented by gid ansible.builtin.set_fact: 
# Owner / group-owner / permission hardening for the cron and at configuration
# files. Every rule follows the same shape: a set_fact that pins the target
# uid/gid ('0' = root), for files that may be absent a stat guard registered as
# `file_exists`, then the ansible.builtin.file task. Within one rule the `when`
# and `tags` lists are identical, so they are anchored on the first task of the
# rule and aliased on the others (anchors resolve at load time; Ansible sees the
# same lists as before).
# NOTE(review): the set_fact tasks are named "... if represented by gid/uid" but
# carry no numeric-value condition -- they always assign '0'. Presumably the
# generator inlined the default; verify against the template if a non-root
# owner is ever intended.
    file_groupowner_cron_d_newgroup: '0'
  when: &when_groupowner_cron_d
    - DISA_STIG_RHEL_09_232235 | bool
    - configure_strategy | bool
    - file_groupowner_cron_d | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - '"kernel-core" in ansible_facts.packages'
  tags: &tags_groupowner_cron_d
    - CCE-84177-5
    - DISA-STIG-RHEL-09-232235
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - configure_strategy
    - file_groupowner_cron_d
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

# `follow: false` so a symlinked directory is not chased; `state: directory`
# would create the path if it were missing.
- name: Ensure group owner on /etc/cron.d/
  ansible.builtin.file:
    path: /etc/cron.d/
    follow: false
    state: directory
    group: '{{ file_groupowner_cron_d_newgroup }}'
  when: *when_groupowner_cron_d
  tags: *tags_groupowner_cron_d

- name: Set the file_groupowner_cron_daily_newgroup variable if represented by gid
  ansible.builtin.set_fact:
    file_groupowner_cron_daily_newgroup: '0'
  when: &when_groupowner_cron_daily
    - DISA_STIG_RHEL_09_232235 | bool
    - configure_strategy | bool
    - file_groupowner_cron_daily | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - '"kernel-core" in ansible_facts.packages'
  tags: &tags_groupowner_cron_daily
    - CCE-84170-0
    - DISA-STIG-RHEL-09-232235
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - configure_strategy
    - file_groupowner_cron_daily
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Ensure group owner on /etc/cron.daily/
  ansible.builtin.file:
    path: /etc/cron.daily/
    follow: false
    state: directory
    group: '{{ file_groupowner_cron_daily_newgroup }}'
  when: *when_groupowner_cron_daily
  tags: *tags_groupowner_cron_daily

- name: Set the file_groupowner_cron_hourly_newgroup variable if represented by gid
  ansible.builtin.set_fact:
    file_groupowner_cron_hourly_newgroup: '0'
  when: &when_groupowner_cron_hourly
    - DISA_STIG_RHEL_09_232235 | bool
    - configure_strategy | bool
    - file_groupowner_cron_hourly | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - '"kernel-core" in ansible_facts.packages'
  tags: &tags_groupowner_cron_hourly
    - CCE-84186-6
    - DISA-STIG-RHEL-09-232235
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - configure_strategy
    - file_groupowner_cron_hourly
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Ensure group owner on /etc/cron.hourly/
  ansible.builtin.file:
    path: /etc/cron.hourly/
    follow: false
    state: directory
    group: '{{ file_groupowner_cron_hourly_newgroup }}'
  when: *when_groupowner_cron_hourly
  tags: *tags_groupowner_cron_hourly

- name: Set the file_groupowner_cron_monthly_newgroup variable if represented by gid
  ansible.builtin.set_fact:
    file_groupowner_cron_monthly_newgroup: '0'
  when: &when_groupowner_cron_monthly
    - DISA_STIG_RHEL_09_232235 | bool
    - configure_strategy | bool
    - file_groupowner_cron_monthly | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - '"kernel-core" in ansible_facts.packages'
  tags: &tags_groupowner_cron_monthly
    - CCE-84189-0
    - DISA-STIG-RHEL-09-232235
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - configure_strategy
    - file_groupowner_cron_monthly
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Ensure group owner on /etc/cron.monthly/
  ansible.builtin.file:
    path: /etc/cron.monthly/
    follow: false
    state: directory
    group: '{{ file_groupowner_cron_monthly_newgroup }}'
  when: *when_groupowner_cron_monthly
  tags: *tags_groupowner_cron_monthly

- name: Set the file_groupowner_cron_weekly_newgroup variable if represented by gid
  ansible.builtin.set_fact:
    file_groupowner_cron_weekly_newgroup: '0'
  when: &when_groupowner_cron_weekly
    - DISA_STIG_RHEL_09_232235 | bool
    - configure_strategy | bool
    - file_groupowner_cron_weekly | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - '"kernel-core" in ansible_facts.packages'
  tags: &tags_groupowner_cron_weekly
    - CCE-84174-2
    - DISA-STIG-RHEL-09-232235
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - configure_strategy
    - file_groupowner_cron_weekly
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Ensure group owner on /etc/cron.weekly/
  ansible.builtin.file:
    path: /etc/cron.weekly/
    follow: false
    state: directory
    group: '{{ file_groupowner_cron_weekly_newgroup }}'
  when: *when_groupowner_cron_weekly
  tags: *tags_groupowner_cron_weekly

# /etc/crontab is a plain file that may not exist, hence the stat guard; the
# file task has no `state`, so it never creates the file.
- name: Set the file_groupowner_crontab_newgroup variable if represented by gid
  ansible.builtin.set_fact:
    file_groupowner_crontab_newgroup: '0'
  when: &when_groupowner_crontab
    - DISA_STIG_RHEL_09_232235 | bool
    - configure_strategy | bool
    - file_groupowner_crontab | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - '"kernel-core" in ansible_facts.packages'
  tags: &tags_groupowner_crontab
    - CCE-84171-8
    - DISA-STIG-RHEL-09-232235
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - configure_strategy
    - file_groupowner_crontab
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Test for existence /etc/crontab
  ansible.builtin.stat:
    path: /etc/crontab
  register: file_exists
  when: *when_groupowner_crontab
  tags: *tags_groupowner_crontab

- name: Ensure group owner on /etc/crontab
  ansible.builtin.file:
    path: /etc/crontab
    follow: false
    group: '{{ file_groupowner_crontab_newgroup }}'
  when:
    - DISA_STIG_RHEL_09_232235 | bool
    - configure_strategy | bool
    - file_groupowner_crontab | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - '"kernel-core" in ansible_facts.packages'
    - file_exists.stat is defined and file_exists.stat.exists
  tags: *tags_groupowner_crontab

# ---- owner (uid) rules, STIG RHEL-09-232230 ----
- name: Set the file_owner_cron_d_newown variable if represented by uid
  ansible.builtin.set_fact:
    file_owner_cron_d_newown: '0'
  when: &when_owner_cron_d
    - DISA_STIG_RHEL_09_232230 | bool
    - configure_strategy | bool
    - file_owner_cron_d | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - '"kernel-core" in ansible_facts.packages'
  tags: &tags_owner_cron_d
    - CCE-84169-2
    - DISA-STIG-RHEL-09-232230
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - configure_strategy
    - file_owner_cron_d
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Ensure owner on directory /etc/cron.d/
  ansible.builtin.file:
    path: /etc/cron.d/
    follow: false
    state: directory
    owner: '{{ file_owner_cron_d_newown }}'
  when: *when_owner_cron_d
  tags: *tags_owner_cron_d

- name: Set the file_owner_cron_daily_newown variable if represented by uid
  ansible.builtin.set_fact:
    file_owner_cron_daily_newown: '0'
  when: &when_owner_cron_daily
    - DISA_STIG_RHEL_09_232230 | bool
    - configure_strategy | bool
    - file_owner_cron_daily | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - '"kernel-core" in ansible_facts.packages'
  tags: &tags_owner_cron_daily
    - CCE-84188-2
    - DISA-STIG-RHEL-09-232230
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - configure_strategy
    - file_owner_cron_daily
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Ensure owner on directory /etc/cron.daily/
  ansible.builtin.file:
    path: /etc/cron.daily/
    follow: false
    state: directory
    owner: '{{ file_owner_cron_daily_newown }}'
  when: *when_owner_cron_daily
  tags: *tags_owner_cron_daily

- name: Set the file_owner_cron_hourly_newown variable if represented by uid
  ansible.builtin.set_fact:
    file_owner_cron_hourly_newown: '0'
  when: &when_owner_cron_hourly
    - DISA_STIG_RHEL_09_232230 | bool
    - configure_strategy | bool
    - file_owner_cron_hourly | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - '"kernel-core" in ansible_facts.packages'
  tags: &tags_owner_cron_hourly
    - CCE-84168-4
    - DISA-STIG-RHEL-09-232230
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - configure_strategy
    - file_owner_cron_hourly
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Ensure owner on directory /etc/cron.hourly/
  ansible.builtin.file:
    path: /etc/cron.hourly/
    follow: false
    state: directory
    owner: '{{ file_owner_cron_hourly_newown }}'
  when: *when_owner_cron_hourly
  tags: *tags_owner_cron_hourly

- name: Set the file_owner_cron_monthly_newown variable if represented by uid
  ansible.builtin.set_fact:
    file_owner_cron_monthly_newown: '0'
  when: &when_owner_cron_monthly
    - DISA_STIG_RHEL_09_232230 | bool
    - configure_strategy | bool
    - file_owner_cron_monthly | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - '"kernel-core" in ansible_facts.packages'
  tags: &tags_owner_cron_monthly
    - CCE-84179-1
    - DISA-STIG-RHEL-09-232230
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - configure_strategy
    - file_owner_cron_monthly
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Ensure owner on directory /etc/cron.monthly/
  ansible.builtin.file:
    path: /etc/cron.monthly/
    follow: false
    state: directory
    owner: '{{ file_owner_cron_monthly_newown }}'
  when: *when_owner_cron_monthly
  tags: *tags_owner_cron_monthly

- name: Set the file_owner_cron_weekly_newown variable if represented by uid
  ansible.builtin.set_fact:
    file_owner_cron_weekly_newown: '0'
  when: &when_owner_cron_weekly
    - DISA_STIG_RHEL_09_232230 | bool
    - configure_strategy | bool
    - file_owner_cron_weekly | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - '"kernel-core" in ansible_facts.packages'
  tags: &tags_owner_cron_weekly
    - CCE-84190-8
    - DISA-STIG-RHEL-09-232230
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - configure_strategy
    - file_owner_cron_weekly
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Ensure owner on directory /etc/cron.weekly/
  ansible.builtin.file:
    path: /etc/cron.weekly/
    follow: false
    state: directory
    owner: '{{ file_owner_cron_weekly_newown }}'
  when: *when_owner_cron_weekly
  tags: *tags_owner_cron_weekly

- name: Set the file_owner_crontab_newown variable if represented by uid
  ansible.builtin.set_fact:
    file_owner_crontab_newown: '0'
  when: &when_owner_crontab
    - DISA_STIG_RHEL_09_232230 | bool
    - configure_strategy | bool
    - file_owner_crontab | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - '"kernel-core" in ansible_facts.packages'
  tags: &tags_owner_crontab
    - CCE-84167-6
    - DISA-STIG-RHEL-09-232230
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - configure_strategy
    - file_owner_crontab
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Test for existence /etc/crontab
  ansible.builtin.stat:
    path: /etc/crontab
  register: file_exists
  when: *when_owner_crontab
  tags: *tags_owner_crontab

- name: Ensure owner on /etc/crontab
  ansible.builtin.file:
    path: /etc/crontab
    follow: false
    owner: '{{ file_owner_crontab_newown }}'
  when:
    - DISA_STIG_RHEL_09_232230 | bool
    - configure_strategy | bool
    - file_owner_crontab | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - '"kernel-core" in ansible_facts.packages'
    - file_exists.stat is defined and file_exists.stat.exists
  tags: *tags_owner_crontab

# ---- permission rules, STIG RHEL-09-232040 ----
# `find -P <dir> -maxdepth 0 -type d -perm /u+s,g+xwrs,o+xwrt` prints the
# directory itself only when any of setuid, group rwx/setgid or other rwx/sticky
# is set; the follow-up strips exactly those bits, so the directory ends up
# with no group/other access. `-P` never follows symlinks. `failed_when: false`
# keeps a missing directory (find exits non-zero) from failing the play; the
# loop then simply sees an empty stdout_lines.
- name: Find /etc/cron.d/ file(s)
  ansible.builtin.command: 'find -P /etc/cron.d/ -maxdepth 0 -perm /u+s,g+xwrs,o+xwrt -type d '
  register: files_found
  changed_when: false
  failed_when: false
  check_mode: false
  when: &when_perms_cron_d
    - DISA_STIG_RHEL_09_232040 | bool
    - configure_strategy | bool
    - file_permissions_cron_d | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - '"kernel-core" in ansible_facts.packages'
  tags: &tags_perms_cron_d
    - CCE-84183-3
    - DISA-STIG-RHEL-09-232040
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - configure_strategy
    - file_permissions_cron_d
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Set permissions for /etc/cron.d/ file(s)
  ansible.builtin.file:
    path: '{{ item }}'
    mode: u-s,g-xwrs,o-xwrt
    state: directory
  with_items:
    - '{{ files_found.stdout_lines }}'
  when: *when_perms_cron_d
  tags: *tags_perms_cron_d

- name: Find /etc/cron.daily/ file(s)
  ansible.builtin.command: 'find -P /etc/cron.daily/ -maxdepth 0 -perm /u+s,g+xwrs,o+xwrt -type d '
  register: files_found
  changed_when: false
  failed_when: false
  check_mode: false
  when: &when_perms_cron_daily
    - DISA_STIG_RHEL_09_232040 | bool
    - configure_strategy | bool
    - file_permissions_cron_daily | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - '"kernel-core" in ansible_facts.packages'
  tags: &tags_perms_cron_daily
    - CCE-84175-9
    - DISA-STIG-RHEL-09-232040
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - configure_strategy
    - file_permissions_cron_daily
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Set permissions for /etc/cron.daily/ file(s)
  ansible.builtin.file:
    path: '{{ item }}'
    mode: u-s,g-xwrs,o-xwrt
    state: directory
  with_items:
    - '{{ files_found.stdout_lines }}'
  when: *when_perms_cron_daily
  tags: *tags_perms_cron_daily

- name: Find /etc/cron.hourly/ file(s)
  ansible.builtin.command: 'find -P /etc/cron.hourly/ -maxdepth 0 -perm /u+s,g+xwrs,o+xwrt -type d '
  register: files_found
  changed_when: false
  failed_when: false
  check_mode: false
  when: &when_perms_cron_hourly
    - DISA_STIG_RHEL_09_232040 | bool
    - configure_strategy | bool
    - file_permissions_cron_hourly | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - '"kernel-core" in ansible_facts.packages'
  tags: &tags_perms_cron_hourly
    - CCE-84173-4
    - DISA-STIG-RHEL-09-232040
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - configure_strategy
    - file_permissions_cron_hourly
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Set permissions for /etc/cron.hourly/ file(s)
  ansible.builtin.file:
    path: '{{ item }}'
    mode: u-s,g-xwrs,o-xwrt
    state: directory
  with_items:
    - '{{ files_found.stdout_lines }}'
  when: *when_perms_cron_hourly
  tags: *tags_perms_cron_hourly

- name: Find /etc/cron.monthly/ file(s)
  ansible.builtin.command: 'find -P /etc/cron.monthly/ -maxdepth 0 -perm /u+s,g+xwrs,o+xwrt -type d '
  register: files_found
  changed_when: false
  failed_when: false
  check_mode: false
  when: &when_perms_cron_monthly
    - DISA_STIG_RHEL_09_232040 | bool
    - configure_strategy | bool
    - file_permissions_cron_monthly | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - '"kernel-core" in ansible_facts.packages'
  tags: &tags_perms_cron_monthly
    - CCE-84181-7
    - DISA-STIG-RHEL-09-232040
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - configure_strategy
    - file_permissions_cron_monthly
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Set permissions for /etc/cron.monthly/ file(s)
  ansible.builtin.file:
    path: '{{ item }}'
    mode: u-s,g-xwrs,o-xwrt
    state: directory
  with_items:
    - '{{ files_found.stdout_lines }}'
  when: *when_perms_cron_monthly
  tags: *tags_perms_cron_monthly

- name: Find /etc/cron.weekly/ file(s)
  ansible.builtin.command: 'find -P /etc/cron.weekly/ -maxdepth 0 -perm /u+s,g+xwrs,o+xwrt -type d '
  register: files_found
  changed_when: false
  failed_when: false
  check_mode: false
  when: &when_perms_cron_weekly
    - DISA_STIG_RHEL_09_232040 | bool
    - configure_strategy | bool
    - file_permissions_cron_weekly | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - '"kernel-core" in ansible_facts.packages'
  tags: &tags_perms_cron_weekly
    - CCE-84187-4
    - DISA-STIG-RHEL-09-232040
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - configure_strategy
    - file_permissions_cron_weekly
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Set permissions for /etc/cron.weekly/ file(s)
  ansible.builtin.file:
    path: '{{ item }}'
    mode: u-s,g-xwrs,o-xwrt
    state: directory
  with_items:
    - '{{ files_found.stdout_lines }}'
  when: *when_perms_cron_weekly
  tags: *tags_perms_cron_weekly

# /etc/crontab: no STIG switch on this rule (CCE-84176-7 only). Mode
# u-xs,g-xwrs,o-xwrt leaves at most user rw.
- name: Test for existence /etc/crontab
  ansible.builtin.stat:
    path: /etc/crontab
  register: file_exists
  when:
    - configure_strategy | bool
    - file_permissions_crontab | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - '"kernel-core" in ansible_facts.packages'
  tags: &tags_perms_crontab
    - CCE-84176-7
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - configure_strategy
    - file_permissions_crontab
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Ensure permission u-xs,g-xwrs,o-xwrt on /etc/crontab
  ansible.builtin.file:
    path: /etc/crontab
    mode: u-xs,g-xwrs,o-xwrt
  when:
    - configure_strategy | bool
    - file_permissions_crontab | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - '"kernel-core" in ansible_facts.packages'
    - file_exists.stat is defined and file_exists.stat.exists
  tags: *tags_perms_crontab

# ---- at/cron allow-list enforcement ----
# An empty allow file plus no deny file means only root may schedule jobs.
# `state: touch` with preserved timestamps creates the file if absent and
# otherwise leaves it alone apart from owner/mode. at.allow is created 0640 and
# cron.allow 0600 -- that difference comes from the profile and is kept as is.
- name: Ensure that /etc/at.allow exists - Add empty /etc/at.allow
  ansible.builtin.file:
    path: /etc/at.allow
    state: touch
    owner: '0'
    mode: '0640'
    modification_time: preserve
    access_time: preserve
  when:
    - disable_strategy | bool
    - file_at_allow_exists | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-86856-2
    - disable_strategy
    - file_at_allow_exists
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Ensure that /etc/at.deny does not exist - Remove /etc/at.deny
  ansible.builtin.file:
    path: /etc/at.deny
    state: absent
  when:
    - disable_strategy | bool
    - file_at_deny_not_exist | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-86946-1
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - disable_strategy
    - file_at_deny_not_exist
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Ensure that /etc/cron.allow exists - Add empty /etc/cron.allow
  ansible.builtin.file:
    path: /etc/cron.allow
    state: touch
    owner: '0'
    mode: '0600'
    modification_time: preserve
    access_time: preserve
  when:
    - disable_strategy | bool
    - file_cron_allow_exists | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-86185-6
    - disable_strategy
    - file_cron_allow_exists
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Ensure that /etc/cron.deny does not exist - Remove /etc/cron.deny
  ansible.builtin.file:
    path: /etc/cron.deny
    state: absent
  when:
    - disable_strategy | bool
    - file_cron_deny_not_exist | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-86850-5
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - disable_strategy
    - file_cron_deny_not_exist
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

# Group owner of the allow files (no STIG switch; at.allow has no NIST tags).
- name: Set the file_groupowner_at_allow_newgroup variable if represented by gid
  ansible.builtin.set_fact:
    file_groupowner_at_allow_newgroup: '0'
  when: &when_groupowner_at_allow
    - configure_strategy | bool
    - file_groupowner_at_allow | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - '"kernel-core" in ansible_facts.packages'
  tags: &tags_groupowner_at_allow
    - CCE-87103-8
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - configure_strategy
    - file_groupowner_at_allow
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Test for existence /etc/at.allow
  ansible.builtin.stat:
    path: /etc/at.allow
  register: file_exists
  when: *when_groupowner_at_allow
  tags: *tags_groupowner_at_allow

- name: Ensure group owner on /etc/at.allow
  ansible.builtin.file:
    path: /etc/at.allow
    follow: false
    group: '{{ file_groupowner_at_allow_newgroup }}'
  when:
    - configure_strategy | bool
    - file_groupowner_at_allow | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - '"kernel-core" in ansible_facts.packages'
    - file_exists.stat is defined and file_exists.stat.exists
  tags: *tags_groupowner_at_allow

- name: Set the file_groupowner_cron_allow_newgroup variable if represented by gid
  ansible.builtin.set_fact:
    file_groupowner_cron_allow_newgroup: '0'
  when: &when_groupowner_cron_allow
    - configure_strategy | bool
    - file_groupowner_cron_allow | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - '"kernel-core" in ansible_facts.packages'
  tags: &tags_groupowner_cron_allow
    - CCE-86830-7
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - configure_strategy
    - file_groupowner_cron_allow
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Test for existence /etc/cron.allow
  ansible.builtin.stat:
    path: /etc/cron.allow
  register: file_exists
  when: *when_groupowner_cron_allow
  tags: *tags_groupowner_cron_allow

# The tag list of this task continues on the next line.
- name: Ensure group owner on /etc/cron.allow
  ansible.builtin.file:
    path: /etc/cron.allow
    follow: false
    group: '{{ file_groupowner_cron_allow_newgroup }}'
  when:
    - configure_strategy | bool
    - file_groupowner_cron_allow | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - '"kernel-core" in ansible_facts.packages'
    - file_exists.stat is defined and file_exists.stat.exists
  tags:
CCE-86830-7 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSSv4-2.2 - PCI-DSSv4-2.2.6 - configure_strategy - file_groupowner_cron_allow - low_complexity - low_disruption - medium_severity - no_reboot_needed - name: Set the file_owner_cron_allow_newown variable if represented by uid ansible.builtin.set_fact: file_owner_cron_allow_newown: '0' when: - configure_strategy | bool - file_owner_cron_allow | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-86844-8 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSSv4-2.2 - PCI-DSSv4-2.2.6 - configure_strategy - file_owner_cron_allow - low_complexity - low_disruption - medium_severity - no_reboot_needed - name: Test for existence /etc/cron.allow ansible.builtin.stat: path: /etc/cron.allow register: file_exists when: - configure_strategy | bool - file_owner_cron_allow | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-86844-8 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSSv4-2.2 - PCI-DSSv4-2.2.6 - configure_strategy - file_owner_cron_allow - low_complexity - low_disruption - medium_severity - no_reboot_needed - name: Ensure owner on /etc/cron.allow ansible.builtin.file: path: /etc/cron.allow follow: false owner: '{{ file_owner_cron_allow_newown }}' when: - configure_strategy | bool - file_owner_cron_allow | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - '"kernel-core" in ansible_facts.packages' - file_exists.stat is defined and file_exists.stat.exists tags: - CCE-86844-8 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSSv4-2.2 - PCI-DSSv4-2.2.6 - configure_strategy - file_owner_cron_allow - low_complexity - low_disruption - medium_severity - no_reboot_needed - name: Test for existence /etc/at.allow ansible.builtin.stat: path: 
/etc/at.allow register: file_exists when: - configure_strategy | bool - file_permissions_at_allow | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-86904-0 - PCI-DSSv4-2.2 - PCI-DSSv4-2.2.6 - configure_strategy - file_permissions_at_allow - low_complexity - low_disruption - medium_severity - no_reboot_needed - name: Ensure permission u-xs,g-xws,o-xwrt on /etc/at.allow ansible.builtin.file: path: /etc/at.allow mode: u-xs,g-xws,o-xwrt when: - configure_strategy | bool - file_permissions_at_allow | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - '"kernel-core" in ansible_facts.packages' - file_exists.stat is defined and file_exists.stat.exists tags: - CCE-86904-0 - PCI-DSSv4-2.2 - PCI-DSSv4-2.2.6 - configure_strategy - file_permissions_at_allow - low_complexity - low_disruption - medium_severity - no_reboot_needed - name: Test for existence /etc/cron.allow ansible.builtin.stat: path: /etc/cron.allow register: file_exists when: - configure_strategy | bool - file_permissions_cron_allow | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-86877-8 - PCI-DSSv4-2.2 - PCI-DSSv4-2.2.6 - configure_strategy - file_permissions_cron_allow - low_complexity - low_disruption - medium_severity - no_reboot_needed - name: Ensure permission u-xs,g-xwrs,o-xwrt on /etc/cron.allow ansible.builtin.file: path: /etc/cron.allow mode: u-xs,g-xwrs,o-xwrt when: - configure_strategy | bool - file_permissions_cron_allow | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - '"kernel-core" in ansible_facts.packages' - file_exists.stat is defined and file_exists.stat.exists tags: - CCE-86877-8 - PCI-DSSv4-2.2 - PCI-DSSv4-2.2.6 - configure_strategy - 
file_permissions_cron_allow - low_complexity - low_disruption - medium_severity - no_reboot_needed - name: Make changes to Postfix configuration file ansible.builtin.lineinfile: path: /etc/postfix/main.cf create: false regexp: (?i)^inet_interfaces\s*=\s.* line: inet_interfaces = {{ var_postfix_inet_interfaces }} state: present insertafter: ^inet_interfaces\s*=\s.* when: - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - postfix_network_listening_disabled | bool - restrict_strategy | bool - '"kernel-core" in ansible_facts.packages' - '"postfix" in ansible_facts.packages' - '"postfix" in ansible_facts.packages' tags: - CCE-90825-1 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - PCI-DSSv4-1.4 - PCI-DSSv4-1.4.2 - low_complexity - low_disruption - medium_severity - no_reboot_needed - postfix_network_listening_disabled - restrict_strategy - name: Detect if chrony is already configured with pools or servers ansible.builtin.find: path: /etc patterns: chrony.conf contains: ^[\s]*(?:server|pool)[\s]+[\w]+ register: chrony_servers when: - DISA_STIG_RHEL_09_252020 | bool - chronyd_specify_remote_server | bool - configure_strategy | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - '"kernel-core" in ansible_facts.packages' - '"chrony" in ansible_facts.packages' tags: - CCE-84218-7 - DISA-STIG-RHEL-09-252020 - NIST-800-53-AU-8(1)(a) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.4.3 - PCI-DSSv4-10.6 - PCI-DSSv4-10.6.2 - chronyd_specify_remote_server - configure_strategy - low_complexity - low_disruption - medium_severity - no_reboot_needed - name: Configure remote time servers ansible.builtin.lineinfile: path: /etc/chrony.conf line: server {{ item }} state: present create: true loop: '{{ var_multiple_time_servers.split(",") }}' when: - DISA_STIG_RHEL_09_252020 | bool - chronyd_specify_remote_server | bool - configure_strategy | bool - low_complexity | bool - 
low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - '"kernel-core" in ansible_facts.packages' - '"chrony" in ansible_facts.packages' - chrony_servers.matched == 0 tags: - CCE-84218-7 - DISA-STIG-RHEL-09-252020 - NIST-800-53-AU-8(1)(a) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.4.3 - PCI-DSSv4-10.6 - PCI-DSSv4-10.6.2 - chronyd_specify_remote_server - configure_strategy - low_complexity - low_disruption - medium_severity - no_reboot_needed - name: Detect if file /etc/sysconfig/chronyd is not empty or missing ansible.builtin.find: path: /etc/sysconfig/ patterns: chronyd contains: ^([\s]*OPTIONS=["]?[^"]*)("?) register: chronyd_file when: - chronyd_run_as_chrony_user | bool - configure_strategy | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - '"kernel-core" in ansible_facts.packages' - '"chrony" in ansible_facts.packages' tags: - CCE-84108-0 - PCI-DSSv4-10.6 - PCI-DSSv4-10.6.3 - chronyd_run_as_chrony_user - configure_strategy - low_complexity - low_disruption - medium_severity - no_reboot_needed - name: Remove any previous configuration of user used to run chronyd process ansible.builtin.replace: path: /etc/sysconfig/chronyd regexp: \s*-u\s*\w+\s* replace: ' ' when: - chronyd_run_as_chrony_user | bool - configure_strategy | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - '"kernel-core" in ansible_facts.packages' - '"chrony" in ansible_facts.packages' - chronyd_file is defined and chronyd_file.matched > 0 tags: - CCE-84108-0 - PCI-DSSv4-10.6 - PCI-DSSv4-10.6.3 - chronyd_run_as_chrony_user - configure_strategy - low_complexity - low_disruption - medium_severity - no_reboot_needed - name: Detect .rhosts files in users home directories ansible.builtin.find: paths: - /root - /home recurse: true patterns: .rhosts hidden: true file_type: file check_mode: false register: rhosts_locations when: - high_severity | bool - low_complexity | bool - 
low_disruption | bool - no_reboot_needed | bool - no_rsh_trust_files | bool - restrict_strategy | bool - '"rsh-server" in ansible_facts.packages' tags: - CCE-84145-2 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - high_severity - low_complexity - low_disruption - no_reboot_needed - no_rsh_trust_files - restrict_strategy - name: Remove .rhosts files ansible.builtin.file: path: '{{ item }}' state: absent with_items: '{{ rhosts_locations.files | map(attribute=''path'') | list }}' when: - high_severity | bool - low_complexity | bool - low_disruption | bool - no_reboot_needed | bool - no_rsh_trust_files | bool - restrict_strategy | bool - '"rsh-server" in ansible_facts.packages' - rhosts_locations is success tags: - CCE-84145-2 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - high_severity - low_complexity - low_disruption - no_reboot_needed - no_rsh_trust_files - restrict_strategy - name: Remove /etc/hosts.equiv file ansible.builtin.file: path: /etc/hosts.equiv state: absent when: - high_severity | bool - low_complexity | bool - low_disruption | bool - no_reboot_needed | bool - no_rsh_trust_files | bool - restrict_strategy | bool - '"rsh-server" in ansible_facts.packages' tags: - CCE-84145-2 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - high_severity - low_complexity - low_disruption - no_reboot_needed - no_rsh_trust_files - restrict_strategy - name: Set the file_groupowner_sshd_config_newgroup variable if represented by gid ansible.builtin.set_fact: file_groupowner_sshd_config_newgroup: '0' when: - DISA_STIG_RHEL_09_255105 | bool - configure_strategy | bool - file_groupowner_sshd_config | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-90817-8 - DISA-STIG-RHEL-09-255105 - NIST-800-53-AC-17(a) - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - configure_strategy - file_groupowner_sshd_config - 
low_complexity - low_disruption - medium_severity - no_reboot_needed - name: Test for existence /etc/ssh/sshd_config ansible.builtin.stat: path: /etc/ssh/sshd_config register: file_exists when: - DISA_STIG_RHEL_09_255105 | bool - configure_strategy | bool - file_groupowner_sshd_config | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-90817-8 - DISA-STIG-RHEL-09-255105 - NIST-800-53-AC-17(a) - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - configure_strategy - file_groupowner_sshd_config - low_complexity - low_disruption - medium_severity - no_reboot_needed - name: Ensure group owner on /etc/ssh/sshd_config ansible.builtin.file: path: /etc/ssh/sshd_config follow: false group: '{{ file_groupowner_sshd_config_newgroup }}' when: - DISA_STIG_RHEL_09_255105 | bool - configure_strategy | bool - file_groupowner_sshd_config | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - '"kernel-core" in ansible_facts.packages' - file_exists.stat is defined and file_exists.stat.exists tags: - CCE-90817-8 - DISA-STIG-RHEL-09-255105 - NIST-800-53-AC-17(a) - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - configure_strategy - file_groupowner_sshd_config - low_complexity - low_disruption - medium_severity - no_reboot_needed - name: Check that the ssh_keys group is defined ansible.builtin.getent: database: group key: ssh_keys ignore_errors: true when: - configure_strategy | bool - file_groupownership_sshd_private_key | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - '"kernel-core" in ansible_facts.packages' - file_groupownership_sshd_private_key_newgroup is undefined tags: - CCE-86127-8 - configure_strategy - file_groupownership_sshd_private_key - low_complexity - low_disruption - medium_severity - no_reboot_needed - name: Set the file_groupownership_sshd_private_key_newgroup 
variable if ssh_keys found ansible.builtin.set_fact: file_groupownership_sshd_private_key_newgroup: ssh_keys when: - configure_strategy | bool - file_groupownership_sshd_private_key | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - '"kernel-core" in ansible_facts.packages' - ansible_facts.getent_group["ssh_keys"] is defined tags: - CCE-86127-8 - configure_strategy - file_groupownership_sshd_private_key - low_complexity - low_disruption - medium_severity - no_reboot_needed - name: Find /etc/ssh/ file(s) matching ^.*_key$ ansible.builtin.command: find -P /etc/ssh/ -maxdepth 1 -type f ! -group ssh_keys -regextype posix-extended -regex "^.*_key$" register: files_found changed_when: false failed_when: false check_mode: false when: - configure_strategy | bool - file_groupownership_sshd_private_key | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-86127-8 - configure_strategy - file_groupownership_sshd_private_key - low_complexity - low_disruption - medium_severity - no_reboot_needed - name: Ensure group owner on /etc/ssh/ file(s) matching ^.*_key$ ansible.builtin.file: path: '{{ item }}' follow: false group: '{{ file_groupownership_sshd_private_key_newgroup }}' state: file with_items: - '{{ files_found.stdout_lines }}' when: - configure_strategy | bool - file_groupownership_sshd_private_key | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-86127-8 - configure_strategy - file_groupownership_sshd_private_key - low_complexity - low_disruption - medium_severity - no_reboot_needed - name: Set the file_groupownership_sshd_pub_key_newgroup variable if represented by gid ansible.builtin.set_fact: file_groupownership_sshd_pub_key_newgroup: '0' when: - configure_strategy | bool - 
file_groupownership_sshd_pub_key | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-86136-9 - configure_strategy - file_groupownership_sshd_pub_key - low_complexity - low_disruption - medium_severity - no_reboot_needed - name: Find /etc/ssh/ file(s) matching ^.*\.pub$ ansible.builtin.command: find -P /etc/ssh/ -maxdepth 1 -type f ! -group 0 -regextype posix-extended -regex "^.*\.pub$" register: files_found changed_when: false failed_when: false check_mode: false when: - configure_strategy | bool - file_groupownership_sshd_pub_key | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-86136-9 - configure_strategy - file_groupownership_sshd_pub_key - low_complexity - low_disruption - medium_severity - no_reboot_needed - name: Ensure group owner on /etc/ssh/ file(s) matching ^.*\.pub$ ansible.builtin.file: path: '{{ item }}' follow: false group: '{{ file_groupownership_sshd_pub_key_newgroup }}' state: file with_items: - '{{ files_found.stdout_lines }}' when: - configure_strategy | bool - file_groupownership_sshd_pub_key | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-86136-9 - configure_strategy - file_groupownership_sshd_pub_key - low_complexity - low_disruption - medium_severity - no_reboot_needed - name: Set the file_owner_sshd_config_newown variable if represented by uid ansible.builtin.set_fact: file_owner_sshd_config_newown: '0' when: - DISA_STIG_RHEL_09_255110 | bool - configure_strategy | bool - file_owner_sshd_config | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-90821-0 - DISA-STIG-RHEL-09-255110 - NIST-800-53-AC-17(a) 
- NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - configure_strategy - file_owner_sshd_config - low_complexity - low_disruption - medium_severity - no_reboot_needed - name: Test for existence /etc/ssh/sshd_config ansible.builtin.stat: path: /etc/ssh/sshd_config register: file_exists when: - DISA_STIG_RHEL_09_255110 | bool - configure_strategy | bool - file_owner_sshd_config | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-90821-0 - DISA-STIG-RHEL-09-255110 - NIST-800-53-AC-17(a) - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - configure_strategy - file_owner_sshd_config - low_complexity - low_disruption - medium_severity - no_reboot_needed - name: Ensure owner on /etc/ssh/sshd_config ansible.builtin.file: path: /etc/ssh/sshd_config follow: false owner: '{{ file_owner_sshd_config_newown }}' when: - DISA_STIG_RHEL_09_255110 | bool - configure_strategy | bool - file_owner_sshd_config | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - '"kernel-core" in ansible_facts.packages' - file_exists.stat is defined and file_exists.stat.exists tags: - CCE-90821-0 - DISA-STIG-RHEL-09-255110 - NIST-800-53-AC-17(a) - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - configure_strategy - file_owner_sshd_config - low_complexity - low_disruption - medium_severity - no_reboot_needed - name: Set the file_ownership_sshd_private_key_newown variable if represented by uid ansible.builtin.set_fact: file_ownership_sshd_private_key_newown: '0' when: - configure_strategy | bool - file_ownership_sshd_private_key | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-86119-5 - configure_strategy - file_ownership_sshd_private_key - low_complexity - low_disruption - medium_severity - no_reboot_needed - name: Find /etc/ssh/ file(s) matching 
^.*_key$ ansible.builtin.command: find -P /etc/ssh/ -maxdepth 1 -type f ! -user 0 -regextype posix-extended -regex "^.*_key$" register: files_found changed_when: false failed_when: false check_mode: false when: - configure_strategy | bool - file_ownership_sshd_private_key | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-86119-5 - configure_strategy - file_ownership_sshd_private_key - low_complexity - low_disruption - medium_severity - no_reboot_needed - name: Ensure owner on /etc/ssh/ file(s) matching ^.*_key$ ansible.builtin.file: path: '{{ item }}' follow: false owner: '{{ file_ownership_sshd_private_key_newown }}' state: file with_items: - '{{ files_found.stdout_lines }}' when: - configure_strategy | bool - file_ownership_sshd_private_key | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-86119-5 - configure_strategy - file_ownership_sshd_private_key - low_complexity - low_disruption - medium_severity - no_reboot_needed - name: Set the file_ownership_sshd_pub_key_newown variable if represented by uid ansible.builtin.set_fact: file_ownership_sshd_pub_key_newown: '0' when: - configure_strategy | bool - file_ownership_sshd_pub_key | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-86130-2 - configure_strategy - file_ownership_sshd_pub_key - low_complexity - low_disruption - medium_severity - no_reboot_needed - name: Find /etc/ssh/ file(s) matching ^.*\.pub$ ansible.builtin.command: find -P /etc/ssh/ -maxdepth 1 -type f ! 
-user 0 -regextype posix-extended -regex "^.*\.pub$" register: files_found changed_when: false failed_when: false check_mode: false when: - configure_strategy | bool - file_ownership_sshd_pub_key | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-86130-2 - configure_strategy - file_ownership_sshd_pub_key - low_complexity - low_disruption - medium_severity - no_reboot_needed - name: Ensure owner on /etc/ssh/ file(s) matching ^.*\.pub$ ansible.builtin.file: path: '{{ item }}' follow: false owner: '{{ file_ownership_sshd_pub_key_newown }}' state: file with_items: - '{{ files_found.stdout_lines }}' when: - configure_strategy | bool - file_ownership_sshd_pub_key | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-86130-2 - configure_strategy - file_ownership_sshd_pub_key - low_complexity - low_disruption - medium_severity - no_reboot_needed - name: Test for existence /etc/ssh/sshd_config ansible.builtin.stat: path: /etc/ssh/sshd_config register: file_exists when: - DISA_STIG_RHEL_09_255115 | bool - configure_strategy | bool - file_permissions_sshd_config | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-90818-6 - DISA-STIG-RHEL-09-255115 - NIST-800-53-AC-17(a) - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSSv4-2.2 - PCI-DSSv4-2.2.6 - configure_strategy - file_permissions_sshd_config - low_complexity - low_disruption - medium_severity - no_reboot_needed - name: Ensure permission u-xs,g-xwrs,o-xwrt on /etc/ssh/sshd_config ansible.builtin.file: path: /etc/ssh/sshd_config mode: u-xs,g-xwrs,o-xwrt when: - DISA_STIG_RHEL_09_255115 | bool - configure_strategy | bool - file_permissions_sshd_config | bool - low_complexity | bool - low_disruption | 
bool - medium_severity | bool - no_reboot_needed | bool - '"kernel-core" in ansible_facts.packages' - file_exists.stat is defined and file_exists.stat.exists tags: - CCE-90818-6 - DISA-STIG-RHEL-09-255115 - NIST-800-53-AC-17(a) - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSSv4-2.2 - PCI-DSSv4-2.2.6 - configure_strategy - file_permissions_sshd_config - low_complexity - low_disruption - medium_severity - no_reboot_needed - name: Find root:root-owned keys ansible.builtin.command: find -H /etc/ssh/ -maxdepth 1 -user root -regex ".*_key$" -type f -group root -perm /u+xs,g+xwrs,o+xwrt register: root_owned_keys changed_when: false failed_when: false check_mode: false when: - DISA_STIG_RHEL_09_255120 | bool - configure_strategy | bool - file_permissions_sshd_private_key | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-90820-2 - DISA-STIG-RHEL-09-255120 - NIST-800-171-3.1.13 - NIST-800-171-3.13.10 - NIST-800-53-AC-17(a) - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-2.2.4 - PCI-DSSv4-2.2 - PCI-DSSv4-2.2.6 - configure_strategy - file_permissions_sshd_private_key - low_complexity - low_disruption - medium_severity - no_reboot_needed - name: Set permissions for root:root-owned keys ansible.builtin.file: path: '{{ item }}' mode: u-xs,g-xwrs,o-xwrt state: file with_items: - '{{ root_owned_keys.stdout_lines }}' when: - DISA_STIG_RHEL_09_255120 | bool - configure_strategy | bool - file_permissions_sshd_private_key | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-90820-2 - DISA-STIG-RHEL-09-255120 - NIST-800-171-3.1.13 - NIST-800-171-3.13.10 - NIST-800-53-AC-17(a) - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-2.2.4 - PCI-DSSv4-2.2 - PCI-DSSv4-2.2.6 - configure_strategy - file_permissions_sshd_private_key - low_complexity - 
low_disruption - medium_severity - no_reboot_needed - name: Find root:ssh_keys-owned keys ansible.builtin.command: find -H /etc/ssh/ -maxdepth 1 -user root -regex ".*_key$" -type f -group ssh_keys -perm /u+xs,g+xws,o+xwrt register: dedicated_group_owned_keys changed_when: false failed_when: false check_mode: false when: - DISA_STIG_RHEL_09_255120 | bool - configure_strategy | bool - file_permissions_sshd_private_key | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-90820-2 - DISA-STIG-RHEL-09-255120 - NIST-800-171-3.1.13 - NIST-800-171-3.13.10 - NIST-800-53-AC-17(a) - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-2.2.4 - PCI-DSSv4-2.2 - PCI-DSSv4-2.2.6 - configure_strategy - file_permissions_sshd_private_key - low_complexity - low_disruption - medium_severity - no_reboot_needed - name: Set permissions for root:ssh_keys-owned keys ansible.builtin.file: path: '{{ item }}' mode: u-xs,g-xws,o-xwrt state: file with_items: - '{{ dedicated_group_owned_keys.stdout_lines }}' when: - DISA_STIG_RHEL_09_255120 | bool - configure_strategy | bool - file_permissions_sshd_private_key | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-90820-2 - DISA-STIG-RHEL-09-255120 - NIST-800-171-3.1.13 - NIST-800-171-3.13.10 - NIST-800-53-AC-17(a) - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-2.2.4 - PCI-DSSv4-2.2 - PCI-DSSv4-2.2.6 - configure_strategy - file_permissions_sshd_private_key - low_complexity - low_disruption - medium_severity - no_reboot_needed - name: Find /etc/ssh/ file(s) ansible.builtin.command: find -P /etc/ssh/ -maxdepth 1 -perm /u+xs,g+xws,o+xwt -type f -regextype posix-extended -regex "^.*\.pub$" register: files_found changed_when: false failed_when: false check_mode: false when: - DISA_STIG_RHEL_09_255125 | bool - 
configure_strategy | bool - file_permissions_sshd_pub_key | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-90819-4 - DISA-STIG-RHEL-09-255125 - NIST-800-171-3.1.13 - NIST-800-171-3.13.10 - NIST-800-53-AC-17(a) - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-2.2.4 - PCI-DSSv4-2.2 - PCI-DSSv4-2.2.6 - configure_strategy - file_permissions_sshd_pub_key - low_complexity - low_disruption - medium_severity - no_reboot_needed - name: Set permissions for /etc/ssh/ file(s) ansible.builtin.file: path: '{{ item }}' mode: u-xs,g-xws,o-xwt state: file with_items: - '{{ files_found.stdout_lines }}' when: - DISA_STIG_RHEL_09_255125 | bool - configure_strategy | bool - file_permissions_sshd_pub_key | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-90819-4 - DISA-STIG-RHEL-09-255125 - NIST-800-171-3.1.13 - NIST-800-171-3.13.10 - NIST-800-53-AC-17(a) - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-2.2.4 - PCI-DSSv4-2.2 - PCI-DSSv4-2.2.6 - configure_strategy - file_permissions_sshd_pub_key - low_complexity - low_disruption - medium_severity - no_reboot_needed - name: Set SSH Client Alive Count Max - Check if the parameter ClientAliveCountMax is configured ansible.builtin.find: paths: - /etc/ssh/sshd_config - /etc/ssh/sshd_config.d contains: (?i)^\s*{{ "ClientAliveCountMax"| regex_escape }}\s+ register: _sshd_config_has_parameter when: - DISA_STIG_RHEL_09_255095 | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - sshd_set_keepalive | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-90805-3 - CJIS-5.5.6 - DISA-STIG-RHEL-09-255095 - NIST-800-171-3.1.11 - NIST-800-53-AC-12 - NIST-800-53-AC-17(a) - NIST-800-53-AC-2(5) - NIST-800-53-CM-6(a) - 
NIST-800-53-SC-10 - PCI-DSS-Req-8.1.8 - PCI-DSSv4-8.2 - PCI-DSSv4-8.2.8 - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - sshd_set_keepalive - name: Set SSH Client Alive Count Max - Check if the parameter ClientAliveCountMax is configured correctly ansible.builtin.find: paths: - /etc/ssh/sshd_config - /etc/ssh/sshd_config.d contains: (?i)^\s*{{ "ClientAliveCountMax"| regex_escape }}\s+{{ var_sshd_set_keepalive }}$ register: _sshd_config_correctly when: - DISA_STIG_RHEL_09_255095 | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - sshd_set_keepalive | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-90805-3 - CJIS-5.5.6 - DISA-STIG-RHEL-09-255095 - NIST-800-171-3.1.11 - NIST-800-53-AC-12 - NIST-800-53-AC-17(a) - NIST-800-53-AC-2(5) - NIST-800-53-CM-6(a) - NIST-800-53-SC-10 - PCI-DSS-Req-8.1.8 - PCI-DSSv4-8.2 - PCI-DSSv4-8.2.8 - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - sshd_set_keepalive - name: Set SSH Client Alive Count Max block: - name: Deduplicate values from /etc/ssh/sshd_config ansible.builtin.lineinfile: path: /etc/ssh/sshd_config create: false regexp: (?i)(?i)^\s*{{ "ClientAliveCountMax"| regex_escape }}\s+ state: absent - name: Check if /etc/ssh/sshd_config.d exists ansible.builtin.stat: path: /etc/ssh/sshd_config.d register: _etc_ssh_sshd_config_d_exists - name: Check if the parameter ClientAliveCountMax is present in /etc/ssh/sshd_config.d ansible.builtin.find: paths: /etc/ssh/sshd_config.d recurse: 'yes' follow: 'no' contains: (?i)^\s*{{ "ClientAliveCountMax"| regex_escape }}\s+ register: _etc_ssh_sshd_config_d_has_parameter when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir - name: Remove parameter from files in /etc/ssh/sshd_config.d ansible.builtin.lineinfile: path: '{{ item.path }}' create: false regexp: 
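(?i)(?i)^\s*{{ "ClientAliveCountMax"| regex_escape }}\s+ state: absent with_items: '{{ _etc_ssh_sshd_config_d_has_parameter.files }}' when: _etc_ssh_sshd_config_d_has_parameter.matched
    # Every sshd rule in this file follows the same generated five-step pattern:
    #   1. find whether the directive is set anywhere in sshd_config / sshd_config.d
    #   2. find whether it is already set to the required value
    #   3. (block) strip every existing definition, then write the required line at
    #      the top of the ComplianceAsCode drop-in, validated with `sshd -t -f` first
    #   4. pin the drop-in to mode 0600
    # sshd honours the first occurrence of a directive, so the line is inserted at
    # BOF; this relies on sshd_config including sshd_config.d/*.conf before any of
    # its own settings (RHEL 9 default) — confirm on hosts with a customised
    # sshd_config. `validate` checks the drop-in on its own, not the merged
    # configuration, so a conflict that only appears in combination is not caught.
    - name: Insert correct line to /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
        create: true
        regexp: '(?i)^\s*{{ "ClientAliveCountMax"| regex_escape }}\s+'
        line: 'ClientAliveCountMax {{ var_sshd_set_keepalive }}'
        state: present
        insertbefore: BOF
        validate: /usr/sbin/sshd -t -f %s
  when:
    - DISA_STIG_RHEL_09_255095 | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - sshd_set_keepalive | bool
    - '"kernel-core" in ansible_facts.packages'
    # rewrite when the value is wrong or the directive is defined in more than one file
    - _sshd_config_correctly.matched == 0 or _sshd_config_has_parameter.matched != 1
  tags:
    - CCE-90805-3
    - CJIS-5.5.6
    - DISA-STIG-RHEL-09-255095
    - NIST-800-171-3.1.11
    - NIST-800-53-AC-12
    - NIST-800-53-AC-17(a)
    - NIST-800-53-AC-2(5)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-SC-10
    - PCI-DSS-Req-8.1.8
    - PCI-DSSv4-8.2
    - PCI-DSSv4-8.2.8
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
    - sshd_set_keepalive

- name: Set SSH Client Alive Count Max - set file mode for /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
  ansible.builtin.file:
    path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
    mode: '0600'
    state: touch
    modification_time: preserve
    access_time: preserve
  when:
    - DISA_STIG_RHEL_09_255095 | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - sshd_set_keepalive | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-90805-3
    - CJIS-5.5.6
    - DISA-STIG-RHEL-09-255095
    - NIST-800-171-3.1.11
    - NIST-800-53-AC-12
    - NIST-800-53-AC-17(a)
    - NIST-800-53-AC-2(5)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-SC-10
    - PCI-DSS-Req-8.1.8
    - PCI-DSSv4-8.2
    - PCI-DSSv4-8.2.8
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
    - sshd_set_keepalive

# ClientAliveInterval: idle session timeout (value from sshd_idle_timeout_value).
# The duplicated NIST-800-53-AC-17(a) / CM-6(a) tags of the generated source are
# collapsed to one entry each.
- name: Set SSH Client Alive Interval - Check if the parameter ClientAliveInterval is configured
  ansible.builtin.find:
    paths:
      - /etc/ssh/sshd_config
      - /etc/ssh/sshd_config.d
    contains: '(?i)^\s*{{ "ClientAliveInterval"| regex_escape }}\s+'
  register: _sshd_config_has_parameter
  when:
    - DISA_STIG_RHEL_09_255100 | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - sshd_set_idle_timeout | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-90811-1
    - CJIS-5.5.6
    - DISA-STIG-RHEL-09-255100
    - NIST-800-171-3.1.11
    - NIST-800-53-AC-12
    - NIST-800-53-AC-17(a)
    - NIST-800-53-AC-2(5)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-SC-10
    - PCI-DSS-Req-8.1.8
    - PCI-DSSv4-8.2
    - PCI-DSSv4-8.2.8
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
    - sshd_set_idle_timeout

- name: Set SSH Client Alive Interval - Check if the parameter ClientAliveInterval is configured correctly
  ansible.builtin.find:
    paths:
      - /etc/ssh/sshd_config
      - /etc/ssh/sshd_config.d
    contains: '(?i)^\s*{{ "ClientAliveInterval"| regex_escape }}\s+{{ sshd_idle_timeout_value }}$'
  register: _sshd_config_correctly
  when:
    - DISA_STIG_RHEL_09_255100 | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - sshd_set_idle_timeout | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-90811-1
    - CJIS-5.5.6
    - DISA-STIG-RHEL-09-255100
    - NIST-800-171-3.1.11
    - NIST-800-53-AC-12
    - NIST-800-53-AC-17(a)
    - NIST-800-53-AC-2(5)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-SC-10
    - PCI-DSS-Req-8.1.8
    - PCI-DSSv4-8.2
    - PCI-DSSv4-8.2.8
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
    - sshd_set_idle_timeout

- name: Set SSH Client Alive Interval
  block:
    - name: Deduplicate values from /etc/ssh/sshd_config
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        create: false
        regexp: '(?i)^\s*{{ "ClientAliveInterval"| regex_escape }}\s+'
        state: absent

    - name: Check if /etc/ssh/sshd_config.d exists
      ansible.builtin.stat:
        path: /etc/ssh/sshd_config.d
      register: _etc_ssh_sshd_config_d_exists

    - name: Check if the parameter ClientAliveInterval is present in /etc/ssh/sshd_config.d
      ansible.builtin.find:
        paths: /etc/ssh/sshd_config.d
        recurse: true
        follow: false
        contains: '(?i)^\s*{{ "ClientAliveInterval"| regex_escape }}\s+'
      register: _etc_ssh_sshd_config_d_has_parameter
      when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir

    # default() guards: when the find above was skipped (no sshd_config.d
    # directory) its registered result carries neither .files nor .matched, and
    # the loop is evaluated before the condition, so the unguarded form fails
    # the play instead of skipping. Same guard is applied in every rule below.
    - name: Remove parameter from files in /etc/ssh/sshd_config.d
      ansible.builtin.lineinfile:
        path: '{{ item.path }}'
        create: false
        regexp: '(?i)^\s*{{ "ClientAliveInterval"| regex_escape }}\s+'
        state: absent
      loop: '{{ _etc_ssh_sshd_config_d_has_parameter.files | default([]) }}'
      when: _etc_ssh_sshd_config_d_has_parameter.matched | default(0)

    - name: Insert correct line to /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
        create: true
        regexp: '(?i)^\s*{{ "ClientAliveInterval"| regex_escape }}\s+'
        line: 'ClientAliveInterval {{ sshd_idle_timeout_value }}'
        state: present
        insertbefore: BOF
        validate: /usr/sbin/sshd -t -f %s
  when:
    - DISA_STIG_RHEL_09_255100 | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - sshd_set_idle_timeout | bool
    - '"kernel-core" in ansible_facts.packages'
    - _sshd_config_correctly.matched == 0 or _sshd_config_has_parameter.matched != 1
  tags:
    - CCE-90811-1
    - CJIS-5.5.6
    - DISA-STIG-RHEL-09-255100
    - NIST-800-171-3.1.11
    - NIST-800-53-AC-12
    - NIST-800-53-AC-17(a)
    - NIST-800-53-AC-2(5)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-SC-10
    - PCI-DSS-Req-8.1.8
    - PCI-DSSv4-8.2
    - PCI-DSSv4-8.2.8
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
    - sshd_set_idle_timeout

- name: Set SSH Client Alive Interval - set file mode for /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
  ansible.builtin.file:
    path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
    mode: '0600'
    state: touch
    modification_time: preserve
    access_time: preserve
  when:
    - DISA_STIG_RHEL_09_255100 | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - sshd_set_idle_timeout | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-90811-1
    - CJIS-5.5.6
    - DISA-STIG-RHEL-09-255100
    - NIST-800-171-3.1.11
    - NIST-800-53-AC-12
    - NIST-800-53-AC-17(a)
    - NIST-800-53-AC-2(5)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-SC-10
    - PCI-DSS-Req-8.1.8
    - PCI-DSSv4-8.2
    - PCI-DSSv4-8.2.8
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
    - sshd_set_idle_timeout

# HostbasedAuthentication no: written to the 01-...reinforce-os-defaults drop-in
# because it restates the upstream default rather than tightening it.
- name: Disable Host-Based Authentication - Check if the parameter HostbasedAuthentication is configured
  ansible.builtin.find:
    paths:
      - /etc/ssh/sshd_config
      - /etc/ssh/sshd_config.d
    contains: '(?i)^\s*{{ "HostbasedAuthentication"| regex_escape }}\s+'
  register: _sshd_config_has_parameter
  when:
    - DISA_STIG_RHEL_09_255080 | bool
    - disable_host_auth | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-90816-0
    - CJIS-5.5.6
    - DISA-STIG-RHEL-09-255080
    - NIST-800-171-3.1.12
    - NIST-800-53-AC-17(a)
    - NIST-800-53-AC-3
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - PCI-DSSv4-8.3
    - PCI-DSSv4-8.3.1
    - disable_host_auth
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Disable Host-Based Authentication - Check if the parameter HostbasedAuthentication is configured correctly
  ansible.builtin.find:
    paths:
      - /etc/ssh/sshd_config
      - /etc/ssh/sshd_config.d
    contains: '(?i)^\s*{{ "HostbasedAuthentication"| regex_escape }}\s+no$'
  register: _sshd_config_correctly
  when:
    - DISA_STIG_RHEL_09_255080 | bool
    - disable_host_auth | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-90816-0
    - CJIS-5.5.6
    - DISA-STIG-RHEL-09-255080
    - NIST-800-171-3.1.12
    - NIST-800-53-AC-17(a)
    - NIST-800-53-AC-3
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - PCI-DSSv4-8.3
    - PCI-DSSv4-8.3.1
    - disable_host_auth
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Disable Host-Based Authentication
  block:
    - name: Deduplicate values from /etc/ssh/sshd_config
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        create: false
        regexp: '(?i)^\s*{{ "HostbasedAuthentication"| regex_escape }}\s+'
        state: absent

    - name: Check if /etc/ssh/sshd_config.d exists
      ansible.builtin.stat:
        path: /etc/ssh/sshd_config.d
      register: _etc_ssh_sshd_config_d_exists

    - name: Check if the parameter HostbasedAuthentication is present in /etc/ssh/sshd_config.d
      ansible.builtin.find:
        paths: /etc/ssh/sshd_config.d
        recurse: true
        follow: false
        contains: '(?i)^\s*{{ "HostbasedAuthentication"| regex_escape }}\s+'
      register: _etc_ssh_sshd_config_d_has_parameter
      when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir

    - name: Remove parameter from files in /etc/ssh/sshd_config.d
      ansible.builtin.lineinfile:
        path: '{{ item.path }}'
        create: false
        regexp: '(?i)^\s*{{ "HostbasedAuthentication"| regex_escape }}\s+'
        state: absent
      loop: '{{ _etc_ssh_sshd_config_d_has_parameter.files | default([]) }}'
      when: _etc_ssh_sshd_config_d_has_parameter.matched | default(0)

    - name: Insert correct line to /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
        create: true
        regexp: '(?i)^\s*{{ "HostbasedAuthentication"| regex_escape }}\s+'
        line: HostbasedAuthentication no
        state: present
        insertbefore: BOF
        validate: /usr/sbin/sshd -t -f %s
  when:
    - DISA_STIG_RHEL_09_255080 | bool
    - disable_host_auth | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - '"kernel-core" in ansible_facts.packages'
    - _sshd_config_correctly.matched == 0 or _sshd_config_has_parameter.matched != 1
  tags:
    - CCE-90816-0
    - CJIS-5.5.6
    - DISA-STIG-RHEL-09-255080
    - NIST-800-171-3.1.12
    - NIST-800-53-AC-17(a)
    - NIST-800-53-AC-3
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - PCI-DSSv4-8.3
    - PCI-DSSv4-8.3.1
    - disable_host_auth
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Disable Host-Based Authentication - set file mode for /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
  ansible.builtin.file:
    path: /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
    mode: '0600'
    state: touch
    modification_time: preserve
    access_time: preserve
  when:
    - DISA_STIG_RHEL_09_255080 | bool
    - disable_host_auth | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-90816-0
    - CJIS-5.5.6
    - DISA-STIG-RHEL-09-255080
    - NIST-800-171-3.1.12
    - NIST-800-53-AC-17(a)
    - NIST-800-53-AC-3
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - PCI-DSSv4-8.3
    - PCI-DSSv4-8.3.1
    - disable_host_auth
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

# PermitEmptyPasswords no (high severity): blank-password accounts must never be
# reachable over SSH.
- name: Disable SSH Access via Empty Passwords - Check if the parameter PermitEmptyPasswords is configured
  ansible.builtin.find:
    paths:
      - /etc/ssh/sshd_config
      - /etc/ssh/sshd_config.d
    contains: '(?i)^\s*{{ "PermitEmptyPasswords"| regex_escape }}\s+'
  register: _sshd_config_has_parameter
  when:
    - DISA_STIG_RHEL_09_255040 | bool
    - high_severity | bool
    - low_complexity | bool
    - low_disruption | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - sshd_disable_empty_passwords | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-90799-8
    - CJIS-5.5.6
    - DISA-STIG-RHEL-09-255040
    - NIST-800-171-3.1.1
    - NIST-800-171-3.1.5
    - NIST-800-53-AC-17(a)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - PCI-DSS-Req-2.2.4
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - high_severity
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - restrict_strategy
    - sshd_disable_empty_passwords

- name: Disable SSH Access via Empty Passwords - Check if the parameter PermitEmptyPasswords is configured correctly
  ansible.builtin.find:
    paths:
      - /etc/ssh/sshd_config
      - /etc/ssh/sshd_config.d
    contains: '(?i)^\s*{{ "PermitEmptyPasswords"| regex_escape }}\s+no$'
  register: _sshd_config_correctly
  when:
    - DISA_STIG_RHEL_09_255040 | bool
    - high_severity | bool
    - low_complexity | bool
    - low_disruption | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - sshd_disable_empty_passwords | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-90799-8
    - CJIS-5.5.6
    - DISA-STIG-RHEL-09-255040
    - NIST-800-171-3.1.1
    - NIST-800-171-3.1.5
    - NIST-800-53-AC-17(a)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - PCI-DSS-Req-2.2.4
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - high_severity
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - restrict_strategy
    - sshd_disable_empty_passwords

- name: Disable SSH Access via Empty Passwords
  block:
    - name: Deduplicate values from /etc/ssh/sshd_config
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        create: false
        regexp: '(?i)^\s*{{ "PermitEmptyPasswords"| regex_escape }}\s+'
        state: absent

    - name: Check if /etc/ssh/sshd_config.d exists
      ansible.builtin.stat:
        path: /etc/ssh/sshd_config.d
      register: _etc_ssh_sshd_config_d_exists

    - name: Check if the parameter PermitEmptyPasswords is present in /etc/ssh/sshd_config.d
      ansible.builtin.find:
        paths: /etc/ssh/sshd_config.d
        recurse: true
        follow: false
        contains: '(?i)^\s*{{ "PermitEmptyPasswords"| regex_escape }}\s+'
      register: _etc_ssh_sshd_config_d_has_parameter
      when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir

    - name: Remove parameter from files in /etc/ssh/sshd_config.d
      ansible.builtin.lineinfile:
        path: '{{ item.path }}'
        create: false
        regexp: '(?i)^\s*{{ "PermitEmptyPasswords"| regex_escape }}\s+'
        state: absent
      loop: '{{ _etc_ssh_sshd_config_d_has_parameter.files | default([]) }}'
      when: _etc_ssh_sshd_config_d_has_parameter.matched | default(0)

    - name: Insert correct line to /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
        create: true
        regexp: '(?i)^\s*{{ "PermitEmptyPasswords"| regex_escape }}\s+'
        line: PermitEmptyPasswords no
        state: present
        insertbefore: BOF
        validate: /usr/sbin/sshd -t -f %s
  when:
    - DISA_STIG_RHEL_09_255040 | bool
    - high_severity | bool
    - low_complexity | bool
    - low_disruption | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - sshd_disable_empty_passwords | bool
    - '"kernel-core" in ansible_facts.packages'
    - _sshd_config_correctly.matched == 0 or _sshd_config_has_parameter.matched != 1
  tags:
    - CCE-90799-8
    - CJIS-5.5.6
    - DISA-STIG-RHEL-09-255040
    - NIST-800-171-3.1.1
    - NIST-800-171-3.1.5
    - NIST-800-53-AC-17(a)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - PCI-DSS-Req-2.2.4
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - high_severity
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - restrict_strategy
    - sshd_disable_empty_passwords

- name: Disable SSH Access via Empty Passwords - set file mode for /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
  ansible.builtin.file:
    path: /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
    mode: '0600'
    state: touch
    modification_time: preserve
    access_time: preserve
  when:
    - DISA_STIG_RHEL_09_255040 | bool
    - high_severity | bool
    - low_complexity | bool
    - low_disruption | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - sshd_disable_empty_passwords | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-90799-8
    - CJIS-5.5.6
    - DISA-STIG-RHEL-09-255040
    - NIST-800-171-3.1.1
    - NIST-800-171-3.1.5
    - NIST-800-53-AC-17(a)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - PCI-DSS-Req-2.2.4
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - high_severity
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - restrict_strategy
    - sshd_disable_empty_passwords

# DisableForwarding yes: one directive that turns off X11, agent, TCP, StreamLocal
# and tunnel forwarding together; goes in the 00-hardening drop-in.
- name: Disable SSH Forwarding - Check if the parameter DisableForwarding is configured
  ansible.builtin.find:
    paths:
      - /etc/ssh/sshd_config
      - /etc/ssh/sshd_config.d
    contains: '(?i)^\s*{{ "DisableForwarding"| regex_escape }}\s+'
  register: _sshd_config_has_parameter
  when:
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - sshd_disable_forwarding | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-90197-5
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
    - sshd_disable_forwarding

- name: Disable SSH Forwarding - Check if the parameter DisableForwarding is configured correctly
  ansible.builtin.find:
    paths:
      - /etc/ssh/sshd_config
      - /etc/ssh/sshd_config.d
    contains: '(?i)^\s*{{ "DisableForwarding"| regex_escape }}\s+yes$'
  register: _sshd_config_correctly
  when:
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - sshd_disable_forwarding | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-90197-5
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
    - sshd_disable_forwarding

- name: Disable SSH Forwarding
  block:
    - name: Deduplicate values from /etc/ssh/sshd_config
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        create: false
        regexp: '(?i)^\s*{{ "DisableForwarding"| regex_escape }}\s+'
        state: absent

    - name: Check if /etc/ssh/sshd_config.d exists
      ansible.builtin.stat:
        path: /etc/ssh/sshd_config.d
      register: _etc_ssh_sshd_config_d_exists

    - name: Check if the parameter DisableForwarding is present in /etc/ssh/sshd_config.d
      ansible.builtin.find:
        paths: /etc/ssh/sshd_config.d
        recurse: true
        follow: false
        contains: '(?i)^\s*{{ "DisableForwarding"| regex_escape }}\s+'
      register: _etc_ssh_sshd_config_d_has_parameter
      when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir

    - name: Remove parameter from files in /etc/ssh/sshd_config.d
      ansible.builtin.lineinfile:
        path: '{{ item.path }}'
        create: false
        regexp: '(?i)^\s*{{ "DisableForwarding"| regex_escape }}\s+'
        state: absent
      loop: '{{ _etc_ssh_sshd_config_d_has_parameter.files | default([]) }}'
      when: _etc_ssh_sshd_config_d_has_parameter.matched | default(0)

    - name: Insert correct line to /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
        create: true
        regexp: '(?i)^\s*{{ "DisableForwarding"| regex_escape }}\s+'
        line: DisableForwarding yes
        state: present
        insertbefore: BOF
        validate: /usr/sbin/sshd -t -f %s
  when:
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - sshd_disable_forwarding | bool
    - '"kernel-core" in ansible_facts.packages'
    - _sshd_config_correctly.matched == 0 or _sshd_config_has_parameter.matched != 1
  tags:
    - CCE-90197-5
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
    - sshd_disable_forwarding

- name: Disable SSH Forwarding - set file mode for /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
  ansible.builtin.file:
    path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
    mode: '0600'
    state: touch
    modification_time: preserve
    access_time: preserve
  when:
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - sshd_disable_forwarding | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-90197-5
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
    - sshd_disable_forwarding

# GSSAPIAuthentication no: restates the upstream default in the 01-... drop-in.
- name: Disable GSSAPI Authentication - Check if the parameter GSSAPIAuthentication is configured
  ansible.builtin.find:
    paths:
      - /etc/ssh/sshd_config
      - /etc/ssh/sshd_config.d
    contains: '(?i)^\s*{{ "GSSAPIAuthentication"| regex_escape }}\s+'
  register: _sshd_config_has_parameter
  when:
    - DISA_STIG_RHEL_09_255135 | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - sshd_disable_gssapi_auth | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-90808-7
    - DISA-STIG-RHEL-09-255135
    - NIST-800-171-3.1.12
    - NIST-800-53-AC-17(a)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
    - sshd_disable_gssapi_auth

- name: Disable GSSAPI Authentication - Check if the parameter GSSAPIAuthentication is configured correctly
  ansible.builtin.find:
    paths:
      - /etc/ssh/sshd_config
      - /etc/ssh/sshd_config.d
    contains: '(?i)^\s*{{ "GSSAPIAuthentication"| regex_escape }}\s+no$'
  register: _sshd_config_correctly
  when:
    - DISA_STIG_RHEL_09_255135 | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - sshd_disable_gssapi_auth | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-90808-7
    - DISA-STIG-RHEL-09-255135
    - NIST-800-171-3.1.12
    - NIST-800-53-AC-17(a)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
    - sshd_disable_gssapi_auth

- name: Disable GSSAPI Authentication
  block:
    - name: Deduplicate values from /etc/ssh/sshd_config
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        create: false
        regexp: '(?i)^\s*{{ "GSSAPIAuthentication"| regex_escape }}\s+'
        state: absent

    - name: Check if /etc/ssh/sshd_config.d exists
      ansible.builtin.stat:
        path: /etc/ssh/sshd_config.d
      register: _etc_ssh_sshd_config_d_exists

    - name: Check if the parameter GSSAPIAuthentication is present in /etc/ssh/sshd_config.d
      ansible.builtin.find:
        paths: /etc/ssh/sshd_config.d
        recurse: true
        follow: false
        contains: '(?i)^\s*{{ "GSSAPIAuthentication"| regex_escape }}\s+'
      register: _etc_ssh_sshd_config_d_has_parameter
      when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir

    - name: Remove parameter from files in /etc/ssh/sshd_config.d
      ansible.builtin.lineinfile:
        path: '{{ item.path }}'
        create: false
        regexp: '(?i)^\s*{{ "GSSAPIAuthentication"| regex_escape }}\s+'
        state: absent
      loop: '{{ _etc_ssh_sshd_config_d_has_parameter.files | default([]) }}'
      when: _etc_ssh_sshd_config_d_has_parameter.matched | default(0)

    - name: Insert correct line to /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
        create: true
        regexp: '(?i)^\s*{{ "GSSAPIAuthentication"| regex_escape }}\s+'
        line: GSSAPIAuthentication no
        state: present
        insertbefore: BOF
        validate: /usr/sbin/sshd -t -f %s
  when:
    - DISA_STIG_RHEL_09_255135 | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - sshd_disable_gssapi_auth | bool
    - '"kernel-core" in ansible_facts.packages'
    - _sshd_config_correctly.matched == 0 or _sshd_config_has_parameter.matched != 1
  tags:
    - CCE-90808-7
    - DISA-STIG-RHEL-09-255135
    - NIST-800-171-3.1.12
    - NIST-800-53-AC-17(a)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
    - sshd_disable_gssapi_auth

- name: Disable GSSAPI Authentication - set file mode for /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
  ansible.builtin.file:
    path: /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
    mode: '0600'
    state: touch
    modification_time: preserve
    access_time: preserve
  when:
    - DISA_STIG_RHEL_09_255135 | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - sshd_disable_gssapi_auth | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-90808-7
    - DISA-STIG-RHEL-09-255135
    - NIST-800-171-3.1.12
    - NIST-800-53-AC-17(a)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
    - sshd_disable_gssapi_auth

# IgnoreRhosts yes: restates the upstream default in the 01-... drop-in.
- name: Disable SSH Support for .rhosts Files - Check if the parameter IgnoreRhosts is configured
  ansible.builtin.find:
    paths:
      - /etc/ssh/sshd_config
      - /etc/ssh/sshd_config.d
    contains: '(?i)^\s*{{ "IgnoreRhosts"| regex_escape }}\s+'
  register: _sshd_config_has_parameter
  when:
    - DISA_STIG_RHEL_09_255145 | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - sshd_disable_rhosts | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-90797-2
    - CJIS-5.5.6
    - DISA-STIG-RHEL-09-255145
    - NIST-800-171-3.1.12
    - NIST-800-53-AC-17(a)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
    - sshd_disable_rhosts

- name: Disable SSH Support for .rhosts Files - Check if the parameter IgnoreRhosts is configured correctly
  ansible.builtin.find:
    paths:
      - /etc/ssh/sshd_config
      - /etc/ssh/sshd_config.d
    contains: '(?i)^\s*{{ "IgnoreRhosts"| regex_escape }}\s+yes$'
  register: _sshd_config_correctly
  when:
    - DISA_STIG_RHEL_09_255145 | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - sshd_disable_rhosts | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-90797-2
    - CJIS-5.5.6
    - DISA-STIG-RHEL-09-255145
    - NIST-800-171-3.1.12
    - NIST-800-53-AC-17(a)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
    - sshd_disable_rhosts

- name: Disable SSH Support for .rhosts Files
  block:
    - name: Deduplicate values from /etc/ssh/sshd_config
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        create: false
        regexp: '(?i)^\s*{{ "IgnoreRhosts"| regex_escape }}\s+'
        state: absent

    - name: Check if /etc/ssh/sshd_config.d exists
      ansible.builtin.stat:
        path: /etc/ssh/sshd_config.d
      register: _etc_ssh_sshd_config_d_exists

    - name: Check if the parameter IgnoreRhosts is present in /etc/ssh/sshd_config.d
      ansible.builtin.find:
        paths: /etc/ssh/sshd_config.d
        recurse: true
        follow: false
        contains: '(?i)^\s*{{ "IgnoreRhosts"| regex_escape }}\s+'
      register: _etc_ssh_sshd_config_d_has_parameter
      when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir

    - name: Remove parameter from files in /etc/ssh/sshd_config.d
      ansible.builtin.lineinfile:
        path: '{{ item.path }}'
        create: false
        regexp: '(?i)^\s*{{ "IgnoreRhosts"| regex_escape }}\s+'
        state: absent
      loop: '{{ _etc_ssh_sshd_config_d_has_parameter.files | default([]) }}'
      when: _etc_ssh_sshd_config_d_has_parameter.matched | default(0)

    - name: Insert correct line to /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
        create: true
        regexp: '(?i)^\s*{{ "IgnoreRhosts"| regex_escape }}\s+'
        line: IgnoreRhosts yes
        state: present
        insertbefore: BOF
        validate: /usr/sbin/sshd -t -f %s
  when:
    - DISA_STIG_RHEL_09_255145 | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - sshd_disable_rhosts | bool
    - '"kernel-core" in ansible_facts.packages'
    - _sshd_config_correctly.matched == 0 or _sshd_config_has_parameter.matched != 1
  tags:
    - CCE-90797-2
    - CJIS-5.5.6
    - DISA-STIG-RHEL-09-255145
    - NIST-800-171-3.1.12
    - NIST-800-53-AC-17(a)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
    - sshd_disable_rhosts

- name: Disable SSH Support for .rhosts Files - set file mode for /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
  ansible.builtin.file:
    path: /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
    mode: '0600'
    state: touch
    modification_time: preserve
    access_time: preserve
  when:
    - DISA_STIG_RHEL_09_255145 | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - sshd_disable_rhosts | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-90797-2
    - CJIS-5.5.6
    - DISA-STIG-RHEL-09-255145
    - NIST-800-171-3.1.12
    - NIST-800-53-AC-17(a)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
    - sshd_disable_rhosts

# PermitRootLogin no: tightens the upstream default, so it goes in the
# 00-hardening drop-in.
- name: Disable SSH Root Login - Check if the parameter PermitRootLogin is configured
  ansible.builtin.find:
    paths:
      - /etc/ssh/sshd_config
      - /etc/ssh/sshd_config.d
    contains: '(?i)^\s*{{ "PermitRootLogin"| regex_escape }}\s+'
  register: _sshd_config_has_parameter
  when:
    - DISA_STIG_RHEL_09_255045 | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - sshd_disable_root_login | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-90800-4
    - CJIS-5.5.6
    - DISA-STIG-RHEL-09-255045
    - NIST-800-171-3.1.1
    - NIST-800-171-3.1.5
    - NIST-800-53-AC-17(a)
    - NIST-800-53-AC-6(2)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-IA-2
    - NIST-800-53-IA-2(5)
    - PCI-DSS-Req-2.2.4
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
    - sshd_disable_root_login

- name: Disable SSH Root Login - Check if the parameter PermitRootLogin is configured correctly
  ansible.builtin.find:
    paths:
      - /etc/ssh/sshd_config
      - /etc/ssh/sshd_config.d
    contains: '(?i)^\s*{{ "PermitRootLogin"| regex_escape }}\s+no$'
  register: _sshd_config_correctly
  when:
    - DISA_STIG_RHEL_09_255045 | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - sshd_disable_root_login | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-90800-4
    - CJIS-5.5.6
    - DISA-STIG-RHEL-09-255045
    - NIST-800-171-3.1.1
    - NIST-800-171-3.1.5
    - NIST-800-53-AC-17(a)
    - NIST-800-53-AC-6(2)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-IA-2
    - NIST-800-53-IA-2(5)
    - PCI-DSS-Req-2.2.4
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
    - sshd_disable_root_login

- name: Disable SSH Root Login
  block:
    - name: Deduplicate values from /etc/ssh/sshd_config
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        create: false
        regexp: '(?i)^\s*{{ "PermitRootLogin"| regex_escape }}\s+'
        state: absent

    - name: Check if /etc/ssh/sshd_config.d exists
      ansible.builtin.stat:
        path: /etc/ssh/sshd_config.d
      register: _etc_ssh_sshd_config_d_exists

    - name: Check if the parameter PermitRootLogin is present in /etc/ssh/sshd_config.d
      ansible.builtin.find:
        paths: /etc/ssh/sshd_config.d
        recurse: true
        follow: false
        contains: '(?i)^\s*{{ "PermitRootLogin"| regex_escape }}\s+'
      register: _etc_ssh_sshd_config_d_has_parameter
      when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir

    - name: Remove parameter from files in /etc/ssh/sshd_config.d
      ansible.builtin.lineinfile:
        path: '{{ item.path }}'
        create: false
        regexp: '(?i)^\s*{{ "PermitRootLogin"| regex_escape }}\s+'
        state: absent
      loop: '{{ _etc_ssh_sshd_config_d_has_parameter.files | default([]) }}'
      when: _etc_ssh_sshd_config_d_has_parameter.matched | default(0)

    - name: Insert correct line to /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
        create: true
        regexp: '(?i)^\s*{{ "PermitRootLogin"| regex_escape }}\s+'
        line: PermitRootLogin no
        state: present
        insertbefore: BOF
        validate: /usr/sbin/sshd -t -f %s
  when:
    - DISA_STIG_RHEL_09_255045 | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - sshd_disable_root_login | bool
    - '"kernel-core" in ansible_facts.packages'
    - _sshd_config_correctly.matched == 0 or _sshd_config_has_parameter.matched != 1
  tags:
    - CCE-90800-4
    - CJIS-5.5.6
    - DISA-STIG-RHEL-09-255045
    - NIST-800-171-3.1.1
    - NIST-800-171-3.1.5
    - NIST-800-53-AC-17(a)
    - NIST-800-53-AC-6(2)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-IA-2
    - NIST-800-53-IA-2(5)
    - PCI-DSS-Req-2.2.4
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
    - sshd_disable_root_login

- name: Disable SSH Root Login - set file mode for /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
  ansible.builtin.file:
    path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
    mode: '0600'
    state: touch
    modification_time: preserve
    access_time: preserve
  when:
    - DISA_STIG_RHEL_09_255045 | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - sshd_disable_root_login | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-90800-4
    - CJIS-5.5.6
    - DISA-STIG-RHEL-09-255045
    - NIST-800-171-3.1.1
    - NIST-800-171-3.1.5
    - NIST-800-53-AC-17(a)
    - NIST-800-53-AC-6(2)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-IA-2
    - NIST-800-53-IA-2(5)
    - PCI-DSS-Req-2.2.4
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
    - sshd_disable_root_login

# PermitUserEnvironment no: restates the upstream default in the 01-... drop-in.
- name: Do Not Allow SSH Environment Options - Check if the parameter PermitUserEnvironment is configured
  ansible.builtin.find:
    paths:
      - /etc/ssh/sshd_config
      - /etc/ssh/sshd_config.d
    contains: '(?i)^\s*{{ "PermitUserEnvironment"| regex_escape }}\s+'
  register: _sshd_config_has_parameter
  when:
    - DISA_STIG_RHEL_09_255085 | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - sshd_do_not_permit_user_env | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-90803-8
    - CJIS-5.5.6
    - DISA-STIG-RHEL-09-255085
    - NIST-800-171-3.1.12
    - NIST-800-53-AC-17(a)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - PCI-DSS-Req-2.2.4
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
    - sshd_do_not_permit_user_env

- name: Do Not Allow SSH Environment Options - Check if the parameter PermitUserEnvironment is configured correctly
  ansible.builtin.find:
    paths:
      - /etc/ssh/sshd_config
      - /etc/ssh/sshd_config.d
    contains: '(?i)^\s*{{ "PermitUserEnvironment"| regex_escape }}\s+no$'
  register: _sshd_config_correctly
  when:
    - DISA_STIG_RHEL_09_255085 | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - sshd_do_not_permit_user_env | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-90803-8
    - CJIS-5.5.6
    - DISA-STIG-RHEL-09-255085
    - NIST-800-171-3.1.12
    - NIST-800-53-AC-17(a)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - PCI-DSS-Req-2.2.4
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
    - sshd_do_not_permit_user_env

- name: Do Not Allow SSH Environment Options
  block:
    - name: Deduplicate values from /etc/ssh/sshd_config
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        create: false
        regexp: '(?i)^\s*{{ "PermitUserEnvironment"| regex_escape }}\s+'
        state: absent

    - name: Check if /etc/ssh/sshd_config.d exists
      ansible.builtin.stat:
        path: /etc/ssh/sshd_config.d
      register: _etc_ssh_sshd_config_d_exists

    - name: Check if the parameter PermitUserEnvironment is present in /etc/ssh/sshd_config.d
      ansible.builtin.find:
        paths: /etc/ssh/sshd_config.d
        recurse: true
        follow: false
        contains: '(?i)^\s*{{ "PermitUserEnvironment"| regex_escape }}\s+'
      register: _etc_ssh_sshd_config_d_has_parameter
      when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir

    - name: Remove parameter from files in /etc/ssh/sshd_config.d
      ansible.builtin.lineinfile:
        path: '{{ item.path }}'
        create: false
        regexp: '(?i)^\s*{{ "PermitUserEnvironment"| regex_escape }}\s+'
        state: absent
      loop: '{{ _etc_ssh_sshd_config_d_has_parameter.files | default([]) }}'
      when: _etc_ssh_sshd_config_d_has_parameter.matched | default(0)

    - name: Insert correct line to /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
        create: true
        regexp: '(?i)^\s*{{ "PermitUserEnvironment"| regex_escape }}\s+'
        line: PermitUserEnvironment no
        state: present
        insertbefore: BOF
        validate: /usr/sbin/sshd -t -f %s
  when:
    - DISA_STIG_RHEL_09_255085 | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - sshd_do_not_permit_user_env | bool
    - '"kernel-core" in ansible_facts.packages'
    - _sshd_config_correctly.matched == 0 or _sshd_config_has_parameter.matched != 1
  tags:
    - CCE-90803-8
    - CJIS-5.5.6
    - DISA-STIG-RHEL-09-255085
    - NIST-800-171-3.1.12
    - NIST-800-53-AC-17(a)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - PCI-DSS-Req-2.2.4
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
    - sshd_do_not_permit_user_env

- name: Do Not Allow SSH Environment Options - set file mode for /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
  ansible.builtin.file:
    path: /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
    mode: '0600'
    state: touch
    modification_time: preserve
    access_time: preserve
  when:
    - DISA_STIG_RHEL_09_255085 | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - sshd_do_not_permit_user_env | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-90803-8
    - CJIS-5.5.6
    - DISA-STIG-RHEL-09-255085
    - NIST-800-171-3.1.12
    - NIST-800-53-AC-17(a)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - PCI-DSS-Req-2.2.4
    - PCI-DSSv4-2.2
    - PCI-DSSv4-2.2.6
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
    - sshd_do_not_permit_user_env

- name: Enable PAM - Check if the parameter UsePAM is configured ansible.builtin.find: paths: - /etc/ssh/sshd_config - /etc/ssh/sshd_config.d contains: (?i)^\s*{{ "UsePAM"| regex_escape }}\s+ register: _sshd_config_has_parameter when: - DISA_STIG_RHEL_09_255050 | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - sshd_enable_pam | bool - 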
'"kernel-core" in ansible_facts.packages' tags: - CCE-86722-6 - DISA-STIG-RHEL-09-255050 - PCI-DSSv4-2.2 - PCI-DSSv4-2.2.6 - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - sshd_enable_pam - name: Enable PAM - Check if the parameter UsePAM is configured correctly ansible.builtin.find: paths: - /etc/ssh/sshd_config - /etc/ssh/sshd_config.d contains: (?i)^\s*{{ "UsePAM"| regex_escape }}\s+yes$ register: _sshd_config_correctly when: - DISA_STIG_RHEL_09_255050 | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - sshd_enable_pam | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-86722-6 - DISA-STIG-RHEL-09-255050 - PCI-DSSv4-2.2 - PCI-DSSv4-2.2.6 - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - sshd_enable_pam - name: Enable PAM block: - name: Deduplicate values from /etc/ssh/sshd_config ansible.builtin.lineinfile: path: /etc/ssh/sshd_config create: false regexp: (?i)(?i)^\s*{{ "UsePAM"| regex_escape }}\s+ state: absent - name: Check if /etc/ssh/sshd_config.d exists ansible.builtin.stat: path: /etc/ssh/sshd_config.d register: _etc_ssh_sshd_config_d_exists - name: Check if the parameter UsePAM is present in /etc/ssh/sshd_config.d ansible.builtin.find: paths: /etc/ssh/sshd_config.d recurse: 'yes' follow: 'no' contains: (?i)^\s*{{ "UsePAM"| regex_escape }}\s+ register: _etc_ssh_sshd_config_d_has_parameter when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir - name: Remove parameter from files in /etc/ssh/sshd_config.d ansible.builtin.lineinfile: path: '{{ item.path }}' create: false regexp: (?i)(?i)^\s*{{ "UsePAM"| regex_escape }}\s+ state: absent with_items: '{{ _etc_ssh_sshd_config_d_has_parameter.files }}' when: _etc_ssh_sshd_config_d_has_parameter.matched - name: Insert correct line to /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf 
ansible.builtin.lineinfile: path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf create: true regexp: (?i)(?i)^\s*{{ "UsePAM"| regex_escape }}\s+ line: UsePAM yes state: present insertbefore: BOF validate: /usr/sbin/sshd -t -f %s when: - DISA_STIG_RHEL_09_255050 | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - sshd_enable_pam | bool - '"kernel-core" in ansible_facts.packages' - _sshd_config_correctly.matched == 0 or _sshd_config_has_parameter.matched != 1 tags: - CCE-86722-6 - DISA-STIG-RHEL-09-255050 - PCI-DSSv4-2.2 - PCI-DSSv4-2.2.6 - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - sshd_enable_pam - name: Enable PAM - set file mode for /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf ansible.builtin.file: path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf mode: '0600' state: touch modification_time: preserve access_time: preserve when: - DISA_STIG_RHEL_09_255050 | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - sshd_enable_pam | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-86722-6 - DISA-STIG-RHEL-09-255050 - PCI-DSSv4-2.2 - PCI-DSSv4-2.2.6 - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - sshd_enable_pam - name: Enable SSH Warning Banner - Check if the parameter Banner is configured ansible.builtin.find: paths: - /etc/ssh/sshd_config - /etc/ssh/sshd_config.d contains: (?i)^\s*{{ "Banner"| regex_escape }}\s+ register: _sshd_config_has_parameter when: - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - sshd_enable_warning_banner_net | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-87979-1 - CJIS-5.5.6 - NIST-800-171-3.1.9 - NIST-800-53-AC-17(a) - NIST-800-53-AC-8(a) - 
NIST-800-53-AC-8(c) - NIST-800-53-CM-6(a) - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - sshd_enable_warning_banner_net - name: Enable SSH Warning Banner - Check if the parameter Banner is configured correctly ansible.builtin.find: paths: - /etc/ssh/sshd_config - /etc/ssh/sshd_config.d contains: (?i)^\s*{{ "Banner"| regex_escape }}\s+/etc/issue.net$ register: _sshd_config_correctly when: - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - sshd_enable_warning_banner_net | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-87979-1 - CJIS-5.5.6 - NIST-800-171-3.1.9 - NIST-800-53-AC-17(a) - NIST-800-53-AC-8(a) - NIST-800-53-AC-8(c) - NIST-800-53-CM-6(a) - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - sshd_enable_warning_banner_net - name: Enable SSH Warning Banner block: - name: Deduplicate values from /etc/ssh/sshd_config ansible.builtin.lineinfile: path: /etc/ssh/sshd_config create: false regexp: (?i)(?i)^\s*{{ "Banner"| regex_escape }}\s+ state: absent - name: Check if /etc/ssh/sshd_config.d exists ansible.builtin.stat: path: /etc/ssh/sshd_config.d register: _etc_ssh_sshd_config_d_exists - name: Check if the parameter Banner is present in /etc/ssh/sshd_config.d ansible.builtin.find: paths: /etc/ssh/sshd_config.d recurse: 'yes' follow: 'no' contains: (?i)^\s*{{ "Banner"| regex_escape }}\s+ register: _etc_ssh_sshd_config_d_has_parameter when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir - name: Remove parameter from files in /etc/ssh/sshd_config.d ansible.builtin.lineinfile: path: '{{ item.path }}' create: false regexp: (?i)(?i)^\s*{{ "Banner"| regex_escape }}\s+ state: absent with_items: '{{ _etc_ssh_sshd_config_d_has_parameter.files }}' when: _etc_ssh_sshd_config_d_has_parameter.matched - name: Insert correct line to 
/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf ansible.builtin.lineinfile: path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf create: true regexp: (?i)(?i)^\s*{{ "Banner"| regex_escape }}\s+ line: Banner /etc/issue.net state: present insertbefore: BOF validate: /usr/sbin/sshd -t -f %s when: - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - sshd_enable_warning_banner_net | bool - '"kernel-core" in ansible_facts.packages' - _sshd_config_correctly.matched == 0 or _sshd_config_has_parameter.matched != 1 tags: - CCE-87979-1 - CJIS-5.5.6 - NIST-800-171-3.1.9 - NIST-800-53-AC-17(a) - NIST-800-53-AC-8(a) - NIST-800-53-AC-8(c) - NIST-800-53-CM-6(a) - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - sshd_enable_warning_banner_net - name: Enable SSH Warning Banner - set file mode for /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf ansible.builtin.file: path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf mode: '0600' state: touch modification_time: preserve access_time: preserve when: - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - sshd_enable_warning_banner_net | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-87979-1 - CJIS-5.5.6 - NIST-800-171-3.1.9 - NIST-800-53-AC-17(a) - NIST-800-53-AC-8(a) - NIST-800-53-AC-8(c) - NIST-800-53-CM-6(a) - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - sshd_enable_warning_banner_net - name: Ensure SSH LoginGraceTime is configured - Check if the parameter LoginGraceTime is configured ansible.builtin.find: paths: - /etc/ssh/sshd_config - /etc/ssh/sshd_config.d contains: (?i)^\s*{{ "LoginGraceTime"| regex_escape }}\s+ register: _sshd_config_has_parameter when: - low_complexity | bool - low_disruption | bool - medium_severity | bool - 
no_reboot_needed | bool - restrict_strategy | bool - sshd_set_login_grace_time | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-86552-7 - PCI-DSSv4-2.2 - PCI-DSSv4-2.2.6 - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - sshd_set_login_grace_time - name: Ensure SSH LoginGraceTime is configured - Check if the parameter LoginGraceTime is configured correctly ansible.builtin.find: paths: - /etc/ssh/sshd_config - /etc/ssh/sshd_config.d contains: (?i)^\s*{{ "LoginGraceTime"| regex_escape }}\s+{{ var_sshd_set_login_grace_time }}$ register: _sshd_config_correctly when: - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - sshd_set_login_grace_time | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-86552-7 - PCI-DSSv4-2.2 - PCI-DSSv4-2.2.6 - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - sshd_set_login_grace_time - name: Ensure SSH LoginGraceTime is configured block: - name: Deduplicate values from /etc/ssh/sshd_config ansible.builtin.lineinfile: path: /etc/ssh/sshd_config create: false regexp: (?i)(?i)^\s*{{ "LoginGraceTime"| regex_escape }}\s+ state: absent - name: Check if /etc/ssh/sshd_config.d exists ansible.builtin.stat: path: /etc/ssh/sshd_config.d register: _etc_ssh_sshd_config_d_exists - name: Check if the parameter LoginGraceTime is present in /etc/ssh/sshd_config.d ansible.builtin.find: paths: /etc/ssh/sshd_config.d recurse: 'yes' follow: 'no' contains: (?i)^\s*{{ "LoginGraceTime"| regex_escape }}\s+ register: _etc_ssh_sshd_config_d_has_parameter when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir - name: Remove parameter from files in /etc/ssh/sshd_config.d ansible.builtin.lineinfile: path: '{{ item.path }}' create: false regexp: (?i)(?i)^\s*{{ "LoginGraceTime"| regex_escape }}\s+ state: absent with_items: '{{ 
_etc_ssh_sshd_config_d_has_parameter.files }}' when: _etc_ssh_sshd_config_d_has_parameter.matched - name: Insert correct line to /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf ansible.builtin.lineinfile: path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf create: true regexp: (?i)(?i)^\s*{{ "LoginGraceTime"| regex_escape }}\s+ line: LoginGraceTime {{ var_sshd_set_login_grace_time }} state: present insertbefore: BOF validate: /usr/sbin/sshd -t -f %s when: - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - sshd_set_login_grace_time | bool - '"kernel-core" in ansible_facts.packages' - _sshd_config_correctly.matched == 0 or _sshd_config_has_parameter.matched != 1 tags: - CCE-86552-7 - PCI-DSSv4-2.2 - PCI-DSSv4-2.2.6 - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - sshd_set_login_grace_time - name: Ensure SSH LoginGraceTime is configured - set file mode for /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf ansible.builtin.file: path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf mode: '0600' state: touch modification_time: preserve access_time: preserve when: - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - sshd_set_login_grace_time | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-86552-7 - PCI-DSSv4-2.2 - PCI-DSSv4-2.2.6 - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - sshd_set_login_grace_time - name: Set SSH Daemon LogLevel to VERBOSE - Check if the parameter LogLevel is configured ansible.builtin.find: paths: - /etc/ssh/sshd_config - /etc/ssh/sshd_config.d contains: (?i)^\s*{{ "LogLevel"| regex_escape }}\s+ register: _sshd_config_has_parameter when: - DISA_STIG_RHEL_09_255030 | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - 
no_reboot_needed | bool - restrict_strategy | bool - sshd_set_loglevel_verbose | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-86923-0 - DISA-STIG-RHEL-09-255030 - NIST-800-53-AC-17(1) - NIST-800-53-AC-17(a) - NIST-800-53-CM-6(a) - PCI-DSS-Req-2.2.4 - PCI-DSSv4-2.2 - PCI-DSSv4-2.2.6 - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - sshd_set_loglevel_verbose - name: Set SSH Daemon LogLevel to VERBOSE - Check if the parameter LogLevel is configured correctly ansible.builtin.find: paths: - /etc/ssh/sshd_config - /etc/ssh/sshd_config.d contains: (?i)^\s*{{ "LogLevel"| regex_escape }}\s+VERBOSE$ register: _sshd_config_correctly when: - DISA_STIG_RHEL_09_255030 | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - sshd_set_loglevel_verbose | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-86923-0 - DISA-STIG-RHEL-09-255030 - NIST-800-53-AC-17(1) - NIST-800-53-AC-17(a) - NIST-800-53-CM-6(a) - PCI-DSS-Req-2.2.4 - PCI-DSSv4-2.2 - PCI-DSSv4-2.2.6 - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - sshd_set_loglevel_verbose - name: Set SSH Daemon LogLevel to VERBOSE block: - name: Deduplicate values from /etc/ssh/sshd_config ansible.builtin.lineinfile: path: /etc/ssh/sshd_config create: false regexp: (?i)(?i)^\s*{{ "LogLevel"| regex_escape }}\s+ state: absent - name: Check if /etc/ssh/sshd_config.d exists ansible.builtin.stat: path: /etc/ssh/sshd_config.d register: _etc_ssh_sshd_config_d_exists - name: Check if the parameter LogLevel is present in /etc/ssh/sshd_config.d ansible.builtin.find: paths: /etc/ssh/sshd_config.d recurse: 'yes' follow: 'no' contains: (?i)^\s*{{ "LogLevel"| regex_escape }}\s+ register: _etc_ssh_sshd_config_d_has_parameter when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir - name: Remove parameter from files in 
/etc/ssh/sshd_config.d ansible.builtin.lineinfile: path: '{{ item.path }}' create: false regexp: (?i)(?i)^\s*{{ "LogLevel"| regex_escape }}\s+ state: absent with_items: '{{ _etc_ssh_sshd_config_d_has_parameter.files }}' when: _etc_ssh_sshd_config_d_has_parameter.matched - name: Insert correct line to /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf ansible.builtin.lineinfile: path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf create: true regexp: (?i)(?i)^\s*{{ "LogLevel"| regex_escape }}\s+ line: LogLevel VERBOSE state: present insertbefore: BOF validate: /usr/sbin/sshd -t -f %s when: - DISA_STIG_RHEL_09_255030 | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - sshd_set_loglevel_verbose | bool - '"kernel-core" in ansible_facts.packages' - _sshd_config_correctly.matched == 0 or _sshd_config_has_parameter.matched != 1 tags: - CCE-86923-0 - DISA-STIG-RHEL-09-255030 - NIST-800-53-AC-17(1) - NIST-800-53-AC-17(a) - NIST-800-53-CM-6(a) - PCI-DSS-Req-2.2.4 - PCI-DSSv4-2.2 - PCI-DSSv4-2.2.6 - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - sshd_set_loglevel_verbose - name: Set SSH Daemon LogLevel to VERBOSE - set file mode for /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf ansible.builtin.file: path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf mode: '0600' state: touch modification_time: preserve access_time: preserve when: - DISA_STIG_RHEL_09_255030 | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - sshd_set_loglevel_verbose | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-86923-0 - DISA-STIG-RHEL-09-255030 - NIST-800-53-AC-17(1) - NIST-800-53-AC-17(a) - NIST-800-53-CM-6(a) - PCI-DSS-Req-2.2.4 - PCI-DSSv4-2.2 - PCI-DSSv4-2.2.6 - low_complexity - low_disruption - medium_severity - no_reboot_needed - 
restrict_strategy - sshd_set_loglevel_verbose - name: Set SSH authentication attempt limit - Check if the parameter MaxAuthTries is configured ansible.builtin.find: paths: - /etc/ssh/sshd_config - /etc/ssh/sshd_config.d contains: (?i)^\s*{{ "MaxAuthTries"| regex_escape }}\s+ register: _sshd_config_has_parameter when: - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - sshd_set_max_auth_tries | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-90810-3 - PCI-DSSv4-2.2 - PCI-DSSv4-2.2.6 - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - sshd_set_max_auth_tries - name: Set SSH authentication attempt limit - Check if the parameter MaxAuthTries is configured correctly ansible.builtin.find: paths: - /etc/ssh/sshd_config - /etc/ssh/sshd_config.d contains: (?i)^\s*{{ "MaxAuthTries"| regex_escape }}\s+{{ sshd_max_auth_tries_value }}$ register: _sshd_config_correctly when: - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - sshd_set_max_auth_tries | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-90810-3 - PCI-DSSv4-2.2 - PCI-DSSv4-2.2.6 - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - sshd_set_max_auth_tries - name: Set SSH authentication attempt limit block: - name: Deduplicate values from /etc/ssh/sshd_config ansible.builtin.lineinfile: path: /etc/ssh/sshd_config create: false regexp: (?i)(?i)^\s*{{ "MaxAuthTries"| regex_escape }}\s+ state: absent - name: Check if /etc/ssh/sshd_config.d exists ansible.builtin.stat: path: /etc/ssh/sshd_config.d register: _etc_ssh_sshd_config_d_exists - name: Check if the parameter MaxAuthTries is present in /etc/ssh/sshd_config.d ansible.builtin.find: paths: /etc/ssh/sshd_config.d recurse: 'yes' follow: 'no' contains: (?i)^\s*{{ "MaxAuthTries"| regex_escape }}\s+ register: 
_etc_ssh_sshd_config_d_has_parameter when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir - name: Remove parameter from files in /etc/ssh/sshd_config.d ansible.builtin.lineinfile: path: '{{ item.path }}' create: false regexp: (?i)(?i)^\s*{{ "MaxAuthTries"| regex_escape }}\s+ state: absent with_items: '{{ _etc_ssh_sshd_config_d_has_parameter.files }}' when: _etc_ssh_sshd_config_d_has_parameter.matched - name: Insert correct line to /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf ansible.builtin.lineinfile: path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf create: true regexp: (?i)(?i)^\s*{{ "MaxAuthTries"| regex_escape }}\s+ line: MaxAuthTries {{ sshd_max_auth_tries_value }} state: present insertbefore: BOF validate: /usr/sbin/sshd -t -f %s when: - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - sshd_set_max_auth_tries | bool - '"kernel-core" in ansible_facts.packages' - _sshd_config_correctly.matched == 0 or _sshd_config_has_parameter.matched != 1 tags: - CCE-90810-3 - PCI-DSSv4-2.2 - PCI-DSSv4-2.2.6 - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - sshd_set_max_auth_tries - name: Set SSH authentication attempt limit - set file mode for /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf ansible.builtin.file: path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf mode: '0600' state: touch modification_time: preserve access_time: preserve when: - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - sshd_set_max_auth_tries | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-90810-3 - PCI-DSSv4-2.2 - PCI-DSSv4-2.2.6 - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - sshd_set_max_auth_tries - name: Set SSH MaxSessions limit - Check if the 
parameter MaxSessions is configured ansible.builtin.find: paths: - /etc/ssh/sshd_config - /etc/ssh/sshd_config.d contains: (?i)^\s*{{ "MaxSessions"| regex_escape }}\s+ register: _sshd_config_has_parameter when: - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - sshd_set_max_sessions | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-84103-1 - PCI-DSSv4-2.2 - PCI-DSSv4-2.2.6 - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - sshd_set_max_sessions - name: Set SSH MaxSessions limit - Check if the parameter MaxSessions is configured correctly ansible.builtin.find: paths: - /etc/ssh/sshd_config - /etc/ssh/sshd_config.d contains: (?i)^\s*{{ "MaxSessions"| regex_escape }}\s+{{ var_sshd_max_sessions }}$ register: _sshd_config_correctly when: - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - sshd_set_max_sessions | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-84103-1 - PCI-DSSv4-2.2 - PCI-DSSv4-2.2.6 - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - sshd_set_max_sessions - name: Set SSH MaxSessions limit block: - name: Deduplicate values from /etc/ssh/sshd_config ansible.builtin.lineinfile: path: /etc/ssh/sshd_config create: false regexp: (?i)(?i)^\s*{{ "MaxSessions"| regex_escape }}\s+ state: absent - name: Check if /etc/ssh/sshd_config.d exists ansible.builtin.stat: path: /etc/ssh/sshd_config.d register: _etc_ssh_sshd_config_d_exists - name: Check if the parameter MaxSessions is present in /etc/ssh/sshd_config.d ansible.builtin.find: paths: /etc/ssh/sshd_config.d recurse: 'yes' follow: 'no' contains: (?i)^\s*{{ "MaxSessions"| regex_escape }}\s+ register: _etc_ssh_sshd_config_d_has_parameter when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir - name: Remove 
parameter from files in /etc/ssh/sshd_config.d ansible.builtin.lineinfile: path: '{{ item.path }}' create: false regexp: (?i)(?i)^\s*{{ "MaxSessions"| regex_escape }}\s+ state: absent with_items: '{{ _etc_ssh_sshd_config_d_has_parameter.files }}' when: _etc_ssh_sshd_config_d_has_parameter.matched - name: Insert correct line to /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf ansible.builtin.lineinfile: path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf create: true regexp: (?i)(?i)^\s*{{ "MaxSessions"| regex_escape }}\s+ line: MaxSessions {{ var_sshd_max_sessions }} state: present insertbefore: BOF validate: /usr/sbin/sshd -t -f %s when: - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - sshd_set_max_sessions | bool - '"kernel-core" in ansible_facts.packages' - _sshd_config_correctly.matched == 0 or _sshd_config_has_parameter.matched != 1 tags: - CCE-84103-1 - PCI-DSSv4-2.2 - PCI-DSSv4-2.2.6 - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - sshd_set_max_sessions - name: Set SSH MaxSessions limit - set file mode for /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf ansible.builtin.file: path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf mode: '0600' state: touch modification_time: preserve access_time: preserve when: - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - sshd_set_max_sessions | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-84103-1 - PCI-DSSv4-2.2 - PCI-DSSv4-2.2.6 - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - sshd_set_max_sessions - name: Ensure SSH MaxStartups is configured - Check if the parameter MaxStartups is configured ansible.builtin.find: paths: - /etc/ssh/sshd_config - /etc/ssh/sshd_config.d contains: (?i)^\s*{{ "MaxStartups"| regex_escape }}\s+ 
register: _sshd_config_has_parameter when: - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - sshd_set_maxstartups | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-87872-8 - PCI-DSSv4-2.2 - PCI-DSSv4-2.2.6 - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - sshd_set_maxstartups - name: Ensure SSH MaxStartups is configured - Check if the parameter MaxStartups is configured correctly ansible.builtin.find: paths: - /etc/ssh/sshd_config - /etc/ssh/sshd_config.d contains: (?i)^\s*{{ "MaxStartups"| regex_escape }}\s+{{ var_sshd_set_maxstartups }}$ register: _sshd_config_correctly when: - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - sshd_set_maxstartups | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-87872-8 - PCI-DSSv4-2.2 - PCI-DSSv4-2.2.6 - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - sshd_set_maxstartups - name: Ensure SSH MaxStartups is configured block: - name: Deduplicate values from /etc/ssh/sshd_config ansible.builtin.lineinfile: path: /etc/ssh/sshd_config create: false regexp: (?i)(?i)^\s*{{ "MaxStartups"| regex_escape }}\s+ state: absent - name: Check if /etc/ssh/sshd_config.d exists ansible.builtin.stat: path: /etc/ssh/sshd_config.d register: _etc_ssh_sshd_config_d_exists - name: Check if the parameter MaxStartups is present in /etc/ssh/sshd_config.d ansible.builtin.find: paths: /etc/ssh/sshd_config.d recurse: 'yes' follow: 'no' contains: (?i)^\s*{{ "MaxStartups"| regex_escape }}\s+ register: _etc_ssh_sshd_config_d_has_parameter when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir - name: Remove parameter from files in /etc/ssh/sshd_config.d ansible.builtin.lineinfile: path: '{{ item.path }}' create: false regexp: (?i)(?i)^\s*{{ 
"MaxStartups"| regex_escape }}\s+ state: absent with_items: '{{ _etc_ssh_sshd_config_d_has_parameter.files }}' when: _etc_ssh_sshd_config_d_has_parameter.matched - name: Insert correct line to /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf ansible.builtin.lineinfile: path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf create: true regexp: (?i)(?i)^\s*{{ "MaxStartups"| regex_escape }}\s+ line: MaxStartups {{ var_sshd_set_maxstartups }} state: present insertbefore: BOF validate: /usr/sbin/sshd -t -f %s when: - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - sshd_set_maxstartups | bool - '"kernel-core" in ansible_facts.packages' - _sshd_config_correctly.matched == 0 or _sshd_config_has_parameter.matched != 1 tags: - CCE-87872-8 - PCI-DSSv4-2.2 - PCI-DSSv4-2.2.6 - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - sshd_set_maxstartups - name: Ensure SSH MaxStartups is configured - set file mode for /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf ansible.builtin.file: path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf mode: '0600' state: touch modification_time: preserve access_time: preserve when: - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - sshd_set_maxstartups | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-87872-8 - PCI-DSSv4-2.2 - PCI-DSSv4-2.2.6 - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - sshd_set_maxstartups - name: Use Only Strong Key Exchange algorithms - Check if the parameter KexAlgorithms is configured ansible.builtin.find: paths: - /etc/ssh/sshd_config - /etc/ssh/sshd_config.d contains: (?i)^\s*{{ "KexAlgorithms"| regex_escape }}\s+ register: _sshd_config_has_parameter when: - low_complexity | bool - low_disruption | bool - medium_severity | bool - 
no_reboot_needed | bool - restrict_strategy | bool - sshd_use_strong_kex | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-86768-9 - PCI-DSS-Req-2.3 - PCI-DSSv4-2.2 - PCI-DSSv4-2.2.7 - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - sshd_use_strong_kex - name: Use Only Strong Key Exchange algorithms - Check if the parameter KexAlgorithms is configured correctly ansible.builtin.find: paths: - /etc/ssh/sshd_config - /etc/ssh/sshd_config.d contains: (?i)^\s*{{ "KexAlgorithms"| regex_escape }}\s+{{ sshd_strong_kex }}$ register: _sshd_config_correctly when: - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - sshd_use_strong_kex | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-86768-9 - PCI-DSS-Req-2.3 - PCI-DSSv4-2.2 - PCI-DSSv4-2.2.7 - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - sshd_use_strong_kex - name: Use Only Strong Key Exchange algorithms block: - name: Deduplicate values from /etc/ssh/sshd_config ansible.builtin.lineinfile: path: /etc/ssh/sshd_config create: false regexp: (?i)(?i)^\s*{{ "KexAlgorithms"| regex_escape }}\s+ state: absent - name: Check if /etc/ssh/sshd_config.d exists ansible.builtin.stat: path: /etc/ssh/sshd_config.d register: _etc_ssh_sshd_config_d_exists - name: Check if the parameter KexAlgorithms is present in /etc/ssh/sshd_config.d ansible.builtin.find: paths: /etc/ssh/sshd_config.d recurse: 'yes' follow: 'no' contains: (?i)^\s*{{ "KexAlgorithms"| regex_escape }}\s+ register: _etc_ssh_sshd_config_d_has_parameter when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir - name: Remove parameter from files in /etc/ssh/sshd_config.d ansible.builtin.lineinfile: path: '{{ item.path }}' create: false regexp: (?i)(?i)^\s*{{ "KexAlgorithms"| regex_escape }}\s+ state: absent with_items: '{{ 
_etc_ssh_sshd_config_d_has_parameter.files }}' when: _etc_ssh_sshd_config_d_has_parameter.matched - name: Insert correct line to /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf ansible.builtin.lineinfile: path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf create: true regexp: (?i)(?i)^\s*{{ "KexAlgorithms"| regex_escape }}\s+ line: KexAlgorithms {{ sshd_strong_kex }} state: present insertbefore: BOF validate: /usr/sbin/sshd -t -f %s when: - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - sshd_use_strong_kex | bool - '"kernel-core" in ansible_facts.packages' - _sshd_config_correctly.matched == 0 or _sshd_config_has_parameter.matched != 1 tags: - CCE-86768-9 - PCI-DSS-Req-2.3 - PCI-DSSv4-2.2 - PCI-DSSv4-2.2.7 - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - sshd_use_strong_kex - name: Use Only Strong Key Exchange algorithms - set file mode for /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf ansible.builtin.file: path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf mode: '0600' state: touch modification_time: preserve access_time: preserve when: - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - sshd_use_strong_kex | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-86768-9 - PCI-DSS-Req-2.3 - PCI-DSSv4-2.2 - PCI-DSSv4-2.2.7 - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - sshd_use_strong_kex - name: Switch to multi-user runlevel ansible.builtin.file: src: /usr/lib/systemd/system/multi-user.target dest: /etc/systemd/system/default.target state: link force: true when: - DISA_STIG_RHEL_09_211030 | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - xwindows_runlevel_target | bool - '"kernel-core" in 
ansible_facts.packages' tags: - CCE-84105-6 - DISA-STIG-RHEL-09-211030 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - xwindows_runlevel_target - name: Check if audit argument is already present in /etc/default/grub ansible.builtin.slurp: src: /etc/default/grub register: etc_default_grub when: - DISA_STIG_RHEL_09_212055 | bool - grub2_audit_argument | bool - low_disruption | bool - low_severity | bool - medium_complexity | bool - reboot_required | bool - restrict_strategy | bool - '"kernel-core" in ansible_facts.packages' - '"grub2-common" in ansible_facts.packages' tags: - CCE-83651-0 - CJIS-5.4.1.1 - DISA-STIG-RHEL-09-212055 - NIST-800-171-3.3.1 - NIST-800-53-AC-17(1) - NIST-800-53-AU-10 - NIST-800-53-AU-14(1) - NIST-800-53-CM-6(a) - NIST-800-53-IR-5(1) - PCI-DSS-Req-10.3 - PCI-DSSv4-10.7 - PCI-DSSv4-10.7.2 - grub2_audit_argument - low_disruption - low_severity - medium_complexity - reboot_required - restrict_strategy - name: Check if audit argument is already present ansible.builtin.command: /sbin/grubby --info=ALL register: grubby_info check_mode: false changed_when: false failed_when: false when: - DISA_STIG_RHEL_09_212055 | bool - grub2_audit_argument | bool - low_disruption | bool - low_severity | bool - medium_complexity | bool - reboot_required | bool - restrict_strategy | bool - '"kernel-core" in ansible_facts.packages' - '"grub2-common" in ansible_facts.packages' tags: - CCE-83651-0 - CJIS-5.4.1.1 - DISA-STIG-RHEL-09-212055 - NIST-800-171-3.3.1 - NIST-800-53-AC-17(1) - NIST-800-53-AU-10 - NIST-800-53-AU-14(1) - NIST-800-53-CM-6(a) - NIST-800-53-IR-5(1) - PCI-DSS-Req-10.3 - PCI-DSSv4-10.7 - PCI-DSSv4-10.7.2 - grub2_audit_argument - low_disruption - low_severity - medium_complexity - reboot_required - restrict_strategy - name: Update grub defaults and the bootloader menu ansible.builtin.command: /sbin/grubby --update-kernel=ALL --args="audit=1" 
when: - DISA_STIG_RHEL_09_212055 | bool - grub2_audit_argument | bool - low_disruption | bool - low_severity | bool - medium_complexity | bool - reboot_required | bool - restrict_strategy | bool - '"kernel-core" in ansible_facts.packages' - '"grub2-common" in ansible_facts.packages' - (grubby_info.stdout is not search('audit=1')) or ((etc_default_grub['content'] | b64decode) is not search('audit=1')) tags: - CCE-83651-0 - CJIS-5.4.1.1 - DISA-STIG-RHEL-09-212055 - NIST-800-171-3.3.1 - NIST-800-53-AC-17(1) - NIST-800-53-AU-10 - NIST-800-53-AU-14(1) - NIST-800-53-CM-6(a) - NIST-800-53-IR-5(1) - PCI-DSS-Req-10.3 - PCI-DSSv4-10.7 - PCI-DSSv4-10.7.2 - grub2_audit_argument - low_disruption - low_severity - medium_complexity - reboot_required - restrict_strategy - name: Check if audit_backlog_limit argument is already present in /etc/default/grub ansible.builtin.slurp: src: /etc/default/grub register: etc_default_grub when: - DISA_STIG_RHEL_09_653120 | bool - grub2_audit_backlog_limit_argument | bool - low_disruption | bool - low_severity | bool - medium_complexity | bool - reboot_required | bool - restrict_strategy | bool - '"kernel-core" in ansible_facts.packages' - '"grub2-common" in ansible_facts.packages' tags: - CCE-83652-8 - DISA-STIG-RHEL-09-653120 - NIST-800-53-CM-6(a) - PCI-DSSv4-10.7 - PCI-DSSv4-10.7.2 - grub2_audit_backlog_limit_argument - low_disruption - low_severity - medium_complexity - reboot_required - restrict_strategy - name: Check if audit_backlog_limit argument is already present ansible.builtin.command: /sbin/grubby --info=ALL register: grubby_info check_mode: false changed_when: false failed_when: false when: - DISA_STIG_RHEL_09_653120 | bool - grub2_audit_backlog_limit_argument | bool - low_disruption | bool - low_severity | bool - medium_complexity | bool - reboot_required | bool - restrict_strategy | bool - '"kernel-core" in ansible_facts.packages' - '"grub2-common" in ansible_facts.packages' tags: - CCE-83652-8 - DISA-STIG-RHEL-09-653120 - 
NIST-800-53-CM-6(a) - PCI-DSSv4-10.7 - PCI-DSSv4-10.7.2 - grub2_audit_backlog_limit_argument - low_disruption - low_severity - medium_complexity - reboot_required - restrict_strategy - name: Update grub defaults and the bootloader menu ansible.builtin.command: /sbin/grubby --update-kernel=ALL --args="audit_backlog_limit={{ var_audit_backlog_limit }}" when: - DISA_STIG_RHEL_09_653120 | bool - grub2_audit_backlog_limit_argument | bool - low_disruption | bool - low_severity | bool - medium_complexity | bool - reboot_required | bool - restrict_strategy | bool - '"kernel-core" in ansible_facts.packages' - '"grub2-common" in ansible_facts.packages' - (grubby_info.stdout is not search('audit_backlog_limit=' ~ var_audit_backlog_limit)) or ((etc_default_grub['content'] | b64decode) is not search('audit_backlog_limit=' ~ var_audit_backlog_limit)) tags: - CCE-83652-8 - DISA-STIG-RHEL-09-653120 - NIST-800-53-CM-6(a) - PCI-DSSv4-10.7 - PCI-DSSv4-10.7.2 - grub2_audit_backlog_limit_argument - low_disruption - low_severity - medium_complexity - reboot_required - restrict_strategy - name: Make the auditd Configuration Immutable - Collect all files from /etc/audit/rules.d with .rules extension ansible.builtin.find: paths: /etc/audit/rules.d/ patterns: '*.rules' register: find_rules_d when: - DISA_STIG_RHEL_09_654275 | bool - audit_rules_immutable | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' tags: - CCE-83716-1 - CJIS-5.4.1.1 - DISA-STIG-RHEL-09-654275 - NIST-800-171-3.3.1 - NIST-800-171-3.4.3 - NIST-800-53-AC-6(9) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.2 - PCI-DSSv4-10.3 - PCI-DSSv4-10.3.2 - audit_rules_immutable - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - name: Make the auditd Configuration Immutable - Check if target files exist and get their content 
ansible.builtin.stat: path: '{{ item }}' register: audit_files_stat loop: - /etc/audit/audit.rules - /etc/audit/rules.d/immutable.rules when: - DISA_STIG_RHEL_09_654275 | bool - audit_rules_immutable | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' tags: - CCE-83716-1 - CJIS-5.4.1.1 - DISA-STIG-RHEL-09-654275 - NIST-800-171-3.3.1 - NIST-800-171-3.4.3 - NIST-800-53-AC-6(9) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.2 - PCI-DSSv4-10.3 - PCI-DSSv4-10.3.2 - audit_rules_immutable - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - name: Make the auditd Configuration Immutable - Read content of existing audit files ansible.builtin.slurp: src: '{{ item.item }}' register: audit_files_content loop: '{{ audit_files_stat.results }}' when: - DISA_STIG_RHEL_09_654275 | bool - audit_rules_immutable | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - item.stat.exists tags: - CCE-83716-1 - CJIS-5.4.1.1 - DISA-STIG-RHEL-09-654275 - NIST-800-171-3.3.1 - NIST-800-171-3.4.3 - NIST-800-53-AC-6(9) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.2 - PCI-DSSv4-10.3 - PCI-DSSv4-10.3.2 - audit_rules_immutable - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - name: Make the auditd Configuration Immutable - Check if -e 2 is already correctly set in target files ansible.builtin.set_fact: immutable_correctly_set: "{{\n audit_files_content.results\n | selectattr('content', 'defined')\n | map(attribute='content')\n\ \ | map('b64decode')\n | select('search', '^-e 2$', multiline=True)\n | list\n | length == 2\n}}" when: - DISA_STIG_RHEL_09_654275 | bool - audit_rules_immutable | bool - low_complexity | 
bool - low_disruption | bool - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' tags: - CCE-83716-1 - CJIS-5.4.1.1 - DISA-STIG-RHEL-09-654275 - NIST-800-171-3.3.1 - NIST-800-171-3.4.3 - NIST-800-53-AC-6(9) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.2 - PCI-DSSv4-10.3 - PCI-DSSv4-10.3.2 - audit_rules_immutable - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - name: Make the auditd Configuration Immutable - Remove any existing -e option from all Audit config files ansible.builtin.lineinfile: path: '{{ item }}' regexp: ^\s*-e\s+.*$ state: absent loop: '{{ find_rules_d.files | map(attribute=''path'') | list + [''/etc/audit/audit.rules''] }}' when: - DISA_STIG_RHEL_09_654275 | bool - audit_rules_immutable | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - not immutable_correctly_set tags: - CCE-83716-1 - CJIS-5.4.1.1 - DISA-STIG-RHEL-09-654275 - NIST-800-171-3.3.1 - NIST-800-171-3.4.3 - NIST-800-53-AC-6(9) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.2 - PCI-DSSv4-10.3 - PCI-DSSv4-10.3.2 - audit_rules_immutable - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - name: Make the auditd Configuration Immutable - Ensure target directories exist ansible.builtin.file: path: '{{ item | dirname }}' state: directory mode: '0750' loop: - /etc/audit/audit.rules - /etc/audit/rules.d/immutable.rules when: - DISA_STIG_RHEL_09_654275 | bool - audit_rules_immutable | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - not immutable_correctly_set tags: - CCE-83716-1 - CJIS-5.4.1.1 - 
DISA-STIG-RHEL-09-654275 - NIST-800-171-3.3.1 - NIST-800-171-3.4.3 - NIST-800-53-AC-6(9) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.2 - PCI-DSSv4-10.3 - PCI-DSSv4-10.3.2 - audit_rules_immutable - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - name: Make the auditd Configuration Immutable - Add Audit -e 2 option to make rules immutable ansible.builtin.lineinfile: path: '{{ item }}' create: true line: -e 2 regexp: ^\s*-e\s+.*$ mode: g-rwx,o-rwx loop: - /etc/audit/audit.rules - /etc/audit/rules.d/immutable.rules when: - DISA_STIG_RHEL_09_654275 | bool - audit_rules_immutable | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - not immutable_correctly_set tags: - CCE-83716-1 - CJIS-5.4.1.1 - DISA-STIG-RHEL-09-654275 - NIST-800-171-3.3.1 - NIST-800-171-3.4.3 - NIST-800-53-AC-6(9) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.2 - PCI-DSSv4-10.3 - PCI-DSSv4-10.3.2 - audit_rules_immutable - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - name: Record Events that Modify the System's Mandatory Access Controls - Check if watch rule for /etc/selinux/ already exists in /etc/audit/rules.d/ ansible.builtin.find: paths: /etc/audit/rules.d contains: ^\s*-w\s+/etc/selinux/\s+-p\s+wa(\s|$)+ patterns: '*.rules' register: find_existing_watch_rules_d when: - audit_rules_mac_modification | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' tags: - CCE-83721-1 - CJIS-5.4.1.1 - NIST-800-171-3.1.8 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - PCI-DSSv4-10.3 - PCI-DSSv4-10.3.4 - audit_rules_mac_modification - low_complexity - low_disruption - 
medium_severity - reboot_required - restrict_strategy - name: Record Events that Modify the System's Mandatory Access Controls - Search /etc/audit/rules.d for other rules with specified key MAC-policy ansible.builtin.find: paths: /etc/audit/rules.d contains: ^.*(?:-F key=|-k\s+)MAC-policy$ patterns: '*.rules' register: find_watch_key when: - audit_rules_mac_modification | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83721-1 - CJIS-5.4.1.1 - NIST-800-171-3.1.8 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - PCI-DSSv4-10.3 - PCI-DSSv4-10.3.4 - audit_rules_mac_modification - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - name: Record Events that Modify the System's Mandatory Access Controls - Use /etc/audit/rules.d/MAC-policy.rules as the recipient for the rule ansible.builtin.set_fact: all_files: - /etc/audit/rules.d/MAC-policy.rules when: - audit_rules_mac_modification | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83721-1 - CJIS-5.4.1.1 - NIST-800-171-3.1.8 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - PCI-DSSv4-10.3 - PCI-DSSv4-10.3.4 - audit_rules_mac_modification - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - name: Record Events that Modify the System's Mandatory Access Controls - Use 
matched file as the recipient for the rule ansible.builtin.set_fact: all_files: - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' when: - audit_rules_mac_modification | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83721-1 - CJIS-5.4.1.1 - NIST-800-171-3.1.8 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - PCI-DSSv4-10.3 - PCI-DSSv4-10.3.4 - audit_rules_mac_modification - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - name: Record Events that Modify the System's Mandatory Access Controls - Add watch rule for /etc/selinux/ in /etc/audit/rules.d/ ansible.builtin.lineinfile: path: '{{ all_files[0] }}' line: -w /etc/selinux/ -p wa -k MAC-policy create: true mode: '0600' when: - audit_rules_mac_modification | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83721-1 - CJIS-5.4.1.1 - NIST-800-171-3.1.8 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - PCI-DSSv4-10.3 - PCI-DSSv4-10.3.4 - audit_rules_mac_modification - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - name: Record Events that Modify the System's Mandatory Access Controls - Check if watch rule for /etc/selinux/ already exists in /etc/audit/audit.rules ansible.builtin.find: paths: /etc/audit/ contains: 
^\s*-w\s+/etc/selinux/\s+-p\s+wa(\s|$)+ patterns: audit.rules register: find_existing_watch_audit_rules when: - audit_rules_mac_modification | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' tags: - CCE-83721-1 - CJIS-5.4.1.1 - NIST-800-171-3.1.8 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - PCI-DSSv4-10.3 - PCI-DSSv4-10.3.4 - audit_rules_mac_modification - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - name: Record Events that Modify the System's Mandatory Access Controls - Add watch rule for /etc/selinux/ in /etc/audit/audit.rules ansible.builtin.lineinfile: line: -w /etc/selinux/ -p wa -k MAC-policy state: present dest: /etc/audit/audit.rules create: true mode: '0600' when: - audit_rules_mac_modification | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 tags: - CCE-83721-1 - CJIS-5.4.1.1 - NIST-800-171-3.1.8 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - PCI-DSSv4-10.3 - PCI-DSSv4-10.3.4 - audit_rules_mac_modification - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - name: Record Events that Modify the System's Mandatory Access Controls in usr/share - Check if watch rule for /usr/share/selinux/ already exists in /etc/audit/rules.d/ ansible.builtin.find: paths: /etc/audit/rules.d contains: ^\s*-w\s+/usr/share/selinux/\s+-p\s+wa(\s|$)+ patterns: '*.rules' register: find_existing_watch_rules_d when: - audit_rules_mac_modification_usr_share | bool - low_complexity | bool - 
low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' tags: - CCE-86343-1 - NIST-800-171-3.1.8 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - audit_rules_mac_modification_usr_share - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Record Events that Modify the System's Mandatory Access Controls in usr/share - Search /etc/audit/rules.d for other rules with specified key MAC-policy ansible.builtin.find: paths: /etc/audit/rules.d contains: ^.*(?:-F key=|-k\s+)MAC-policy$ patterns: '*.rules' register: find_watch_key when: - audit_rules_mac_modification_usr_share | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-86343-1 - NIST-800-171-3.1.8 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - audit_rules_mac_modification_usr_share - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Record Events that Modify the System's Mandatory Access Controls in usr/share - Use /etc/audit/rules.d/MAC-policy.rules as the recipient for the rule ansible.builtin.set_fact: all_files: - /etc/audit/rules.d/MAC-policy.rules when: - audit_rules_mac_modification_usr_share | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and 
find_existing_watch_rules_d.matched == 0 tags: - CCE-86343-1 - NIST-800-171-3.1.8 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - audit_rules_mac_modification_usr_share - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Record Events that Modify the System's Mandatory Access Controls in usr/share - Use matched file as the recipient for the rule ansible.builtin.set_fact: all_files: - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' when: - audit_rules_mac_modification_usr_share | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-86343-1 - NIST-800-171-3.1.8 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - audit_rules_mac_modification_usr_share - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Record Events that Modify the System's Mandatory Access Controls in usr/share - Add watch rule for /usr/share/selinux/ in /etc/audit/rules.d/ ansible.builtin.lineinfile: path: '{{ all_files[0] }}' line: -w /usr/share/selinux/ -p wa -k MAC-policy create: true mode: '0600' when: - audit_rules_mac_modification_usr_share | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-86343-1 - NIST-800-171-3.1.8 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - 
audit_rules_mac_modification_usr_share - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Record Events that Modify the System's Mandatory Access Controls in usr/share - Check if watch rule for /usr/share/selinux/ already exists in /etc/audit/audit.rules ansible.builtin.find: paths: /etc/audit/ contains: ^\s*-w\s+/usr/share/selinux/\s+-p\s+wa(\s|$)+ patterns: audit.rules register: find_existing_watch_audit_rules when: - audit_rules_mac_modification_usr_share | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' tags: - CCE-86343-1 - NIST-800-171-3.1.8 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - audit_rules_mac_modification_usr_share - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Record Events that Modify the System's Mandatory Access Controls in usr/share - Add watch rule for /usr/share/selinux/ in /etc/audit/audit.rules ansible.builtin.lineinfile: line: -w /usr/share/selinux/ -p wa -k MAC-policy state: present dest: /etc/audit/audit.rules create: true mode: '0600' when: - audit_rules_mac_modification_usr_share | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 tags: - CCE-86343-1 - NIST-800-171-3.1.8 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - audit_rules_mac_modification_usr_share - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Set architecture for audit mount tasks ansible.builtin.set_fact: audit_arch: 
b64 when: - audit_rules_media_export | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" tags: - CCE-83735-1 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.7 - PCI-DSSv4-10.2 - PCI-DSSv4-10.2.1 - PCI-DSSv4-10.2.1.7 - audit_rules_media_export - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - name: Perform remediation of Audit rules for mount for 32bit platform block: - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - mount syscall_grouping: [] - name: Check existence of mount in /etc/audit/rules.d/ ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" - name: Count occurrences of syscalls in paths ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ 
item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/export.rules ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/export.rules" when: found_paths | length == 0 - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=export create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - mount syscall_grouping: [] - name: Check existence of mount in /etc/audit/audit.rules ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to 
/etc/audit/audit.rules ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=export create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 when: - audit_rules_media_export | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' tags: - CCE-83735-1 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.7 - PCI-DSSv4-10.2 - PCI-DSSv4-10.2.1 - PCI-DSSv4-10.2.1.7 - audit_rules_media_export - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - name: Perform remediation of Audit rules for mount for 64bit platform block: - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - mount syscall_grouping: [] - name: Check existence of mount in /etc/audit/rules.d/ ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S 
|,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" - name: Count occurrences of syscalls in paths ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/export.rules ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/export.rules" when: found_paths | length == 0 - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") 
}}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=export create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - mount syscall_grouping: [] - name: Check existence of mount in /etc/audit/audit.rules ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=export create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 when: - audit_rules_media_export | bool - 
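low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - reboot_required | bool
    - restrict_strategy | bool
    - '"audit" in ansible_facts.packages'
    - '"kernel-core" in ansible_facts.packages'
    - audit_arch == "b64"
  tags:
    - CCE-83735-1
    - CJIS-5.4.1.1
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.2.7
    - PCI-DSSv4-10.2
    - PCI-DSSv4-10.2.1
    - PCI-DSSv4-10.2.1.7
    - audit_rules_media_export
    - low_complexity
    - low_disruption
    - medium_severity
    - reboot_required
    - restrict_strategy
# (The lines above close the `when:`/`tags:` of the media-export remediation
# block, whose head lies before this chunk.)

# audit_rules_networkconfig_modification (CCE-83706-2): record events that
# modify the system's network environment -- the sethostname/setdomainname
# syscalls plus watches on /etc/issue, /etc/issue.net, /etc/hosts and
# /etc/sysconfig/network.
#
# Every task below carried the same eight `when` conditions and the same tag
# list.  They are declared once on this enclosing block and inherited: a
# block's `when` is ANDed with each contained task's own `when`, and block
# tags are inherited by contained tasks, so the run-time behaviour is the
# same as the per-task form.
#
# NOTE(review): these tasks only edit the rule files.  Nothing in this chunk
# loads them into the running auditd (no `notify`/handler is present), so the
# rules take effect at the next `augenrules --load` / auditd restart or at
# reboot -- confirm how this playbook applies them.  /etc/audit/audit.rules
# is edited directly as well; where augenrules regenerates that file from
# rules.d the direct edit is transient -- confirm on the target.
- name: Record Events that Modify the System's Network Environment
  block:
    # audit_arch is the only gate for the 64-bit rules below; it is set only
    # on the architectures listed here.
    - name: Set architecture for audit tasks
      ansible.builtin.set_fact:
        audit_arch: b64
      when: ansible_architecture in ["aarch64", "ppc64", "ppc64le", "s390x", "x86_64"]

    # Syscall rule handling (32-bit ABI): each rules file is scanned for an
    # existing `-a always,exit -F arch=b32 ... -S <syscall> ... -k|-F key=`
    # line.  When some of the wanted syscalls are already listed, the missing
    # ones are appended to that line (the file holding the most of them
    # wins); otherwise a fresh rule is written to
    # audit_rules_networkconfig_modification.rules.  The same procedure is
    # then repeated for the legacy /etc/audit/audit.rules.
    - name: Remediate audit rules for network configuration for 32bit platform
      block:
        - name: Declare list of syscalls
          ansible.builtin.set_fact:
            syscalls:
              - sethostname
              - setdomainname
            syscall_grouping:
              - sethostname
              - setdomainname

        - name: Check existence of sethostname, setdomainname in /etc/audit/rules.d/
          ansible.builtin.find:
            paths: /etc/audit/rules.d
            contains: '-a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$'
            patterns: '*.rules'
          register: find_command
          loop: '{{ (syscall_grouping + syscalls) | unique }}'

        - name: Reset syscalls found per file
          ansible.builtin.set_fact:
            syscalls_per_file: {}
            found_paths_dict: {}

        - name: Declare syscalls found per file
          ansible.builtin.set_fact:
            syscalls_per_file: "{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
          loop: '{{ find_command.results | selectattr(''matched'') | list }}'

        - name: Declare files where syscalls were found
          ansible.builtin.set_fact:
            found_paths: "{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}"

        - name: Count occurrences of syscalls in paths
          ansible.builtin.set_fact:
            found_paths_dict: "{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
          loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'

        # The file that already carries the most of the wanted syscalls
        # receives the merged rule.
        - name: Get path with most syscalls
          ansible.builtin.set_fact:
            audit_file: "{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
          when: found_paths | length >= 1

        - name: No file with syscall found, set path to /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
          ansible.builtin.set_fact:
            audit_file: /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
          when: found_paths | length == 0

        - name: Declare found syscalls
          ansible.builtin.set_fact:
            syscalls_found: "{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"

        - name: Declare missing syscalls
          ansible.builtin.set_fact:
            missing_syscalls: "{{ syscalls | difference(syscalls_found) }}"

        # Group 3 of the regexp captures the separator already used on the
        # line (` -S ` or `,`), so the appended syscalls reuse that style.
        - name: Replace the audit rule in {{ audit_file }}
          ansible.builtin.lineinfile:
            path: '{{ audit_file }}'
            regexp: '(-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+)'
            line: '\1\2\3{{ missing_syscalls | join("\3") }}\4'
            backrefs: true
            state: present
            mode: g-rwx,o-rwx
          when: syscalls_found | length > 0 and missing_syscalls | length > 0

        - name: Add the audit rule to {{ audit_file }}
          ansible.builtin.lineinfile:
            path: '{{ audit_file }}'
            line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=audit_rules_networkconfig_modification
            create: true
            mode: g-rwx,o-rwx
            state: present
          when: syscalls_found | length == 0

        # Second pass: the legacy /etc/audit/audit.rules.
        - name: Declare list of syscalls
          ansible.builtin.set_fact:
            syscalls:
              - sethostname
              - setdomainname
            syscall_grouping:
              - sethostname
              - setdomainname

        - name: Check existence of sethostname, setdomainname in /etc/audit/audit.rules
          ansible.builtin.find:
            paths: /etc/audit
            contains: '-a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$'
            patterns: audit.rules
          register: find_command
          loop: '{{ (syscall_grouping + syscalls) | unique }}'

        - name: Set path to /etc/audit/audit.rules
          ansible.builtin.set_fact:
            audit_file: /etc/audit/audit.rules

        - name: Declare found syscalls
          ansible.builtin.set_fact:
            syscalls_found: "{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"

        - name: Declare missing syscalls
          ansible.builtin.set_fact:
            missing_syscalls: "{{ syscalls | difference(syscalls_found) }}"

        - name: Replace the audit rule in {{ audit_file }}
          ansible.builtin.lineinfile:
            path: '{{ audit_file }}'
            regexp: '(-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+)'
            line: '\1\2\3{{ missing_syscalls | join("\3") }}\4'
            backrefs: true
            state: present
            mode: g-rwx,o-rwx
          when: syscalls_found | length > 0 and missing_syscalls | length > 0

        - name: Add the audit rule to {{ audit_file }}
          ansible.builtin.lineinfile:
            path: '{{ audit_file }}'
            line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=audit_rules_networkconfig_modification
            create: true
            mode: g-rwx,o-rwx
            state: present
          when: syscalls_found | length == 0

    # Same procedure for the 64-bit ABI.  `audit_arch` is only set by the
    # "Set architecture" task above, so it is guarded with `is defined`: on
    # an architecture outside that list the block is skipped instead of the
    # conditional failing on an undefined variable.
    - name: Remediate audit rules for network configuration for 64bit platform
      block:
        - name: Declare list of syscalls
          ansible.builtin.set_fact:
            syscalls:
              - sethostname
              - setdomainname
            syscall_grouping:
              - sethostname
              - setdomainname

        - name: Check existence of sethostname, setdomainname in /etc/audit/rules.d/
          ansible.builtin.find:
            paths: /etc/audit/rules.d
            contains: '-a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$'
            patterns: '*.rules'
          register: find_command
          loop: '{{ (syscall_grouping + syscalls) | unique }}'

        - name: Reset syscalls found per file
          ansible.builtin.set_fact:
            syscalls_per_file: {}
            found_paths_dict: {}

        - name: Declare syscalls found per file
          ansible.builtin.set_fact:
            syscalls_per_file: "{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
          loop: '{{ find_command.results | selectattr(''matched'') | list }}'

        - name: Declare files where syscalls were found
          ansible.builtin.set_fact:
            found_paths: "{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}"

        - name: Count occurrences of syscalls in paths
          ansible.builtin.set_fact:
            found_paths_dict: "{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
          loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'

        - name: Get path with most syscalls
          ansible.builtin.set_fact:
            audit_file: "{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
          when: found_paths | length >= 1

        - name: No file with syscall found, set path to /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
          ansible.builtin.set_fact:
            audit_file: /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
          when: found_paths | length == 0

        - name: Declare found syscalls
          ansible.builtin.set_fact:
            syscalls_found: "{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"

        - name: Declare missing syscalls
          ansible.builtin.set_fact:
            missing_syscalls: "{{ syscalls | difference(syscalls_found) }}"

        - name: Replace the audit rule in {{ audit_file }}
          ansible.builtin.lineinfile:
            path: '{{ audit_file }}'
            regexp: '(-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+)'
            line: '\1\2\3{{ missing_syscalls | join("\3") }}\4'
            backrefs: true
            state: present
            mode: g-rwx,o-rwx
          when: syscalls_found | length > 0 and missing_syscalls | length > 0

        - name: Add the audit rule to {{ audit_file }}
          ansible.builtin.lineinfile:
            path: '{{ audit_file }}'
            line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F key=audit_rules_networkconfig_modification
            create: true
            mode: g-rwx,o-rwx
            state: present
          when: syscalls_found | length == 0

        # Second pass: the legacy /etc/audit/audit.rules.
        - name: Declare list of syscalls
          ansible.builtin.set_fact:
            syscalls:
              - sethostname
              - setdomainname
            syscall_grouping:
              - sethostname
              - setdomainname

        - name: Check existence of sethostname, setdomainname in /etc/audit/audit.rules
          ansible.builtin.find:
            paths: /etc/audit
            contains: '-a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$'
            patterns: audit.rules
          register: find_command
          loop: '{{ (syscall_grouping + syscalls) | unique }}'

        - name: Set path to /etc/audit/audit.rules
          ansible.builtin.set_fact:
            audit_file: /etc/audit/audit.rules

        - name: Declare found syscalls
          ansible.builtin.set_fact:
            syscalls_found: "{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"

        - name: Declare missing syscalls
          ansible.builtin.set_fact:
            missing_syscalls: "{{ syscalls | difference(syscalls_found) }}"

        - name: Replace the audit rule in {{ audit_file }}
          ansible.builtin.lineinfile:
            path: '{{ audit_file }}'
            regexp: '(-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+)'
            line: '\1\2\3{{ missing_syscalls | join("\3") }}\4'
            backrefs: true
            state: present
            mode: g-rwx,o-rwx
          when: syscalls_found | length > 0 and missing_syscalls | length > 0

        - name: Add the audit rule to {{ audit_file }}
          ansible.builtin.lineinfile:
            path: '{{ audit_file }}'
            line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F key=audit_rules_networkconfig_modification
            create: true
            mode: g-rwx,o-rwx
            state: present
          when: syscalls_found | length == 0
      when: audit_arch is defined and audit_arch == "b64"

    # Watch-rule handling, one group per watched path.  A watch is added
    # only when no `-w <path> -p wa` line exists yet; it goes into the
    # rules.d file that already carries the audit_rules_networkconfig_modification
    # key, or into a new audit_rules_networkconfig_modification.rules.  The
    # legacy /etc/audit/audit.rules is then treated the same way.
    #
    # NOTE(review): only an exact `-p wa` is recognised by the existence
    # check -- a pre-existing watch with a superset of permissions such as
    # `-p rwa` is not matched and a second watch on the path is appended.
    - name: Record Events that Modify the System's Network Environment - watch /etc/issue
      block:
        - name: Record Events that Modify the System's Network Environment - Check if watch rule for /etc/issue already exists in /etc/audit/rules.d/
          ansible.builtin.find:
            paths: /etc/audit/rules.d
            contains: '^\s*-w\s+/etc/issue\s+-p\s+wa(\s|$)+'
            patterns: '*.rules'
          register: find_existing_watch_rules_d

        - name: Record Events that Modify the System's Network Environment - Search /etc/audit/rules.d for other rules with specified key audit_rules_networkconfig_modification
          ansible.builtin.find:
            paths: /etc/audit/rules.d
            contains: '^.*(?:-F key=|-k\s+)audit_rules_networkconfig_modification$'
            patterns: '*.rules'
          register: find_watch_key
          when: find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0

        - name: Record Events that Modify the System's Network Environment - Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules as the recipient for the rule
          ansible.builtin.set_fact:
            all_files:
              - /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
          when: find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0

        - name: Record Events that Modify the System's Network Environment - Use matched file as the recipient for the rule
          ansible.builtin.set_fact:
            all_files:
              - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
          when: find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0

        - name: Record Events that Modify the System's Network Environment - Add watch rule for /etc/issue in /etc/audit/rules.d/
          ansible.builtin.lineinfile:
            path: '{{ all_files[0] }}'
            line: -w /etc/issue -p wa -k audit_rules_networkconfig_modification
            create: true
            mode: '0600'
          when: find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0

        - name: Record Events that Modify the System's Network Environment - Check if watch rule for /etc/issue already exists in /etc/audit/audit.rules
          ansible.builtin.find:
            paths: /etc/audit/
            contains: '^\s*-w\s+/etc/issue\s+-p\s+wa(\s|$)+'
            patterns: audit.rules
          register: find_existing_watch_audit_rules

        - name: Record Events that Modify the System's Network Environment - Add watch rule for /etc/issue in /etc/audit/audit.rules
          ansible.builtin.lineinfile:
            path: /etc/audit/audit.rules
            line: -w /etc/issue -p wa -k audit_rules_networkconfig_modification
            state: present
            create: true
            mode: '0600'
          when: find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0

    # The `.` in issue.net is escaped so the existence check matches only
    # /etc/issue.net (an unescaped `.` matches any character).
    - name: Record Events that Modify the System's Network Environment - watch /etc/issue.net
      block:
        - name: Record Events that Modify the System's Network Environment - Check if watch rule for /etc/issue.net already exists in /etc/audit/rules.d/
          ansible.builtin.find:
            paths: /etc/audit/rules.d
            contains: '^\s*-w\s+/etc/issue\.net\s+-p\s+wa(\s|$)+'
            patterns: '*.rules'
          register: find_existing_watch_rules_d

        - name: Record Events that Modify the System's Network Environment - Search /etc/audit/rules.d for other rules with specified key audit_rules_networkconfig_modification
          ansible.builtin.find:
            paths: /etc/audit/rules.d
            contains: '^.*(?:-F key=|-k\s+)audit_rules_networkconfig_modification$'
            patterns: '*.rules'
          register: find_watch_key
          when: find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0

        - name: Record Events that Modify the System's Network Environment - Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules as the recipient for the rule
          ansible.builtin.set_fact:
            all_files:
              - /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
          when: find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0

        - name: Record Events that Modify the System's Network Environment - Use matched file as the recipient for the rule
          ansible.builtin.set_fact:
            all_files:
              - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
          when: find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0

        - name: Record Events that Modify the System's Network Environment - Add watch rule for /etc/issue.net in /etc/audit/rules.d/
          ansible.builtin.lineinfile:
            path: '{{ all_files[0] }}'
            line: -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
            create: true
            mode: '0600'
          when: find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0

        - name: Record Events that Modify the System's Network Environment - Check if watch rule for /etc/issue.net already exists in /etc/audit/audit.rules
          ansible.builtin.find:
            paths: /etc/audit/
            contains: '^\s*-w\s+/etc/issue\.net\s+-p\s+wa(\s|$)+'
            patterns: audit.rules
          register: find_existing_watch_audit_rules

        - name: Record Events that Modify the System's Network Environment - Add watch rule for /etc/issue.net in /etc/audit/audit.rules
          ansible.builtin.lineinfile:
            path: /etc/audit/audit.rules
            line: -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
            state: present
            create: true
            mode: '0600'
          when: find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0

    - name: Record Events that Modify the System's Network Environment - watch /etc/hosts
      block:
        - name: Record Events that Modify the System's Network Environment - Check if watch rule for /etc/hosts already exists in /etc/audit/rules.d/
          ansible.builtin.find:
            paths: /etc/audit/rules.d
            contains: '^\s*-w\s+/etc/hosts\s+-p\s+wa(\s|$)+'
            patterns: '*.rules'
          register: find_existing_watch_rules_d

        - name: Record Events that Modify the System's Network Environment - Search /etc/audit/rules.d for other rules with specified key audit_rules_networkconfig_modification
          ansible.builtin.find:
            paths: /etc/audit/rules.d
            contains: '^.*(?:-F key=|-k\s+)audit_rules_networkconfig_modification$'
            patterns: '*.rules'
          register: find_watch_key
          when: find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0

        - name: Record Events that Modify the System's Network Environment - Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules as the recipient for the rule
          ansible.builtin.set_fact:
            all_files:
              - /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
          when: find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0

        - name: Record Events that Modify the System's Network Environment - Use matched file as the recipient for the rule
          ansible.builtin.set_fact:
            all_files:
              - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
          when: find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0

        - name: Record Events that Modify the System's Network Environment - Add watch rule for /etc/hosts in /etc/audit/rules.d/
          ansible.builtin.lineinfile:
            path: '{{ all_files[0] }}'
            line: -w /etc/hosts -p wa -k audit_rules_networkconfig_modification
            create: true
            mode: '0600'
          when: find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0

        - name: Record Events that Modify the System's Network Environment - Check if watch rule for /etc/hosts already exists in /etc/audit/audit.rules
          ansible.builtin.find:
            paths: /etc/audit/
            contains: '^\s*-w\s+/etc/hosts\s+-p\s+wa(\s|$)+'
            patterns: audit.rules
          register: find_existing_watch_audit_rules

        - name: Record Events that Modify the System's Network Environment - Add watch rule for /etc/hosts in /etc/audit/audit.rules
          ansible.builtin.lineinfile:
            path: /etc/audit/audit.rules
            line: -w /etc/hosts -p wa -k audit_rules_networkconfig_modification
            state: present
            create: true
            mode: '0600'
          when: find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0

    # /etc/sysconfig/network: the first four tasks of the group are here; the
    # "Add watch rule ... in /etc/audit/rules.d/" task and the rest of the
    # group continue after this block (past the end of this chunk).
    - name: Record Events that Modify the System's Network Environment - watch /etc/sysconfig/network (recipient selection)
      block:
        - name: Record Events that Modify the System's Network Environment - Check if watch rule for /etc/sysconfig/network already exists in /etc/audit/rules.d/
          ansible.builtin.find:
            paths: /etc/audit/rules.d
            contains: '^\s*-w\s+/etc/sysconfig/network\s+-p\s+wa(\s|$)+'
            patterns: '*.rules'
          register: find_existing_watch_rules_d

        - name: Record Events that Modify the System's Network Environment - Search /etc/audit/rules.d for other rules with specified key audit_rules_networkconfig_modification
          ansible.builtin.find:
            paths: /etc/audit/rules.d
            contains: '^.*(?:-F key=|-k\s+)audit_rules_networkconfig_modification$'
            patterns: '*.rules'
          register: find_watch_key
          when: find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0

        - name: Record Events that Modify the System's Network Environment - Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules as the recipient for the rule
          ansible.builtin.set_fact:
            all_files:
              - /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
          when: find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0

        - name: Record Events that Modify the System's Network Environment - Use matched file as the recipient for the rule
          ansible.builtin.set_fact:
            all_files:
              - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
          when: find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
  when:
    - audit_rules_networkconfig_modification | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - '"audit" in ansible_facts.packages'
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-83706-2
    - CJIS-5.4.1.1
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.5
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.4
    - audit_rules_networkconfig_modification
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

# This task is cut off at the end of the chunk; its remaining parameters,
# `when:` and `tags:` follow in the next part of the file.
- name: Record Events that Modify the System's Network Environment - Add watch rule for /etc/sysconfig/network in /etc/audit/rules.d/
  ansible.builtin.lineinfile:
    path: '{{ all_files[0] }}'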
line: -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification create: true mode: '0600' when: - audit_rules_networkconfig_modification | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83706-2 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - PCI-DSSv4-10.3 - PCI-DSSv4-10.3.4 - audit_rules_networkconfig_modification - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Record Events that Modify the System's Network Environment - Check if watch rule for /etc/sysconfig/network already exists in /etc/audit/audit.rules ansible.builtin.find: paths: /etc/audit/ contains: ^\s*-w\s+/etc/sysconfig/network\s+-p\s+wa(\s|$)+ patterns: audit.rules register: find_existing_watch_audit_rules when: - audit_rules_networkconfig_modification | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' tags: - CCE-83706-2 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - PCI-DSSv4-10.3 - PCI-DSSv4-10.3.4 - audit_rules_networkconfig_modification - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Record Events that Modify the System's Network Environment - Add watch rule for /etc/sysconfig/network in /etc/audit/audit.rules ansible.builtin.lineinfile: line: -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification state: present dest: 
/etc/audit/audit.rules create: true mode: '0600' when: - audit_rules_networkconfig_modification | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 tags: - CCE-83706-2 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - PCI-DSSv4-10.3 - PCI-DSSv4-10.3.4 - audit_rules_networkconfig_modification - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Record Events that Modify the System's Network Environment - /etc/hostname - Check if watch rule for /etc/hostname already exists in /etc/audit/rules.d/ ansible.builtin.find: paths: /etc/audit/rules.d contains: ^\s*-w\s+/etc/hostname\s+-p\s+wa(\s|$)+ patterns: '*.rules' register: find_existing_watch_rules_d when: - audit_rules_networkconfig_modification_hostname_file | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' tags: - CCE-86603-8 - audit_rules_networkconfig_modification_hostname_file - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Record Events that Modify the System's Network Environment - /etc/hostname - Search /etc/audit/rules.d for other rules with specified key audit_rules_networkconfig_modification_hostname_file ansible.builtin.find: paths: /etc/audit/rules.d contains: ^.*(?:-F key=|-k\s+)audit_rules_networkconfig_modification_hostname_file$ patterns: '*.rules' register: find_watch_key when: - audit_rules_networkconfig_modification_hostname_file | bool - low_complexity | bool - low_disruption | bool - 
medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-86603-8 - audit_rules_networkconfig_modification_hostname_file - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Record Events that Modify the System's Network Environment - /etc/hostname - Use /etc/audit/rules.d/audit_rules_networkconfig_modification_hostname_file.rules as the recipient for the rule ansible.builtin.set_fact: all_files: - /etc/audit/rules.d/audit_rules_networkconfig_modification_hostname_file.rules when: - audit_rules_networkconfig_modification_hostname_file | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-86603-8 - audit_rules_networkconfig_modification_hostname_file - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Record Events that Modify the System's Network Environment - /etc/hostname - Use matched file as the recipient for the rule ansible.builtin.set_fact: all_files: - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' when: - audit_rules_networkconfig_modification_hostname_file | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and 
find_existing_watch_rules_d.matched == 0 tags: - CCE-86603-8 - audit_rules_networkconfig_modification_hostname_file - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Record Events that Modify the System's Network Environment - /etc/hostname - Add watch rule for /etc/hostname in /etc/audit/rules.d/ ansible.builtin.lineinfile: path: '{{ all_files[0] }}' line: -w /etc/hostname -p wa -k audit_rules_networkconfig_modification_hostname_file create: true mode: '0600' when: - audit_rules_networkconfig_modification_hostname_file | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-86603-8 - audit_rules_networkconfig_modification_hostname_file - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Record Events that Modify the System's Network Environment - /etc/hostname - Check if watch rule for /etc/hostname already exists in /etc/audit/audit.rules ansible.builtin.find: paths: /etc/audit/ contains: ^\s*-w\s+/etc/hostname\s+-p\s+wa(\s|$)+ patterns: audit.rules register: find_existing_watch_audit_rules when: - audit_rules_networkconfig_modification_hostname_file | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' tags: - CCE-86603-8 - audit_rules_networkconfig_modification_hostname_file - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Record Events that Modify the System's Network Environment - /etc/hostname - Add watch rule for /etc/hostname in /etc/audit/audit.rules ansible.builtin.lineinfile: line: -w 
/etc/hostname -p wa -k audit_rules_networkconfig_modification_hostname_file state: present dest: /etc/audit/audit.rules create: true mode: '0600' when: - audit_rules_networkconfig_modification_hostname_file | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 tags: - CCE-86603-8 - audit_rules_networkconfig_modification_hostname_file - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Record Events that Modify the System's Network Environment - /etc/sysconfig/network-scripts - Check if watch rule for /etc/sysconfig/network-scripts already exists in /etc/audit/rules.d/ ansible.builtin.find: paths: /etc/audit/rules.d contains: ^\s*-w\s+/etc/sysconfig/network-scripts\s+-p\s+wa(\s|$)+ patterns: '*.rules' register: find_existing_watch_rules_d when: - audit_rules_networkconfig_modification_network_scripts | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' tags: - CCE-86940-4 - audit_rules_networkconfig_modification_network_scripts - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Record Events that Modify the System's Network Environment - /etc/sysconfig/network-scripts - Search /etc/audit/rules.d for other rules with specified key audit_rules_networkconfig_modification_network_scripts ansible.builtin.find: paths: /etc/audit/rules.d contains: ^.*(?:-F key=|-k\s+)audit_rules_networkconfig_modification_network_scripts$ patterns: '*.rules' register: find_watch_key when: - audit_rules_networkconfig_modification_network_scripts | bool - low_complexity | bool - 
low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-86940-4 - audit_rules_networkconfig_modification_network_scripts - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Record Events that Modify the System's Network Environment - /etc/sysconfig/network-scripts - Use /etc/audit/rules.d/audit_rules_networkconfig_modification_network_scripts.rules as the recipient for the rule ansible.builtin.set_fact: all_files: - /etc/audit/rules.d/audit_rules_networkconfig_modification_network_scripts.rules when: - audit_rules_networkconfig_modification_network_scripts | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-86940-4 - audit_rules_networkconfig_modification_network_scripts - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Record Events that Modify the System's Network Environment - /etc/sysconfig/network-scripts - Use matched file as the recipient for the rule ansible.builtin.set_fact: all_files: - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' when: - audit_rules_networkconfig_modification_network_scripts | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - find_watch_key.matched is defined and find_watch_key.matched > 0 and 
find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-86940-4 - audit_rules_networkconfig_modification_network_scripts - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Record Events that Modify the System's Network Environment - /etc/sysconfig/network-scripts - Add watch rule for /etc/sysconfig/network-scripts in /etc/audit/rules.d/ ansible.builtin.lineinfile: path: '{{ all_files[0] }}' line: -w /etc/sysconfig/network-scripts -p wa -k audit_rules_networkconfig_modification_network_scripts create: true mode: '0600' when: - audit_rules_networkconfig_modification_network_scripts | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-86940-4 - audit_rules_networkconfig_modification_network_scripts - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Record Events that Modify the System's Network Environment - /etc/sysconfig/network-scripts - Check if watch rule for /etc/sysconfig/network-scripts already exists in /etc/audit/audit.rules ansible.builtin.find: paths: /etc/audit/ contains: ^\s*-w\s+/etc/sysconfig/network-scripts\s+-p\s+wa(\s|$)+ patterns: audit.rules register: find_existing_watch_audit_rules when: - audit_rules_networkconfig_modification_network_scripts | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' tags: - CCE-86940-4 - audit_rules_networkconfig_modification_network_scripts - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Record Events 
that Modify the System's Network Environment - /etc/sysconfig/network-scripts - Add watch rule for /etc/sysconfig/network-scripts in /etc/audit/audit.rules ansible.builtin.lineinfile: line: -w /etc/sysconfig/network-scripts -p wa -k audit_rules_networkconfig_modification_network_scripts state: present dest: /etc/audit/audit.rules create: true mode: '0600' when: - audit_rules_networkconfig_modification_network_scripts | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 tags: - CCE-86940-4 - audit_rules_networkconfig_modification_network_scripts - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Record Events that Modify the System's Network Environment - /etc/NetworkManager/ - Check if watch rule for /etc/NetworkManager already exists in /etc/audit/rules.d/ ansible.builtin.find: paths: /etc/audit/rules.d contains: ^\s*-w\s+/etc/NetworkManager\s+-p\s+wa(\s|$)+ patterns: '*.rules' register: find_existing_watch_rules_d when: - audit_rules_networkconfig_modification_networkmanager | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' tags: - CCE-86481-9 - audit_rules_networkconfig_modification_networkmanager - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Record Events that Modify the System's Network Environment - /etc/NetworkManager/ - Search /etc/audit/rules.d for other rules with specified key audit_rules_networkconfig_modification_networkmanager ansible.builtin.find: paths: /etc/audit/rules.d contains: ^.*(?:-F 
key=|-k\s+)audit_rules_networkconfig_modification_networkmanager$ patterns: '*.rules' register: find_watch_key when: - audit_rules_networkconfig_modification_networkmanager | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-86481-9 - audit_rules_networkconfig_modification_networkmanager - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Record Events that Modify the System's Network Environment - /etc/NetworkManager/ - Use /etc/audit/rules.d/audit_rules_networkconfig_modification_networkmanager.rules as the recipient for the rule ansible.builtin.set_fact: all_files: - /etc/audit/rules.d/audit_rules_networkconfig_modification_networkmanager.rules when: - audit_rules_networkconfig_modification_networkmanager | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-86481-9 - audit_rules_networkconfig_modification_networkmanager - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Record Events that Modify the System's Network Environment - /etc/NetworkManager/ - Use matched file as the recipient for the rule ansible.builtin.set_fact: all_files: - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' when: - audit_rules_networkconfig_modification_networkmanager | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - 
restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-86481-9 - audit_rules_networkconfig_modification_networkmanager - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Record Events that Modify the System's Network Environment - /etc/NetworkManager/ - Add watch rule for /etc/NetworkManager in /etc/audit/rules.d/ ansible.builtin.lineinfile: path: '{{ all_files[0] }}' line: -w /etc/NetworkManager -p wa -k audit_rules_networkconfig_modification_networkmanager create: true mode: '0600' when: - audit_rules_networkconfig_modification_networkmanager | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-86481-9 - audit_rules_networkconfig_modification_networkmanager - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Record Events that Modify the System's Network Environment - /etc/NetworkManager/ - Check if watch rule for /etc/NetworkManager already exists in /etc/audit/audit.rules ansible.builtin.find: paths: /etc/audit/ contains: ^\s*-w\s+/etc/NetworkManager\s+-p\s+wa(\s|$)+ patterns: audit.rules register: find_existing_watch_audit_rules when: - audit_rules_networkconfig_modification_networkmanager | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' tags: - CCE-86481-9 - audit_rules_networkconfig_modification_networkmanager - 
low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Record Events that Modify the System's Network Environment - /etc/NetworkManager/ - Add watch rule for /etc/NetworkManager in /etc/audit/audit.rules ansible.builtin.lineinfile: line: -w /etc/NetworkManager -p wa -k audit_rules_networkconfig_modification_networkmanager state: present dest: /etc/audit/audit.rules create: true mode: '0600' when: - audit_rules_networkconfig_modification_networkmanager | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 tags: - CCE-86481-9 - audit_rules_networkconfig_modification_networkmanager - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Record Attempts to Alter Process and Session Initiation Information btmp - Check if watch rule for /var/log/btmp already exists in /etc/audit/rules.d/ ansible.builtin.find: paths: /etc/audit/rules.d contains: ^\s*-w\s+/var/log/btmp\s+-p\s+wa(\s|$)+ patterns: '*.rules' register: find_existing_watch_rules_d when: - audit_rules_session_events_btmp | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' tags: - CCE-86198-9 - NIST-800-53-AU-12(c) - NIST-800-53-AU-12.1(iv) - PCI-DSSv4-10.2 - PCI-DSSv4-10.2.1 - PCI-DSSv4-10.2.1.3 - audit_rules_session_events_btmp - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Record Attempts to Alter Process and Session Initiation Information btmp - Search /etc/audit/rules.d for other rules with specified key session ansible.builtin.find: paths: 
/etc/audit/rules.d contains: ^.*(?:-F key=|-k\s+)session$ patterns: '*.rules' register: find_watch_key when: - audit_rules_session_events_btmp | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-86198-9 - NIST-800-53-AU-12(c) - NIST-800-53-AU-12.1(iv) - PCI-DSSv4-10.2 - PCI-DSSv4-10.2.1 - PCI-DSSv4-10.2.1.3 - audit_rules_session_events_btmp - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Record Attempts to Alter Process and Session Initiation Information btmp - Use /etc/audit/rules.d/session.rules as the recipient for the rule ansible.builtin.set_fact: all_files: - /etc/audit/rules.d/session.rules when: - audit_rules_session_events_btmp | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-86198-9 - NIST-800-53-AU-12(c) - NIST-800-53-AU-12.1(iv) - PCI-DSSv4-10.2 - PCI-DSSv4-10.2.1 - PCI-DSSv4-10.2.1.3 - audit_rules_session_events_btmp - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Record Attempts to Alter Process and Session Initiation Information btmp - Use matched file as the recipient for the rule ansible.builtin.set_fact: all_files: - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' when: - audit_rules_session_events_btmp | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy 
| bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-86198-9 - NIST-800-53-AU-12(c) - NIST-800-53-AU-12.1(iv) - PCI-DSSv4-10.2 - PCI-DSSv4-10.2.1 - PCI-DSSv4-10.2.1.3 - audit_rules_session_events_btmp - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Record Attempts to Alter Process and Session Initiation Information btmp - Add watch rule for /var/log/btmp in /etc/audit/rules.d/ ansible.builtin.lineinfile: path: '{{ all_files[0] }}' line: -w /var/log/btmp -p wa -k session create: true mode: '0600' when: - audit_rules_session_events_btmp | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-86198-9 - NIST-800-53-AU-12(c) - NIST-800-53-AU-12.1(iv) - PCI-DSSv4-10.2 - PCI-DSSv4-10.2.1 - PCI-DSSv4-10.2.1.3 - audit_rules_session_events_btmp - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Record Attempts to Alter Process and Session Initiation Information btmp - Check if watch rule for /var/log/btmp already exists in /etc/audit/audit.rules ansible.builtin.find: paths: /etc/audit/ contains: ^\s*-w\s+/var/log/btmp\s+-p\s+wa(\s|$)+ patterns: audit.rules register: find_existing_watch_audit_rules when: - audit_rules_session_events_btmp | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' tags: - CCE-86198-9 - NIST-800-53-AU-12(c) - 
NIST-800-53-AU-12.1(iv) - PCI-DSSv4-10.2 - PCI-DSSv4-10.2.1 - PCI-DSSv4-10.2.1.3 - audit_rules_session_events_btmp - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Record Attempts to Alter Process and Session Initiation Information btmp - Add watch rule for /var/log/btmp in /etc/audit/audit.rules ansible.builtin.lineinfile: line: -w /var/log/btmp -p wa -k session state: present dest: /etc/audit/audit.rules create: true mode: '0600' when: - audit_rules_session_events_btmp | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 tags: - CCE-86198-9 - NIST-800-53-AU-12(c) - NIST-800-53-AU-12.1(iv) - PCI-DSSv4-10.2 - PCI-DSSv4-10.2.1 - PCI-DSSv4-10.2.1.3 - audit_rules_session_events_btmp - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Record Attempts to Alter Process and Session Initiation Information utmp - Check if watch rule for /var/run/utmp already exists in /etc/audit/rules.d/ ansible.builtin.find: paths: /etc/audit/rules.d contains: ^\s*-w\s+/var/run/utmp\s+-p\s+wa(\s|$)+ patterns: '*.rules' register: find_existing_watch_rules_d when: - audit_rules_session_events_utmp | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' tags: - CCE-86202-9 - NIST-800-53-AU-12(c) - NIST-800-53-AU-12.1(iv) - PCI-DSSv4-10.2 - PCI-DSSv4-10.2.1 - PCI-DSSv4-10.2.1.3 - audit_rules_session_events_utmp - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Record Attempts to Alter Process and Session Initiation Information utmp - 
Search /etc/audit/rules.d for other rules with specified key session ansible.builtin.find: paths: /etc/audit/rules.d contains: ^.*(?:-F key=|-k\s+)session$ patterns: '*.rules' register: find_watch_key when: - audit_rules_session_events_utmp | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-86202-9 - NIST-800-53-AU-12(c) - NIST-800-53-AU-12.1(iv) - PCI-DSSv4-10.2 - PCI-DSSv4-10.2.1 - PCI-DSSv4-10.2.1.3 - audit_rules_session_events_utmp - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Record Attempts to Alter Process and Session Initiation Information utmp - Use /etc/audit/rules.d/session.rules as the recipient for the rule ansible.builtin.set_fact: all_files: - /etc/audit/rules.d/session.rules when: - audit_rules_session_events_utmp | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-86202-9 - NIST-800-53-AU-12(c) - NIST-800-53-AU-12.1(iv) - PCI-DSSv4-10.2 - PCI-DSSv4-10.2.1 - PCI-DSSv4-10.2.1.3 - audit_rules_session_events_utmp - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Record Attempts to Alter Process and Session Initiation Information utmp - Use matched file as the recipient for the rule ansible.builtin.set_fact: all_files: - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' when: - audit_rules_session_events_utmp | bool - low_complexity | 
bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-86202-9 - NIST-800-53-AU-12(c) - NIST-800-53-AU-12.1(iv) - PCI-DSSv4-10.2 - PCI-DSSv4-10.2.1 - PCI-DSSv4-10.2.1.3 - audit_rules_session_events_utmp - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Record Attempts to Alter Process and Session Initiation Information utmp - Add watch rule for /var/run/utmp in /etc/audit/rules.d/ ansible.builtin.lineinfile: path: '{{ all_files[0] }}' line: -w /var/run/utmp -p wa -k session create: true mode: '0600' when: - audit_rules_session_events_utmp | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-86202-9 - NIST-800-53-AU-12(c) - NIST-800-53-AU-12.1(iv) - PCI-DSSv4-10.2 - PCI-DSSv4-10.2.1 - PCI-DSSv4-10.2.1.3 - audit_rules_session_events_utmp - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Record Attempts to Alter Process and Session Initiation Information utmp - Check if watch rule for /var/run/utmp already exists in /etc/audit/audit.rules ansible.builtin.find: paths: /etc/audit/ contains: ^\s*-w\s+/var/run/utmp\s+-p\s+wa(\s|$)+ patterns: audit.rules register: find_existing_watch_audit_rules when: - audit_rules_session_events_utmp | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - 
'"kernel-core" in ansible_facts.packages' tags: - CCE-86202-9 - NIST-800-53-AU-12(c) - NIST-800-53-AU-12.1(iv) - PCI-DSSv4-10.2 - PCI-DSSv4-10.2.1 - PCI-DSSv4-10.2.1.3 - audit_rules_session_events_utmp - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Record Attempts to Alter Process and Session Initiation Information utmp - Add watch rule for /var/run/utmp in /etc/audit/audit.rules ansible.builtin.lineinfile: line: -w /var/run/utmp -p wa -k session state: present dest: /etc/audit/audit.rules create: true mode: '0600' when: - audit_rules_session_events_utmp | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 tags: - CCE-86202-9 - NIST-800-53-AU-12(c) - NIST-800-53-AU-12.1(iv) - PCI-DSSv4-10.2 - PCI-DSSv4-10.2.1 - PCI-DSSv4-10.2.1.3 - audit_rules_session_events_utmp - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Record Attempts to Alter Process and Session Initiation Information wtmp - Check if watch rule for /var/log/wtmp already exists in /etc/audit/rules.d/ ansible.builtin.find: paths: /etc/audit/rules.d contains: ^\s*-w\s+/var/log/wtmp\s+-p\s+wa(\s|$)+ patterns: '*.rules' register: find_existing_watch_rules_d when: - audit_rules_session_events_wtmp | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' tags: - CCE-86203-7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-12.1(iv) - PCI-DSSv4-10.2 - PCI-DSSv4-10.2.1 - PCI-DSSv4-10.2.1.3 - audit_rules_session_events_wtmp - low_complexity - low_disruption - medium_severity - no_reboot_needed - 
restrict_strategy - name: Record Attempts to Alter Process and Session Initiation Information wtmp - Search /etc/audit/rules.d for other rules with specified key session ansible.builtin.find: paths: /etc/audit/rules.d contains: ^.*(?:-F key=|-k\s+)session$ patterns: '*.rules' register: find_watch_key when: - audit_rules_session_events_wtmp | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-86203-7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-12.1(iv) - PCI-DSSv4-10.2 - PCI-DSSv4-10.2.1 - PCI-DSSv4-10.2.1.3 - audit_rules_session_events_wtmp - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Record Attempts to Alter Process and Session Initiation Information wtmp - Use /etc/audit/rules.d/session.rules as the recipient for the rule ansible.builtin.set_fact: all_files: - /etc/audit/rules.d/session.rules when: - audit_rules_session_events_wtmp | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-86203-7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-12.1(iv) - PCI-DSSv4-10.2 - PCI-DSSv4-10.2.1 - PCI-DSSv4-10.2.1.3 - audit_rules_session_events_wtmp - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Record Attempts to Alter Process and Session Initiation Information wtmp - Use matched file as the recipient for the rule ansible.builtin.set_fact: all_files: - '{{ find_watch_key.files | 
map(attribute=''path'') | list | first }}' when: - audit_rules_session_events_wtmp | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-86203-7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-12.1(iv) - PCI-DSSv4-10.2 - PCI-DSSv4-10.2.1 - PCI-DSSv4-10.2.1.3 - audit_rules_session_events_wtmp - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Record Attempts to Alter Process and Session Initiation Information wtmp - Add watch rule for /var/log/wtmp in /etc/audit/rules.d/ ansible.builtin.lineinfile: path: '{{ all_files[0] }}' line: -w /var/log/wtmp -p wa -k session create: true mode: '0600' when: - audit_rules_session_events_wtmp | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-86203-7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-12.1(iv) - PCI-DSSv4-10.2 - PCI-DSSv4-10.2.1 - PCI-DSSv4-10.2.1.3 - audit_rules_session_events_wtmp - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Record Attempts to Alter Process and Session Initiation Information wtmp - Check if watch rule for /var/log/wtmp already exists in /etc/audit/audit.rules ansible.builtin.find: paths: /etc/audit/ contains: ^\s*-w\s+/var/log/wtmp\s+-p\s+wa(\s|$)+ patterns: audit.rules register: find_existing_watch_audit_rules when: - audit_rules_session_events_wtmp | bool - low_complexity | bool - low_disruption | bool - 
medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' tags: - CCE-86203-7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-12.1(iv) - PCI-DSSv4-10.2 - PCI-DSSv4-10.2.1 - PCI-DSSv4-10.2.1.3 - audit_rules_session_events_wtmp - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Record Attempts to Alter Process and Session Initiation Information wtmp - Add watch rule for /var/log/wtmp in /etc/audit/audit.rules ansible.builtin.lineinfile: line: -w /var/log/wtmp -p wa -k session state: present dest: /etc/audit/audit.rules create: true mode: '0600' when: - audit_rules_session_events_wtmp | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 tags: - CCE-86203-7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-12.1(iv) - PCI-DSSv4-10.2 - PCI-DSSv4-10.2.1 - PCI-DSSv4-10.2.1.3 - audit_rules_session_events_wtmp - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Check the rules script being used ansible.builtin.command: grep '^ExecStartPost' /usr/lib/systemd/system/auditd.service register: check_rules_scripts_result changed_when: false failed_when: false when: - audit_rules_suid_auid_privilege_function | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' tags: - CCE-86368-8 - audit_rules_suid_auid_privilege_function - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Set suid_audit_rules fact ansible.builtin.set_fact: suid_audit_rules: - 
rule: -a always,exit -F arch=b32 -S execve -C euid!=uid -F auid!=unset -k user_emulation regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-C[\s]+euid!=uid[\s]+-F[\s]+auid!=unset[\s]+-S[\s]+execve[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - rule: -a always,exit -F arch=b64 -S execve -C euid!=uid -F auid!=unset -k user_emulation regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-C[\s]+euid!=uid[\s]+-F[\s]+auid!=unset[\s]+-S[\s]+execve[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ when: - audit_rules_suid_auid_privilege_function | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' tags: - CCE-86368-8 - audit_rules_suid_auid_privilege_function - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Update /etc/audit/rules.d/user_emulation.rules to audit privileged functions ansible.builtin.lineinfile: path: /etc/audit/rules.d/user_emulation.rules line: '{{ item.rule }}' regexp: '{{ item.regex }}' create: true when: - audit_rules_suid_auid_privilege_function | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - '"auditd.service" in ansible_facts.services' - '"augenrules" in check_rules_scripts_result.stdout' register: augenrules_audit_rules_privilege_function_update_result with_items: '{{ suid_audit_rules }}' tags: - CCE-86368-8 - audit_rules_suid_auid_privilege_function - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Update Update /etc/audit/audit.rules to audit privileged functions ansible.builtin.lineinfile: path: /etc/audit/audit.rules line: '{{ item.rule }}' regexp: '{{ item.regex }}' create: true when: - audit_rules_suid_auid_privilege_function | 
bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - '"auditd.service" in ansible_facts.services' - '"auditctl" in check_rules_scripts_result.stdout' register: auditctl_audit_rules_privilege_function_update_result with_items: '{{ suid_audit_rules }}' tags: - CCE-86368-8 - audit_rules_suid_auid_privilege_function - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Restart Auditd ansible.builtin.command: /usr/sbin/service auditd restart when: - audit_rules_suid_auid_privilege_function | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - (augenrules_audit_rules_privilege_function_update_result.changed or auditctl_audit_rules_privilege_function_update_result.changed) - ansible_facts.services["auditd.service"].state == "running" tags: - CCE-86368-8 - audit_rules_suid_auid_privilege_function - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Ensure auditd Collects System Administrator Actions - Check if watch rule for /etc/sudoers already exists in /etc/audit/audit.rules ansible.builtin.find: paths: /etc/audit/ contains: ^\s*-w\s+/etc/sudoers\s+-p\s+wa(\s|$)+ patterns: audit.rules register: find_existing_watch_audit_rules when: - audit_rules_sysadmin_actions | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' tags: - CCE-83729-4 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(7)(b) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.2 - 
PCI-DSS-Req-10.2.5.b - PCI-DSSv4-10.2 - PCI-DSSv4-10.2.1 - PCI-DSSv4-10.2.1.5 - audit_rules_sysadmin_actions - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Ensure auditd Collects System Administrator Actions - Add watch rule for /etc/sudoers in /etc/audit/audit.rules ansible.builtin.lineinfile: line: -w /etc/sudoers -p wa -k actions state: present dest: /etc/audit/audit.rules create: true mode: '0600' when: - audit_rules_sysadmin_actions | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 tags: - CCE-83729-4 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(7)(b) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.2 - PCI-DSS-Req-10.2.5.b - PCI-DSSv4-10.2 - PCI-DSSv4-10.2.1 - PCI-DSSv4-10.2.1.5 - audit_rules_sysadmin_actions - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Ensure auditd Collects System Administrator Actions - Check if watch rule for /etc/sudoers already exists in /etc/audit/rules.d/ ansible.builtin.find: paths: /etc/audit/rules.d contains: ^\s*-w\s+/etc/sudoers\s+-p\s+wa(\s|$)+ patterns: '*.rules' register: find_existing_watch_rules_d when: - audit_rules_sysadmin_actions | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' tags: - CCE-83729-4 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(7)(b) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.2 - PCI-DSS-Req-10.2.5.b - PCI-DSSv4-10.2 - PCI-DSSv4-10.2.1 - 
PCI-DSSv4-10.2.1.5 - audit_rules_sysadmin_actions - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Ensure auditd Collects System Administrator Actions - Search /etc/audit/rules.d for other rules with specified key actions ansible.builtin.find: paths: /etc/audit/rules.d contains: ^.*(?:-F key=|-k\s+)actions$ patterns: '*.rules' register: find_watch_key when: - audit_rules_sysadmin_actions | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83729-4 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(7)(b) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.2 - PCI-DSS-Req-10.2.5.b - PCI-DSSv4-10.2 - PCI-DSSv4-10.2.1 - PCI-DSSv4-10.2.1.5 - audit_rules_sysadmin_actions - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Ensure auditd Collects System Administrator Actions - Use /etc/audit/rules.d/actions.rules as the recipient for the rule ansible.builtin.set_fact: all_files: - /etc/audit/rules.d/actions.rules when: - audit_rules_sysadmin_actions | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83729-4 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(7)(b) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.2 - PCI-DSS-Req-10.2.5.b - PCI-DSSv4-10.2 - 
PCI-DSSv4-10.2.1 - PCI-DSSv4-10.2.1.5 - audit_rules_sysadmin_actions - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Ensure auditd Collects System Administrator Actions - Use matched file as the recipient for the rule ansible.builtin.set_fact: all_files: - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' when: - audit_rules_sysadmin_actions | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83729-4 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(7)(b) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.2 - PCI-DSS-Req-10.2.5.b - PCI-DSSv4-10.2 - PCI-DSSv4-10.2.1 - PCI-DSSv4-10.2.1.5 - audit_rules_sysadmin_actions - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Ensure auditd Collects System Administrator Actions - Add watch rule for /etc/sudoers in /etc/audit/rules.d/ ansible.builtin.lineinfile: path: '{{ all_files[0] }}' line: -w /etc/sudoers -p wa -k actions create: true mode: '0600' when: - audit_rules_sysadmin_actions | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83729-4 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(7)(b) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.2 - PCI-DSS-Req-10.2.5.b - PCI-DSSv4-10.2 
- PCI-DSSv4-10.2.1 - PCI-DSSv4-10.2.1.5 - audit_rules_sysadmin_actions - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Ensure auditd Collects System Administrator Actions - Check if watch rule for /etc/sudoers.d/ already exists in /etc/audit/audit.rules ansible.builtin.find: paths: /etc/audit/ contains: ^\s*-w\s+/etc/sudoers.d/\s+-p\s+wa(\s|$)+ patterns: audit.rules register: find_existing_watch_audit_rules when: - audit_rules_sysadmin_actions | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' tags: - CCE-83729-4 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(7)(b) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.2 - PCI-DSS-Req-10.2.5.b - PCI-DSSv4-10.2 - PCI-DSSv4-10.2.1 - PCI-DSSv4-10.2.1.5 - audit_rules_sysadmin_actions - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Ensure auditd Collects System Administrator Actions - Add watch rule for /etc/sudoers.d/ in /etc/audit/audit.rules ansible.builtin.lineinfile: line: -w /etc/sudoers.d/ -p wa -k actions state: present dest: /etc/audit/audit.rules create: true mode: '0600' when: - audit_rules_sysadmin_actions | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 tags: - CCE-83729-4 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(7)(b) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.2 - PCI-DSS-Req-10.2.5.b - PCI-DSSv4-10.2 - PCI-DSSv4-10.2.1 - PCI-DSSv4-10.2.1.5 - 
audit_rules_sysadmin_actions - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Ensure auditd Collects System Administrator Actions - Check if watch rule for /etc/sudoers.d/ already exists in /etc/audit/rules.d/ ansible.builtin.find: paths: /etc/audit/rules.d contains: ^\s*-w\s+/etc/sudoers.d/\s+-p\s+wa(\s|$)+ patterns: '*.rules' register: find_existing_watch_rules_d when: - audit_rules_sysadmin_actions | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' tags: - CCE-83729-4 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(7)(b) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.2 - PCI-DSS-Req-10.2.5.b - PCI-DSSv4-10.2 - PCI-DSSv4-10.2.1 - PCI-DSSv4-10.2.1.5 - audit_rules_sysadmin_actions - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Ensure auditd Collects System Administrator Actions - Search /etc/audit/rules.d for other rules with specified key actions ansible.builtin.find: paths: /etc/audit/rules.d contains: ^.*(?:-F key=|-k\s+)actions$ patterns: '*.rules' register: find_watch_key when: - audit_rules_sysadmin_actions | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83729-4 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(7)(b) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.2 - PCI-DSS-Req-10.2.5.b - PCI-DSSv4-10.2 - PCI-DSSv4-10.2.1 - PCI-DSSv4-10.2.1.5 - audit_rules_sysadmin_actions - low_complexity - 
low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Ensure auditd Collects System Administrator Actions - Use /etc/audit/rules.d/actions.rules as the recipient for the rule ansible.builtin.set_fact: all_files: - /etc/audit/rules.d/actions.rules when: - audit_rules_sysadmin_actions | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83729-4 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(7)(b) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.2 - PCI-DSS-Req-10.2.5.b - PCI-DSSv4-10.2 - PCI-DSSv4-10.2.1 - PCI-DSSv4-10.2.1.5 - audit_rules_sysadmin_actions - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Ensure auditd Collects System Administrator Actions - Use matched file as the recipient for the rule ansible.builtin.set_fact: all_files: - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' when: - audit_rules_sysadmin_actions | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83729-4 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(7)(b) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.2 - PCI-DSS-Req-10.2.5.b - PCI-DSSv4-10.2 - PCI-DSSv4-10.2.1 - PCI-DSSv4-10.2.1.5 - 
audit_rules_sysadmin_actions - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Ensure auditd Collects System Administrator Actions - Add watch rule for /etc/sudoers.d/ in /etc/audit/rules.d/ ansible.builtin.lineinfile: path: '{{ all_files[0] }}' line: -w /etc/sudoers.d/ -p wa -k actions create: true mode: '0600' when: - audit_rules_sysadmin_actions | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83729-4 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(7)(b) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.2 - PCI-DSS-Req-10.2.5.b - PCI-DSSv4-10.2 - PCI-DSSv4-10.2.1 - PCI-DSSv4-10.2.1.5 - audit_rules_sysadmin_actions - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Record Events that Modify User/Group Information - /etc/group - Check if watch rule for /etc/group already exists in /etc/audit/rules.d/ ansible.builtin.find: paths: /etc/audit/rules.d contains: ^\s*-w\s+/etc/group\s+-p\s+wa(\s|$)+ patterns: '*.rules' register: find_existing_watch_rules_d when: - DISA_STIG_RHEL_09_654225 | bool - audit_rules_usergroup_modification_group | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' tags: - CCE-83722-9 - CJIS-5.4.1.1 - DISA-STIG-RHEL-09-654225 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.5 - PCI-DSSv4-10.2 - PCI-DSSv4-10.2.1 - PCI-DSSv4-10.2.1.5 - 
audit_rules_usergroup_modification_group - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Record Events that Modify User/Group Information - /etc/group - Search /etc/audit/rules.d for other rules with specified key audit_rules_usergroup_modification ansible.builtin.find: paths: /etc/audit/rules.d contains: ^.*(?:-F key=|-k\s+)audit_rules_usergroup_modification$ patterns: '*.rules' register: find_watch_key when: - DISA_STIG_RHEL_09_654225 | bool - audit_rules_usergroup_modification_group | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83722-9 - CJIS-5.4.1.1 - DISA-STIG-RHEL-09-654225 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.5 - PCI-DSSv4-10.2 - PCI-DSSv4-10.2.1 - PCI-DSSv4-10.2.1.5 - audit_rules_usergroup_modification_group - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Record Events that Modify User/Group Information - /etc/group - Use /etc/audit/rules.d/audit_rules_usergroup_modification.rules as the recipient for the rule ansible.builtin.set_fact: all_files: - /etc/audit/rules.d/audit_rules_usergroup_modification.rules when: - DISA_STIG_RHEL_09_654225 | bool - audit_rules_usergroup_modification_group | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - 
CCE-83722-9 - CJIS-5.4.1.1 - DISA-STIG-RHEL-09-654225 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.5 - PCI-DSSv4-10.2 - PCI-DSSv4-10.2.1 - PCI-DSSv4-10.2.1.5 - audit_rules_usergroup_modification_group - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Record Events that Modify User/Group Information - /etc/group - Use matched file as the recipient for the rule ansible.builtin.set_fact: all_files: - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' when: - DISA_STIG_RHEL_09_654225 | bool - audit_rules_usergroup_modification_group | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83722-9 - CJIS-5.4.1.1 - DISA-STIG-RHEL-09-654225 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.5 - PCI-DSSv4-10.2 - PCI-DSSv4-10.2.1 - PCI-DSSv4-10.2.1.5 - audit_rules_usergroup_modification_group - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Record Events that Modify User/Group Information - /etc/group - Add watch rule for /etc/group in /etc/audit/rules.d/ ansible.builtin.lineinfile: path: '{{ all_files[0] }}' line: -w /etc/group -p wa -k audit_rules_usergroup_modification create: true mode: '0600' when: - DISA_STIG_RHEL_09_654225 | bool - audit_rules_usergroup_modification_group | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in 
ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83722-9 - CJIS-5.4.1.1 - DISA-STIG-RHEL-09-654225 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.5 - PCI-DSSv4-10.2 - PCI-DSSv4-10.2.1 - PCI-DSSv4-10.2.1.5 - audit_rules_usergroup_modification_group - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Record Events that Modify User/Group Information - /etc/group - Check if watch rule for /etc/group already exists in /etc/audit/audit.rules ansible.builtin.find: paths: /etc/audit/ contains: ^\s*-w\s+/etc/group\s+-p\s+wa(\s|$)+ patterns: audit.rules register: find_existing_watch_audit_rules when: - DISA_STIG_RHEL_09_654225 | bool - audit_rules_usergroup_modification_group | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' tags: - CCE-83722-9 - CJIS-5.4.1.1 - DISA-STIG-RHEL-09-654225 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.5 - PCI-DSSv4-10.2 - PCI-DSSv4-10.2.1 - PCI-DSSv4-10.2.1.5 - audit_rules_usergroup_modification_group - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Record Events that Modify User/Group Information - /etc/group - Add watch rule for /etc/group in /etc/audit/audit.rules ansible.builtin.lineinfile: line: -w /etc/group -p wa -k audit_rules_usergroup_modification state: present dest: /etc/audit/audit.rules create: true mode: '0600' when: - DISA_STIG_RHEL_09_654225 | bool - audit_rules_usergroup_modification_group | bool - low_complexity | bool - low_disruption | bool 
- medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 tags: - CCE-83722-9 - CJIS-5.4.1.1 - DISA-STIG-RHEL-09-654225 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.5 - PCI-DSSv4-10.2 - PCI-DSSv4-10.2.1 - PCI-DSSv4-10.2.1.5 - audit_rules_usergroup_modification_group - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Record Events that Modify User/Group Information - /etc/gshadow - Check if watch rule for /etc/gshadow already exists in /etc/audit/rules.d/ ansible.builtin.find: paths: /etc/audit/rules.d contains: ^\s*-w\s+/etc/gshadow\s+-p\s+wa(\s|$)+ patterns: '*.rules' register: find_existing_watch_rules_d when: - DISA_STIG_RHEL_09_654230 | bool - audit_rules_usergroup_modification_gshadow | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' tags: - CCE-83723-7 - CJIS-5.4.1.1 - DISA-STIG-RHEL-09-654230 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.5 - PCI-DSSv4-10.2 - PCI-DSSv4-10.2.1 - PCI-DSSv4-10.2.1.5 - audit_rules_usergroup_modification_gshadow - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Record Events that Modify User/Group Information - /etc/gshadow - Search /etc/audit/rules.d for other rules with specified key audit_rules_usergroup_modification ansible.builtin.find: paths: /etc/audit/rules.d contains: ^.*(?:-F key=|-k\s+)audit_rules_usergroup_modification$ patterns: '*.rules' register: 
find_watch_key when: - DISA_STIG_RHEL_09_654230 | bool - audit_rules_usergroup_modification_gshadow | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83723-7 - CJIS-5.4.1.1 - DISA-STIG-RHEL-09-654230 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.5 - PCI-DSSv4-10.2 - PCI-DSSv4-10.2.1 - PCI-DSSv4-10.2.1.5 - audit_rules_usergroup_modification_gshadow - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Record Events that Modify User/Group Information - /etc/gshadow - Use /etc/audit/rules.d/audit_rules_usergroup_modification.rules as the recipient for the rule ansible.builtin.set_fact: all_files: - /etc/audit/rules.d/audit_rules_usergroup_modification.rules when: - DISA_STIG_RHEL_09_654230 | bool - audit_rules_usergroup_modification_gshadow | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83723-7 - CJIS-5.4.1.1 - DISA-STIG-RHEL-09-654230 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.5 - PCI-DSSv4-10.2 - PCI-DSSv4-10.2.1 - PCI-DSSv4-10.2.1.5 - audit_rules_usergroup_modification_gshadow - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Record Events that Modify 
User/Group Information - /etc/gshadow - Use matched file as the recipient for the rule ansible.builtin.set_fact: all_files: - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' when: - DISA_STIG_RHEL_09_654230 | bool - audit_rules_usergroup_modification_gshadow | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83723-7 - CJIS-5.4.1.1 - DISA-STIG-RHEL-09-654230 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.5 - PCI-DSSv4-10.2 - PCI-DSSv4-10.2.1 - PCI-DSSv4-10.2.1.5 - audit_rules_usergroup_modification_gshadow - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Record Events that Modify User/Group Information - /etc/gshadow - Add watch rule for /etc/gshadow in /etc/audit/rules.d/ ansible.builtin.lineinfile: path: '{{ all_files[0] }}' line: -w /etc/gshadow -p wa -k audit_rules_usergroup_modification create: true mode: '0600' when: - DISA_STIG_RHEL_09_654230 | bool - audit_rules_usergroup_modification_gshadow | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83723-7 - CJIS-5.4.1.1 - DISA-STIG-RHEL-09-654230 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.5 - PCI-DSSv4-10.2 - PCI-DSSv4-10.2.1 - 
PCI-DSSv4-10.2.1.5 - audit_rules_usergroup_modification_gshadow - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Record Events that Modify User/Group Information - /etc/gshadow - Check if watch rule for /etc/gshadow already exists in /etc/audit/audit.rules ansible.builtin.find: paths: /etc/audit/ contains: ^\s*-w\s+/etc/gshadow\s+-p\s+wa(\s|$)+ patterns: audit.rules register: find_existing_watch_audit_rules when: - DISA_STIG_RHEL_09_654230 | bool - audit_rules_usergroup_modification_gshadow | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' tags: - CCE-83723-7 - CJIS-5.4.1.1 - DISA-STIG-RHEL-09-654230 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.5 - PCI-DSSv4-10.2 - PCI-DSSv4-10.2.1 - PCI-DSSv4-10.2.1.5 - audit_rules_usergroup_modification_gshadow - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Record Events that Modify User/Group Information - /etc/gshadow - Add watch rule for /etc/gshadow in /etc/audit/audit.rules ansible.builtin.lineinfile: line: -w /etc/gshadow -p wa -k audit_rules_usergroup_modification state: present dest: /etc/audit/audit.rules create: true mode: '0600' when: - DISA_STIG_RHEL_09_654230 | bool - audit_rules_usergroup_modification_gshadow | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 tags: - CCE-83723-7 - CJIS-5.4.1.1 - DISA-STIG-RHEL-09-654230 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - 
NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.5 - PCI-DSSv4-10.2 - PCI-DSSv4-10.2.1 - PCI-DSSv4-10.2.1.5 - audit_rules_usergroup_modification_gshadow - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Record Events that Modify User/Group Information - /etc/nsswitch.conf - Check if watch rule for /etc/nsswitch.conf already exists in /etc/audit/rules.d/ ansible.builtin.find: paths: /etc/audit/rules.d contains: ^\s*-w\s+/etc/nsswitch.conf\s+-p\s+wa(\s|$)+ patterns: '*.rules' register: find_existing_watch_rules_d when: - audit_rules_usergroup_modification_nsswitch_conf | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' tags: - CCE-86213-6 - audit_rules_usergroup_modification_nsswitch_conf - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Record Events that Modify User/Group Information - /etc/nsswitch.conf - Search /etc/audit/rules.d for other rules with specified key audit_rules_usergroup_modification ansible.builtin.find: paths: /etc/audit/rules.d contains: ^.*(?:-F key=|-k\s+)audit_rules_usergroup_modification$ patterns: '*.rules' register: find_watch_key when: - audit_rules_usergroup_modification_nsswitch_conf | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-86213-6 - audit_rules_usergroup_modification_nsswitch_conf - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Record Events that Modify User/Group Information - /etc/nsswitch.conf - Use 
/etc/audit/rules.d/audit_rules_usergroup_modification.rules as the recipient for the rule ansible.builtin.set_fact: all_files: - /etc/audit/rules.d/audit_rules_usergroup_modification.rules when: - audit_rules_usergroup_modification_nsswitch_conf | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-86213-6 - audit_rules_usergroup_modification_nsswitch_conf - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Record Events that Modify User/Group Information - /etc/nsswitch.conf - Use matched file as the recipient for the rule ansible.builtin.set_fact: all_files: - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' when: - audit_rules_usergroup_modification_nsswitch_conf | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-86213-6 - audit_rules_usergroup_modification_nsswitch_conf - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Record Events that Modify User/Group Information - /etc/nsswitch.conf - Add watch rule for /etc/nsswitch.conf in /etc/audit/rules.d/ ansible.builtin.lineinfile: path: '{{ all_files[0] }}' line: -w /etc/nsswitch.conf -p wa -k audit_rules_usergroup_modification create: true mode: '0600' when: - audit_rules_usergroup_modification_nsswitch_conf | bool - low_complexity | 
bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-86213-6 - audit_rules_usergroup_modification_nsswitch_conf - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Record Events that Modify User/Group Information - /etc/nsswitch.conf - Check if watch rule for /etc/nsswitch.conf already exists in /etc/audit/audit.rules ansible.builtin.find: paths: /etc/audit/ contains: ^\s*-w\s+/etc/nsswitch.conf\s+-p\s+wa(\s|$)+ patterns: audit.rules register: find_existing_watch_audit_rules when: - audit_rules_usergroup_modification_nsswitch_conf | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' tags: - CCE-86213-6 - audit_rules_usergroup_modification_nsswitch_conf - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Record Events that Modify User/Group Information - /etc/nsswitch.conf - Add watch rule for /etc/nsswitch.conf in /etc/audit/audit.rules ansible.builtin.lineinfile: line: -w /etc/nsswitch.conf -p wa -k audit_rules_usergroup_modification state: present dest: /etc/audit/audit.rules create: true mode: '0600' when: - audit_rules_usergroup_modification_nsswitch_conf | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 tags: - CCE-86213-6 - audit_rules_usergroup_modification_nsswitch_conf - low_complexity - low_disruption - 
medium_severity - no_reboot_needed - restrict_strategy - name: Record Events that Modify User/Group Information - /etc/security/opasswd - Check if watch rule for /etc/security/opasswd already exists in /etc/audit/rules.d/ ansible.builtin.find: paths: /etc/audit/rules.d contains: ^\s*-w\s+/etc/security/opasswd\s+-p\s+wa(\s|$)+ patterns: '*.rules' register: find_existing_watch_rules_d when: - DISA_STIG_RHEL_09_654235 | bool - audit_rules_usergroup_modification_opasswd | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' tags: - CCE-83712-0 - CJIS-5.4.1.1 - DISA-STIG-RHEL-09-654235 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.5 - PCI-DSSv4-10.2 - PCI-DSSv4-10.2.1 - PCI-DSSv4-10.2.1.5 - audit_rules_usergroup_modification_opasswd - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Record Events that Modify User/Group Information - /etc/security/opasswd - Search /etc/audit/rules.d for other rules with specified key audit_rules_usergroup_modification ansible.builtin.find: paths: /etc/audit/rules.d contains: ^.*(?:-F key=|-k\s+)audit_rules_usergroup_modification$ patterns: '*.rules' register: find_watch_key when: - DISA_STIG_RHEL_09_654235 | bool - audit_rules_usergroup_modification_opasswd | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83712-0 - CJIS-5.4.1.1 - DISA-STIG-RHEL-09-654235 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - 
NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.5 - PCI-DSSv4-10.2 - PCI-DSSv4-10.2.1 - PCI-DSSv4-10.2.1.5 - audit_rules_usergroup_modification_opasswd - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Record Events that Modify User/Group Information - /etc/security/opasswd - Use /etc/audit/rules.d/audit_rules_usergroup_modification.rules as the recipient for the rule ansible.builtin.set_fact: all_files: - /etc/audit/rules.d/audit_rules_usergroup_modification.rules when: - DISA_STIG_RHEL_09_654235 | bool - audit_rules_usergroup_modification_opasswd | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83712-0 - CJIS-5.4.1.1 - DISA-STIG-RHEL-09-654235 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.5 - PCI-DSSv4-10.2 - PCI-DSSv4-10.2.1 - PCI-DSSv4-10.2.1.5 - audit_rules_usergroup_modification_opasswd - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Record Events that Modify User/Group Information - /etc/security/opasswd - Use matched file as the recipient for the rule ansible.builtin.set_fact: all_files: - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' when: - DISA_STIG_RHEL_09_654235 | bool - audit_rules_usergroup_modification_opasswd | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - find_watch_key.matched is defined and find_watch_key.matched > 0 and 
find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83712-0 - CJIS-5.4.1.1 - DISA-STIG-RHEL-09-654235 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.5 - PCI-DSSv4-10.2 - PCI-DSSv4-10.2.1 - PCI-DSSv4-10.2.1.5 - audit_rules_usergroup_modification_opasswd - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Record Events that Modify User/Group Information - /etc/security/opasswd - Add watch rule for /etc/security/opasswd in /etc/audit/rules.d/ ansible.builtin.lineinfile: path: '{{ all_files[0] }}' line: -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification create: true mode: '0600' when: - DISA_STIG_RHEL_09_654235 | bool - audit_rules_usergroup_modification_opasswd | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83712-0 - CJIS-5.4.1.1 - DISA-STIG-RHEL-09-654235 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.5 - PCI-DSSv4-10.2 - PCI-DSSv4-10.2.1 - PCI-DSSv4-10.2.1.5 - audit_rules_usergroup_modification_opasswd - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Record Events that Modify User/Group Information - /etc/security/opasswd - Check if watch rule for /etc/security/opasswd already exists in /etc/audit/audit.rules ansible.builtin.find: paths: /etc/audit/ contains: ^\s*-w\s+/etc/security/opasswd\s+-p\s+wa(\s|$)+ patterns: audit.rules register: find_existing_watch_audit_rules when: - DISA_STIG_RHEL_09_654235 | bool - 
audit_rules_usergroup_modification_opasswd | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' tags: - CCE-83712-0 - CJIS-5.4.1.1 - DISA-STIG-RHEL-09-654235 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.5 - PCI-DSSv4-10.2 - PCI-DSSv4-10.2.1 - PCI-DSSv4-10.2.1.5 - audit_rules_usergroup_modification_opasswd - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Record Events that Modify User/Group Information - /etc/security/opasswd - Add watch rule for /etc/security/opasswd in /etc/audit/audit.rules ansible.builtin.lineinfile: line: -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification state: present dest: /etc/audit/audit.rules create: true mode: '0600' when: - DISA_STIG_RHEL_09_654235 | bool - audit_rules_usergroup_modification_opasswd | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 tags: - CCE-83712-0 - CJIS-5.4.1.1 - DISA-STIG-RHEL-09-654235 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.5 - PCI-DSSv4-10.2 - PCI-DSSv4-10.2.1 - PCI-DSSv4-10.2.1.5 - audit_rules_usergroup_modification_opasswd - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Record Events that Modify User/Group Information - /etc/pam.conf - Check if watch rule for /etc/pam.conf already exists in /etc/audit/rules.d/ ansible.builtin.find: paths: /etc/audit/rules.d 
contains: ^\s*-w\s+/etc/pam.conf\s+-p\s+wa(\s|$)+ patterns: '*.rules' register: find_existing_watch_rules_d when: - audit_rules_usergroup_modification_pam_conf | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' tags: - CCE-86212-8 - audit_rules_usergroup_modification_pam_conf - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Record Events that Modify User/Group Information - /etc/pam.conf - Search /etc/audit/rules.d for other rules with specified key audit_rules_usergroup_modification ansible.builtin.find: paths: /etc/audit/rules.d contains: ^.*(?:-F key=|-k\s+)audit_rules_usergroup_modification$ patterns: '*.rules' register: find_watch_key when: - audit_rules_usergroup_modification_pam_conf | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-86212-8 - audit_rules_usergroup_modification_pam_conf - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Record Events that Modify User/Group Information - /etc/pam.conf - Use /etc/audit/rules.d/audit_rules_usergroup_modification.rules as the recipient for the rule ansible.builtin.set_fact: all_files: - /etc/audit/rules.d/audit_rules_usergroup_modification.rules when: - audit_rules_usergroup_modification_pam_conf | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - find_watch_key.matched is defined and find_watch_key.matched == 0 and 
find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-86212-8 - audit_rules_usergroup_modification_pam_conf - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Record Events that Modify User/Group Information - /etc/pam.conf - Use matched file as the recipient for the rule ansible.builtin.set_fact: all_files: - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' when: - audit_rules_usergroup_modification_pam_conf | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-86212-8 - audit_rules_usergroup_modification_pam_conf - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Record Events that Modify User/Group Information - /etc/pam.conf - Add watch rule for /etc/pam.conf in /etc/audit/rules.d/ ansible.builtin.lineinfile: path: '{{ all_files[0] }}' line: -w /etc/pam.conf -p wa -k audit_rules_usergroup_modification create: true mode: '0600' when: - audit_rules_usergroup_modification_pam_conf | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-86212-8 - audit_rules_usergroup_modification_pam_conf - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Record Events that Modify User/Group Information - /etc/pam.conf - Check if watch rule for /etc/pam.conf already exists in 
/etc/audit/audit.rules ansible.builtin.find: paths: /etc/audit/ contains: ^\s*-w\s+/etc/pam.conf\s+-p\s+wa(\s|$)+ patterns: audit.rules register: find_existing_watch_audit_rules when: - audit_rules_usergroup_modification_pam_conf | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' tags: - CCE-86212-8 - audit_rules_usergroup_modification_pam_conf - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Record Events that Modify User/Group Information - /etc/pam.conf - Add watch rule for /etc/pam.conf in /etc/audit/audit.rules ansible.builtin.lineinfile: line: -w /etc/pam.conf -p wa -k audit_rules_usergroup_modification state: present dest: /etc/audit/audit.rules create: true mode: '0600' when: - audit_rules_usergroup_modification_pam_conf | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 tags: - CCE-86212-8 - audit_rules_usergroup_modification_pam_conf - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Record Events that Modify User/Group Information - /etc/pam.d/ - Check if watch rule for /etc/pam.d/ already exists in /etc/audit/rules.d/ ansible.builtin.find: paths: /etc/audit/rules.d contains: ^\s*-w\s+/etc/pam.d/\s+-p\s+wa(\s|$)+ patterns: '*.rules' register: find_existing_watch_rules_d when: - audit_rules_usergroup_modification_pamd | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' tags: - 
CCE-86211-0 - audit_rules_usergroup_modification_pamd - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Record Events that Modify User/Group Information - /etc/pam.d/ - Search /etc/audit/rules.d for other rules with specified key audit_rules_usergroup_modification ansible.builtin.find: paths: /etc/audit/rules.d contains: ^.*(?:-F key=|-k\s+)audit_rules_usergroup_modification$ patterns: '*.rules' register: find_watch_key when: - audit_rules_usergroup_modification_pamd | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-86211-0 - audit_rules_usergroup_modification_pamd - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Record Events that Modify User/Group Information - /etc/pam.d/ - Use /etc/audit/rules.d/audit_rules_usergroup_modification.rules as the recipient for the rule ansible.builtin.set_fact: all_files: - /etc/audit/rules.d/audit_rules_usergroup_modification.rules when: - audit_rules_usergroup_modification_pamd | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-86211-0 - audit_rules_usergroup_modification_pamd - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Record Events that Modify User/Group Information - /etc/pam.d/ - Use matched file as the recipient for the rule ansible.builtin.set_fact: all_files: - '{{ 
find_watch_key.files | map(attribute=''path'') | list | first }}' when: - audit_rules_usergroup_modification_pamd | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-86211-0 - audit_rules_usergroup_modification_pamd - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Record Events that Modify User/Group Information - /etc/pam.d/ - Add watch rule for /etc/pam.d/ in /etc/audit/rules.d/ ansible.builtin.lineinfile: path: '{{ all_files[0] }}' line: -w /etc/pam.d/ -p wa -k audit_rules_usergroup_modification create: true mode: '0600' when: - audit_rules_usergroup_modification_pamd | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-86211-0 - audit_rules_usergroup_modification_pamd - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Record Events that Modify User/Group Information - /etc/pam.d/ - Check if watch rule for /etc/pam.d/ already exists in /etc/audit/audit.rules ansible.builtin.find: paths: /etc/audit/ contains: ^\s*-w\s+/etc/pam.d/\s+-p\s+wa(\s|$)+ patterns: audit.rules register: find_existing_watch_audit_rules when: - audit_rules_usergroup_modification_pamd | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' tags: 
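# NOTE(review): this chunk begins mid-task — the seven tag entries right below
# belong to the task whose header lies before the start of this chunk.
    - CCE-86211-0
    - audit_rules_usergroup_modification_pamd
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

# Legacy-format fallback: write the /etc/pam.d/ watch straight into
# /etc/audit/audit.rules, but only when the preceding find task registered
# no existing match (find_existing_watch_audit_rules is registered earlier).
- name: Record Events that Modify User/Group Information - /etc/pam.d/ - Add watch rule for /etc/pam.d/ in /etc/audit/audit.rules
  ansible.builtin.lineinfile:
    line: -w /etc/pam.d/ -p wa -k audit_rules_usergroup_modification
    state: present
    dest: /etc/audit/audit.rules
    create: true
    mode: '0600'
  when:
    - audit_rules_usergroup_modification_pamd | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - '"audit" in ansible_facts.packages'
    - '"kernel-core" in ansible_facts.packages'
    - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0
  tags:
    - CCE-86211-0
    - audit_rules_usergroup_modification_pamd
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

# --- /etc/passwd watch rule -------------------------------------------------
# Pattern used by every watch-rule group in this file:
#   1. find an existing "-w <path> -p wa" line under /etc/audit/rules.d
#   2. if none, look for a file already carrying the same audit key
#   3. pick that file, or the rule-specific default file, as the recipient
#   4. lineinfile the rule into it (create with 0600 if missing)
#   5. repeat 1+4 for the legacy /etc/audit/audit.rules
# The find results (find_existing_watch_rules_d, find_watch_key,
# find_existing_watch_audit_rules) are re-registered by each group, so the
# conditions below always read the result produced for this same rule.
- name: Record Events that Modify User/Group Information - /etc/passwd - Check if watch rule for /etc/passwd already exists in /etc/audit/rules.d/
  ansible.builtin.find:
    paths: /etc/audit/rules.d
    contains: ^\s*-w\s+/etc/passwd\s+-p\s+wa(\s|$)+
    patterns: '*.rules'
  register: find_existing_watch_rules_d
  when:
    - DISA_STIG_RHEL_09_654240 | bool
    - audit_rules_usergroup_modification_passwd | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - '"audit" in ansible_facts.packages'
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-83714-6
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-09-654240
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.2.5
    - PCI-DSSv4-10.2
    - PCI-DSSv4-10.2.1
    - PCI-DSSv4-10.2.1.5
    - audit_rules_usergroup_modification_passwd
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Record Events that Modify User/Group Information - /etc/passwd - Search /etc/audit/rules.d for other rules with specified key audit_rules_usergroup_modification_passwd
  ansible.builtin.find:
    paths: /etc/audit/rules.d
    contains: ^.*(?:-F key=|-k\s+)audit_rules_usergroup_modification_passwd$
    patterns: '*.rules'
  register: find_watch_key
  when:
    - DISA_STIG_RHEL_09_654240 | bool
    - audit_rules_usergroup_modification_passwd | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - '"audit" in ansible_facts.packages'
    - '"kernel-core" in ansible_facts.packages'
    - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
  tags:
    - CCE-83714-6
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-09-654240
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.2.5
    - PCI-DSSv4-10.2
    - PCI-DSSv4-10.2.1
    - PCI-DSSv4-10.2.1.5
    - audit_rules_usergroup_modification_passwd
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Record Events that Modify User/Group Information - /etc/passwd - Use /etc/audit/rules.d/audit_rules_usergroup_modification_passwd.rules as the recipient for the rule
  ansible.builtin.set_fact:
    all_files:
      - /etc/audit/rules.d/audit_rules_usergroup_modification_passwd.rules
  when:
    - DISA_STIG_RHEL_09_654240 | bool
    - audit_rules_usergroup_modification_passwd | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - '"audit" in ansible_facts.packages'
    - '"kernel-core" in ansible_facts.packages'
    - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
  tags:
    - CCE-83714-6
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-09-654240
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.2.5
    - PCI-DSSv4-10.2
    - PCI-DSSv4-10.2.1
    - PCI-DSSv4-10.2.1.5
    - audit_rules_usergroup_modification_passwd
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Record Events that Modify User/Group Information - /etc/passwd - Use matched file as the recipient for the rule
  ansible.builtin.set_fact:
    all_files:
      - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
  when:
    - DISA_STIG_RHEL_09_654240 | bool
    - audit_rules_usergroup_modification_passwd | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - '"audit" in ansible_facts.packages'
    - '"kernel-core" in ansible_facts.packages'
    - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
  tags:
    - CCE-83714-6
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-09-654240
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.2.5
    - PCI-DSSv4-10.2
    - PCI-DSSv4-10.2.1
    - PCI-DSSv4-10.2.1.5
    - audit_rules_usergroup_modification_passwd
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Record Events that Modify User/Group Information - /etc/passwd - Add watch rule for /etc/passwd in /etc/audit/rules.d/
  ansible.builtin.lineinfile:
    path: '{{ all_files[0] }}'
    line: -w /etc/passwd -p wa -k audit_rules_usergroup_modification_passwd
    create: true
    mode: '0600'
  when:
    - DISA_STIG_RHEL_09_654240 | bool
    - audit_rules_usergroup_modification_passwd | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - '"audit" in ansible_facts.packages'
    - '"kernel-core" in ansible_facts.packages'
    - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
  tags:
    - CCE-83714-6
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-09-654240
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.2.5
    - PCI-DSSv4-10.2
    - PCI-DSSv4-10.2.1
    - PCI-DSSv4-10.2.1.5
    - audit_rules_usergroup_modification_passwd
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Record Events that Modify User/Group Information - /etc/passwd - Check if watch rule for /etc/passwd already exists in /etc/audit/audit.rules
  ansible.builtin.find:
    paths: /etc/audit/
    contains: ^\s*-w\s+/etc/passwd\s+-p\s+wa(\s|$)+
    patterns: audit.rules
  register: find_existing_watch_audit_rules
  when:
    - DISA_STIG_RHEL_09_654240 | bool
    - audit_rules_usergroup_modification_passwd | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - '"audit" in ansible_facts.packages'
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-83714-6
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-09-654240
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.2.5
    - PCI-DSSv4-10.2
    - PCI-DSSv4-10.2.1
    - PCI-DSSv4-10.2.1.5
    - audit_rules_usergroup_modification_passwd
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Record Events that Modify User/Group Information - /etc/passwd - Add watch rule for /etc/passwd in /etc/audit/audit.rules
  ansible.builtin.lineinfile:
    line: -w /etc/passwd -p wa -k audit_rules_usergroup_modification_passwd
    state: present
    dest: /etc/audit/audit.rules
    create: true
    mode: '0600'
  when:
    - DISA_STIG_RHEL_09_654240 | bool
    - audit_rules_usergroup_modification_passwd | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - '"audit" in ansible_facts.packages'
    - '"kernel-core" in ansible_facts.packages'
    - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0
  tags:
    - CCE-83714-6
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-09-654240
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.2.5
    - PCI-DSSv4-10.2
    - PCI-DSSv4-10.2.1
    - PCI-DSSv4-10.2.1.5
    - audit_rules_usergroup_modification_passwd
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

# --- /etc/shadow watch rule -------------------------------------------------
# Same five-step pattern as /etc/passwd. Note the audit key here is the
# generic audit_rules_usergroup_modification (not a _shadow-suffixed one), so
# the recipient file is audit_rules_usergroup_modification.rules.
- name: Record Events that Modify User/Group Information - /etc/shadow - Check if watch rule for /etc/shadow already exists in /etc/audit/rules.d/
  ansible.builtin.find:
    paths: /etc/audit/rules.d
    contains: ^\s*-w\s+/etc/shadow\s+-p\s+wa(\s|$)+
    patterns: '*.rules'
  register: find_existing_watch_rules_d
  when:
    - DISA_STIG_RHEL_09_654245 | bool
    - audit_rules_usergroup_modification_shadow | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - '"audit" in ansible_facts.packages'
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-83725-2
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-09-654245
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.2.5
    - PCI-DSSv4-10.2
    - PCI-DSSv4-10.2.1
    - PCI-DSSv4-10.2.1.5
    - audit_rules_usergroup_modification_shadow
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Record Events that Modify User/Group Information - /etc/shadow - Search /etc/audit/rules.d for other rules with specified key audit_rules_usergroup_modification
  ansible.builtin.find:
    paths: /etc/audit/rules.d
    contains: ^.*(?:-F key=|-k\s+)audit_rules_usergroup_modification$
    patterns: '*.rules'
  register: find_watch_key
  when:
    - DISA_STIG_RHEL_09_654245 | bool
    - audit_rules_usergroup_modification_shadow | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - '"audit" in ansible_facts.packages'
    - '"kernel-core" in ansible_facts.packages'
    - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
  tags:
    - CCE-83725-2
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-09-654245
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.2.5
    - PCI-DSSv4-10.2
    - PCI-DSSv4-10.2.1
    - PCI-DSSv4-10.2.1.5
    - audit_rules_usergroup_modification_shadow
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Record Events that Modify User/Group Information - /etc/shadow - Use /etc/audit/rules.d/audit_rules_usergroup_modification.rules as the recipient for the rule
  ansible.builtin.set_fact:
    all_files:
      - /etc/audit/rules.d/audit_rules_usergroup_modification.rules
  when:
    - DISA_STIG_RHEL_09_654245 | bool
    - audit_rules_usergroup_modification_shadow | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - '"audit" in ansible_facts.packages'
    - '"kernel-core" in ansible_facts.packages'
    - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
  tags:
    - CCE-83725-2
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-09-654245
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.2.5
    - PCI-DSSv4-10.2
    - PCI-DSSv4-10.2.1
    - PCI-DSSv4-10.2.1.5
    - audit_rules_usergroup_modification_shadow
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Record Events that Modify User/Group Information - /etc/shadow - Use matched file as the recipient for the rule
  ansible.builtin.set_fact:
    all_files:
      - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
  when:
    - DISA_STIG_RHEL_09_654245 | bool
    - audit_rules_usergroup_modification_shadow | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - '"audit" in ansible_facts.packages'
    - '"kernel-core" in ansible_facts.packages'
    - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
  tags:
    - CCE-83725-2
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-09-654245
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.2.5
    - PCI-DSSv4-10.2
    - PCI-DSSv4-10.2.1
    - PCI-DSSv4-10.2.1.5
    - audit_rules_usergroup_modification_shadow
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Record Events that Modify User/Group Information - /etc/shadow - Add watch rule for /etc/shadow in /etc/audit/rules.d/
  ansible.builtin.lineinfile:
    path: '{{ all_files[0] }}'
    line: -w /etc/shadow -p wa -k audit_rules_usergroup_modification
    create: true
    mode: '0600'
  when:
    - DISA_STIG_RHEL_09_654245 | bool
    - audit_rules_usergroup_modification_shadow | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - '"audit" in ansible_facts.packages'
    - '"kernel-core" in ansible_facts.packages'
    - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
  tags:
    - CCE-83725-2
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-09-654245
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.2.5
    - PCI-DSSv4-10.2
    - PCI-DSSv4-10.2.1
    - PCI-DSSv4-10.2.1.5
    - audit_rules_usergroup_modification_shadow
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Record Events that Modify User/Group Information - /etc/shadow - Check if watch rule for /etc/shadow already exists in /etc/audit/audit.rules
  ansible.builtin.find:
    paths: /etc/audit/
    contains: ^\s*-w\s+/etc/shadow\s+-p\s+wa(\s|$)+
    patterns: audit.rules
  register: find_existing_watch_audit_rules
  when:
    - DISA_STIG_RHEL_09_654245 | bool
    - audit_rules_usergroup_modification_shadow | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - '"audit" in ansible_facts.packages'
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-83725-2
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-09-654245
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.2.5
    - PCI-DSSv4-10.2
    - PCI-DSSv4-10.2.1
    - PCI-DSSv4-10.2.1.5
    - audit_rules_usergroup_modification_shadow
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Record Events that Modify User/Group Information - /etc/shadow - Add watch rule for /etc/shadow in /etc/audit/audit.rules
  ansible.builtin.lineinfile:
    line: -w /etc/shadow -p wa -k audit_rules_usergroup_modification
    state: present
    dest: /etc/audit/audit.rules
    create: true
    mode: '0600'
  when:
    - DISA_STIG_RHEL_09_654245 | bool
    - audit_rules_usergroup_modification_shadow | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - '"audit" in ansible_facts.packages'
    - '"kernel-core" in ansible_facts.packages'
    - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0
  tags:
    - CCE-83725-2
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-09-654245
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-2(4)
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.2.5
    - PCI-DSSv4-10.2
    - PCI-DSSv4-10.2.1
    - PCI-DSSv4-10.2.1.5
    - audit_rules_usergroup_modification_shadow
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

# --- /var/log/sudo.log watch rule (key: maintenance) ------------------------
# Same five-step pattern. NOTE(review): the "." in sudo.log is unescaped in the
# "contains" regexes below, so they match slightly more than the literal path;
# harmless for de-duplication, but "sudo\.log" would be exact.
- name: Record Attempts to perform maintenance activities - Check if watch rule for /var/log/sudo.log already exists in /etc/audit/rules.d/
  ansible.builtin.find:
    paths: /etc/audit/rules.d
    contains: ^\s*-w\s+/var/log/sudo.log\s+-p\s+wa(\s|$)+
    patterns: '*.rules'
  register: find_existing_watch_rules_d
  when:
    - audit_sudo_log_events | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - '"audit" in ansible_facts.packages'
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-86433-0
    - PCI-DSS-Req-10.2.2
    - PCI-DSS-Req-10.2.5.b
    - PCI-DSSv4-10.2
    - PCI-DSSv4-10.2.1
    - PCI-DSSv4-10.2.1.3
    - audit_sudo_log_events
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Record Attempts to perform maintenance activities - Search /etc/audit/rules.d for other rules with specified key maintenance
  ansible.builtin.find:
    paths: /etc/audit/rules.d
    contains: ^.*(?:-F key=|-k\s+)maintenance$
    patterns: '*.rules'
  register: find_watch_key
  when:
    - audit_sudo_log_events | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - '"audit" in ansible_facts.packages'
    - '"kernel-core" in ansible_facts.packages'
    - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
  tags:
    - CCE-86433-0
    - PCI-DSS-Req-10.2.2
    - PCI-DSS-Req-10.2.5.b
    - PCI-DSSv4-10.2
    - PCI-DSSv4-10.2.1
    - PCI-DSSv4-10.2.1.3
    - audit_sudo_log_events
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Record Attempts to perform maintenance activities - Use /etc/audit/rules.d/maintenance.rules as the recipient for the rule
  ansible.builtin.set_fact:
    all_files:
      - /etc/audit/rules.d/maintenance.rules
  when:
    - audit_sudo_log_events | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - '"audit" in ansible_facts.packages'
    - '"kernel-core" in ansible_facts.packages'
    - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
  tags:
    - CCE-86433-0
    - PCI-DSS-Req-10.2.2
    - PCI-DSS-Req-10.2.5.b
    - PCI-DSSv4-10.2
    - PCI-DSSv4-10.2.1
    - PCI-DSSv4-10.2.1.3
    - audit_sudo_log_events
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Record Attempts to perform maintenance activities - Use matched file as the recipient for the rule
  ansible.builtin.set_fact:
    all_files:
      - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
  when:
    - audit_sudo_log_events | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - '"audit" in ansible_facts.packages'
    - '"kernel-core" in ansible_facts.packages'
    - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
  tags:
    - CCE-86433-0
    - PCI-DSS-Req-10.2.2
    - PCI-DSS-Req-10.2.5.b
    - PCI-DSSv4-10.2
    - PCI-DSSv4-10.2.1
    - PCI-DSSv4-10.2.1.3
    - audit_sudo_log_events
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Record Attempts to perform maintenance activities - Add watch rule for /var/log/sudo.log in /etc/audit/rules.d/
  ansible.builtin.lineinfile:
    path: '{{ all_files[0] }}'
    line: -w /var/log/sudo.log -p wa -k maintenance
    create: true
    mode: '0600'
  when:
    - audit_sudo_log_events | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - '"audit" in ansible_facts.packages'
    - '"kernel-core" in ansible_facts.packages'
    - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
  tags:
    - CCE-86433-0
    - PCI-DSS-Req-10.2.2
    - PCI-DSS-Req-10.2.5.b
    - PCI-DSSv4-10.2
    - PCI-DSSv4-10.2.1
    - PCI-DSSv4-10.2.1.3
    - audit_sudo_log_events
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Record Attempts to perform maintenance activities - Check if watch rule for /var/log/sudo.log already exists in /etc/audit/audit.rules
  ansible.builtin.find:
    paths: /etc/audit/
    contains: ^\s*-w\s+/var/log/sudo.log\s+-p\s+wa(\s|$)+
    patterns: audit.rules
  register: find_existing_watch_audit_rules
  when:
    - audit_sudo_log_events | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - '"audit" in ansible_facts.packages'
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-86433-0
    - PCI-DSS-Req-10.2.2
    - PCI-DSS-Req-10.2.5.b
    - PCI-DSSv4-10.2
    - PCI-DSSv4-10.2.1
    - PCI-DSSv4-10.2.1.3
    - audit_sudo_log_events
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Record Attempts to perform maintenance activities - Add watch rule for /var/log/sudo.log in /etc/audit/audit.rules
  ansible.builtin.lineinfile:
    line: -w /var/log/sudo.log -p wa -k maintenance
    state: present
    dest: /etc/audit/audit.rules
    create: true
    mode: '0600'
  when:
    - audit_sudo_log_events | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - '"audit" in ansible_facts.packages'
    - '"kernel-core" in ansible_facts.packages'
    - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0
  tags:
    - CCE-86433-0
    - PCI-DSS-Req-10.2.2
    - PCI-DSS-Req-10.2.5.b
    - PCI-DSSv4-10.2
    - PCI-DSSv4-10.2.1
    - PCI-DSSv4-10.2.1.3
    - audit_sudo_log_events
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

# --- Group ownership of audit configuration files ---------------------------
# The "Find" tasks shell out to find(1) for files NOT group-owned by gid 0 and
# the following "Ensure" task chowns each hit. The command tasks are read-only
# (changed_when: false) and never fail the play (failed_when: false) so that
# an empty result set or a missing directory just yields no work.
- name: Set the file_groupownership_audit_configuration_newgroup variable if represented by gid
  ansible.builtin.set_fact:
    file_groupownership_audit_configuration_newgroup: '0'
  when:
    - DISA_STIG_RHEL_09_232104 | bool
    - configure_strategy | bool
    - file_groupownership_audit_configuration | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - '"audit" in ansible_facts.packages'
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-86446-2
    - DISA-STIG-RHEL-09-232104
    - configure_strategy
    - file_groupownership_audit_configuration
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Find /etc/audit/ file(s) matching ^.*audit(\.rules|d\.conf)$
  ansible.builtin.command: find -P /etc/audit/ -maxdepth 1 -type f ! -group 0 -regextype posix-extended -regex "^.*audit(\.rules|d\.conf)$"
  register: files_found
  changed_when: false
  failed_when: false
  check_mode: false
  when:
    - DISA_STIG_RHEL_09_232104 | bool
    - configure_strategy | bool
    - file_groupownership_audit_configuration | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - '"audit" in ansible_facts.packages'
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-86446-2
    - DISA-STIG-RHEL-09-232104
    - configure_strategy
    - file_groupownership_audit_configuration
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Ensure group owner on /etc/audit/ file(s) matching ^.*audit(\.rules|d\.conf)$
  ansible.builtin.file:
    path: '{{ item }}'
    follow: false
    group: '{{ file_groupownership_audit_configuration_newgroup }}'
    state: file
  with_items:
    - '{{ files_found.stdout_lines }}'
  when:
    - DISA_STIG_RHEL_09_232104 | bool
    - configure_strategy | bool
    - file_groupownership_audit_configuration | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - '"audit" in ansible_facts.packages'
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-86446-2
    - DISA-STIG-RHEL-09-232104
    - configure_strategy
    - file_groupownership_audit_configuration
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Find /etc/audit/rules.d/ file(s) matching ^.*\.rules$
  ansible.builtin.command: find -P /etc/audit/rules.d/ -maxdepth 1 -type f ! -group 0 -regextype posix-extended -regex "^.*\.rules$"
  register: files_found
  changed_when: false
  failed_when: false
  check_mode: false
  when:
    - DISA_STIG_RHEL_09_232104 | bool
    - configure_strategy | bool
    - file_groupownership_audit_configuration | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - '"audit" in ansible_facts.packages'
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-86446-2
    - DISA-STIG-RHEL-09-232104
    - configure_strategy
    - file_groupownership_audit_configuration
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Ensure group owner on /etc/audit/rules.d/ file(s) matching ^.*\.rules$
  ansible.builtin.file:
    path: '{{ item }}'
    follow: false
    group: '{{ file_groupownership_audit_configuration_newgroup }}'
    state: file
  with_items:
    - '{{ files_found.stdout_lines }}'
  when:
    - DISA_STIG_RHEL_09_232104 | bool
    - configure_strategy | bool
    - file_groupownership_audit_configuration | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - '"audit" in ansible_facts.packages'
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-86446-2
    - DISA-STIG-RHEL-09-232104
    - configure_strategy
    - file_groupownership_audit_configuration
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

# --- Ownership of audit configuration files ---------------------------------
# Mirror of the group-ownership group above, keyed on "! -user 0".
- name: Set the file_ownership_audit_configuration_newown variable if represented by uid
  ansible.builtin.set_fact:
    file_ownership_audit_configuration_newown: '0'
  when:
    - DISA_STIG_RHEL_09_232103 | bool
    - configure_strategy | bool
    - file_ownership_audit_configuration | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - '"audit" in ansible_facts.packages'
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-86445-4
    - DISA-STIG-RHEL-09-232103
    - configure_strategy
    - file_ownership_audit_configuration
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Find /etc/audit/ file(s) matching ^.*audit(\.rules|d\.conf)$
  ansible.builtin.command: find -P /etc/audit/ -maxdepth 1 -type f ! -user 0 -regextype posix-extended -regex "^.*audit(\.rules|d\.conf)$"
  register: files_found
  changed_when: false
  failed_when: false
  check_mode: false
  when:
    - DISA_STIG_RHEL_09_232103 | bool
    - configure_strategy | bool
    - file_ownership_audit_configuration | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - '"audit" in ansible_facts.packages'
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-86445-4
    - DISA-STIG-RHEL-09-232103
    - configure_strategy
    - file_ownership_audit_configuration
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Ensure owner on /etc/audit/ file(s) matching ^.*audit(\.rules|d\.conf)$
  ansible.builtin.file:
    path: '{{ item }}'
    follow: false
    owner: '{{ file_ownership_audit_configuration_newown }}'
    state: file
  with_items:
    - '{{ files_found.stdout_lines }}'
  when:
    - DISA_STIG_RHEL_09_232103 | bool
    - configure_strategy | bool
    - file_ownership_audit_configuration | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - '"audit" in ansible_facts.packages'
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-86445-4
    - DISA-STIG-RHEL-09-232103
    - configure_strategy
    - file_ownership_audit_configuration
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Find /etc/audit/rules.d/ file(s) matching ^.*\.rules$
  ansible.builtin.command: find -P /etc/audit/rules.d/ -maxdepth 1 -type f ! -user 0 -regextype posix-extended -regex "^.*\.rules$"
  register: files_found
  changed_when: false
  failed_when: false
  check_mode: false
  when:
    - DISA_STIG_RHEL_09_232103 | bool
    - configure_strategy | bool
    - file_ownership_audit_configuration | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - '"audit" in ansible_facts.packages'
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-86445-4
    - DISA-STIG-RHEL-09-232103
    - configure_strategy
    - file_ownership_audit_configuration
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Ensure owner on /etc/audit/rules.d/ file(s) matching ^.*\.rules$
  ansible.builtin.file:
    path: '{{ item }}'
    follow: false
    owner: '{{ file_ownership_audit_configuration_newown }}'
    state: file
  with_items:
    - '{{ files_found.stdout_lines }}'
  when:
    - DISA_STIG_RHEL_09_232103 | bool
    - configure_strategy | bool
    - file_ownership_audit_configuration | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - '"audit" in ansible_facts.packages'
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-86445-4
    - DISA-STIG-RHEL-09-232103
    - configure_strategy
    - file_ownership_audit_configuration
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

# --- Permissions of audit configuration files -------------------------------
# find(1) selects files that have ANY of the bits named in "-perm /..." set;
# the matching "Set permissions" task then strips exactly those bits
# (symbolic mode u-xs,g-xws,o-xwrt), leaving at most 0640.
- name: Find /etc/audit/ file(s)
  ansible.builtin.command: find -P /etc/audit/ -maxdepth 1 -perm /u+xs,g+xws,o+xwrt -type f -regextype posix-extended -regex "^.*audit(\.rules|d\.conf)$"
  register: files_found
  changed_when: false
  failed_when: false
  check_mode: false
  when:
    - DISA_STIG_RHEL_09_653110 | bool
    - configure_strategy | bool
    - file_permissions_audit_configuration | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - '"audit" in ansible_facts.packages'
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-88002-1
    - DISA-STIG-RHEL-09-653110
    - NIST-800-53-AU-12 b
    - configure_strategy
    - file_permissions_audit_configuration
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Set permissions for /etc/audit/ file(s)
  ansible.builtin.file:
    path: '{{ item }}'
    mode: u-xs,g-xws,o-xwrt
    state: file
  with_items:
    - '{{ files_found.stdout_lines }}'
  when:
    - DISA_STIG_RHEL_09_653110 | bool
    - configure_strategy | bool
    - file_permissions_audit_configuration | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - '"audit" in ansible_facts.packages'
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-88002-1
    - DISA-STIG-RHEL-09-653110
    - NIST-800-53-AU-12 b
    - configure_strategy
    - file_permissions_audit_configuration
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Find /etc/audit/rules.d/ file(s)
  ansible.builtin.command: find -P /etc/audit/rules.d/ -maxdepth 1 -perm /u+xs,g+xws,o+xwrt -type f -regextype posix-extended -regex "^.*\.rules$"
  register: files_found
  changed_when: false
  failed_when: false
  check_mode: false
  when:
    - DISA_STIG_RHEL_09_653110 | bool
    - configure_strategy | bool
    - file_permissions_audit_configuration | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - '"audit" in ansible_facts.packages'
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-88002-1
    - DISA-STIG-RHEL-09-653110
    - NIST-800-53-AU-12 b
    - configure_strategy
    - file_permissions_audit_configuration
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Set permissions for /etc/audit/rules.d/ file(s)
  ansible.builtin.file:
    path: '{{ item }}'
    mode: u-xs,g-xws,o-xwrt
    state: file
  with_items:
    - '{{ files_found.stdout_lines }}'
  when:
    - DISA_STIG_RHEL_09_653110 | bool
    - configure_strategy | bool
    - file_permissions_audit_configuration | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - '"audit" in ansible_facts.packages'
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-88002-1
    - DISA-STIG-RHEL-09-653110
    - NIST-800-53-AU-12 b
    - configure_strategy
    - file_permissions_audit_configuration
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

# --- Permissions of the audit log file --------------------------------------
# Resolve the configured log_file from auditd.conf (falling back to
# /var/log/audit/audit.log when the key is absent or the grep was skipped),
# then tighten its mode.
- name: Get audit log files
  ansible.builtin.command: grep -iw ^log_file /etc/audit/auditd.conf
  failed_when: false
  changed_when: false
  check_mode: false
  register: log_file_exists
  when:
    - DISA_STIG_RHEL_09_653090 | bool
    - file_permissions_var_log_audit | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - '"audit" in ansible_facts.packages'
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-83720-3
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-09-653090
    - NIST-800-171-3.3.1
    - NIST-800-53-AC-6(1)
    - NIST-800-53-AU-9(4)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.1
    - file_permissions_var_log_audit
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Parse log file line
  ansible.builtin.command: awk -F '=' '/^log_file/ {print $2}' /etc/audit/auditd.conf
  register: log_file_line
  changed_when: false
  check_mode: false
  when:
    - DISA_STIG_RHEL_09_653090 | bool
    - file_permissions_var_log_audit | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - '"audit" in ansible_facts.packages'
    - '"kernel-core" in ansible_facts.packages'
    - log_file_exists is not skipped and (log_file_exists.stdout | length > 0)
  tags:
    - CCE-83720-3
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-09-653090
    - NIST-800-171-3.3.1
    - NIST-800-53-AC-6(1)
    - NIST-800-53-AU-9(4)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.1
    - file_permissions_var_log_audit
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Set default log_file if not set
  ansible.builtin.set_fact:
    log_file: /var/log/audit/audit.log
  when:
    - DISA_STIG_RHEL_09_653090 | bool
    - file_permissions_var_log_audit | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - '"audit" in ansible_facts.packages'
    - '"kernel-core" in ansible_facts.packages'
    - (log_file_exists is skipped) or (log_file_exists is undefined) or (log_file_exists.stdout | length == 0)
  tags:
    - CCE-83720-3
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-09-653090
    - NIST-800-171-3.3.1
    - NIST-800-53-AC-6(1)
    - NIST-800-53-AU-9(4)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.1
    - file_permissions_var_log_audit
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Set log_file from log_file_line if not set already
  ansible.builtin.set_fact:
    log_file: '{{ log_file_line.stdout | trim }}'
  when:
    - DISA_STIG_RHEL_09_653090 | bool
    - file_permissions_var_log_audit | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - '"audit" in ansible_facts.packages'
    - '"kernel-core" in ansible_facts.packages'
    - (log_file_exists is not skipped) and (log_file_line.stdout is defined) and (log_file_line.stdout | length > 0)
  tags:
    - CCE-83720-3
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-09-653090
    - NIST-800-171-3.3.1
    - NIST-800-53-AC-6(1)
    - NIST-800-53-AU-9(4)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.1
    - file_permissions_var_log_audit
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

# Mode is written as the quoted octal string used by every other task in this
# file; the previous bare decimal 384 is the same value (0o600) but only
# because YAML 1.1 had silently converted an unquoted 0600 on the way in.
# failed_when: false keeps the play going when the log file does not exist yet.
- name: Apply mode to log file
  ansible.builtin.file:
    path: '{{ log_file }}'
    mode: '0600'
  failed_when: false
  when:
    - DISA_STIG_RHEL_09_653090 | bool
    - file_permissions_var_log_audit | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - '"audit" in ansible_facts.packages'
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-83720-3
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-09-653090
    - NIST-800-171-3.3.1
    - NIST-800-53-AC-6(1)
    - NIST-800-53-AU-9(4)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.1
    - file_permissions_var_log_audit
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

# --- Audit rules for chmod (DAC modification) ------------------------------
# The two architecture conditions below can never both hold on aarch64, so
# audit_arch is only set on ppc64/ppc64le/s390x/x86_64; the 32-bit block that
# follows and the 64-bit block after it (outside this chunk) key off that.
- name: Set architecture for audit chmod tasks
  ansible.builtin.set_fact:
    audit_arch: b64
  when:
    - DISA_STIG_RHEL_09_654015 | bool
    - audit_rules_dac_modification_chmod | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - reboot_required | bool
    - restrict_strategy | bool
    - '"audit" in ansible_facts.packages'
    - '"kernel-core" in ansible_facts.packages'
    - not ( ansible_architecture == "aarch64" )
    - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
  tags:
    - CCE-83830-0
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-09-654015
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.5
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.4
    - audit_rules_dac_modification_chmod
    - low_complexity
    - low_disruption
    - medium_severity
    - reboot_required
    - restrict_strategy

# NOTE(review): this block continues past the end of the chunk; the last task
# below is reproduced only as far as the source shows it.
- name: Perform remediation of Audit rules for chmod for 32bit platform
  block:
    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
          - chmod
        syscall_grouping:
          - chmod
          - fchmod
          - fchmodat

    - name: Check existence of chmod in /etc/audit/rules.d/
      ansible.builtin.find:
        paths: /etc/audit/rules.d
        contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: '*.rules'
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Reset syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: {}
        found_paths_dict: {}

    - name: Declare syscalls found per file
      ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | 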
combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" - name: Count occurrences of syscalls in paths ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules" when: found_paths | length == 0 - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length 
== 0 - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - chmod syscall_grouping: - chmod - fchmod - fchmodat - name: Check existence of chmod in /etc/audit/audit.rules ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 when: - DISA_STIG_RHEL_09_654015 | bool - audit_rules_dac_modification_chmod | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - not ( ansible_architecture == "aarch64" ) tags: - CCE-83830-0 - CJIS-5.4.1.1 - DISA-STIG-RHEL-09-654015 - NIST-800-171-3.1.7 - 
NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - PCI-DSSv4-10.3 - PCI-DSSv4-10.3.4 - audit_rules_dac_modification_chmod - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - name: Perform remediation of Audit rules for chmod for 64bit platform block: - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - chmod syscall_grouping: - chmod - fchmod - fchmodat - name: Check existence of chmod in /etc/audit/rules.d/ ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" - name: Count occurrences of syscalls in paths ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules" when: found_paths | length == 0 - 
name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - chmod syscall_grouping: - chmod - fchmod - fchmodat - name: Check existence of chmod in /etc/audit/audit.rules ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F 
arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 when: - DISA_STIG_RHEL_09_654015 | bool - audit_rules_dac_modification_chmod | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - not ( ansible_architecture == "aarch64" ) - audit_arch == "b64" tags: - CCE-83830-0 - CJIS-5.4.1.1 - DISA-STIG-RHEL-09-654015 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - PCI-DSSv4-10.3 - PCI-DSSv4-10.3.4 - audit_rules_dac_modification_chmod - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - name: Set architecture for audit chown tasks ansible.builtin.set_fact: audit_arch: b64 when: - DISA_STIG_RHEL_09_654020 | bool - audit_rules_dac_modification_chown | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - not ( ansible_architecture == "aarch64" ) - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" tags: - CCE-83812-8 - CJIS-5.4.1.1 - DISA-STIG-RHEL-09-654020 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - 
NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - PCI-DSSv4-10.3 - PCI-DSSv4-10.3.4 - audit_rules_dac_modification_chown - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - name: Perform remediation of Audit rules for chown for 32bit platform block: - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - chown syscall_grouping: - chown - fchown - fchownat - lchown - name: Check existence of chown in /etc/audit/rules.d/ ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" - name: Count occurrences of syscalls in paths ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules" when: found_paths | length == 0 - name: Declare 
found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - chown syscall_grouping: - chown - fchown - fchownat - lchown - name: Check existence of chown in /etc/audit/audit.rules ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F 
arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 when: - DISA_STIG_RHEL_09_654020 | bool - audit_rules_dac_modification_chown | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - not ( ansible_architecture == "aarch64" ) tags: - CCE-83812-8 - CJIS-5.4.1.1 - DISA-STIG-RHEL-09-654020 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - PCI-DSSv4-10.3 - PCI-DSSv4-10.3.4 - audit_rules_dac_modification_chown - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - name: Perform remediation of Audit rules for chown for 64bit platform block: - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - chown syscall_grouping: - chown - fchown - fchownat - lchown - name: Check existence of chown in /etc/audit/rules.d/ ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file ansible.builtin.set_fact: 
syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" - name: Count occurrences of syscalls in paths ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules" when: found_paths | length == 0 - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod create: true mode: g-rwx,o-rwx 
state: present when: syscalls_found | length == 0 - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - chown syscall_grouping: - chown - fchown - fchownat - lchown - name: Check existence of chown in /etc/audit/audit.rules ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 when: - DISA_STIG_RHEL_09_654020 | bool - audit_rules_dac_modification_chown | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - not ( ansible_architecture == "aarch64" ) - audit_arch == "b64" tags: - CCE-83812-8 
- CJIS-5.4.1.1 - DISA-STIG-RHEL-09-654020 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - PCI-DSSv4-10.3 - PCI-DSSv4-10.3.4 - audit_rules_dac_modification_chown - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - name: Set architecture for audit fchmod tasks ansible.builtin.set_fact: audit_arch: b64 when: - DISA_STIG_RHEL_09_654015 | bool - audit_rules_dac_modification_fchmod | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" tags: - CCE-83832-6 - CJIS-5.4.1.1 - DISA-STIG-RHEL-09-654015 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - PCI-DSSv4-10.3 - PCI-DSSv4-10.3.4 - audit_rules_dac_modification_fchmod - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - name: Perform remediation of Audit rules for fchmod for 32bit platform block: - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - fchmod syscall_grouping: - chmod - fchmod - fchmodat - name: Check existence of fchmod in /etc/audit/rules.d/ ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path 
:[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" - name: Count occurrences of syscalls in paths ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules" when: found_paths | length == 0 - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 - name: Declare list of 
syscalls ansible.builtin.set_fact: syscalls: - fchmod syscall_grouping: - chmod - fchmod - fchmodat - name: Check existence of fchmod in /etc/audit/audit.rules ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 when: - DISA_STIG_RHEL_09_654015 | bool - audit_rules_dac_modification_fchmod | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' tags: - CCE-83832-6 - CJIS-5.4.1.1 - DISA-STIG-RHEL-09-654015 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - 
PCI-DSS-Req-10.5.5 - PCI-DSSv4-10.3 - PCI-DSSv4-10.3.4 - audit_rules_dac_modification_fchmod - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - name: Perform remediation of Audit rules for fchmod for 64bit platform block: - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - fchmod syscall_grouping: - chmod - fchmod - fchmodat - name: Check existence of fchmod in /etc/audit/rules.d/ ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" - name: Count occurrences of syscalls in paths ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules" when: found_paths | length == 0 - name: Declare found syscalls ansible.builtin.set_fact: 
syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - fchmod syscall_grouping: - chmod - fchmod - fchmodat - name: Check existence of fchmod in /etc/audit/audit.rules ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") 
}}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 when: - DISA_STIG_RHEL_09_654015 | bool - audit_rules_dac_modification_fchmod | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - audit_arch == "b64" tags: - CCE-83832-6 - CJIS-5.4.1.1 - DISA-STIG-RHEL-09-654015 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - PCI-DSSv4-10.3 - PCI-DSSv4-10.3.4 - audit_rules_dac_modification_fchmod - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - name: Set architecture for audit fchmodat tasks ansible.builtin.set_fact: audit_arch: b64 when: - DISA_STIG_RHEL_09_654015 | bool - audit_rules_dac_modification_fchmodat | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" tags: - CCE-83822-7 - CJIS-5.4.1.1 - DISA-STIG-RHEL-09-654015 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - PCI-DSSv4-10.3 - PCI-DSSv4-10.3.4 - audit_rules_dac_modification_fchmodat - 
low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - name: Perform remediation of Audit rules for fchmodat for 32bit platform block: - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - fchmodat syscall_grouping: - chmod - fchmod - fchmodat - name: Check existence of fchmodat in /etc/audit/rules.d/ ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" - name: Count occurrences of syscalls in paths ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules" when: found_paths | length == 0 - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" 
- name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - fchmodat syscall_grouping: - chmod - fchmod - fchmodat - name: Check existence of fchmodat in /etc/audit/audit.rules ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ 
missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 when: - DISA_STIG_RHEL_09_654015 | bool - audit_rules_dac_modification_fchmodat | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' tags: - CCE-83822-7 - CJIS-5.4.1.1 - DISA-STIG-RHEL-09-654015 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - PCI-DSSv4-10.3 - PCI-DSSv4-10.3.4 - audit_rules_dac_modification_fchmodat - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - name: Perform remediation of Audit rules for fchmodat for 64bit platform block: - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - fchmodat syscall_grouping: - chmod - fchmod - fchmodat - name: Check existence of fchmodat in /etc/audit/rules.d/ ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list 
}}' - name: Declare files where syscalls were found ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" - name: Count occurrences of syscalls in paths ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules" when: found_paths | length == 0 - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - fchmodat syscall_grouping: - chmod - fchmod - fchmodat - name: Check existence of 
fchmodat in /etc/audit/audit.rules ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 when: - DISA_STIG_RHEL_09_654015 | bool - audit_rules_dac_modification_fchmodat | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - audit_arch == "b64" tags: - CCE-83822-7 - CJIS-5.4.1.1 - DISA-STIG-RHEL-09-654015 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - PCI-DSSv4-10.3 - PCI-DSSv4-10.3.4 - audit_rules_dac_modification_fchmodat - low_complexity - 
low_disruption - medium_severity - reboot_required - restrict_strategy - name: Set architecture for audit fchown tasks ansible.builtin.set_fact: audit_arch: b64 when: - DISA_STIG_RHEL_09_654020 | bool - audit_rules_dac_modification_fchown | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" tags: - CCE-83829-2 - CJIS-5.4.1.1 - DISA-STIG-RHEL-09-654020 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - PCI-DSSv4-10.3 - PCI-DSSv4-10.3.4 - audit_rules_dac_modification_fchown - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - name: Perform remediation of Audit rules for fchown for 32bit platform block: - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - fchown syscall_grouping: - chown - fchown - fchownat - lchown - name: Check existence of fchown in /etc/audit/rules.d/ ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found ansible.builtin.set_fact: found_paths="{{ 
find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" - name: Count occurrences of syscalls in paths ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules" when: found_paths | length == 0 - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - fchown syscall_grouping: - chown - fchown - fchownat - lchown - name: Check existence of fchown in /etc/audit/audit.rules ansible.builtin.find: paths: /etc/audit contains: -a 
always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 when: - DISA_STIG_RHEL_09_654020 | bool - audit_rules_dac_modification_fchown | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' tags: - CCE-83829-2 - CJIS-5.4.1.1 - DISA-STIG-RHEL-09-654020 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - PCI-DSSv4-10.3 - PCI-DSSv4-10.3.4 - audit_rules_dac_modification_fchown - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - name: Perform remediation of Audit rules 
for fchown for 64bit platform block: - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - fchown syscall_grouping: - chown - fchown - fchownat - lchown - name: Check existence of fchown in /etc/audit/rules.d/ ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" - name: Count occurrences of syscalls in paths ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules" when: found_paths | length == 0 - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - 
name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - fchown syscall_grouping: - chown - fchown - fchownat - lchown - name: Check existence of fchown in /etc/audit/audit.rules ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and 
missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 when: - DISA_STIG_RHEL_09_654020 | bool - audit_rules_dac_modification_fchown | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - audit_arch == "b64" tags: - CCE-83829-2 - CJIS-5.4.1.1 - DISA-STIG-RHEL-09-654020 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - PCI-DSSv4-10.3 - PCI-DSSv4-10.3.4 - audit_rules_dac_modification_fchown - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - name: Set architecture for audit fchownat tasks ansible.builtin.set_fact: audit_arch: b64 when: - DISA_STIG_RHEL_09_654020 | bool - audit_rules_dac_modification_fchownat | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" tags: - CCE-83831-8 - CJIS-5.4.1.1 - DISA-STIG-RHEL-09-654020 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - PCI-DSSv4-10.3 - PCI-DSSv4-10.3.4 - audit_rules_dac_modification_fchownat - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - name: Perform remediation of Audit rules for fchownat for 32bit platform block: - name: Declare list of syscalls 
ansible.builtin.set_fact: syscalls: - fchownat syscall_grouping: - chown - fchown - fchownat - lchown - name: Check existence of fchownat in /etc/audit/rules.d/ ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" - name: Count occurrences of syscalls in paths ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules" when: found_paths | length == 0 - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} 
ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - fchownat syscall_grouping: - chown - fchown - fchownat - lchown - name: Check existence of fchownat in /etc/audit/audit.rules ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit 
rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 when: - DISA_STIG_RHEL_09_654020 | bool - audit_rules_dac_modification_fchownat | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' tags: - CCE-83831-8 - CJIS-5.4.1.1 - DISA-STIG-RHEL-09-654020 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - PCI-DSSv4-10.3 - PCI-DSSv4-10.3.4 - audit_rules_dac_modification_fchownat - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - name: Perform remediation of Audit rules for fchownat for 64bit platform block: - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - fchownat syscall_grouping: - chown - fchown - fchownat - lchown - name: Check existence of fchownat in /etc/audit/rules.d/ ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | 
map(attribute='path') | list }}" - name: Count occurrences of syscalls in paths ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules" when: found_paths | length == 0 - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - fchownat syscall_grouping: - chown - fchown - fchownat - lchown - name: Check existence of fchownat in /etc/audit/audit.rules ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item 
}})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 when: - DISA_STIG_RHEL_09_654020 | bool - audit_rules_dac_modification_fchownat | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - audit_arch == "b64" tags: - CCE-83831-8 - CJIS-5.4.1.1 - DISA-STIG-RHEL-09-654020 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - PCI-DSSv4-10.3 - PCI-DSSv4-10.3.4 - audit_rules_dac_modification_fchownat - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - name: Set architecture for audit fremovexattr tasks 
# NOTE(review): the preceding (still collapsed) line ends with the task header
# `- name: Set architecture for audit fremovexattr tasks`; the keys below belong to it.
  ansible.builtin.set_fact:
    # Only the architectures listed in `when` get audit_arch=b64; the
    # "... for 64bit platform" block further down is gated on audit_arch == "b64".
    audit_arch: b64
  when:
    - DISA_STIG_RHEL_09_654025 | bool
    - audit_rules_dac_modification_fremovexattr | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - reboot_required | bool
    - restrict_strategy | bool
    - '"audit" in ansible_facts.packages'
    - '"kernel-core" in ansible_facts.packages'
    - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
  tags:
    - CCE-83821-9
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-09-654025
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.5
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.4
    - audit_rules_dac_modification_fremovexattr
    - low_complexity
    - low_disruption
    - medium_severity
    - reboot_required
    - restrict_strategy

# Every "Perform remediation of Audit rules ..." block below runs the same
# four passes, differing only in the directory searched and the auid filter:
#   1. /etc/audit/rules.d/*.rules  -- rules with `-F auid>=1000 -F auid!=unset`
#   2. /etc/audit/audit.rules      -- same filter
#   3. /etc/audit/rules.d/*.rules  -- rules with `-F auid=0`
#   4. /etc/audit/audit.rules      -- `-F auid=0`
# In each pass a rule line that already lists any syscall of syscall_grouping
# (and the right arch/auid filter) is extended in place with the missing
# syscall; a new `-F key=perm_mod` rule is appended only when no such line
# exists. The 32-bit block is unconditional on the architecture fact; the
# 64-bit block additionally requires audit_arch == "b64".
- name: Perform remediation of Audit rules for fremovexattr for 32bit platform
  block:

    # ---- pass 1: /etc/audit/rules.d, auid>=1000 && auid!=unset ----
    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
          - fremovexattr
        # Rules that carry any of these syscalls are candidates to be extended
        # with the one above instead of adding a separate rule line.
        syscall_grouping:
          - fremovexattr
          - lremovexattr
          - removexattr
          - fsetxattr
          - lsetxattr
          - setxattr

    - name: Check existence of fremovexattr in /etc/audit/rules.d/
      ansible.builtin.find:
        paths: /etc/audit/rules.d
        # One find per grouped syscall; matched files are collected per loop item.
        contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: '*.rules'
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Reset syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: {}
        found_paths_dict: {}

    # Credits each matched syscall only to the first file find returned for it
    # (item.files[0]); found_paths_dict below counts every returned file.
    - name: Declare syscalls found per file
      ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
      loop: '{{ find_command.results | selectattr(''matched'') | list }}'

    - name: Declare files where syscalls were found
      ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}"

    - name: Count occurrences of syscalls in paths
      ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
      loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'

    # The file holding the most grouped syscalls becomes the edit target; on a
    # tie the entry that sorts last wins.
    - name: Get path with most syscalls
      ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
      when: found_paths | length >= 1

    - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
      when: found_paths | length == 0

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"

    # NOTE(review): the find `contains` pattern accepts `(-k\s+|-F\s+key=)\S+`
    # but this regexp accepts only `(?:-k |-F key=)\w+`. A rule counted as found
    # by find whose key has a non-\w character appears to get its key truncated
    # on rewrite (group \4 stops at that character and backrefs replaces the
    # whole line), and a rule with more than one space after -k is not matched
    # at all, so lineinfile changes nothing and the syscall silently stays
    # missing. Confirm against the generating macro before tightening either
    # pattern.
    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
        # \3 is the separator already used on the line (" -S " or ","), so the
        # missing syscalls are appended in the line's own style.
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        # Strip group/other access from the rules file.
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    # ---- pass 2: /etc/audit/audit.rules, auid>=1000 && auid!=unset ----
    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
          - fremovexattr
        syscall_grouping:
          - fremovexattr
          - lremovexattr
          - removexattr
          - fsetxattr
          - lsetxattr
          - setxattr

    - name: Check existence of fremovexattr in /etc/audit/audit.rules
      ansible.builtin.find:
        paths: /etc/audit
        contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: audit.rules
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    # Single-file pass: no per-file bookkeeping, the target is fixed.
    - name: Set path to /etc/audit/audit.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    # ---- pass 3: /etc/audit/rules.d, auid=0 ----
    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
          - fremovexattr
        syscall_grouping:
          - fremovexattr
          - lremovexattr
          - removexattr
          - fsetxattr
          - lsetxattr
          - setxattr

    - name: Check existence of fremovexattr in /etc/audit/rules.d/
      ansible.builtin.find:
        paths: /etc/audit/rules.d
        contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
        patterns: '*.rules'
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Reset syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: {}
        found_paths_dict: {}

    - name: Declare syscalls found per file
      ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
      loop: '{{ find_command.results | selectattr(''matched'') | list }}'

    - name: Declare files where syscalls were found
      ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}"

    - name: Count occurrences of syscalls in paths
      ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
      loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'

    - name: Get path with most syscalls
      ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
      when: found_paths | length >= 1

    - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
      when: found_paths | length == 0

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid=0 -F key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    # ---- pass 4: /etc/audit/audit.rules, auid=0 ----
    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
          - fremovexattr
        syscall_grouping:
          - fremovexattr
          - lremovexattr
          - removexattr
          - fsetxattr
          - lsetxattr
          - setxattr

    - name: Check existence of fremovexattr in /etc/audit/audit.rules
      ansible.builtin.find:
        paths: /etc/audit
        contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
        patterns: audit.rules
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Set path to /etc/audit/audit.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid=0 -F key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0
  when:
    - DISA_STIG_RHEL_09_654025 | bool
    - audit_rules_dac_modification_fremovexattr | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - reboot_required | bool
    - restrict_strategy | bool
    - '"audit" in ansible_facts.packages'
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-83821-9
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-09-654025
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.5
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.4
    - audit_rules_dac_modification_fremovexattr
    - low_complexity
    - low_disruption
    - medium_severity
    - reboot_required
    - restrict_strategy

# Same four passes as the 32-bit block, with arch=b64; only runs where the
# "Set architecture" task above produced audit_arch == "b64".
- name: Perform remediation of Audit rules for fremovexattr for 64bit platform
  block:

    # ---- pass 1: /etc/audit/rules.d, auid>=1000 && auid!=unset ----
    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
          - fremovexattr
        syscall_grouping:
          - fremovexattr
          - lremovexattr
          - removexattr
          - fsetxattr
          - lsetxattr
          - setxattr

    - name: Check existence of fremovexattr in /etc/audit/rules.d/
      ansible.builtin.find:
        paths: /etc/audit/rules.d
        contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: '*.rules'
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Reset syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: {}
        found_paths_dict: {}

    - name: Declare syscalls found per file
      ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
      loop: '{{ find_command.results | selectattr(''matched'') | list }}'

    - name: Declare files where syscalls were found
      ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}"

    - name: Count occurrences of syscalls in paths
      ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
      loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'

    - name: Get path with most syscalls
      ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
      when: found_paths | length >= 1

    - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
      when: found_paths | length == 0

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    # ---- pass 2: /etc/audit/audit.rules, auid>=1000 && auid!=unset ----
    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
          - fremovexattr
        syscall_grouping:
          - fremovexattr
          - lremovexattr
          - removexattr
          - fsetxattr
          - lsetxattr
          - setxattr

    - name: Check existence of fremovexattr in /etc/audit/audit.rules
      ansible.builtin.find:
        paths: /etc/audit
        contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: audit.rules
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Set path to /etc/audit/audit.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    # ---- pass 3: /etc/audit/rules.d, auid=0 ----
    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
          - fremovexattr
        syscall_grouping:
          - fremovexattr
          - lremovexattr
          - removexattr
          - fsetxattr
          - lsetxattr
          - setxattr

    - name: Check existence of fremovexattr in /etc/audit/rules.d/
      ansible.builtin.find:
        paths: /etc/audit/rules.d
        contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
        patterns: '*.rules'
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Reset syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: {}
        found_paths_dict: {}

    - name: Declare syscalls found per file
      ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
      loop: '{{ find_command.results | selectattr(''matched'') | list }}'

    - name: Declare files where syscalls were found
      ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}"

    - name: Count occurrences of syscalls in paths
      ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
      loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'

    - name: Get path with most syscalls
      ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
      when: found_paths | length >= 1

    - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
      when: found_paths | length == 0

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid=0 -F key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    # ---- pass 4: /etc/audit/audit.rules, auid=0 ----
    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
          - fremovexattr
        syscall_grouping:
          - fremovexattr
          - lremovexattr
          - removexattr
          - fsetxattr
          - lsetxattr
          - setxattr

    - name: Check existence of fremovexattr in /etc/audit/audit.rules
      ansible.builtin.find:
        paths: /etc/audit
        contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
        patterns: audit.rules
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Set path to /etc/audit/audit.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid=0 -F key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0
  when:
    - DISA_STIG_RHEL_09_654025 | bool
    - audit_rules_dac_modification_fremovexattr | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - reboot_required | bool
    - restrict_strategy | bool
    - '"audit" in ansible_facts.packages'
    - '"kernel-core" in ansible_facts.packages'
    # Set by "Set architecture for audit fremovexattr tasks" on 64-bit hosts only.
    - audit_arch == "b64"
  tags:
    - CCE-83821-9
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-09-654025
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.5
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.4
    - audit_rules_dac_modification_fremovexattr
    - low_complexity
    - low_disruption
    - medium_severity
    - reboot_required
    - restrict_strategy

# fsetxattr: same arch gate and the same remediation flow as fremovexattr above.
- name: Set architecture for audit fsetxattr tasks
  ansible.builtin.set_fact:
    audit_arch: b64
  when:
    - DISA_STIG_RHEL_09_654025 | bool
    - audit_rules_dac_modification_fsetxattr | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - reboot_required | bool
    - restrict_strategy | bool
    - '"audit" in ansible_facts.packages'
    - '"kernel-core" in ansible_facts.packages'
    - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
  tags:
    - CCE-83817-7
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-09-654025
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.5
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.4
    - audit_rules_dac_modification_fsetxattr
    - low_complexity
    - low_disruption
    - medium_severity
    - reboot_required
    - restrict_strategy

- name: Perform remediation of Audit rules for fsetxattr for 32bit platform
  block:

    # ---- pass 1: /etc/audit/rules.d, auid>=1000 && auid!=unset ----
    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
          - fsetxattr
        syscall_grouping:
          - fremovexattr
          - lremovexattr
          - removexattr
          - fsetxattr
          - lsetxattr
          - setxattr

    - name: Check existence of fsetxattr in /etc/audit/rules.d/
      ansible.builtin.find:
        paths: /etc/audit/rules.d
        contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: '*.rules'
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Reset syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: {}
        found_paths_dict: {}

    - name: Declare syscalls found per file
      ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
      loop: '{{ find_command.results | selectattr(''matched'') | list }}'

    - name: Declare files where syscalls were found
      ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}"

    - name: Count occurrences of syscalls in paths
      ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
      loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'

    - name: Get path with most syscalls
      ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
      when: found_paths | length >= 1

    - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
      when: found_paths | length == 0

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    # ---- pass 2: /etc/audit/audit.rules, auid>=1000 && auid!=unset ----
    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
          - fsetxattr
        syscall_grouping:
          - fremovexattr
          - lremovexattr
          - removexattr
          - fsetxattr
          - lsetxattr
          - setxattr

    - name: Check existence of fsetxattr in /etc/audit/audit.rules
      ansible.builtin.find:
        paths: /etc/audit
        contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: audit.rules
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Set path to /etc/audit/audit.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    # ---- pass 3: /etc/audit/rules.d, auid=0 ----
    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
          - fsetxattr
        syscall_grouping:
          - fremovexattr
          - lremovexattr
          - removexattr
          - fsetxattr
          - lsetxattr
          - setxattr

    - name: Check existence of fsetxattr in /etc/audit/rules.d/
      ansible.builtin.find:
        paths: /etc/audit/rules.d
        contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
        patterns: '*.rules'
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Reset syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: {}
        found_paths_dict: {}

    - name: Declare syscalls found per file
      ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
      loop: '{{ find_command.results | selectattr(''matched'') | list }}'

    - name: Declare files where syscalls were found
      ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}"

    - name: Count occurrences of syscalls in paths
      ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
      loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'

    - name: Get path with most syscalls
      ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
      when: found_paths | length >= 1

    - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
      when: found_paths | length == 0

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid=0 -F key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    # ---- pass 4: /etc/audit/audit.rules, auid=0 ----
    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
          - fsetxattr
        syscall_grouping:
          - fremovexattr
          - lremovexattr
          - removexattr
          - fsetxattr
          - lsetxattr
          - setxattr

    - name: Check existence of fsetxattr in /etc/audit/audit.rules
      ansible.builtin.find:
        paths: /etc/audit
        contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
        patterns: audit.rules
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Set path to /etc/audit/audit.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid=0 -F key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0
  when:
    - DISA_STIG_RHEL_09_654025 | bool
    - audit_rules_dac_modification_fsetxattr | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - reboot_required | bool
    - restrict_strategy | bool
    - '"audit" in ansible_facts.packages'
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-83817-7
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-09-654025
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.5
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.4
    - audit_rules_dac_modification_fsetxattr
    - low_complexity
    - low_disruption
    - medium_severity
    - reboot_required
    - restrict_strategy

# NOTE(review): this task header is split across the original collapsed lines;
# its name and body continue on the following line.
- name: Perform remediation of Audit
rules for fsetxattr for 64bit platform block: - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - fsetxattr syscall_grouping: - fremovexattr - lremovexattr - removexattr - fsetxattr - lsetxattr - setxattr - name: Check existence of fsetxattr in /etc/audit/rules.d/ ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" - name: Count occurrences of syscalls in paths ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules" when: found_paths | length == 0 - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: 
missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - fsetxattr syscall_grouping: - fremovexattr - lremovexattr - removexattr - fsetxattr - lsetxattr - setxattr - name: Check existence of fsetxattr in /etc/audit/audit.rules ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls 
| join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - fsetxattr syscall_grouping: - fremovexattr - lremovexattr - removexattr - fsetxattr - lsetxattr - setxattr - name: Check existence of fsetxattr in /etc/audit/rules.d/ ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" - name: Count occurrences of syscalls in paths ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to 
/etc/audit/rules.d/perm_mod.rules ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules" when: found_paths | length == 0 - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid=0 -F key=perm_mod create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - fsetxattr syscall_grouping: - fremovexattr - lremovexattr - removexattr - fsetxattr - lsetxattr - setxattr - name: Check existence of fsetxattr in /etc/audit/audit.rules ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - 
name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid=0 -F key=perm_mod create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 when: - DISA_STIG_RHEL_09_654025 | bool - audit_rules_dac_modification_fsetxattr | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - audit_arch == "b64" tags: - CCE-83817-7 - CJIS-5.4.1.1 - DISA-STIG-RHEL-09-654025 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - PCI-DSSv4-10.3 - PCI-DSSv4-10.3.4 - audit_rules_dac_modification_fsetxattr - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - name: Set architecture for audit lchown tasks ansible.builtin.set_fact: audit_arch: b64 when: - DISA_STIG_RHEL_09_654020 | bool - audit_rules_dac_modification_lchown | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - not ( ansible_architecture == "aarch64" ) - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" tags: - CCE-83833-4 - CJIS-5.4.1.1 - 
DISA-STIG-RHEL-09-654020 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - PCI-DSSv4-10.3 - PCI-DSSv4-10.3.4 - audit_rules_dac_modification_lchown - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy
# Audit rule for lchown, 32-bit syscall ABI (-F arch=b32).
# This block runs on every non-aarch64 host, and the `arch=b64` block that
# follows it runs in addition when `audit_arch` is b64 — NOTE(review):
# presumably so that 32-bit callers on a 64-bit kernel are not missed by a
# b64-only rule; confirm both ABIs are expected on every supported platform.
# Two on-disk layouts are handled in turn: an augenrules-managed
# /etc/audit/rules.d/*.rules tree and a legacy flat /etc/audit/audit.rules.
# Nothing here loads the rule into the running kernel; the block is gated on
# `reboot_required`, so the change is expected to take effect on next boot.
- name: Perform remediation of Audit rules for lchown for 32bit platform
  block:
    # The syscall being remediated plus the group it is normally audited
    # together with. An existing rule for any group member is extended with
    # the missing syscall instead of a second, overlapping rule being added.
    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
          - lchown
        syscall_grouping:
          - chown
          - fchown
          - fchownat
          - lchown

    # One find per (grouped) syscall. The pattern is deliberately strict: it
    # only recognises rules that already carry `-F auid>=1000 -F auid!=unset`
    # in exactly this order, followed by a key. A functionally equivalent rule
    # written differently (other field order, `auid!=4294967295`, extra
    # fields) is not matched, and a second rule will be appended instead.
    - name: Check existence of lchown in /etc/audit/rules.d/
      ansible.builtin.find:
        paths: /etc/audit/rules.d
        contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: '*.rules'
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    # These facts are play-wide and reused by every audit-rule block in this
    # playbook, so they must be cleared before being rebuilt.
    - name: Reset syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: {}
        found_paths_dict: {}

    # NOTE(review): only the first matching file (`files[0]`) is credited to a
    # syscall here, whereas `found_paths_dict` below counts every file that
    # matched. If the same rule is present in two rules.d files, `audit_file`
    # can be chosen as a file that has no `syscalls_per_file` entry, and the
    # "Replace" task's regexp would then reference a missing key — confirm
    # whether duplicated rule files are a supported input.
    - name: Declare syscalls found per file
      ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
      loop: '{{ find_command.results | selectattr(''matched'') | list }}'

    - name: Declare files where syscalls were found
      ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}"

    - name: Count occurrences of syscalls in paths
      ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
      loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'

    # Prefer the rules file that already holds the most grouped syscalls
    # (`sort` is stable, so ties go to the file listed last); fall back to a
    # dedicated perm_mod.rules only when nothing matched anywhere.
    - name: Get path with most syscalls
      ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
      when: found_paths | length >= 1

    - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
      when: found_paths | length == 0

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"

    # A rule for another group member exists but lchown is not in it: splice
    # the missing syscalls into that rule, reusing the rule's own separator
    # (`\3` is whichever of ` -S ` or `,` the existing rule used). Group and
    # other permissions are stripped so the rule file is not world-readable.
    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    # No rule for any group member exists: append a fresh one. `create: true`
    # makes the file if it is absent, with the same restrictive mode.
    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    # Legacy layout: a single /etc/audit/audit.rules. Same logic as above, but
    # the target file is fixed so there is no per-file bookkeeping, and the
    # replace regexp keys on `syscalls_found` directly.
    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
          - lchown
        syscall_grouping:
          - chown
          - fchown
          - fchownat
          - lchown

    - name: Check existence of lchown in /etc/audit/audit.rules
      ansible.builtin.find:
        paths: /etc/audit
        contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: audit.rules
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Set path to /etc/audit/audit.rules
      ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"

    - name: Declare found syscalls
      ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0
  # Block-level guard: rule selected for this profile, auditd present, and
  # the host is not aarch64. The preceding "Set architecture for audit lchown
  # tasks" set_fact carries the same `not ( ansible_architecture == "aarch64" )`
  # condition, so neither ABI of this rule is remediated on aarch64.
  when:
    - DISA_STIG_RHEL_09_654020 | bool
    - audit_rules_dac_modification_lchown | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - reboot_required | bool
    - restrict_strategy | bool
    - '"audit" in ansible_facts.packages'
    - '"kernel-core" in ansible_facts.packages'
    - not ( ansible_architecture == "aarch64" )
  tags:
    - CCE-83833-4
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-09-654020
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.5
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.4
    - audit_rules_dac_modification_lchown
    - low_complexity
    - low_disruption
    - medium_severity
    - reboot_required
    - restrict_strategy
- name: Perform remediation of Audit rules for lchown for 64bit platform block: - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - lchown syscall_grouping: - chown - fchown - fchownat - lchown - name: Check existence of lchown in /etc/audit/rules.d/ ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: 
{} - name: Declare syscalls found per file ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" - name: Count occurrences of syscalls in paths ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules" when: found_paths | length == 0 - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F 
auid>=1000 -F auid!=unset -F key=perm_mod create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - lchown syscall_grouping: - chown - fchown - fchownat - lchown - name: Check existence of lchown in /etc/audit/audit.rules ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 when: - DISA_STIG_RHEL_09_654020 | bool - audit_rules_dac_modification_lchown | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - not ( 
ansible_architecture == "aarch64" ) - audit_arch == "b64" tags: - CCE-83833-4 - CJIS-5.4.1.1 - DISA-STIG-RHEL-09-654020 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - PCI-DSSv4-10.3 - PCI-DSSv4-10.3.4 - audit_rules_dac_modification_lchown - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy
# `audit_arch` is a play-wide fact shared by every audit-rule block in this
# playbook. It is (re)set to b64 here only when the host is one of the listed
# 64-bit platforms; the 64-bit lremovexattr block further down is gated on
# `audit_arch == "b64"`, while the 32-bit block that follows this task has no
# architecture guard at all.
# Unlike the lchown variant above, aarch64 is included here, so both the b32
# and b64 lremovexattr rules are written on aarch64 hosts — nothing in this
# playbook checks whether a b32 rule is loadable on such a kernel.
# NOTE(review): on a host matching none of these architectures the fact is
# left as whatever an earlier rule set (or undefined), and the later
# `audit_arch == "b64"` guard evaluates that stale/undefined value — confirm
# this is acceptable for the supported platform list.
- name: Set architecture for audit lremovexattr tasks
  ansible.builtin.set_fact:
    audit_arch: b64
  when:
    - DISA_STIG_RHEL_09_654025 | bool
    - audit_rules_dac_modification_lremovexattr | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - reboot_required | bool
    - restrict_strategy | bool
    - '"audit" in ansible_facts.packages'
    - '"kernel-core" in ansible_facts.packages'
    - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
  tags:
    - CCE-83814-4
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-09-654025
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.5
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.4
    - audit_rules_dac_modification_lremovexattr
    - low_complexity
    - low_disruption
    - medium_severity
    - reboot_required
    - restrict_strategy
- name: Perform remediation of Audit rules for lremovexattr for 32bit platform block: - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - lremovexattr syscall_grouping: - fremovexattr - lremovexattr - removexattr - fsetxattr - lsetxattr - setxattr - name: Check existence of lremovexattr in /etc/audit/rules.d/ ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file ansible.builtin.set_fact: 
syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" - name: Count occurrences of syscalls in paths ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules" when: found_paths | length == 0 - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 
-S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - lremovexattr syscall_grouping: - fremovexattr - lremovexattr - removexattr - fsetxattr - lsetxattr - setxattr - name: Check existence of lremovexattr in /etc/audit/audit.rules ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - lremovexattr syscall_grouping: - fremovexattr - lremovexattr - removexattr - fsetxattr - lsetxattr - setxattr - name: Check existence of 
lremovexattr in /etc/audit/rules.d/ ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" - name: Count occurrences of syscalls in paths ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules" when: found_paths | length == 0 - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") 
}}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid=0 -F key=perm_mod create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - lremovexattr syscall_grouping: - fremovexattr - lremovexattr - removexattr - fsetxattr - lsetxattr - setxattr - name: Check existence of lremovexattr in /etc/audit/audit.rules ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid=0 -F key=perm_mod create: true 
mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 when: - DISA_STIG_RHEL_09_654025 | bool - audit_rules_dac_modification_lremovexattr | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' tags: - CCE-83814-4 - CJIS-5.4.1.1 - DISA-STIG-RHEL-09-654025 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - PCI-DSSv4-10.3 - PCI-DSSv4-10.3.4 - audit_rules_dac_modification_lremovexattr - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - name: Perform remediation of Audit rules for lremovexattr for 64bit platform block: - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - lremovexattr syscall_grouping: - fremovexattr - lremovexattr - removexattr - fsetxattr - lsetxattr - setxattr - name: Check existence of lremovexattr in /etc/audit/rules.d/ ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" - name: Count occurrences of syscalls in paths ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | 
combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules" when: found_paths | length == 0 - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - lremovexattr syscall_grouping: - fremovexattr - lremovexattr - removexattr - fsetxattr - lsetxattr - setxattr - name: Check existence of lremovexattr in /etc/audit/audit.rules ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules 
register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - lremovexattr syscall_grouping: - fremovexattr - lremovexattr - removexattr - fsetxattr - lsetxattr - setxattr - name: Check existence of lremovexattr in /etc/audit/rules.d/ ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) 
}}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" - name: Count occurrences of syscalls in paths ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules" when: found_paths | length == 0 - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid=0 -F key=perm_mod create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - lremovexattr syscall_grouping: - fremovexattr - 
lremovexattr - removexattr - fsetxattr - lsetxattr - setxattr - name: Check existence of lremovexattr in /etc/audit/audit.rules ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid=0 -F key=perm_mod create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 when: - DISA_STIG_RHEL_09_654025 | bool - audit_rules_dac_modification_lremovexattr | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - audit_arch == "b64" tags: - CCE-83814-4 - CJIS-5.4.1.1 - DISA-STIG-RHEL-09-654025 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - PCI-DSSv4-10.3 - PCI-DSSv4-10.3.4 - 
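audit_rules_dac_modification_lremovexattr
    - low_complexity
    - low_disruption
    - medium_severity
    - reboot_required
    - restrict_strategy

# audit_arch is only set on the listed 64-bit architectures; the 64bit block
# for lsetxattr below is gated on `audit_arch == "b64"`, while the 32bit block
# runs unconditionally.
# NOTE(review): if a host is not in this architecture list, audit_arch stays
# undefined for the 64bit block's condition — confirm a default is provided
# elsewhere in the play.
- name: Set architecture for audit lsetxattr tasks
  ansible.builtin.set_fact:
    audit_arch: b64
  when:
    - DISA_STIG_RHEL_09_654025 | bool
    - audit_rules_dac_modification_lsetxattr | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - reboot_required | bool
    - restrict_strategy | bool
    - '"audit" in ansible_facts.packages'
    - '"kernel-core" in ansible_facts.packages'
    - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
  tags:
    - CCE-83808-6
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-09-654025
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.5
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.4
    - audit_rules_dac_modification_lsetxattr
    - low_complexity
    - low_disruption
    - medium_severity
    - reboot_required
    - restrict_strategy

# Four passes for the lsetxattr syscall on arch=b32 rules: /etc/audit/rules.d/*.rules
# then /etc/audit/audit.rules, first for rules filtered on
# `-F auid>=1000 -F auid!=unset`, then for rules filtered on `-F auid=0`.
# Each pass: find rule lines that already list any syscall of the xattr
# grouping, pick the file with the most hits (falling back to
# /etc/audit/rules.d/perm_mod.rules), splice the missing syscall into that
# line via backrefs, or append a fresh `-F key=perm_mod` line when nothing
# matched. Every written rule file gets mode g-rwx,o-rwx.
- name: Perform remediation of Audit rules for lsetxattr for 32bit platform
  block:
    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
          - lsetxattr
        syscall_grouping:
          - fremovexattr
          - lremovexattr
          - removexattr
          - fsetxattr
          - lsetxattr
          - setxattr

    # One find per syscall in the grouping; `matched` results tell which
    # files already carry a b32 rule naming that syscall.
    - name: Check existence of lsetxattr in /etc/audit/rules.d/
      ansible.builtin.find:
        paths: /etc/audit/rules.d
        contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: '*.rules'
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Reset syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: {}
        found_paths_dict: {}

    - name: Declare syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: "{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
      loop: '{{ find_command.results | selectattr(''matched'') | list }}'

    - name: Declare files where syscalls were found
      ansible.builtin.set_fact:
        found_paths: "{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}"

    - name: Count occurrences of syscalls in paths
      ansible.builtin.set_fact:
        found_paths_dict: "{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
      loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'

    # The target file is the one with the highest hit count.
    - name: Get path with most syscalls
      ansible.builtin.set_fact:
        audit_file: "{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
      when: found_paths | length >= 1

    - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
      ansible.builtin.set_fact:
        audit_file: /etc/audit/rules.d/perm_mod.rules
      when: found_paths | length == 0

    - name: Declare found syscalls
      ansible.builtin.set_fact:
        syscalls_found: "{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact:
        missing_syscalls: "{{ syscalls | difference(syscalls_found) }}"

    # Backrefs: \1 prefix, \2 existing syscall list, \3 the separator in use
    # (" -S " or ","), \4 the auid/key suffix; missing syscalls are inserted
    # using the same separator.
    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
          - lsetxattr
        syscall_grouping:
          - fremovexattr
          - lremovexattr
          - removexattr
          - fsetxattr
          - lsetxattr
          - setxattr

    - name: Check existence of lsetxattr in /etc/audit/audit.rules
      ansible.builtin.find:
        paths: /etc/audit
        contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: audit.rules
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Set path to /etc/audit/audit.rules
      ansible.builtin.set_fact:
        audit_file: /etc/audit/audit.rules

    - name: Declare found syscalls
      ansible.builtin.set_fact:
        syscalls_found: "{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact:
        missing_syscalls: "{{ syscalls | difference(syscalls_found) }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    # Same procedure for rules filtered on auid=0.
    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
          - lsetxattr
        syscall_grouping:
          - fremovexattr
          - lremovexattr
          - removexattr
          - fsetxattr
          - lsetxattr
          - setxattr

    - name: Check existence of lsetxattr in /etc/audit/rules.d/
      ansible.builtin.find:
        paths: /etc/audit/rules.d
        contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
        patterns: '*.rules'
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Reset syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: {}
        found_paths_dict: {}

    - name: Declare syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: "{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
      loop: '{{ find_command.results | selectattr(''matched'') | list }}'

    - name: Declare files where syscalls were found
      ansible.builtin.set_fact:
        found_paths: "{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}"

    - name: Count occurrences of syscalls in paths
      ansible.builtin.set_fact:
        found_paths_dict: "{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
      loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'

    - name: Get path with most syscalls
      ansible.builtin.set_fact:
        audit_file: "{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
      when: found_paths | length >= 1

    - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
      ansible.builtin.set_fact:
        audit_file: /etc/audit/rules.d/perm_mod.rules
      when: found_paths | length == 0

    - name: Declare found syscalls
      ansible.builtin.set_fact:
        syscalls_found: "{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact:
        missing_syscalls: "{{ syscalls | difference(syscalls_found) }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid=0 -F key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
          - lsetxattr
        syscall_grouping:
          - fremovexattr
          - lremovexattr
          - removexattr
          - fsetxattr
          - lsetxattr
          - setxattr

    - name: Check existence of lsetxattr in /etc/audit/audit.rules
      ansible.builtin.find:
        paths: /etc/audit
        contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
        patterns: audit.rules
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Set path to /etc/audit/audit.rules
      ansible.builtin.set_fact:
        audit_file: /etc/audit/audit.rules

    - name: Declare found syscalls
      ansible.builtin.set_fact:
        syscalls_found: "{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact:
        missing_syscalls: "{{ syscalls | difference(syscalls_found) }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid=0 -F key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0
  when:
    - DISA_STIG_RHEL_09_654025 | bool
    - audit_rules_dac_modification_lsetxattr | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - reboot_required | bool
    - restrict_strategy | bool
    - '"audit" in ansible_facts.packages'
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-83808-6
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-09-654025
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.5
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.4
    - audit_rules_dac_modification_lsetxattr
    - low_complexity
    - low_disruption
    - medium_severity
    - reboot_required
    - restrict_strategy

# Same four passes as the 32bit block above, for arch=b64 rules; only runs
# when audit_arch was set to "b64" by the "Set architecture" task.
- name: Perform remediation of Audit rules for lsetxattr for 64bit platform
  block:
    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
          - lsetxattr
        syscall_grouping:
          - fremovexattr
          - lremovexattr
          - removexattr
          - fsetxattr
          - lsetxattr
          - setxattr

    - name: Check existence of lsetxattr in /etc/audit/rules.d/
      ansible.builtin.find:
        paths: /etc/audit/rules.d
        contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: '*.rules'
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Reset syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: {}
        found_paths_dict: {}

    - name: Declare syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: "{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
      loop: '{{ find_command.results | selectattr(''matched'') | list }}'

    - name: Declare files where syscalls were found
      ansible.builtin.set_fact:
        found_paths: "{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}"

    - name: Count occurrences of syscalls in paths
      ansible.builtin.set_fact:
        found_paths_dict: "{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
      loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'

    - name: Get path with most syscalls
      ansible.builtin.set_fact:
        audit_file: "{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
      when: found_paths | length >= 1

    - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
      ansible.builtin.set_fact:
        audit_file: /etc/audit/rules.d/perm_mod.rules
      when: found_paths | length == 0

    - name: Declare found syscalls
      ansible.builtin.set_fact:
        syscalls_found: "{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact:
        missing_syscalls: "{{ syscalls | difference(syscalls_found) }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
          - lsetxattr
        syscall_grouping:
          - fremovexattr
          - lremovexattr
          - removexattr
          - fsetxattr
          - lsetxattr
          - setxattr

    - name: Check existence of lsetxattr in /etc/audit/audit.rules
      ansible.builtin.find:
        paths: /etc/audit
        contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: audit.rules
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Set path to /etc/audit/audit.rules
      ansible.builtin.set_fact:
        audit_file: /etc/audit/audit.rules

    - name: Declare found syscalls
      ansible.builtin.set_fact:
        syscalls_found: "{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact:
        missing_syscalls: "{{ syscalls | difference(syscalls_found) }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    # Same procedure for rules filtered on auid=0.
    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
          - lsetxattr
        syscall_grouping:
          - fremovexattr
          - lremovexattr
          - removexattr
          - fsetxattr
          - lsetxattr
          - setxattr

    - name: Check existence of lsetxattr in /etc/audit/rules.d/
      ansible.builtin.find:
        paths: /etc/audit/rules.d
        contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
        patterns: '*.rules'
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Reset syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: {}
        found_paths_dict: {}

    - name: Declare syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: "{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
      loop: '{{ find_command.results | selectattr(''matched'') | list }}'

    - name: Declare files where syscalls were found
      ansible.builtin.set_fact:
        found_paths: "{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}"

    - name: Count occurrences of syscalls in paths
      ansible.builtin.set_fact:
        found_paths_dict: "{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
      loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'

    - name: Get path with most syscalls
      ansible.builtin.set_fact:
        audit_file: "{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
      when: found_paths | length >= 1

    - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
      ansible.builtin.set_fact:
        audit_file: /etc/audit/rules.d/perm_mod.rules
      when: found_paths | length == 0

    - name: Declare found syscalls
      ansible.builtin.set_fact:
        syscalls_found: "{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact:
        missing_syscalls: "{{ syscalls | difference(syscalls_found) }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid=0 -F key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
          - lsetxattr
        syscall_grouping:
          - fremovexattr
          - lremovexattr
          - removexattr
          - fsetxattr
          - lsetxattr
          - setxattr

    - name: Check existence of lsetxattr in /etc/audit/audit.rules
      ansible.builtin.find:
        paths: /etc/audit
        contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
        patterns: audit.rules
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Set path to /etc/audit/audit.rules
      ansible.builtin.set_fact:
        audit_file: /etc/audit/audit.rules

    - name: Declare found syscalls
      ansible.builtin.set_fact:
        syscalls_found: "{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact:
        missing_syscalls: "{{ syscalls | difference(syscalls_found) }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid=0 -F key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0
  when:
    - DISA_STIG_RHEL_09_654025 | bool
    - audit_rules_dac_modification_lsetxattr | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - reboot_required | bool
    - restrict_strategy | bool
    - '"audit" in ansible_facts.packages'
    - '"kernel-core" in ansible_facts.packages'
    - audit_arch == "b64"
  tags:
    - CCE-83808-6
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-09-654025
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.5
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.4
    - audit_rules_dac_modification_lsetxattr
    - low_complexity
    - low_disruption
    - medium_severity
    - reboot_required
    - restrict_strategy

# Same architecture gate as for lsetxattr, for the removexattr rule.
- name: Set architecture for audit removexattr tasks
  ansible.builtin.set_fact:
    audit_arch: b64
  when:
    - DISA_STIG_RHEL_09_654025 | bool
    - audit_rules_dac_modification_removexattr | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - reboot_required | bool
    - restrict_strategy | bool
    - '"audit" in ansible_facts.packages'
    - '"kernel-core" in ansible_facts.packages'
    - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
  tags:
    - CCE-83807-8
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-09-654025
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.5
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.4
    - audit_rules_dac_modification_removexattr
    - low_complexity
    - low_disruption
    - medium_severity
    - reboot_required
    - restrict_strategy

# Four passes for the removexattr syscall on arch=b32 rules, identical in
# structure to the lsetxattr 32bit block: rules.d then audit.rules, for
# `-F auid>=1000 -F auid!=unset` and then for `-F auid=0`.
- name: Perform remediation of Audit rules for removexattr for 32bit platform
  block:
    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
          - removexattr
        syscall_grouping:
          - fremovexattr
          - lremovexattr
          - removexattr
          - fsetxattr
          - lsetxattr
          - setxattr

    - name: Check existence of removexattr in /etc/audit/rules.d/
      ansible.builtin.find:
        paths: /etc/audit/rules.d
        contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: '*.rules'
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Reset syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: {}
        found_paths_dict: {}

    - name: Declare syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: "{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
      loop: '{{ find_command.results | selectattr(''matched'') | list }}'

    - name: Declare files where syscalls were found
      ansible.builtin.set_fact:
        found_paths: "{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}"

    - name: Count occurrences of syscalls in paths
      ansible.builtin.set_fact:
        found_paths_dict: "{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
      loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'

    - name: Get path with most syscalls
      ansible.builtin.set_fact:
        audit_file: "{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
      when: found_paths | length >= 1

    - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
      ansible.builtin.set_fact:
        audit_file: /etc/audit/rules.d/perm_mod.rules
      when: found_paths | length == 0

    - name: Declare found syscalls
      ansible.builtin.set_fact:
        syscalls_found: "{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact:
        missing_syscalls: "{{ syscalls | difference(syscalls_found) }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
          - removexattr
        syscall_grouping:
          - fremovexattr
          - lremovexattr
          - removexattr
          - fsetxattr
          - lsetxattr
          - setxattr

    - name: Check existence of removexattr in /etc/audit/audit.rules
      ansible.builtin.find:
        paths: /etc/audit
        contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: audit.rules
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Set path to /etc/audit/audit.rules
      ansible.builtin.set_fact:
        audit_file: /etc/audit/audit.rules

    - name: Declare found syscalls
      ansible.builtin.set_fact:
        syscalls_found: "{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact:
        missing_syscalls: "{{ syscalls | difference(syscalls_found) }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    # Same procedure for rules filtered on auid=0.
    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
          - removexattr
        syscall_grouping:
          - fremovexattr
          - lremovexattr
          - removexattr
          - fsetxattr
          - lsetxattr
          - setxattr

    - name: Check existence of removexattr in /etc/audit/rules.d/
      ansible.builtin.find:
        paths: /etc/audit/rules.d
        contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
        patterns: '*.rules'
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Reset syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: {}
        found_paths_dict: {}

    - name: Declare syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: "{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
      loop: '{{ find_command.results | selectattr(''matched'') | list }}'

    - name: Declare files where syscalls were found
      ansible.builtin.set_fact:
        found_paths: "{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}"

    - name: Count occurrences of syscalls in paths
      ansible.builtin.set_fact:
        found_paths_dict: "{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
      loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'

    - name: Get path with most syscalls
      ansible.builtin.set_fact:
        audit_file: "{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
      when: found_paths | length >= 1

    - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
      ansible.builtin.set_fact:
        audit_file: /etc/audit/rules.d/perm_mod.rules
      when: found_paths | length == 0

    - name: Declare found syscalls
      ansible.builtin.set_fact:
        syscalls_found: "{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact:
        missing_syscalls: "{{ syscalls | difference(syscalls_found) }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid=0 -F key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
          - removexattr
        syscall_grouping:
          - fremovexattr
          - lremovexattr
          - removexattr
          - fsetxattr
          - lsetxattr
          - setxattr

    - name: Check existence of removexattr in /etc/audit/audit.rules
      ansible.builtin.find:
        paths: /etc/audit
        contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
        patterns: audit.rules
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Set path to /etc/audit/audit.rules
      ansible.builtin.set_fact:
        audit_file: /etc/audit/audit.rules

    - name: Declare found syscalls
      ansible.builtin.set_fact:
        syscalls_found: "{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact:
        missing_syscalls: "{{ syscalls | difference(syscalls_found) }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid=0 -F key=perm_mod
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0
  when:
    - DISA_STIG_RHEL_09_654025 | bool
    - audit_rules_dac_modification_removexattr | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - reboot_required | bool
    - restrict_strategy | bool
    - '"audit" in ansible_facts.packages'
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-83807-8
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-09-654025
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.5
    - PCI-DSSv4-10.3
    - PCI-DSSv4-10.3.4
    - audit_rules_dac_modification_removexattr
    - low_complexity
    - low_disruption
    - medium_severity
    - reboot_required
    - restrict_strategy

# arch=b64 counterpart of the removexattr block above.
- name: Perform remediation of Audit rules for removexattr for 64bit platform
  block:
    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
          - removexattr
        syscall_grouping:
          - fremovexattr
          - lremovexattr
          - removexattr
          - fsetxattr
          - lsetxattr
          - setxattr

    - name: Check existence of removexattr in /etc/audit/rules.d/
      ansible.builtin.find:
        paths: /etc/audit/rules.d
        contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: '*.rules'
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Reset syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: {}
        found_paths_dict: {}

    - name: Declare syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: "{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
      loop: '{{ find_command.results | selectattr(''matched'') | list }}'

    - name: Declare files where syscalls were found
      ansible.builtin.set_fact:
        found_paths: "{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}"

    - name: Count occurrences of syscalls in paths
      ansible.builtin.set_fact:
        found_paths_dict: "{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
      loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'

    - name: Get path with most syscalls
      ansible.builtin.set_fact:
        audit_file: "{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
      when: found_paths | length >= 1

    - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
      ansible.builtin.set_fact:
        audit_file: /etc/audit/rules.d/perm_mod.rules
      when: found_paths | length == 0

    - name: Declare found syscalls
      ansible.builtin.set_fact:
        syscalls_found: "{{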
find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - removexattr syscall_grouping: - fremovexattr - lremovexattr - removexattr - fsetxattr - lsetxattr - setxattr - name: Check existence of removexattr in /etc/audit/audit.rules ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S 
|,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - removexattr syscall_grouping: - fremovexattr - lremovexattr - removexattr - fsetxattr - lsetxattr - setxattr - name: Check existence of removexattr in /etc/audit/rules.d/ ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" - name: Count occurrences of syscalls in paths ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls ansible.builtin.set_fact: audit_file="{{ 
(found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules" when: found_paths | length == 0 - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid=0 -F key=perm_mod create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - removexattr syscall_grouping: - fremovexattr - lremovexattr - removexattr - fsetxattr - lsetxattr - setxattr - name: Check existence of removexattr in /etc/audit/audit.rules ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') 
| map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid=0 -F key=perm_mod create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 when: - DISA_STIG_RHEL_09_654025 | bool - audit_rules_dac_modification_removexattr | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - audit_arch == "b64" tags: - CCE-83807-8 - CJIS-5.4.1.1 - DISA-STIG-RHEL-09-654025 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - PCI-DSSv4-10.3 - PCI-DSSv4-10.3.4 - audit_rules_dac_modification_removexattr - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - name: Set architecture for audit setxattr tasks ansible.builtin.set_fact: audit_arch: b64 when: - DISA_STIG_RHEL_09_654025 | bool - audit_rules_dac_modification_setxattr | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or 
ansible_architecture == "s390x" or ansible_architecture == "x86_64" tags: - CCE-83811-0 - CJIS-5.4.1.1 - DISA-STIG-RHEL-09-654025 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - PCI-DSSv4-10.3 - PCI-DSSv4-10.3.4 - audit_rules_dac_modification_setxattr - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - name: Perform remediation of Audit rules for setxattr for 32bit platform block: - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - setxattr syscall_grouping: - fremovexattr - lremovexattr - removexattr - fsetxattr - lsetxattr - setxattr - name: Check existence of setxattr in /etc/audit/rules.d/ ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" - name: Count occurrences of syscalls in paths ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: 
found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules" when: found_paths | length == 0 - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - setxattr syscall_grouping: - fremovexattr - lremovexattr - removexattr - fsetxattr - lsetxattr - setxattr - name: Check existence of setxattr in /etc/audit/audit.rules ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | 
list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - setxattr syscall_grouping: - fremovexattr - lremovexattr - removexattr - fsetxattr - lsetxattr - setxattr - name: Check existence of setxattr in /etc/audit/rules.d/ ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" - name: Count occurrences of syscalls in paths ansible.builtin.set_fact: 
found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules" when: found_paths | length == 0 - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid=0 -F key=perm_mod create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - setxattr syscall_grouping: - fremovexattr - lremovexattr - removexattr - fsetxattr - lsetxattr - setxattr - name: Check existence of setxattr in /etc/audit/audit.rules ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: 
'{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid=0 -F key=perm_mod create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 when: - DISA_STIG_RHEL_09_654025 | bool - audit_rules_dac_modification_setxattr | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' tags: - CCE-83811-0 - CJIS-5.4.1.1 - DISA-STIG-RHEL-09-654025 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - PCI-DSSv4-10.3 - PCI-DSSv4-10.3.4 - audit_rules_dac_modification_setxattr - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - name: Perform remediation of Audit rules for setxattr for 64bit platform block: - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - setxattr syscall_grouping: - fremovexattr - lremovexattr - removexattr - fsetxattr - lsetxattr - 
setxattr - name: Check existence of setxattr in /etc/audit/rules.d/ ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" - name: Count occurrences of syscalls in paths ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules" when: found_paths | length == 0 - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ 
syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - setxattr syscall_grouping: - fremovexattr - lremovexattr - removexattr - fsetxattr - lsetxattr - setxattr - name: Check existence of setxattr in /etc/audit/audit.rules ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ 
audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - setxattr syscall_grouping: - fremovexattr - lremovexattr - removexattr - fsetxattr - lsetxattr - setxattr - name: Check existence of setxattr in /etc/audit/rules.d/ ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" - name: Count occurrences of syscalls in paths ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules" when: found_paths | length == 0 - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ 
find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid=0 -F key=perm_mod create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - setxattr syscall_grouping: - fremovexattr - lremovexattr - removexattr - fsetxattr - lsetxattr - setxattr - name: Check existence of setxattr in /etc/audit/audit.rules ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( 
-F auid=0 (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid=0 -F key=perm_mod create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 when: - DISA_STIG_RHEL_09_654025 | bool - audit_rules_dac_modification_setxattr | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - audit_arch == "b64" tags: - CCE-83811-0 - CJIS-5.4.1.1 - DISA-STIG-RHEL-09-654025 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - PCI-DSSv4-10.3 - PCI-DSSv4-10.3.4 - audit_rules_dac_modification_setxattr - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - name: Record Any Attempts to Run chacl - Perform remediation of Audit rules for /usr/bin/chacl block: - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: [] syscall_grouping: [] - name: Check existence of in /etc/audit/rules.d/ ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ 
find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" - name: Count occurrences of syscalls in paths ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/privileged.rules ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/privileged.rules" when: found_paths | length == 0 - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 - name: Declare list of syscalls ansible.builtin.set_fact: 
syscalls: [] syscall_grouping: [] - name: Check existence of in /etc/audit/audit.rules ansible.builtin.find: paths: /etc/audit contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 when: - DISA_STIG_RHEL_09_654035 | bool - audit_rules_execution_chacl | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' tags: - CCE-87685-4 - DISA-STIG-RHEL-09-654035 - audit_rules_execution_chacl - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Record 
Any Attempts to Run setfacl - Perform remediation of Audit rules for /usr/bin/setfacl block: - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: [] syscall_grouping: [] - name: Check existence of in /etc/audit/rules.d/ ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" - name: Count occurrences of syscalls in paths ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/privileged.rules ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/privileged.rules" when: found_paths | length == 0 - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | 
difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: [] syscall_grouping: [] - name: Check existence of in /etc/audit/audit.rules ansible.builtin.find: paths: /etc/audit contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true 
state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 when: - DISA_STIG_RHEL_09_654040 | bool - audit_rules_execution_setfacl | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' tags: - CCE-90482-1 - DISA-STIG-RHEL-09-654040 - audit_rules_execution_setfacl - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Record Any Attempts to Run chcon - Perform remediation of Audit rules for /usr/bin/chcon block: - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: [] syscall_grouping: [] - name: Check existence of in /etc/audit/rules.d/ ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" - name: Count 
occurrences of syscalls in paths ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/privileged.rules ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/privileged.rules" when: found_paths | length == 0 - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: [] syscall_grouping: [] - name: Check existence of in /etc/audit/audit.rules ansible.builtin.find: paths: /etc/audit contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F 
auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 when: - DISA_STIG_RHEL_09_654045 | bool - audit_rules_execution_chcon | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' tags: - CCE-83748-4 - DISA-STIG-RHEL-09-654045 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - audit_rules_execution_chcon - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Set architecture for audit rename tasks ansible.builtin.set_fact: audit_arch: b64 when: - DISA_STIG_RHEL_09_654065 | bool - 
audit_rules_file_deletion_events_rename | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - not ( ansible_architecture == "aarch64" ) - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" tags: - CCE-83754-2 - DISA-STIG-RHEL-09-654065 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.7 - PCI-DSSv4-10.2 - PCI-DSSv4-10.2.1 - PCI-DSSv4-10.2.1.7 - audit_rules_file_deletion_events_rename - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - name: Perform remediation of Audit rules for rename for 32bit platform block: - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - rename syscall_grouping: - unlink - unlinkat - rename - renameat - renameat2 - rmdir - name: Check existence of rename in /etc/audit/rules.d/ ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" - name: Count occurrences of syscalls 
in paths ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/delete.rules ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/delete.rules" when: found_paths | length == 0 - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=delete create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - rename syscall_grouping: - unlink - unlinkat - rename - renameat - renameat2 - rmdir - name: Check existence of rename in /etc/audit/audit.rules ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset 
(-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=delete create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 when: - DISA_STIG_RHEL_09_654065 | bool - audit_rules_file_deletion_events_rename | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - not ( ansible_architecture == "aarch64" ) tags: - CCE-83754-2 - DISA-STIG-RHEL-09-654065 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.7 - PCI-DSSv4-10.2 - PCI-DSSv4-10.2.1 - PCI-DSSv4-10.2.1.7 - audit_rules_file_deletion_events_rename - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - name: Perform remediation of Audit rules for rename for 64bit platform block: - name: 
Declare list of syscalls ansible.builtin.set_fact: syscalls: - rename syscall_grouping: - unlink - unlinkat - rename - renameat - renameat2 - rmdir - name: Check existence of rename in /etc/audit/rules.d/ ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" - name: Count occurrences of syscalls in paths ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/delete.rules ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/delete.rules" when: found_paths | length == 0 - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule 
in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=delete create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - rename syscall_grouping: - unlink - unlinkat - rename - renameat - renameat2 - rmdir - name: Check existence of rename in /etc/audit/audit.rules ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls 
| length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=delete create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 when: - DISA_STIG_RHEL_09_654065 | bool - audit_rules_file_deletion_events_rename | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - not ( ansible_architecture == "aarch64" ) - audit_arch == "b64" tags: - CCE-83754-2 - DISA-STIG-RHEL-09-654065 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.7 - PCI-DSSv4-10.2 - PCI-DSSv4-10.2.1 - PCI-DSSv4-10.2.1.7 - audit_rules_file_deletion_events_rename - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - name: Set architecture for audit renameat tasks ansible.builtin.set_fact: audit_arch: b64 when: - DISA_STIG_RHEL_09_654065 | bool - audit_rules_file_deletion_events_renameat | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" tags: - CCE-83756-7 - DISA-STIG-RHEL-09-654065 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.7 - PCI-DSSv4-10.2 - PCI-DSSv4-10.2.1 - PCI-DSSv4-10.2.1.7 - audit_rules_file_deletion_events_renameat - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - name: Perform remediation of Audit rules for renameat for 32bit platform 
block: - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - renameat syscall_grouping: - unlink - unlinkat - rename - renameat - renameat2 - rmdir - name: Check existence of renameat in /etc/audit/rules.d/ ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" - name: Count occurrences of syscalls in paths ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/delete.rules ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/delete.rules" when: found_paths | length == 0 - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: 
Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=delete create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - renameat syscall_grouping: - unlink - unlinkat - rename - renameat - renameat2 - rmdir - name: Check existence of renameat in /etc/audit/audit.rules ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | 
length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=delete create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 when: - DISA_STIG_RHEL_09_654065 | bool - audit_rules_file_deletion_events_renameat | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' tags: - CCE-83756-7 - DISA-STIG-RHEL-09-654065 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.7 - PCI-DSSv4-10.2 - PCI-DSSv4-10.2.1 - PCI-DSSv4-10.2.1.7 - audit_rules_file_deletion_events_renameat - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - name: Perform remediation of Audit rules for renameat for 64bit platform block: - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - renameat syscall_grouping: - unlink - unlinkat - rename - renameat - renameat2 - rmdir - name: Check existence of renameat in /etc/audit/rules.d/ ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found 
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" - name: Count occurrences of syscalls in paths ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/delete.rules ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/delete.rules" when: found_paths | length == 0 - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=delete create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - renameat syscall_grouping: - unlink - unlinkat - rename - renameat - renameat2 - rmdir - name: Check existence of renameat in 
/etc/audit/audit.rules ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=delete create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 when: - DISA_STIG_RHEL_09_654065 | bool - audit_rules_file_deletion_events_renameat | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - audit_arch == "b64" tags: - CCE-83756-7 - DISA-STIG-RHEL-09-654065 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.7 - PCI-DSSv4-10.2 - PCI-DSSv4-10.2.1 - PCI-DSSv4-10.2.1.7 - audit_rules_file_deletion_events_renameat - low_complexity - 
low_disruption - medium_severity - reboot_required - restrict_strategy - name: Set architecture for audit unlink tasks ansible.builtin.set_fact: audit_arch: b64 when: - DISA_STIG_RHEL_09_654065 | bool - audit_rules_file_deletion_events_unlink | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - not ( ansible_architecture == "aarch64" ) - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" tags: - CCE-83757-5 - DISA-STIG-RHEL-09-654065 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.7 - PCI-DSSv4-10.2 - PCI-DSSv4-10.2.1 - PCI-DSSv4-10.2.1.7 - audit_rules_file_deletion_events_unlink - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - name: Perform remediation of Audit rules for unlink for 32bit platform block: - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - unlink syscall_grouping: - unlink - unlinkat - rename - renameat - renameat2 - rmdir - name: Check existence of unlink in /etc/audit/rules.d/ ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare 
files where syscalls were found ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" - name: Count occurrences of syscalls in paths ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/delete.rules ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/delete.rules" when: found_paths | length == 0 - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=delete create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - unlink syscall_grouping: - unlink - unlinkat - rename - renameat - renameat2 - rmdir - name: Check existence of 
unlink in /etc/audit/audit.rules ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=delete create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 when: - DISA_STIG_RHEL_09_654065 | bool - audit_rules_file_deletion_events_unlink | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - not ( ansible_architecture == "aarch64" ) tags: - CCE-83757-5 - DISA-STIG-RHEL-09-654065 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.7 - PCI-DSSv4-10.2 - PCI-DSSv4-10.2.1 - PCI-DSSv4-10.2.1.7 - 
audit_rules_file_deletion_events_unlink - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy

# Audit-rule remediation tasks (unlink, unlinkat, creat). Every "Perform
# remediation ..." block below follows one procedure, run twice: first over
# /etc/audit/rules.d/*.rules, then over the legacy /etc/audit/audit.rules.
#   1. find each file whose existing "-a always,exit -F arch=..." rule
#      already names one of the grouped syscalls;
#   2. rules.d pass: pick the file with the most matches, or fall back to a
#      new rules.d file; audit.rules pass: always use that one file;
#   3. append the missing syscall to the existing rule line (backrefs), or add
#      a fresh rule line, and strip group/other permissions from the file.
# The "Set architecture ..." tasks set audit_arch to b64 on 64-bit platforms
# so that the matching "64bit platform" block runs next to the 32-bit one.
- name: Perform remediation of Audit rules for unlink for 64bit platform
  block:
    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
          - unlink
        # Syscalls that share one rule line; any of them marks a candidate file.
        syscall_grouping:
          - unlink
          - unlinkat
          - rename
          - renameat
          - renameat2
          - rmdir

    - name: Check existence of unlink in /etc/audit/rules.d/
      ansible.builtin.find:
        paths: /etc/audit/rules.d
        contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: '*.rules'
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Reset syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: {}
        found_paths_dict: {}

    - name: Declare syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: "{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
      loop: "{{ find_command.results | selectattr('matched') | list }}"

    - name: Declare files where syscalls were found
      ansible.builtin.set_fact:
        found_paths: "{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}"

    - name: Count occurrences of syscalls in paths
      ansible.builtin.set_fact:
        found_paths_dict: "{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
      loop: "{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}"

    # Ascending sort by hit count, then the last entry: the file with most hits.
    - name: Get path with most syscalls
      ansible.builtin.set_fact:
        audit_file: "{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
      when: found_paths | length >= 1

    - name: No file with syscall found, set path to /etc/audit/rules.d/delete.rules
      ansible.builtin.set_fact:
        audit_file: /etc/audit/rules.d/delete.rules
      when: found_paths | length == 0

    - name: Declare found syscalls
      ansible.builtin.set_fact:
        syscalls_found: "{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact:
        missing_syscalls: "{{ syscalls | difference(syscalls_found) }}"

    # Groups: \1 rule prefix, \2 the existing syscall list, \3 the separator in
    # use (" -S " or ","), \4 the auid/key suffix. The lookahead pins the match
    # to the line that already carries this file's grouped syscalls.
    # NOTE(review): join("\3") is meant to reuse \3 as the separator between
    # several missing syscalls; whether Jinja keeps the literal backslash-3 is
    # not verified here. With a one-element syscalls list the separator is
    # never emitted, so these blocks are unaffected.
    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=delete
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    # Second pass: the single legacy file /etc/audit/audit.rules.
    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
          - unlink
        syscall_grouping:
          - unlink
          - unlinkat
          - rename
          - renameat
          - renameat2
          - rmdir

    - name: Check existence of unlink in /etc/audit/audit.rules
      ansible.builtin.find:
        paths: /etc/audit
        contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: audit.rules
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Set path to /etc/audit/audit.rules
      ansible.builtin.set_fact:
        audit_file: /etc/audit/audit.rules

    - name: Declare found syscalls
      ansible.builtin.set_fact:
        syscalls_found: "{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact:
        missing_syscalls: "{{ syscalls | difference(syscalls_found) }}"

    # Here the lookahead uses the syscalls actually found (single file).
    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=delete
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0
  when:
    - DISA_STIG_RHEL_09_654065 | bool
    - audit_rules_file_deletion_events_unlink | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - reboot_required | bool
    - restrict_strategy | bool
    - '"audit" in ansible_facts.packages'
    - '"kernel-core" in ansible_facts.packages'
    - not ( ansible_architecture == "aarch64" )
    - audit_arch == "b64"
  tags:
    - CCE-83757-5
    - DISA-STIG-RHEL-09-654065
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.2.7
    - PCI-DSSv4-10.2
    - PCI-DSSv4-10.2.1
    - PCI-DSSv4-10.2.1.7
    - audit_rules_file_deletion_events_unlink
    - low_complexity
    - low_disruption
    - medium_severity
    - reboot_required
    - restrict_strategy

# Selects the 64-bit rule set for unlinkat; the 32-bit block below runs
# unconditionally on architecture, the 64-bit one only when audit_arch is b64.
- name: Set architecture for audit unlinkat tasks
  ansible.builtin.set_fact:
    audit_arch: b64
  when:
    - DISA_STIG_RHEL_09_654065 | bool
    - audit_rules_file_deletion_events_unlinkat | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - reboot_required | bool
    - restrict_strategy | bool
    - '"audit" in ansible_facts.packages'
    - '"kernel-core" in ansible_facts.packages'
    - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
  tags:
    - CCE-83755-9
    - DISA-STIG-RHEL-09-654065
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.2.7
    - PCI-DSSv4-10.2
    - PCI-DSSv4-10.2.1
    - PCI-DSSv4-10.2.1.7
    - audit_rules_file_deletion_events_unlinkat
    - low_complexity
    - low_disruption
    - medium_severity
    - reboot_required
    - restrict_strategy

# Same procedure as the unlink block above, for unlinkat on arch=b32.
- name: Perform remediation of Audit rules for unlinkat for 32bit platform
  block:
    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
          - unlinkat
        syscall_grouping:
          - unlink
          - unlinkat
          - rename
          - renameat
          - renameat2
          - rmdir

    - name: Check existence of unlinkat in /etc/audit/rules.d/
      ansible.builtin.find:
        paths: /etc/audit/rules.d
        contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: '*.rules'
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Reset syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: {}
        found_paths_dict: {}

    - name: Declare syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: "{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
      loop: "{{ find_command.results | selectattr('matched') | list }}"

    - name: Declare files where syscalls were found
      ansible.builtin.set_fact:
        found_paths: "{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}"

    - name: Count occurrences of syscalls in paths
      ansible.builtin.set_fact:
        found_paths_dict: "{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
      loop: "{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}"

    - name: Get path with most syscalls
      ansible.builtin.set_fact:
        audit_file: "{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
      when: found_paths | length >= 1

    - name: No file with syscall found, set path to /etc/audit/rules.d/delete.rules
      ansible.builtin.set_fact:
        audit_file: /etc/audit/rules.d/delete.rules
      when: found_paths | length == 0

    - name: Declare found syscalls
      ansible.builtin.set_fact:
        syscalls_found: "{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact:
        missing_syscalls: "{{ syscalls | difference(syscalls_found) }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=delete
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    # Second pass: /etc/audit/audit.rules.
    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
          - unlinkat
        syscall_grouping:
          - unlink
          - unlinkat
          - rename
          - renameat
          - renameat2
          - rmdir

    - name: Check existence of unlinkat in /etc/audit/audit.rules
      ansible.builtin.find:
        paths: /etc/audit
        contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: audit.rules
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Set path to /etc/audit/audit.rules
      ansible.builtin.set_fact:
        audit_file: /etc/audit/audit.rules

    - name: Declare found syscalls
      ansible.builtin.set_fact:
        syscalls_found: "{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact:
        missing_syscalls: "{{ syscalls | difference(syscalls_found) }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=delete
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0
  when:
    - DISA_STIG_RHEL_09_654065 | bool
    - audit_rules_file_deletion_events_unlinkat | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - reboot_required | bool
    - restrict_strategy | bool
    - '"audit" in ansible_facts.packages'
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-83755-9
    - DISA-STIG-RHEL-09-654065
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.2.7
    - PCI-DSSv4-10.2
    - PCI-DSSv4-10.2.1
    - PCI-DSSv4-10.2.1.7
    - audit_rules_file_deletion_events_unlinkat
    - low_complexity
    - low_disruption
    - medium_severity
    - reboot_required
    - restrict_strategy

# Same procedure, for unlinkat on arch=b64 (gated on audit_arch).
- name: Perform remediation of Audit rules for unlinkat for 64bit platform
  block:
    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
          - unlinkat
        syscall_grouping:
          - unlink
          - unlinkat
          - rename
          - renameat
          - renameat2
          - rmdir

    - name: Check existence of unlinkat in /etc/audit/rules.d/
      ansible.builtin.find:
        paths: /etc/audit/rules.d
        contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: '*.rules'
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Reset syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: {}
        found_paths_dict: {}

    - name: Declare syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: "{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
      loop: "{{ find_command.results | selectattr('matched') | list }}"

    - name: Declare files where syscalls were found
      ansible.builtin.set_fact:
        found_paths: "{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}"

    - name: Count occurrences of syscalls in paths
      ansible.builtin.set_fact:
        found_paths_dict: "{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
      loop: "{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}"

    - name: Get path with most syscalls
      ansible.builtin.set_fact:
        audit_file: "{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
      when: found_paths | length >= 1

    - name: No file with syscall found, set path to /etc/audit/rules.d/delete.rules
      ansible.builtin.set_fact:
        audit_file: /etc/audit/rules.d/delete.rules
      when: found_paths | length == 0

    - name: Declare found syscalls
      ansible.builtin.set_fact:
        syscalls_found: "{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact:
        missing_syscalls: "{{ syscalls | difference(syscalls_found) }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=delete
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    # Second pass: /etc/audit/audit.rules.
    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
          - unlinkat
        syscall_grouping:
          - unlink
          - unlinkat
          - rename
          - renameat
          - renameat2
          - rmdir

    - name: Check existence of unlinkat in /etc/audit/audit.rules
      ansible.builtin.find:
        paths: /etc/audit
        contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: audit.rules
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Set path to /etc/audit/audit.rules
      ansible.builtin.set_fact:
        audit_file: /etc/audit/audit.rules

    - name: Declare found syscalls
      ansible.builtin.set_fact:
        syscalls_found: "{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact:
        missing_syscalls: "{{ syscalls | difference(syscalls_found) }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=delete
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0
  when:
    - DISA_STIG_RHEL_09_654065 | bool
    - audit_rules_file_deletion_events_unlinkat | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - reboot_required | bool
    - restrict_strategy | bool
    - '"audit" in ansible_facts.packages'
    - '"kernel-core" in ansible_facts.packages'
    - audit_arch == "b64"
  tags:
    - CCE-83755-9
    - DISA-STIG-RHEL-09-654065
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.2.7
    - PCI-DSSv4-10.2
    - PCI-DSSv4-10.2.1
    - PCI-DSSv4-10.2.1.7
    - audit_rules_file_deletion_events_unlinkat
    - low_complexity
    - low_disruption
    - medium_severity
    - reboot_required
    - restrict_strategy

# Selects the 64-bit rule set for creat. Both the "not aarch64" condition and
# the architecture list are kept as written; together they leave ppc64,
# ppc64le, s390x and x86_64 (creat blocks are skipped on aarch64 throughout).
- name: Set architecture for audit creat tasks
  ansible.builtin.set_fact:
    audit_arch: b64
  when:
    - DISA_STIG_RHEL_09_654070 | bool
    - audit_rules_unsuccessful_file_modification_creat | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - reboot_required | bool
    - restrict_strategy | bool
    - '"audit" in ansible_facts.packages'
    - '"kernel-core" in ansible_facts.packages'
    - not ( ansible_architecture == "aarch64" )
    - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
  tags:
    - CCE-83786-4
    - DISA-STIG-RHEL-09-654070
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.2.1
    - PCI-DSS-Req-10.2.4
    - audit_rules_unsuccessful_file_modification_creat
    - low_complexity
    - low_disruption
    - medium_severity
    - reboot_required
    - restrict_strategy

# Same procedure for creat, but the rule is scoped to failed calls
# (-F exit=-EACCES), uses key "access" and falls back to access.rules.
- name: Perform remediation of Audit rules for creat EACCES for 32bit platform
  block:
    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
          - creat
        syscall_grouping:
          - creat
          - ftruncate
          - truncate
          - open
          - openat
          - open_by_handle_at

    - name: Check existence of creat in /etc/audit/rules.d/
      ansible.builtin.find:
        paths: /etc/audit/rules.d
        contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: '*.rules'
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Reset syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: {}
        found_paths_dict: {}

    - name: Declare syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: "{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
      loop: "{{ find_command.results | selectattr('matched') | list }}"

    - name: Declare files where syscalls were found
      ansible.builtin.set_fact:
        found_paths: "{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}"

    - name: Count occurrences of syscalls in paths
      ansible.builtin.set_fact:
        found_paths_dict: "{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
      loop: "{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}"

    - name: Get path with most syscalls
      ansible.builtin.set_fact:
        audit_file: "{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
      when: found_paths | length >= 1

    - name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
      ansible.builtin.set_fact:
        audit_file: /etc/audit/rules.d/access.rules
      when: found_paths | length == 0

    - name: Declare found syscalls
      ansible.builtin.set_fact:
        syscalls_found: "{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact:
        missing_syscalls: "{{ syscalls | difference(syscalls_found) }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    # Second pass: /etc/audit/audit.rules.
    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
          - creat
        syscall_grouping:
          - creat
          - ftruncate
          - truncate
          - open
          - openat
          - open_by_handle_at

    - name: Check existence of creat in /etc/audit/audit.rules
      ansible.builtin.find:
        paths: /etc/audit
        contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: audit.rules
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Set path to /etc/audit/audit.rules
      ansible.builtin.set_fact:
        audit_file: /etc/audit/audit.rules

    - name: Declare found syscalls
      ansible.builtin.set_fact:
        syscalls_found: "{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact:
        missing_syscalls: "{{ syscalls | difference(syscalls_found) }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0
  when:
    - DISA_STIG_RHEL_09_654070 | bool
    - audit_rules_unsuccessful_file_modification_creat | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - reboot_required | bool
    - restrict_strategy | bool
    - '"audit" in ansible_facts.packages'
    - '"kernel-core" in ansible_facts.packages'
    - not ( ansible_architecture == "aarch64" )
  tags:
    - CCE-83786-4
    - DISA-STIG-RHEL-09-654070
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.2.1
    - PCI-DSS-Req-10.2.4
    - audit_rules_unsuccessful_file_modification_creat
    - low_complexity
    - low_disruption
    - medium_severity
    - reboot_required
    - restrict_strategy

# creat EACCES on arch=b64 (gated on audit_arch).
- name: Perform remediation of Audit rules for creat EACCES for 64bit platform
  block:
    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
          - creat
        syscall_grouping:
          - creat
          - ftruncate
          - truncate
          - open
          - openat
          - open_by_handle_at

    - name: Check existence of creat in /etc/audit/rules.d/
      ansible.builtin.find:
        paths: /etc/audit/rules.d
        contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: '*.rules'
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Reset syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: {}
        found_paths_dict: {}

    - name: Declare syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: "{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
      loop: "{{ find_command.results | selectattr('matched') | list }}"

    - name: Declare files where syscalls were found
      ansible.builtin.set_fact:
        found_paths: "{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}"

    - name: Count occurrences of syscalls in paths
      ansible.builtin.set_fact:
        found_paths_dict: "{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
      loop: "{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}"

    - name: Get path with most syscalls
      ansible.builtin.set_fact:
        audit_file: "{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
      when: found_paths | length >= 1

    - name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
      ansible.builtin.set_fact:
        audit_file: /etc/audit/rules.d/access.rules
      when: found_paths | length == 0

    - name: Declare found syscalls
      ansible.builtin.set_fact:
        syscalls_found: "{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact:
        missing_syscalls: "{{ syscalls | difference(syscalls_found) }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    # Second pass: /etc/audit/audit.rules.
    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
          - creat
        syscall_grouping:
          - creat
          - ftruncate
          - truncate
          - open
          - openat
          - open_by_handle_at

    - name: Check existence of creat in /etc/audit/audit.rules
      ansible.builtin.find:
        paths: /etc/audit
        contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: audit.rules
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Set path to /etc/audit/audit.rules
      ansible.builtin.set_fact:
        audit_file: /etc/audit/audit.rules

    - name: Declare found syscalls
      ansible.builtin.set_fact:
        syscalls_found: "{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact:
        missing_syscalls: "{{ syscalls | difference(syscalls_found) }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0
  when:
    - DISA_STIG_RHEL_09_654070 | bool
    - audit_rules_unsuccessful_file_modification_creat | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - reboot_required | bool
    - restrict_strategy | bool
    - '"audit" in ansible_facts.packages'
    - '"kernel-core" in ansible_facts.packages'
    - not ( ansible_architecture == "aarch64" )
    - audit_arch == "b64"
  tags:
    - CCE-83786-4
    - DISA-STIG-RHEL-09-654070
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.2.1
    - PCI-DSS-Req-10.2.4
    - audit_rules_unsuccessful_file_modification_creat
    - low_complexity
    - low_disruption
    - medium_severity
    - reboot_required
    - restrict_strategy

# creat EPERM on arch=b32: identical to the EACCES block except for the
# "-F exit=-EPERM" filter; both share key "access" and access.rules.
- name: Perform remediation of Audit rules for creat EPERM for 32bit platform
  block:
    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
          - creat
        syscall_grouping:
          - creat
          - ftruncate
          - truncate
          - open
          - openat
          - open_by_handle_at

    - name: Check existence of creat in /etc/audit/rules.d/
      ansible.builtin.find:
        paths: /etc/audit/rules.d
        contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: '*.rules'
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Reset syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: {}
        found_paths_dict: {}

    - name: Declare syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: "{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
      loop: "{{ find_command.results | selectattr('matched') | list }}"

    - name: Declare files where syscalls were found
      ansible.builtin.set_fact:
        found_paths: "{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}"

    - name: Count occurrences of syscalls in paths
      ansible.builtin.set_fact:
        found_paths_dict: "{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
      loop: "{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}"

    - name: Get path with most syscalls
      ansible.builtin.set_fact:
        audit_file: "{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
      when: found_paths | length >= 1

    - name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
      ansible.builtin.set_fact:
        audit_file: /etc/audit/rules.d/access.rules
      when: found_paths | length == 0

    - name: Declare found syscalls
      ansible.builtin.set_fact:
        syscalls_found: "{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact:
        missing_syscalls: "{{ syscalls | difference(syscalls_found) }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    # Second pass: /etc/audit/audit.rules.
    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
          - creat
        syscall_grouping:
          - creat
          - ftruncate
          - truncate
          - open
          - openat
          - open_by_handle_at

    - name: Check existence of creat in /etc/audit/audit.rules
      ansible.builtin.find:
        paths: /etc/audit
        contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
        patterns: audit.rules
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Set path to /etc/audit/audit.rules
      ansible.builtin.set_fact:
        audit_file: /etc/audit/audit.rules

    - name: Declare found syscalls
      ansible.builtin.set_fact:
        syscalls_found: "{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact:
        missing_syscalls: "{{ syscalls | difference(syscalls_found) }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0
  when:
    - DISA_STIG_RHEL_09_654070 | bool
    - audit_rules_unsuccessful_file_modification_creat | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - reboot_required | bool
    - restrict_strategy | bool
    - '"audit" in ansible_facts.packages'
    - '"kernel-core" in ansible_facts.packages'
    - not ( ansible_architecture == "aarch64" )
  tags:
    - CCE-83786-4
    - DISA-STIG-RHEL-09-654070
    - NIST-800-171-3.1.7
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.2.1
    - PCI-DSS-Req-10.2.4
    - audit_rules_unsuccessful_file_modification_creat
    - low_complexity
    - low_disruption
    - medium_severity
    - reboot_required
    - restrict_strategy
- name: Perform remediation of Audit rules for creat EPERM for 64bit platform block: - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - creat syscall_grouping: - creat - ftruncate - truncate - open - openat - open_by_handle_at - name: Check existence of creat in /etc/audit/rules.d/ ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" - name: Count 
occurrences of syscalls in paths ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/access.rules ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/access.rules" when: found_paths | length == 0 - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - creat syscall_grouping: - creat - ftruncate - truncate - open - openat - open_by_handle_at - name: Check existence of creat in /etc/audit/audit.rules ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item 
}})+(( -S |,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 when: - DISA_STIG_RHEL_09_654070 | bool - audit_rules_unsuccessful_file_modification_creat | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - not ( ansible_architecture == "aarch64" ) - audit_arch == "b64" tags: - CCE-83786-4 - DISA-STIG-RHEL-09-654070 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.1 - PCI-DSS-Req-10.2.4 - audit_rules_unsuccessful_file_modification_creat - low_complexity - low_disruption - medium_severity - reboot_required - 
restrict_strategy - name: Set architecture for audit ftruncate tasks ansible.builtin.set_fact: audit_arch: b64 when: - DISA_STIG_RHEL_09_654070 | bool - audit_rules_unsuccessful_file_modification_ftruncate | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" tags: - CCE-83800-3 - DISA-STIG-RHEL-09-654070 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.1 - PCI-DSS-Req-10.2.4 - audit_rules_unsuccessful_file_modification_ftruncate - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - name: Perform remediation of Audit rules for ftruncate EACCES for 32bit platform block: - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - ftruncate syscall_grouping: - creat - ftruncate - truncate - open - openat - open_by_handle_at - name: Check existence of ftruncate in /etc/audit/rules.d/ ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found ansible.builtin.set_fact: 
found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" - name: Count occurrences of syscalls in paths ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/access.rules ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/access.rules" when: found_paths | length == 0 - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - ftruncate syscall_grouping: - creat - ftruncate - truncate - open - openat - open_by_handle_at - name: Check existence of ftruncate in 
/etc/audit/audit.rules ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 when: - DISA_STIG_RHEL_09_654070 | bool - audit_rules_unsuccessful_file_modification_ftruncate | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' tags: - CCE-83800-3 - DISA-STIG-RHEL-09-654070 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.1 - PCI-DSS-Req-10.2.4 - audit_rules_unsuccessful_file_modification_ftruncate - 
low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - name: Perform remediation of Audit rules for ftruncate EACCES for 64bit platform block: - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - ftruncate syscall_grouping: - creat - ftruncate - truncate - open - openat - open_by_handle_at - name: Check existence of ftruncate in /etc/audit/rules.d/ ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" - name: Count occurrences of syscalls in paths ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/access.rules ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/access.rules" when: found_paths | length == 0 - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ 
find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - ftruncate syscall_grouping: - creat - ftruncate - truncate - open - openat - open_by_handle_at - name: Check existence of ftruncate in /etc/audit/audit.rules ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a 
always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 when: - DISA_STIG_RHEL_09_654070 | bool - audit_rules_unsuccessful_file_modification_ftruncate | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - audit_arch == "b64" tags: - CCE-83800-3 - DISA-STIG-RHEL-09-654070 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.1 - PCI-DSS-Req-10.2.4 - audit_rules_unsuccessful_file_modification_ftruncate - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - name: Perform remediation of Audit rules for ftruncate EPERM for 32bit platform block: - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - ftruncate syscall_grouping: - creat - ftruncate - truncate - open - openat - open_by_handle_at - name: Check existence of ftruncate in /etc/audit/rules.d/ ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file ansible.builtin.set_fact: syscalls_per_file: {} 
found_paths_dict: {} - name: Declare syscalls found per file ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" - name: Count occurrences of syscalls in paths ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/access.rules ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/access.rules" when: found_paths | length == 0 - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ 
syscalls | join(',') }} -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - ftruncate syscall_grouping: - creat - ftruncate - truncate - open - openat - open_by_handle_at - name: Check existence of ftruncate in /etc/audit/audit.rules ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 when: - DISA_STIG_RHEL_09_654070 | bool - audit_rules_unsuccessful_file_modification_ftruncate | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - 
reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' tags: - CCE-83800-3 - DISA-STIG-RHEL-09-654070 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.1 - PCI-DSS-Req-10.2.4 - audit_rules_unsuccessful_file_modification_ftruncate - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - name: Perform remediation of Audit rules for ftruncate EPERM for 64bit platform block: - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - ftruncate syscall_grouping: - creat - ftruncate - truncate - open - openat - open_by_handle_at - name: Check existence of ftruncate in /etc/audit/rules.d/ ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" - name: Count occurrences of syscalls in paths ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | 
dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/access.rules ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/access.rules" when: found_paths | length == 0 - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - ftruncate syscall_grouping: - creat - ftruncate - truncate - open - openat - open_by_handle_at - name: Check existence of ftruncate in /etc/audit/audit.rules ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls ansible.builtin.set_fact: 
syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 when: - DISA_STIG_RHEL_09_654070 | bool - audit_rules_unsuccessful_file_modification_ftruncate | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - audit_arch == "b64" tags: - CCE-83800-3 - DISA-STIG-RHEL-09-654070 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.1 - PCI-DSS-Req-10.2.4 - audit_rules_unsuccessful_file_modification_ftruncate - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - name: Set architecture for audit open tasks ansible.builtin.set_fact: audit_arch: b64 when: - DISA_STIG_RHEL_09_654070 | bool - audit_rules_unsuccessful_file_modification_open | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in 
ansible_facts.packages' - not ( ansible_architecture == "aarch64" ) - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" tags: - CCE-83801-1 - DISA-STIG-RHEL-09-654070 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.1 - PCI-DSS-Req-10.2.4 - audit_rules_unsuccessful_file_modification_open - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - name: Perform remediation of Audit rules for open EACCES for 32bit platform block: - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - open syscall_grouping: - creat - ftruncate - truncate - open - openat - open_by_handle_at - name: Check existence of open in /etc/audit/rules.d/ ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" - name: Count occurrences of syscalls in paths ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' 
- name: Get path with most syscalls ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/access.rules ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/access.rules" when: found_paths | length == 0 - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - open syscall_grouping: - creat - ftruncate - truncate - open - openat - open_by_handle_at - name: Check existence of open in /etc/audit/audit.rules ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules ansible.builtin.set_fact: 
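# Tail of the 32bit "open EACCES" remediation block; its leading tasks are
# above this excerpt. All tasks below were collapsed onto single lines and
# have been restored to block-style YAML; values are unchanged.
audit_file="/etc/audit/audit.rules"

  - name: Declare found syscalls
    ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"

  - name: Declare missing syscalls
    ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"

  - name: Replace the audit rule in {{ audit_file }}
    ansible.builtin.lineinfile:
      path: '{{ audit_file }}'
      regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
      line: \1\2\3{{ missing_syscalls | join("\3") }}\4
      backrefs: true
      state: present
      mode: g-rwx,o-rwx
    when: syscalls_found | length > 0 and missing_syscalls | length > 0

  - name: Add the audit rule to {{ audit_file }}
    ansible.builtin.lineinfile:
      path: '{{ audit_file }}'
      line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
      create: true
      mode: g-rwx,o-rwx
      state: present
    when: syscalls_found | length == 0

  # The 32bit variant is skipped on aarch64; every audit-rule block here is
  # also tied to reboot_required (rule changes take effect on reload/reboot).
  when:
  - DISA_STIG_RHEL_09_654070 | bool
  - audit_rules_unsuccessful_file_modification_open | bool
  - low_complexity | bool
  - low_disruption | bool
  - medium_severity | bool
  - reboot_required | bool
  - restrict_strategy | bool
  - '"audit" in ansible_facts.packages'
  - '"kernel-core" in ansible_facts.packages'
  - not ( ansible_architecture == "aarch64" )
  tags:
  - CCE-83801-1
  - DISA-STIG-RHEL-09-654070
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.1
  - PCI-DSS-Req-10.2.4
  - audit_rules_unsuccessful_file_modification_open
  - low_complexity
  - low_disruption
  - medium_severity
  - reboot_required
  - restrict_strategy

# open denied with EACCES, 64-bit rule set (arch=b64). Two passes: the rules
# directory /etc/audit/rules.d/*.rules, then the single file
# /etc/audit/audit.rules. In each pass an existing rule line carrying the
# same filters is extended in place with the missing syscall(s); if no such
# line exists a fresh one keyed "access" is added. Gated on audit_arch,
# which an earlier "Set architecture ..." task (outside this excerpt) is
# expected to set; if it was never set the condition is an undefined-variable
# error rather than a skip — TODO confirm.
- name: Perform remediation of Audit rules for open EACCES for 64bit platform
  block:

  # syscall_grouping lists the syscalls that may share one rule line with
  # the target syscall; the find below looks for any of them.
  - name: Declare list of syscalls
    ansible.builtin.set_fact:
      syscalls:
      - open
      syscall_grouping:
      - creat
      - ftruncate
      - truncate
      - open
      - openat
      - open_by_handle_at

  # One find per syscall; a result is "matched" when some *.rules file holds
  # a b64 line with that syscall, -F exit=-EACCES and the auid filters
  # (auid>=1000, auid!=unset: the auditd convention for real user sessions).
  - name: Check existence of open in /etc/audit/rules.d/
    ansible.builtin.find:
      paths: /etc/audit/rules.d
      contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
      patterns: '*.rules'
    register: find_command
    loop: '{{ (syscall_grouping + syscalls) | unique }}'

  # Cleared per block: the same fact names are reused by every block below.
  - name: Reset syscalls found per file
    ansible.builtin.set_fact:
      syscalls_per_file: {}
      found_paths_dict: {}

  # NOTE(review): only files[0] of each matched result is recorded here,
  # while found_paths_dict below counts every file. If the same rule line is
  # present in more than one file, audit_file can resolve to a path that is
  # not a key of syscalls_per_file, and the regexp template in "Replace the
  # audit rule" would then fail on an undefined key — worth confirming.
  - name: Declare syscalls found per file
    ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
    loop: '{{ find_command.results | selectattr(''matched'') | list }}'

  - name: Declare files where syscalls were found
    ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}"

  - name: Count occurrences of syscalls in paths
    ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
    loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'

  # The file holding most of the grouped syscalls is the one edited.
  - name: Get path with most syscalls
    ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
    when: found_paths | length >= 1

  - name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
    ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/access.rules"
    when: found_paths | length == 0

  - name: Declare found syscalls
    ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"

  - name: Declare missing syscalls
    ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"

  # Group 3 is the last separator seen (" -S " or ","); the missing syscalls
  # are appended to the existing -S list using that same separator, so the
  # rest of the line (filters and key) is kept verbatim via group 4.
  - name: Replace the audit rule in {{ audit_file }}
    ansible.builtin.lineinfile:
      path: '{{ audit_file }}'
      regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
      line: \1\2\3{{ missing_syscalls | join("\3") }}\4
      backrefs: true
      state: present
      # symbolic mode: strips group/other bits, leaves owner bits unchanged
      mode: g-rwx,o-rwx
    when: syscalls_found | length > 0 and missing_syscalls | length > 0

  - name: Add the audit rule to {{ audit_file }}
    ansible.builtin.lineinfile:
      path: '{{ audit_file }}'
      line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
      create: true
      mode: g-rwx,o-rwx
      state: present
    when: syscalls_found | length == 0

  # Second pass: same logic against the single /etc/audit/audit.rules file,
  # so no per-file bookkeeping is needed.
  - name: Declare list of syscalls
    ansible.builtin.set_fact:
      syscalls:
      - open
      syscall_grouping:
      - creat
      - ftruncate
      - truncate
      - open
      - openat
      - open_by_handle_at

  - name: Check existence of open in /etc/audit/audit.rules
    ansible.builtin.find:
      paths: /etc/audit
      contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
      patterns: audit.rules
    register: find_command
    loop: '{{ (syscall_grouping + syscalls) | unique }}'

  - name: Set path to /etc/audit/audit.rules
    ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"

  - name: Declare found syscalls
    ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"

  - name: Declare missing syscalls
    ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"

  - name: Replace the audit rule in {{ audit_file }}
    ansible.builtin.lineinfile:
      path: '{{ audit_file }}'
      regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
      line: \1\2\3{{ missing_syscalls | join("\3") }}\4
      backrefs: true
      state: present
      mode: g-rwx,o-rwx
    when: syscalls_found | length > 0 and missing_syscalls | length > 0

  - name: Add the audit rule to {{ audit_file }}
    ansible.builtin.lineinfile:
      path: '{{ audit_file }}'
      line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
      create: true
      mode: g-rwx,o-rwx
      state: present
    when: syscalls_found | length == 0

  when:
  - DISA_STIG_RHEL_09_654070 | bool
  - audit_rules_unsuccessful_file_modification_open | bool
  - low_complexity | bool
  - low_disruption | bool
  - medium_severity | bool
  - reboot_required | bool
  - restrict_strategy | bool
  - '"audit" in ansible_facts.packages'
  - '"kernel-core" in ansible_facts.packages'
  - not ( ansible_architecture == "aarch64" )
  - audit_arch == "b64"
  tags:
  - CCE-83801-1
  - DISA-STIG-RHEL-09-654070
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.1
  - PCI-DSS-Req-10.2.4
  - audit_rules_unsuccessful_file_modification_open
  - low_complexity
  - low_disruption
  - medium_severity
  - reboot_required
  - restrict_strategy

# open denied with EPERM, 32-bit rule set (arch=b32). Same two-pass logic as
# the EACCES block above, differing only in -F exit=-EPERM; skipped on
# aarch64 and not gated on audit_arch.
- name: Perform remediation of Audit rules for open EPERM for 32bit platform
  block:

  - name: Declare list of syscalls
    ansible.builtin.set_fact:
      syscalls:
      - open
      syscall_grouping:
      - creat
      - ftruncate
      - truncate
      - open
      - openat
      - open_by_handle_at

  - name: Check existence of open in /etc/audit/rules.d/
    ansible.builtin.find:
      paths: /etc/audit/rules.d
      contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
      patterns: '*.rules'
    register: find_command
    loop: '{{ (syscall_grouping + syscalls) | unique }}'

  - name: Reset syscalls found per file
    ansible.builtin.set_fact:
      syscalls_per_file: {}
      found_paths_dict: {}

  - name: Declare syscalls found per file
    ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
    loop: '{{ find_command.results | selectattr(''matched'') | list }}'

  - name: Declare files where syscalls were found
    ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}"

  - name: Count occurrences of syscalls in paths
    ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
    loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'

  - name: Get path with most syscalls
    ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
    when: found_paths | length >= 1

  - name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
    ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/access.rules"
    when: found_paths | length == 0

  - name: Declare found syscalls
    ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"

  - name: Declare missing syscalls
    ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"

  - name: Replace the audit rule in {{ audit_file }}
    ansible.builtin.lineinfile:
      path: '{{ audit_file }}'
      regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
      line: \1\2\3{{ missing_syscalls | join("\3") }}\4
      backrefs: true
      state: present
      mode: g-rwx,o-rwx
    when: syscalls_found | length > 0 and missing_syscalls | length > 0

  - name: Add the audit rule to {{ audit_file }}
    ansible.builtin.lineinfile:
      path: '{{ audit_file }}'
      line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
      create: true
      mode: g-rwx,o-rwx
      state: present
    when: syscalls_found | length == 0

  - name: Declare list of syscalls
    ansible.builtin.set_fact:
      syscalls:
      - open
      syscall_grouping:
      - creat
      - ftruncate
      - truncate
      - open
      - openat
      - open_by_handle_at

  - name: Check existence of open in /etc/audit/audit.rules
    ansible.builtin.find:
      paths: /etc/audit
      contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
      patterns: audit.rules
    register: find_command
    loop: '{{ (syscall_grouping + syscalls) | unique }}'

  - name: Set path to /etc/audit/audit.rules
    ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"

  - name: Declare found syscalls
    ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"

  - name: Declare missing syscalls
    ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"

  - name: Replace the audit rule in {{ audit_file }}
    ansible.builtin.lineinfile:
      path: '{{ audit_file }}'
      regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
      line: \1\2\3{{ missing_syscalls | join("\3") }}\4
      backrefs: true
      state: present
      mode: g-rwx,o-rwx
    when: syscalls_found | length > 0 and missing_syscalls | length > 0

  - name: Add the audit rule to {{ audit_file }}
    ansible.builtin.lineinfile:
      path: '{{ audit_file }}'
      line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
      create: true
      mode: g-rwx,o-rwx
      state: present
    when: syscalls_found | length == 0

  when:
  - DISA_STIG_RHEL_09_654070 | bool
  - audit_rules_unsuccessful_file_modification_open | bool
  - low_complexity | bool
  - low_disruption | bool
  - medium_severity | bool
  - reboot_required | bool
  - restrict_strategy | bool
  - '"audit" in ansible_facts.packages'
  - '"kernel-core" in ansible_facts.packages'
  - not ( ansible_architecture == "aarch64" )
  tags:
  - CCE-83801-1
  - DISA-STIG-RHEL-09-654070
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.1
  - PCI-DSS-Req-10.2.4
  - audit_rules_unsuccessful_file_modification_open
  - low_complexity
  - low_disruption
  - medium_severity
  - reboot_required
  - restrict_strategy

# open denied with EPERM, 64-bit rule set (arch=b64); gated on audit_arch
# like the EACCES 64bit block.
- name: Perform remediation of Audit rules for open EPERM for 64bit platform
  block:

  - name: Declare list of syscalls
    ansible.builtin.set_fact:
      syscalls:
      - open
      syscall_grouping:
      - creat
      - ftruncate
      - truncate
      - open
      - openat
      - open_by_handle_at

  - name: Check existence of open in /etc/audit/rules.d/
    ansible.builtin.find:
      paths: /etc/audit/rules.d
      contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
      patterns: '*.rules'
    register: find_command
    loop: '{{ (syscall_grouping + syscalls) | unique }}'

  - name: Reset syscalls found per file
    ansible.builtin.set_fact:
      syscalls_per_file: {}
      found_paths_dict: {}

  - name: Declare syscalls found per file
    ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
    loop: '{{ find_command.results | selectattr(''matched'') | list }}'

  - name: Declare files where syscalls were found
    ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}"

  - name: Count occurrences of syscalls in paths
    ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
    loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'

  - name: Get path with most syscalls
    ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
    when: found_paths | length >= 1

  - name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
    ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/access.rules"
    when: found_paths | length == 0

  - name: Declare found syscalls
    ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"

  - name: Declare missing syscalls
    ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"

  - name: Replace the audit rule in {{ audit_file }}
    ansible.builtin.lineinfile:
      path: '{{ audit_file }}'
      regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
      line: \1\2\3{{ missing_syscalls | join("\3") }}\4
      backrefs: true
      state: present
      mode: g-rwx,o-rwx
    when: syscalls_found | length > 0 and missing_syscalls | length > 0

  - name: Add the audit rule to {{ audit_file }}
    ansible.builtin.lineinfile:
      path: '{{ audit_file }}'
      line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
      create: true
      mode: g-rwx,o-rwx
      state: present
    when: syscalls_found | length == 0

  - name: Declare list of syscalls
    ansible.builtin.set_fact:
      syscalls:
      - open
      syscall_grouping:
      - creat
      - ftruncate
      - truncate
      - open
      - openat
      - open_by_handle_at

  - name: Check existence of open in /etc/audit/audit.rules
    ansible.builtin.find:
      paths: /etc/audit
      contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
      patterns: audit.rules
    register: find_command
    loop: '{{ (syscall_grouping + syscalls) | unique }}'

  - name: Set path to /etc/audit/audit.rules
    ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"

  - name: Declare found syscalls
    ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"

  - name: Declare missing syscalls
    ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"

  - name: Replace the audit rule in {{ audit_file }}
    ansible.builtin.lineinfile:
      path: '{{ audit_file }}'
      regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
      line: \1\2\3{{ missing_syscalls | join("\3") }}\4
      backrefs: true
      state: present
      mode: g-rwx,o-rwx
    when: syscalls_found | length > 0 and missing_syscalls | length > 0

  - name: Add the audit rule to {{ audit_file }}
    ansible.builtin.lineinfile:
      path: '{{ audit_file }}'
      line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
      create: true
      mode: g-rwx,o-rwx
      state: present
    when: syscalls_found | length == 0

  when:
  - DISA_STIG_RHEL_09_654070 | bool
  - audit_rules_unsuccessful_file_modification_open | bool
  - low_complexity | bool
  - low_disruption | bool
  - medium_severity | bool
  - reboot_required | bool
  - restrict_strategy | bool
  - '"audit" in ansible_facts.packages'
  - '"kernel-core" in ansible_facts.packages'
  - not ( ansible_architecture == "aarch64" )
  - audit_arch == "b64"
  tags:
  - CCE-83801-1
  - DISA-STIG-RHEL-09-654070
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.1
  - PCI-DSS-Req-10.2.4
  - audit_rules_unsuccessful_file_modification_open
  - low_complexity
  - low_disruption
  - medium_severity
  - reboot_required
  - restrict_strategy

# Sets audit_arch to b64 on the listed 64-bit architectures only; the openat
# "64bit platform" blocks below run only when this fact equals "b64". On any
# other architecture the fact is left unset by this task.
- name: Set architecture for audit openat tasks
  ansible.builtin.set_fact:
    audit_arch: b64
  when:
  - DISA_STIG_RHEL_09_654070 | bool
  - audit_rules_unsuccessful_file_modification_openat | bool
  - low_complexity | bool
  - low_disruption | bool
  - medium_severity | bool
  - reboot_required | bool
  - restrict_strategy | bool
  - '"audit" in ansible_facts.packages'
  - '"kernel-core" in ansible_facts.packages'
  - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
  tags:
  - CCE-83794-8
  - DISA-STIG-RHEL-09-654070
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.1
  - PCI-DSS-Req-10.2.4
  - audit_rules_unsuccessful_file_modification_openat
  - low_complexity
  - low_disruption
  - medium_severity
  - reboot_required
  - restrict_strategy

# openat denied with EACCES, 32-bit rule set (arch=b32). Same two-pass logic
# as the open blocks; unlike those, the openat 32bit blocks carry no
# aarch64 exclusion.
- name: Perform remediation of Audit rules for openat EACCES for 32bit platform
  block:

  - name: Declare list of syscalls
    ansible.builtin.set_fact:
      syscalls:
      - openat
      syscall_grouping:
      - creat
      - ftruncate
      - truncate
      - open
      - openat
      - open_by_handle_at

  - name: Check existence of openat in /etc/audit/rules.d/
    ansible.builtin.find:
      paths: /etc/audit/rules.d
      contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
      patterns: '*.rules'
    register: find_command
    loop: '{{ (syscall_grouping + syscalls) | unique }}'

  - name: Reset syscalls found per file
    ansible.builtin.set_fact:
      syscalls_per_file: {}
      found_paths_dict: {}

  - name: Declare syscalls found per file
    ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
    loop: '{{ find_command.results | selectattr(''matched'') | list }}'

  - name: Declare files where syscalls were found
    ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}"

  - name: Count occurrences of syscalls in paths
    ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
    loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'

  - name: Get path with most syscalls
    ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
    when: found_paths | length >= 1

  - name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
    ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/access.rules"
    when: found_paths | length == 0

  - name: Declare found syscalls
    ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"

  - name: Declare missing syscalls
    ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"

  - name: Replace the audit rule in {{ audit_file }}
    ansible.builtin.lineinfile:
      path: '{{ audit_file }}'
      regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
      line: \1\2\3{{ missing_syscalls | join("\3") }}\4
      backrefs: true
      state: present
      mode: g-rwx,o-rwx
    when: syscalls_found | length > 0 and missing_syscalls | length > 0

  - name: Add the audit rule to {{ audit_file }}
    ansible.builtin.lineinfile:
      path: '{{ audit_file }}'
      line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
      create: true
      mode: g-rwx,o-rwx
      state: present
    when: syscalls_found | length == 0

  - name: Declare list of syscalls
    ansible.builtin.set_fact:
      syscalls:
      - openat
      syscall_grouping:
      - creat
      - ftruncate
      - truncate
      - open
      - openat
      - open_by_handle_at

  - name: Check existence of openat in /etc/audit/audit.rules
    ansible.builtin.find:
      paths: /etc/audit
      contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
      patterns: audit.rules
    register: find_command
    loop: '{{ (syscall_grouping + syscalls) | unique }}'

  - name: Set path to /etc/audit/audit.rules
    ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"

  - name: Declare found syscalls
    ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"

  - name: Declare missing syscalls
    ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"

  - name: Replace the audit rule in {{ audit_file }}
    ansible.builtin.lineinfile:
      path: '{{ audit_file }}'
      regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
      line: \1\2\3{{ missing_syscalls | join("\3") }}\4
      backrefs: true
      state: present
      mode: g-rwx,o-rwx
    when: syscalls_found | length > 0 and missing_syscalls | length > 0

  - name: Add the audit rule to {{ audit_file }}
    ansible.builtin.lineinfile:
      path: '{{ audit_file }}'
      line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
      create: true
      mode: g-rwx,o-rwx
      state: present
    when: syscalls_found | length == 0

  when:
  - DISA_STIG_RHEL_09_654070 | bool
  - audit_rules_unsuccessful_file_modification_openat | bool
  - low_complexity | bool
  - low_disruption | bool
  - medium_severity | bool
  - reboot_required | bool
  - restrict_strategy | bool
  - '"audit" in ansible_facts.packages'
  - '"kernel-core" in ansible_facts.packages'
  tags:
  - CCE-83794-8
  - DISA-STIG-RHEL-09-654070
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.1
  - PCI-DSS-Req-10.2.4
  - audit_rules_unsuccessful_file_modification_openat
  - low_complexity
  - low_disruption
  - medium_severity
  - reboot_required
  - restrict_strategy

# openat denied with EACCES, 64-bit rule set (arch=b64); gated on audit_arch
# set by "Set architecture for audit openat tasks" above.
- name: Perform remediation of Audit rules for openat EACCES for 64bit platform
  block:

  - name: Declare list of syscalls
    ansible.builtin.set_fact:
      syscalls:
      - openat
      syscall_grouping:
      - creat
      - ftruncate
      - truncate
      - open
      - openat
      - open_by_handle_at

  - name: Check existence of openat in /etc/audit/rules.d/
    ansible.builtin.find:
      paths: /etc/audit/rules.d
      contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
      patterns: '*.rules'
    register: find_command
    loop: '{{ (syscall_grouping + syscalls) | unique }}'

  - name: Reset syscalls found per file
    ansible.builtin.set_fact:
      syscalls_per_file: {}
      found_paths_dict: {}

  - name: Declare syscalls found per file
    ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
    loop: '{{ find_command.results | selectattr(''matched'') | list }}'

  - name: Declare files where syscalls were found
    ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}"

  - name: Count occurrences of syscalls in paths
    ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
    loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'

  - name: Get path with most syscalls
    ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
    when: found_paths | length >= 1

  - name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
    ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/access.rules"
    when: found_paths | length == 0

  - name: Declare found syscalls
    ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"

  - name: Declare missing syscalls
    ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"

  - name: Replace the audit rule in {{ audit_file }}
    ansible.builtin.lineinfile:
      path: '{{ audit_file }}'
      regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
      line: \1\2\3{{ missing_syscalls | join("\3") }}\4
      backrefs: true
      state: present
      mode: g-rwx,o-rwx
    when: syscalls_found | length > 0 and missing_syscalls | length > 0

  - name: Add the audit rule to {{ audit_file }}
    ansible.builtin.lineinfile:
      path: '{{ audit_file }}'
      line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
      create: true
      mode: g-rwx,o-rwx
      state: present
    when: syscalls_found | length == 0

  - name: Declare list of syscalls
    ansible.builtin.set_fact:
      syscalls:
      - openat
      syscall_grouping:
      - creat
      - ftruncate
      - truncate
      - open
      - openat
      - open_by_handle_at

  - name: Check existence of openat in /etc/audit/audit.rules
    ansible.builtin.find:
      paths: /etc/audit
      contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
      patterns: audit.rules
    register: find_command
    loop: '{{ (syscall_grouping + syscalls) | unique }}'

  - name: Set path to /etc/audit/audit.rules
    ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"

  - name: Declare found syscalls
    ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"

  - name: Declare missing syscalls
    ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"

  - name: Replace the audit rule in {{ audit_file }}
    ansible.builtin.lineinfile:
      path: '{{ audit_file }}'
      regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
      line: \1\2\3{{ missing_syscalls | join("\3") }}\4
      backrefs: true
      state: present
      mode: g-rwx,o-rwx
    when: syscalls_found | length > 0 and missing_syscalls | length > 0

  - name: Add the audit rule to {{ audit_file }}
    ansible.builtin.lineinfile:
      path: '{{ audit_file }}'
      line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
      create: true
      mode: g-rwx,o-rwx
      state: present
    when: syscalls_found | length == 0

  when:
  - DISA_STIG_RHEL_09_654070 | bool
  - audit_rules_unsuccessful_file_modification_openat | bool
  - low_complexity | bool
  - low_disruption | bool
  - medium_severity | bool
  - reboot_required | bool
  - restrict_strategy | bool
  - '"audit" in ansible_facts.packages'
  - '"kernel-core" in ansible_facts.packages'
  - audit_arch == "b64"
  tags:
  - CCE-83794-8
  - DISA-STIG-RHEL-09-654070
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.1
  - PCI-DSS-Req-10.2.4
  - audit_rules_unsuccessful_file_modification_openat
  - low_complexity
  - low_disruption
  - medium_severity
  - reboot_required
  - restrict_strategy

# openat denied with EPERM, 32-bit rule set (arch=b32).
- name: Perform remediation of Audit rules for openat EPERM for 32bit platform
  block:

  - name: Declare list of syscalls
    ansible.builtin.set_fact:
      syscalls:
      - openat
      syscall_grouping:
      - creat
      - ftruncate
      - truncate
      - open
      - openat
      - open_by_handle_at

  - name: Check existence of openat in /etc/audit/rules.d/
    ansible.builtin.find:
      paths: /etc/audit/rules.d
      contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
      patterns: '*.rules'
    register: find_command
    loop: '{{ (syscall_grouping + syscalls) | unique }}'

  - name: Reset syscalls found per file
    ansible.builtin.set_fact:
      syscalls_per_file: {}
      found_paths_dict: {}

  - name: Declare syscalls found per file
    ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
    loop: '{{ find_command.results | selectattr(''matched'') | list }}'

  - name: Declare files where syscalls were found
    ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}"

  - name: Count occurrences of syscalls in paths
    ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
    loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'

  - name: Get path with most syscalls
    ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
    when: found_paths | length >= 1

  - name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
    ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/access.rules"
    when: found_paths | length == 0

  - name: Declare found syscalls
    ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"

  - name: Declare missing syscalls
    ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"

  - name: Replace the audit rule in {{ audit_file }}
    ansible.builtin.lineinfile:
      path: '{{ audit_file }}'
      regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
      line: \1\2\3{{ missing_syscalls | join("\3") }}\4
      backrefs: true
      state: present
      mode: g-rwx,o-rwx
    when: syscalls_found | length > 0 and missing_syscalls | length > 0

  - name: Add the audit rule to {{ audit_file }}
    ansible.builtin.lineinfile:
      path: '{{ audit_file }}'
      line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
      create: true
      mode: g-rwx,o-rwx
      state: present
    when: syscalls_found | length == 0

  - name: Declare list of syscalls
    ansible.builtin.set_fact:
      syscalls:
      - openat
      syscall_grouping:
      - creat
      - ftruncate
      - truncate
      - open
      - openat
      - open_by_handle_at

  - name: Check existence of openat in /etc/audit/audit.rules
    ansible.builtin.find:
      paths: /etc/audit
      contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
      patterns: audit.rules
    register: find_command
    loop: '{{ (syscall_grouping + syscalls) | unique }}'

  - name: Set path to /etc/audit/audit.rules
    ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"

  - name: Declare found syscalls
    ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"

  - name: Declare missing syscalls
    ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"

  - name: Replace the audit rule in {{ audit_file }}
    ansible.builtin.lineinfile:
      path: '{{ audit_file }}'
      regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
      line: \1\2\3{{ missing_syscalls | join("\3") }}\4
      backrefs: true
      state: present
      mode: g-rwx,o-rwx
    when: syscalls_found | length > 0 and missing_syscalls | length > 0

  - name: Add the audit rule to {{ audit_file }}
    ansible.builtin.lineinfile:
      path: '{{ audit_file }}'
      line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
      create: true
      mode: g-rwx,o-rwx
      state: present
    when: syscalls_found | length == 0

  when:
  - DISA_STIG_RHEL_09_654070 | bool
  - audit_rules_unsuccessful_file_modification_openat | bool
  - low_complexity | bool
  - low_disruption | bool
  - medium_severity | bool
  - reboot_required | bool
  - restrict_strategy | bool
  - '"audit" in ansible_facts.packages'
  - '"kernel-core" in ansible_facts.packages'
  tags:
  - CCE-83794-8
  - DISA-STIG-RHEL-09-654070
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.1
  - PCI-DSS-Req-10.2.4
  - audit_rules_unsuccessful_file_modification_openat
  - low_complexity
  - low_disruption
  - medium_severity
  - reboot_required
  - restrict_strategy

# openat denied with EPERM, 64-bit rule set (arch=b64); gated on audit_arch.
- name: Perform remediation of Audit rules for openat EPERM for 64bit platform
  block:

  - name: Declare list of syscalls
    ansible.builtin.set_fact:
      syscalls:
      - openat
      syscall_grouping:
      - creat
      - ftruncate
      - truncate
      - open
      - openat
      - open_by_handle_at

  - name: Check existence of openat in /etc/audit/rules.d/
    ansible.builtin.find:
      paths: /etc/audit/rules.d
      contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
      patterns: '*.rules'
    register: find_command
    loop: '{{ (syscall_grouping + syscalls) | unique }}'

  - name: Reset syscalls found per file
    ansible.builtin.set_fact:
      syscalls_per_file: {}
      found_paths_dict: {}

  - name: Declare syscalls found per file
    ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
    loop: '{{ find_command.results | selectattr(''matched'') | list }}'

  - name: Declare files where syscalls were found
    ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}"

  - name: Count occurrences of syscalls in paths
    ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
    loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'

  - name: Get path with most syscalls
    ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
    when: found_paths | length >= 1

  - name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
    ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/access.rules"
    when: found_paths | length == 0

  - name: Declare found syscalls
    ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"

  - name: Declare missing syscalls
    ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"

  - name: Replace the audit rule in {{ audit_file }}
    ansible.builtin.lineinfile:
      path: '{{ audit_file }}'
      regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
      line: \1\2\3{{ missing_syscalls | join("\3") }}\4
      backrefs: true
      state: present
      mode: g-rwx,o-rwx
    when: syscalls_found | length > 0 and missing_syscalls | length > 0

  - name: Add the audit rule to {{ audit_file }}
    ansible.builtin.lineinfile:
      path: '{{ audit_file }}'
      line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
      create: true
      mode: g-rwx,o-rwx
      state: present
    when: syscalls_found | length == 0

  - name: Declare list of syscalls
    ansible.builtin.set_fact:
      syscalls:
      - openat
      syscall_grouping:
      - creat
      - ftruncate
      - truncate
      - open
      - openat
      - open_by_handle_at

  - name: Check existence of openat in /etc/audit/audit.rules
    ansible.builtin.find:
      paths: /etc/audit
      contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
      patterns: audit.rules
    register: find_command
    loop: '{{ (syscall_grouping + syscalls) | unique }}'

  - name: Set path to /etc/audit/audit.rules
    ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"

  - name: Declare found syscalls
    ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"

  - name: Declare missing syscalls
    ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"

  - name: Replace the audit rule in {{ audit_file }}
    ansible.builtin.lineinfile:
      path: '{{ audit_file }}'
      regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
      line: \1\2\3{{ missing_syscalls | join("\3") }}\4
      backrefs: true
      state: present
      mode: g-rwx,o-rwx
    when: syscalls_found | length > 0 and missing_syscalls | length > 0

  - name: Add the audit rule to {{ audit_file }}
    ansible.builtin.lineinfile:
      path: '{{ audit_file }}'
      line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
      create: true
      mode: g-rwx,o-rwx
      state: present
    when: syscalls_found | length == 0

  when:
  - DISA_STIG_RHEL_09_654070 | bool
  - audit_rules_unsuccessful_file_modification_openat | bool
  - low_complexity | bool
  - low_disruption | bool
  - medium_severity | bool
  - reboot_required | bool
  - restrict_strategy | bool
  - '"audit" in ansible_facts.packages'
  - '"kernel-core" in ansible_facts.packages'
  - audit_arch == "b64"
  tags:
  - CCE-83794-8
  - DISA-STIG-RHEL-09-654070
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.1
  - PCI-DSS-Req-10.2.4
  - audit_rules_unsuccessful_file_modification_openat
  - low_complexity
  - low_disruption
  - medium_severity
  - reboot_required
  - restrict_strategy

# Same gating fact for the truncate rule blocks that follow: b64 on the
# listed 64-bit architectures only.
- name: Set architecture for audit truncate tasks
  ansible.builtin.set_fact:
    audit_arch: b64
  when:
  - DISA_STIG_RHEL_09_654070 | bool
  - audit_rules_unsuccessful_file_modification_truncate | bool
  - low_complexity | bool
  - low_disruption | bool
  - medium_severity | bool
  - reboot_required | bool
  - restrict_strategy | bool
  - '"audit" in ansible_facts.packages'
  - '"kernel-core" in ansible_facts.packages'
  - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
  tags:
  - CCE-83792-2
  - DISA-STIG-RHEL-09-654070
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.1
  - PCI-DSS-Req-10.2.4
  - audit_rules_unsuccessful_file_modification_truncate
  - low_complexity
  - low_disruption
  - medium_severity
  - reboot_required
  - restrict_strategy

# Start of the truncate EACCES 32bit block; the remainder of its task list
# continues beyond this excerpt.
- name: Perform remediation of Audit rules for truncate EACCES for 32bit platform
  block:

  - name: Declare list of syscalls
    ansible.builtin.set_fact:
      syscalls:
      - truncate
      syscall_grouping:
      - creat
      -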
ftruncate - truncate - open - openat - open_by_handle_at - name: Check existence of truncate in /etc/audit/rules.d/ ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" - name: Count occurrences of syscalls in paths ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/access.rules ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/access.rules" when: found_paths | length == 0 - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' 
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - truncate syscall_grouping: - creat - ftruncate - truncate - open - openat - open_by_handle_at - name: Check existence of truncate in /etc/audit/audit.rules ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and 
missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 when: - DISA_STIG_RHEL_09_654070 | bool - audit_rules_unsuccessful_file_modification_truncate | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' tags: - CCE-83792-2 - DISA-STIG-RHEL-09-654070 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.1 - PCI-DSS-Req-10.2.4 - audit_rules_unsuccessful_file_modification_truncate - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - name: Perform remediation of Audit rules for truncate EACCES for 64bit platform block: - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - truncate syscall_grouping: - creat - ftruncate - truncate - open - openat - open_by_handle_at - name: Check existence of truncate in /etc/audit/rules.d/ ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were 
found ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" - name: Count occurrences of syscalls in paths ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/access.rules ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/access.rules" when: found_paths | length == 0 - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - truncate syscall_grouping: - creat - ftruncate - truncate - open - openat - open_by_handle_at - name: 
Check existence of truncate in /etc/audit/audit.rules ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EACCES -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 when: - DISA_STIG_RHEL_09_654070 | bool - audit_rules_unsuccessful_file_modification_truncate | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - audit_arch == "b64" tags: - CCE-83792-2 - DISA-STIG-RHEL-09-654070 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.1 - PCI-DSS-Req-10.2.4 - 
audit_rules_unsuccessful_file_modification_truncate - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - name: Perform remediation of Audit rules for truncate EPERM for 32bit platform block: - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - truncate syscall_grouping: - creat - ftruncate - truncate - open - openat - open_by_handle_at - name: Check existence of truncate in /etc/audit/rules.d/ ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" - name: Count occurrences of syscalls in paths ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/access.rules ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/access.rules" when: found_paths | length == 0 - name: Declare found syscalls 
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - truncate syscall_grouping: - creat - ftruncate - truncate - open - openat - open_by_handle_at - name: Check existence of truncate in /etc/audit/audit.rules ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: 
'{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 when: - DISA_STIG_RHEL_09_654070 | bool - audit_rules_unsuccessful_file_modification_truncate | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' tags: - CCE-83792-2 - DISA-STIG-RHEL-09-654070 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.1 - PCI-DSS-Req-10.2.4 - audit_rules_unsuccessful_file_modification_truncate - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - name: Perform remediation of Audit rules for truncate EPERM for 64bit platform block: - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - truncate syscall_grouping: - creat - ftruncate - truncate - open - openat - open_by_handle_at - name: Check existence of truncate in /etc/audit/rules.d/ ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file ansible.builtin.set_fact: syscalls_per_file: {} 
found_paths_dict: {} - name: Declare syscalls found per file ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" - name: Count occurrences of syscalls in paths ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/access.rules ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/access.rules" when: found_paths | length == 0 - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ 
syscalls | join(',') }} -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - truncate syscall_grouping: - creat - ftruncate - truncate - open - openat - open_by_handle_at - name: Check existence of truncate in /etc/audit/audit.rules ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EPERM -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 when: - DISA_STIG_RHEL_09_654070 | bool - audit_rules_unsuccessful_file_modification_truncate | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - 
reboot_required | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - audit_arch == "b64" tags: - CCE-83792-2 - DISA-STIG-RHEL-09-654070 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.1 - PCI-DSS-Req-10.2.4 - audit_rules_unsuccessful_file_modification_truncate - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - name: Ensure auditd Collects Information on Kernel Module Unloading - create_module - Set architecture for audit ['create_module'] tasks ansible.builtin.set_fact: audit_arch: b64 when: - audit_rules_kernel_module_loading_create | bool - configure_strategy | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - not ( ansible_architecture == "aarch64" ) - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" tags: - CCE-88436-1 - audit_rules_kernel_module_loading_create - configure_strategy - low_complexity - low_disruption - medium_severity - no_reboot_needed - name: Ensure auditd Collects Information on Kernel Module Unloading - create_module - Perform remediation of Audit rules for ['create_module'] for 32bit platform block: - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - create_module syscall_grouping: - create_module - delete_module - finit_module - init_module - query_module - name: Check existence of create_module in /etc/audit/rules.d/ ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - 
name: Reset syscalls found per file ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" - name: Count occurrences of syscalls in paths ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/modules.rules ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/modules.rules" when: found_paths | length == 0 - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} 
ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=modules create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - create_module syscall_grouping: - create_module - delete_module - finit_module - init_module - query_module - name: Check existence of create_module in /etc/audit/audit.rules ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=modules create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 when: - audit_rules_kernel_module_loading_create | bool - configure_strategy | bool - low_complexity | bool - low_disruption | bool 
- medium_severity | bool - no_reboot_needed | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - not ( ansible_architecture == "aarch64" ) tags: - CCE-88436-1 - audit_rules_kernel_module_loading_create - configure_strategy - low_complexity - low_disruption - medium_severity - no_reboot_needed - name: Ensure auditd Collects Information on Kernel Module Unloading - create_module - Perform remediation of Audit rules for ['create_module'] for 64bit platform block: - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - create_module syscall_grouping: - create_module - delete_module - finit_module - init_module - query_module - name: Check existence of create_module in /etc/audit/rules.d/ ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" - name: Count occurrences of syscalls in paths ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') 
| last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/modules.rules ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/modules.rules" when: found_paths | length == 0 - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=modules create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - create_module syscall_grouping: - create_module - delete_module - finit_module - init_module - query_module - name: Check existence of create_module in /etc/audit/audit.rules ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | 
map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=modules create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 when: - audit_rules_kernel_module_loading_create | bool - configure_strategy | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - not ( ansible_architecture == "aarch64" ) - audit_arch == "b64" tags: - CCE-88436-1 - audit_rules_kernel_module_loading_create - configure_strategy - low_complexity - low_disruption - medium_severity - no_reboot_needed - name: Ensure auditd Collects Information on Kernel Module Unloading - delete_module - Set architecture for audit ['delete_module'] tasks ansible.builtin.set_fact: audit_arch: b64 when: - DISA_STIG_RHEL_09_654075 | bool - audit_rules_kernel_module_loading_delete | bool - configure_strategy | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or 
ansible_architecture == "x86_64" tags: - CCE-83802-9 - DISA-STIG-RHEL-09-654075 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.7 - audit_rules_kernel_module_loading_delete - configure_strategy - low_complexity - low_disruption - medium_severity - no_reboot_needed - name: Ensure auditd Collects Information on Kernel Module Unloading - delete_module - Perform remediation of Audit rules for ['delete_module'] for 32bit platform block: - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - delete_module syscall_grouping: - create_module - delete_module - finit_module - init_module - query_module - name: Check existence of delete_module in /etc/audit/rules.d/ ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" - name: Count occurrences of syscalls in paths ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | 
sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/modules.rules ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/modules.rules" when: found_paths | length == 0 - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=modules create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - delete_module syscall_grouping: - create_module - delete_module - finit_module - init_module - query_module - name: Check existence of delete_module in /etc/audit/audit.rules ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | 
selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=modules create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 when: - DISA_STIG_RHEL_09_654075 | bool - audit_rules_kernel_module_loading_delete | bool - configure_strategy | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' tags: - CCE-83802-9 - DISA-STIG-RHEL-09-654075 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.7 - audit_rules_kernel_module_loading_delete - configure_strategy - low_complexity - low_disruption - medium_severity - no_reboot_needed - name: Ensure auditd Collects Information on Kernel Module Unloading - delete_module - Perform remediation of Audit rules for ['delete_module'] for 64bit platform block: - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - delete_module syscall_grouping: - create_module - delete_module - finit_module - init_module - query_module - name: Check existence of delete_module in /etc/audit/rules.d/ ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit 
-F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" - name: Count occurrences of syscalls in paths ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/modules.rules ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/modules.rules" when: found_paths | length == 0 - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ 
missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=modules create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - delete_module syscall_grouping: - create_module - delete_module - finit_module - init_module - query_module - name: Check existence of delete_module in /etc/audit/audit.rules ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=modules create: true 
# NOTE(review): tail of the "Add the audit rule to {{ audit_file }}" task that
# follows "Set path to /etc/audit/audit.rules" for the delete_module 64-bit
# block. Where augenrules regenerates /etc/audit/audit.rules from rules.d on
# load, a line written here may be overwritten; the rules.d write earlier in
# the block is presumably the durable one — confirm for the target hosts.
      mode: g-rwx,o-rwx
      state: present
    when: syscalls_found | length == 0
  # The whole 64-bit block is gated on audit_arch, which only the preceding
  # "Set architecture" task assigns (and only for its listed architectures).
  # NOTE(review): on an architecture outside that list audit_arch is undefined
  # here, so this condition most likely errors instead of skipping — confirm.
  when:
  - DISA_STIG_RHEL_09_654075 | bool
  - audit_rules_kernel_module_loading_delete | bool
  - configure_strategy | bool
  - low_complexity | bool
  - low_disruption | bool
  - medium_severity | bool
  - no_reboot_needed | bool
  - '"audit" in ansible_facts.packages'
  - '"kernel-core" in ansible_facts.packages'
  - audit_arch == "b64"
  tags:
  - CCE-83802-9
  - DISA-STIG-RHEL-09-654075
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.7
  - audit_rules_kernel_module_loading_delete
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
# Records the audit architecture (b64) that the finit_module 64-bit remediation
# block later in this file keys on via `audit_arch == "b64"`. It is set only on
# the architectures listed in the last condition; the 32-bit block that follows
# carries no audit_arch condition at all.
# NOTE(review): unlike the create_module task earlier in this file, finit_module
# is not excluded on aarch64 — presumably because the syscall exists there;
# verify against the target kernel's syscall table.
- name: Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module - Set architecture for audit ['finit_module'] tasks
  ansible.builtin.set_fact:
    audit_arch: b64
  when:
  - DISA_STIG_RHEL_09_654080 | bool
  - audit_rules_kernel_module_loading_finit | bool
  - configure_strategy | bool
  - low_complexity | bool
  - low_disruption | bool
  - medium_severity | bool
  - no_reboot_needed | bool
  - '"audit" in ansible_facts.packages'
  - '"kernel-core" in ansible_facts.packages'
  - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
  tags:
  - CCE-83803-7
  - DISA-STIG-RHEL-09-654080
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.7
  - audit_rules_kernel_module_loading_finit
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
# Writes an `-a always,exit -F arch=b32 ... -F key=modules` rule for
# finit_module into rules.d (or into an existing rule line that already covers
# one of the grouped module syscalls), then repeats for /etc/audit/audit.rules.
# NOTE(review): every task in this block only edits rule text on disk (mode
# g-rwx,o-rwx). No task visible in this part of the file runs
# `augenrules --load` or restarts auditd, so the rule is not active in the
# kernel until that is done separately, despite the no_reboot_needed tag.
- name: Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module - Perform remediation of Audit rules for ['finit_module'] for 32bit platform
  block:
  - name: Declare list of syscalls
    ansible.builtin.set_fact:
      syscalls:
      - finit_module
      syscall_grouping:
      - create_module
      - delete_module
      -
finit_module - init_module - query_module - name: Check existence of finit_module in /etc/audit/rules.d/ ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" - name: Count occurrences of syscalls in paths ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/modules.rules ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/modules.rules" when: found_paths | length == 0 - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit 
-F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=modules create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - finit_module syscall_grouping: - create_module - delete_module - finit_module - init_module - query_module - name: Check existence of finit_module in /etc/audit/audit.rules ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} 
ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=modules create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 when: - DISA_STIG_RHEL_09_654080 | bool - audit_rules_kernel_module_loading_finit | bool - configure_strategy | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' tags: - CCE-83803-7 - DISA-STIG-RHEL-09-654080 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.7 - audit_rules_kernel_module_loading_finit - configure_strategy - low_complexity - low_disruption - medium_severity - no_reboot_needed - name: Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module - Perform remediation of Audit rules for ['finit_module'] for 64bit platform block: - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - finit_module syscall_grouping: - create_module - delete_module - finit_module - init_module - query_module - name: Check existence of finit_module in /etc/audit/rules.d/ ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found 
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" - name: Count occurrences of syscalls in paths ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/modules.rules ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/modules.rules" when: found_paths | length == 0 - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=modules create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - finit_module syscall_grouping: - create_module - delete_module - finit_module - init_module - query_module - name: Check existence of 
finit_module in /etc/audit/audit.rules ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=modules create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 when: - DISA_STIG_RHEL_09_654080 | bool - audit_rules_kernel_module_loading_finit | bool - configure_strategy | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - audit_arch == "b64" tags: - CCE-83803-7 - DISA-STIG-RHEL-09-654080 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.7 - audit_rules_kernel_module_loading_finit - configure_strategy - low_complexity - 
# (tail of the finit_module 64-bit block's tag list)
  - low_disruption
  - medium_severity
  - no_reboot_needed
# Records the audit architecture (b64) that the init_module 64-bit remediation
# block later in this file keys on via `audit_arch == "b64"`. Only the
# architectures in the last condition set it; the 32-bit block directly below
# has no audit_arch condition, so its arch=b32 rule is installed on 64-bit
# hosts too (presumably to cover 32-bit compat syscalls — confirm intent).
# NOTE(review): this task and the finit_module task share STIG ID
# RHEL-09-654080 but carry different CCE identifiers; confirm both are the
# intended references before reporting compliance by tag.
- name: Ensure auditd Collects Information on Kernel Module Loading - init_module - Set architecture for audit ['init_module'] tasks
  ansible.builtin.set_fact:
    audit_arch: b64
  when:
  - DISA_STIG_RHEL_09_654080 | bool
  - audit_rules_kernel_module_loading_init | bool
  - configure_strategy | bool
  - low_complexity | bool
  - low_disruption | bool
  - medium_severity | bool
  - no_reboot_needed | bool
  - '"audit" in ansible_facts.packages'
  - '"kernel-core" in ansible_facts.packages'
  - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
  tags:
  - CCE-90835-0
  - DISA-STIG-RHEL-09-654080
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.7
  - audit_rules_kernel_module_loading_init
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
# Installs (or extends) an `-a always,exit -F arch=b32 ... -F key=modules` rule
# covering init_module. The find below decides what counts as "already
# present": only a rule line ending in exactly
# `-F auid>=1000 -F auid!=unset` plus a `-k`/`-F key=` value matches, so an
# existing rule with a different auid filter is not recognised and a second
# rule is added rather than the existing one being edited.
# NOTE(review): nothing visible in this part of the file reloads the rules
# (`augenrules --load`) after they are written, so they are not active in the
# kernel until that happens despite the no_reboot_needed tag.
- name: Ensure auditd Collects Information on Kernel Module Loading - init_module - Perform remediation of Audit rules for ['init_module'] for 32bit platform
  block:
  - name: Declare list of syscalls
    ansible.builtin.set_fact:
      syscalls:
      - init_module
      syscall_grouping:
      - create_module
      - delete_module
      - finit_module
      - init_module
      - query_module
  # One find per grouped syscall; `matched` on each result is what later marks
  # a syscall as found, and `files` gives the rules.d files that contain it.
  - name: Check existence of init_module in /etc/audit/rules.d/
    ansible.builtin.find:
      paths: /etc/audit/rules.d
      contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
      patterns: '*.rules'
    register: find_command
    loop: '{{ (syscall_grouping + syscalls) | unique }}'
  # Reset per-block so leftovers from an earlier syscall's block cannot leak in.
  - name: Reset syscalls found per file
    ansible.builtin.set_fact:
      syscalls_per_file: {}
      found_paths_dict: {}
  # NOTE(review): only files[0] is credited per syscall, so a syscall present in
  # several rules.d files is attributed to one of them only; TODO confirm the
  # later per-file lookup tolerates that case.
  - name: Declare syscalls found per file
    ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] +
syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" - name: Count occurrences of syscalls in paths ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/modules.rules ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/modules.rules" when: found_paths | length == 0 - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=modules create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 - name: Declare list of syscalls 
ansible.builtin.set_fact: syscalls: - init_module syscall_grouping: - create_module - delete_module - finit_module - init_module - query_module - name: Check existence of init_module in /etc/audit/audit.rules ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=modules create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 when: - DISA_STIG_RHEL_09_654080 | bool - audit_rules_kernel_module_loading_init | bool - configure_strategy | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' tags: - CCE-90835-0 - DISA-STIG-RHEL-09-654080 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) 
- NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.7 - audit_rules_kernel_module_loading_init - configure_strategy - low_complexity - low_disruption - medium_severity - no_reboot_needed - name: Ensure auditd Collects Information on Kernel Module Loading - init_module - Perform remediation of Audit rules for ['init_module'] for 64bit platform block: - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - init_module syscall_grouping: - create_module - delete_module - finit_module - init_module - query_module - name: Check existence of init_module in /etc/audit/rules.d/ ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" - name: Count occurrences of syscalls in paths ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/modules.rules 
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/modules.rules" when: found_paths | length == 0 - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=modules create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - init_module syscall_grouping: - create_module - delete_module - finit_module - init_module - query_module - name: Check existence of init_module in /etc/audit/audit.rules ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | 
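difference(syscalls_found) }}"
  # Remaining steps of the 64-bit init_module remediation (block header is
  # above this point).  An existing b64 rule that already lists some of the
  # grouped syscalls is extended in place; otherwise a fresh rule is appended.
  - name: Replace the audit rule in {{ audit_file }}
    ansible.builtin.lineinfile:
      path: '{{ audit_file }}'
      # Group 1: rule prefix, group 2: the existing "-S ..." list, group 4: the
      # auid filter and key.  With backrefs=true an unmatched regexp leaves the
      # file untouched, so this task only ever edits a rule that is present.
      regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
      line: \1\2\3{{ missing_syscalls | join("\3") }}\4
      backrefs: true
      state: present
      # Rule files must not be readable by group/other.
      mode: g-rwx,o-rwx
    when: syscalls_found | length > 0 and missing_syscalls | length > 0
  - name: Add the audit rule to {{ audit_file }}
    ansible.builtin.lineinfile:
      path: '{{ audit_file }}'
      # auid>=1000 / auid!=unset: only record calls from real logged-in users,
      # not from daemons or system accounts.
      line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=modules
      create: true
      mode: g-rwx,o-rwx
      state: present
    when: syscalls_found | length == 0
  when:
  - DISA_STIG_RHEL_09_654080 | bool
  - audit_rules_kernel_module_loading_init | bool
  - configure_strategy | bool
  - low_complexity | bool
  - low_disruption | bool
  - medium_severity | bool
  - no_reboot_needed | bool
  - '"audit" in ansible_facts.packages'
  - '"kernel-core" in ansible_facts.packages'
  - audit_arch == "b64"
  tags:
  - CCE-90835-0
  - DISA-STIG-RHEL-09-654080
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.7
  - audit_rules_kernel_module_loading_init
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

# query_module: decide whether 64-bit (arch=b64) rules are needed in addition
# to the 32-bit ones.  The two architecture conditions together reduce to
# ppc64 / ppc64le / s390x / x86_64; aarch64 hosts are excluded here and by
# both remediation blocks below.
- name: Ensure auditd Collects Information on Kernel Module Loading and Unloading - query_module - Set architecture for audit ['query_module'] tasks
  ansible.builtin.set_fact:
    audit_arch: b64
  when:
  - audit_rules_kernel_module_loading_query | bool
  - configure_strategy | bool
  - low_complexity | bool
  - low_disruption | bool
  - medium_severity | bool
  - no_reboot_needed | bool
  - '"audit" in ansible_facts.packages'
  - '"kernel-core" in ansible_facts.packages'
  - not ( ansible_architecture == "aarch64" )
  - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
  tags:
  - CCE-88749-7
  - audit_rules_kernel_module_loading_query
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

# query_module, 32-bit rules.  Procedure (repeated once for /etc/audit/rules.d
# and once for the auditctl-format /etc/audit/audit.rules):
#   1. probe every syscall of the kernel-module group, not just query_module,
#      so that a rule already covering the group can be reused;
#   2. choose the rules.d file that holds the most of those syscalls;
#   3. extend that rule with the missing syscalls, or append a new rule.
- name: Ensure auditd Collects Information on Kernel Module Loading and Unloading - query_module - Perform remediation of Audit rules for ['query_module'] for 32bit platform
  block:
  - name: Declare list of syscalls
    ansible.builtin.set_fact:
      syscalls:
      - query_module
      syscall_grouping:
      - create_module
      - delete_module
      - finit_module
      - init_module
      - query_module
  - name: Check existence of query_module in /etc/audit/rules.d/
    ansible.builtin.find:
      paths: /etc/audit/rules.d
      # NOTE(review): the pattern has no leading ^; it relies on find's
      # per-line matching being anchored at line start, otherwise a
      # commented-out rule would count as present — confirm for the
      # Ansible version in use.
      contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
      patterns: '*.rules'
    register: find_command
    loop: '{{ (syscall_grouping + syscalls) | unique }}'
  - name: Reset syscalls found per file
    ansible.builtin.set_fact:
      syscalls_per_file: {}
      found_paths_dict: {}
  - name: Declare syscalls found per file
    ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
    loop: '{{ find_command.results | selectattr(''matched'') | list }}'
  - name: Declare files where syscalls were found
    ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}"
  - name: Count occurrences of syscalls in paths
    ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
    loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'
  - name: Get path with most syscalls
    ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
    when: found_paths | length >= 1
  - name: No file with syscall found, set path to /etc/audit/rules.d/modules.rules
    ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/modules.rules"
    when: found_paths | length == 0
  - name: Declare found syscalls
    ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"
  - name: Declare missing syscalls
    ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
  - name: Replace the audit rule in {{ audit_file }}
    ansible.builtin.lineinfile:
      path: '{{ audit_file }}'
      regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
      line: \1\2\3{{ missing_syscalls | join("\3") }}\4
      backrefs: true
      state: present
      mode: g-rwx,o-rwx
    when: syscalls_found | length > 0 and missing_syscalls | length > 0
  - name: Add the audit rule to {{ audit_file }}
    ansible.builtin.lineinfile:
      path: '{{ audit_file }}'
      line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=modules
      create: true
      mode: g-rwx,o-rwx
      state: present
    when: syscalls_found | length == 0
  # Same procedure against the single auditctl-format file.
  - name: Declare list of syscalls
    ansible.builtin.set_fact:
      syscalls:
      - query_module
      syscall_grouping:
      - create_module
      - delete_module
      - finit_module
      - init_module
      - query_module
  - name: Check existence of query_module in /etc/audit/audit.rules
    ansible.builtin.find:
      paths: /etc/audit
      contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
      patterns: audit.rules
    register: find_command
    loop: '{{ (syscall_grouping + syscalls) | unique }}'
  - name: Set path to /etc/audit/audit.rules
    ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
  - name: Declare found syscalls
    ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"
  - name: Declare missing syscalls
    ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
  - name: Replace the audit rule in {{ audit_file }}
    ansible.builtin.lineinfile:
      path: '{{ audit_file }}'
      regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
      line: \1\2\3{{ missing_syscalls | join("\3") }}\4
      backrefs: true
      state: present
      mode: g-rwx,o-rwx
    when: syscalls_found | length > 0 and missing_syscalls | length > 0
  - name: Add the audit rule to {{ audit_file }}
    ansible.builtin.lineinfile:
      path: '{{ audit_file }}'
      line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=modules
      create: true
      mode: g-rwx,o-rwx
      state: present
    when: syscalls_found | length == 0
  when:
  - audit_rules_kernel_module_loading_query | bool
  - configure_strategy | bool
  - low_complexity | bool
  - low_disruption | bool
  - medium_severity | bool
  - no_reboot_needed | bool
  - '"audit" in ansible_facts.packages'
  - '"kernel-core" in ansible_facts.packages'
  - not ( ansible_architecture == "aarch64" )
  tags:
  - CCE-88749-7
  - audit_rules_kernel_module_loading_query
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

# query_module, 64-bit rules.  Identical to the 32-bit block apart from
# arch=b64 and the extra audit_arch guard.  The guard is listed after the
# aarch64 exclusion; this presumably relies on when-list items being
# evaluated in order so that an unset audit_arch is never referenced —
# confirm against the Ansible version in use.
- name: Ensure auditd Collects Information on Kernel Module Loading and Unloading - query_module - Perform remediation of Audit rules for ['query_module'] for 64bit platform
  block:
  - name: Declare list of syscalls
    ansible.builtin.set_fact:
      syscalls:
      - query_module
      syscall_grouping:
      - create_module
      - delete_module
      - finit_module
      - init_module
      - query_module
  - name: Check existence of query_module in /etc/audit/rules.d/
    ansible.builtin.find:
      paths: /etc/audit/rules.d
      contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
      patterns: '*.rules'
    register: find_command
    loop: '{{ (syscall_grouping + syscalls) | unique }}'
  - name: Reset syscalls found per file
    ansible.builtin.set_fact:
      syscalls_per_file: {}
      found_paths_dict: {}
  - name: Declare syscalls found per file
    ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
    loop: '{{ find_command.results | selectattr(''matched'') | list }}'
  - name: Declare files where syscalls were found
    ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}"
  - name: Count occurrences of syscalls in paths
    ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
    loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'
  - name: Get path with most syscalls
    ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
    when: found_paths | length >= 1
  - name: No file with syscall found, set path to /etc/audit/rules.d/modules.rules
    ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/modules.rules"
    when: found_paths | length == 0
  - name: Declare found syscalls
    ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"
  - name: Declare missing syscalls
    ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
  - name: Replace the audit rule in {{ audit_file }}
    ansible.builtin.lineinfile:
      path: '{{ audit_file }}'
      regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
      line: \1\2\3{{ missing_syscalls | join("\3") }}\4
      backrefs: true
      state: present
      mode: g-rwx,o-rwx
    when: syscalls_found | length > 0 and missing_syscalls | length > 0
  - name: Add the audit rule to {{ audit_file }}
    ansible.builtin.lineinfile:
      path: '{{ audit_file }}'
      line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=modules
      create: true
      mode: g-rwx,o-rwx
      state: present
    when: syscalls_found | length == 0
  - name: Declare list of syscalls
    ansible.builtin.set_fact:
      syscalls:
      - query_module
      syscall_grouping:
      - create_module
      - delete_module
      - finit_module
      - init_module
      - query_module
  - name: Check existence of query_module in /etc/audit/audit.rules
    ansible.builtin.find:
      paths: /etc/audit
      contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
      patterns: audit.rules
    register: find_command
    loop: '{{ (syscall_grouping + syscalls) | unique }}'
  - name: Set path to /etc/audit/audit.rules
    ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
  - name: Declare found syscalls
    ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"
  - name: Declare missing syscalls
    ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
  - name: Replace the audit rule in {{ audit_file }}
    ansible.builtin.lineinfile:
      path: '{{ audit_file }}'
      regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
      line: \1\2\3{{ missing_syscalls | join("\3") }}\4
      backrefs: true
      state: present
      mode: g-rwx,o-rwx
    when: syscalls_found | length > 0 and missing_syscalls | length > 0
  - name: Add the audit rule to {{ audit_file }}
    ansible.builtin.lineinfile:
      path: '{{ audit_file }}'
      line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=modules
      create: true
      mode: g-rwx,o-rwx
      state: present
    when: syscalls_found | length == 0
  when:
  - audit_rules_kernel_module_loading_query | bool
  - configure_strategy | bool
  - low_complexity | bool
  - low_disruption | bool
  - medium_severity | bool
  - no_reboot_needed | bool
  - '"audit" in ansible_facts.packages'
  - '"kernel-core" in ansible_facts.packages'
  - not ( ansible_architecture == "aarch64" )
  - audit_arch == "b64"
  tags:
  - CCE-88749-7
  - audit_rules_kernel_module_loading_query
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

# faillock watch rule.  File selection for rules.d, in order:
#   - a watch on the faillock directory already exists -> nothing to add;
#   - some rules.d file already carries the "logins" key -> append there;
#   - otherwise create /etc/audit/rules.d/logins.rules.
# The same watch is then ensured in the auditctl-format /etc/audit/audit.rules.
# The directory comes from a variable, so it is regex-escaped wherever it is
# interpolated into a pattern; for plain paths the match is unchanged.
- name: Record Attempts to Alter Logon and Logout Events - faillock - Check if watch rule for {{ var_accounts_passwords_pam_faillock_dir }} already exists in /etc/audit/rules.d/
  ansible.builtin.find:
    paths: /etc/audit/rules.d
    contains: ^\s*-w\s+{{ var_accounts_passwords_pam_faillock_dir | regex_escape() }}\s+-p\s+wa(\s|$)+
    patterns: '*.rules'
  register: find_existing_watch_rules_d
  when:
  - DISA_STIG_RHEL_09_654250 | bool
  - audit_rules_login_events_faillock | bool
  - low_complexity | bool
  - low_disruption | bool
  - medium_severity | bool
  - no_reboot_needed | bool
  - restrict_strategy | bool
  - '"audit" in ansible_facts.packages'
  - '"kernel-core" in ansible_facts.packages'
  tags:
  - CCE-83783-1
  - DISA-STIG-RHEL-09-654250
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.3
  - PCI-DSSv4-10.2
  - PCI-DSSv4-10.2.1
  - PCI-DSSv4-10.2.1.3
  - audit_rules_login_events_faillock
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Record Attempts to Alter Logon and Logout Events - faillock - Search /etc/audit/rules.d for other rules with specified key logins
  ansible.builtin.find:
    paths: /etc/audit/rules.d
    # Both key spellings (-k logins / -F key=logins) are accepted.
    contains: ^.*(?:-F key=|-k\s+)logins$
    patterns: '*.rules'
  register: find_watch_key
  when:
  - DISA_STIG_RHEL_09_654250 | bool
  - audit_rules_login_events_faillock | bool
  - low_complexity | bool
  - low_disruption | bool
  - medium_severity | bool
  - no_reboot_needed | bool
  - restrict_strategy | bool
  - '"audit" in ansible_facts.packages'
  - '"kernel-core" in ansible_facts.packages'
  - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
  tags:
  - CCE-83783-1
  - DISA-STIG-RHEL-09-654250
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.3
  - PCI-DSSv4-10.2
  - PCI-DSSv4-10.2.1
  - PCI-DSSv4-10.2.1.3
  - audit_rules_login_events_faillock
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Record Attempts to Alter Logon and Logout Events - faillock - Use /etc/audit/rules.d/logins.rules as the recipient for the rule
  ansible.builtin.set_fact:
    all_files:
    - /etc/audit/rules.d/logins.rules
  when:
  - DISA_STIG_RHEL_09_654250 | bool
  - audit_rules_login_events_faillock | bool
  - low_complexity | bool
  - low_disruption | bool
  - medium_severity | bool
  - no_reboot_needed | bool
  - restrict_strategy | bool
  - '"audit" in ansible_facts.packages'
  - '"kernel-core" in ansible_facts.packages'
  - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
  tags:
  - CCE-83783-1
  - DISA-STIG-RHEL-09-654250
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.3
  - PCI-DSSv4-10.2
  - PCI-DSSv4-10.2.1
  - PCI-DSSv4-10.2.1.3
  - audit_rules_login_events_faillock
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Record Attempts to Alter Logon and Logout Events - faillock - Use matched file as the recipient for the rule
  ansible.builtin.set_fact:
    # Only the first file carrying the key is used as the recipient.
    all_files:
    - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
  when:
  - DISA_STIG_RHEL_09_654250 | bool
  - audit_rules_login_events_faillock | bool
  - low_complexity | bool
  - low_disruption | bool
  - medium_severity | bool
  - no_reboot_needed | bool
  - restrict_strategy | bool
  - '"audit" in ansible_facts.packages'
  - '"kernel-core" in ansible_facts.packages'
  - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
  tags:
  - CCE-83783-1
  - DISA-STIG-RHEL-09-654250
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.3
  - PCI-DSSv4-10.2
  - PCI-DSSv4-10.2.1
  - PCI-DSSv4-10.2.1.3
  - audit_rules_login_events_faillock
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Record Attempts to Alter Logon and Logout Events - faillock - Add watch rule for {{ var_accounts_passwords_pam_faillock_dir }} in /etc/audit/rules.d/
  ansible.builtin.lineinfile:
    path: '{{ all_files[0] }}'
    # -p wa: log writes and attribute changes on the faillock directory.
    line: -w {{ var_accounts_passwords_pam_faillock_dir }} -p wa -k logins
    create: true
    mode: '0600'
  when:
  - DISA_STIG_RHEL_09_654250 | bool
  - audit_rules_login_events_faillock | bool
  - low_complexity | bool
  - low_disruption | bool
  - medium_severity | bool
  - no_reboot_needed | bool
  - restrict_strategy | bool
  - '"audit" in ansible_facts.packages'
  - '"kernel-core" in ansible_facts.packages'
  - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
  tags:
  - CCE-83783-1
  - DISA-STIG-RHEL-09-654250
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.3
  - PCI-DSSv4-10.2
  - PCI-DSSv4-10.2.1
  - PCI-DSSv4-10.2.1.3
  - audit_rules_login_events_faillock
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Record Attempts to Alter Logon and Logout Events - faillock - Check if watch rule for {{ var_accounts_passwords_pam_faillock_dir }} already exists in /etc/audit/audit.rules
  ansible.builtin.find:
    paths: /etc/audit/
    contains: ^\s*-w\s+{{ var_accounts_passwords_pam_faillock_dir | regex_escape() }}\s+-p\s+wa(\s|$)+
    patterns: audit.rules
  register: find_existing_watch_audit_rules
  when:
  - DISA_STIG_RHEL_09_654250 | bool
  - audit_rules_login_events_faillock | bool
  - low_complexity | bool
  - low_disruption | bool
  - medium_severity | bool
  - no_reboot_needed | bool
  - restrict_strategy | bool
  - '"audit" in ansible_facts.packages'
  - '"kernel-core" in ansible_facts.packages'
  tags:
  - CCE-83783-1
  - DISA-STIG-RHEL-09-654250
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.3
  - PCI-DSSv4-10.2
  - PCI-DSSv4-10.2.1
  - PCI-DSSv4-10.2.1.3
  - audit_rules_login_events_faillock
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Record Attempts to Alter Logon and Logout Events - faillock - Add watch rule for {{ var_accounts_passwords_pam_faillock_dir }} in /etc/audit/audit.rules
  ansible.builtin.lineinfile:
    line: -w {{ var_accounts_passwords_pam_faillock_dir }} -p wa -k logins
    state: present
    dest: /etc/audit/audit.rules
    create: true
    mode: '0600'
  when:
  - DISA_STIG_RHEL_09_654250 | bool
  - audit_rules_login_events_faillock | bool
  - low_complexity | bool
  - low_disruption | bool
  - medium_severity | bool
  - no_reboot_needed | bool
  - restrict_strategy | bool
  - '"audit" in ansible_facts.packages'
  - '"kernel-core" in ansible_facts.packages'
  - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0
  tags:
  - CCE-83783-1
  - DISA-STIG-RHEL-09-654250
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.3
  - PCI-DSSv4-10.2
  - PCI-DSSv4-10.2.1
  - PCI-DSSv4-10.2.1.3
  - audit_rules_login_events_faillock
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

# lastlog watch rule: same seven-step procedure as for faillock, with a fixed
# path (/var/log/lastlog) and the lastlog STIG/CCE identifiers.  The
# find_existing_watch_* / find_watch_key registers are reused, which is safe
# because the tasks run strictly in sequence.
- name: Record Attempts to Alter Logon and Logout Events - lastlog - Check if watch rule for /var/log/lastlog already exists in /etc/audit/rules.d/
  ansible.builtin.find:
    paths: /etc/audit/rules.d
    contains: ^\s*-w\s+/var/log/lastlog\s+-p\s+wa(\s|$)+
    patterns: '*.rules'
  register: find_existing_watch_rules_d
  when:
  - DISA_STIG_RHEL_09_654255 | bool
  - audit_rules_login_events_lastlog | bool
  - low_complexity | bool
  - low_disruption | bool
  - medium_severity | bool
  - no_reboot_needed | bool
  - restrict_strategy | bool
  - '"audit" in ansible_facts.packages'
  - '"kernel-core" in ansible_facts.packages'
  tags:
  - CCE-83785-6
  - DISA-STIG-RHEL-09-654255
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.3
  - PCI-DSSv4-10.2
  - PCI-DSSv4-10.2.1
  - PCI-DSSv4-10.2.1.3
  - audit_rules_login_events_lastlog
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Record Attempts to Alter Logon and Logout Events - lastlog - Search /etc/audit/rules.d for other rules with specified key logins
  ansible.builtin.find:
    paths: /etc/audit/rules.d
    contains: ^.*(?:-F key=|-k\s+)logins$
    patterns: '*.rules'
  register: find_watch_key
  when:
  - DISA_STIG_RHEL_09_654255 | bool
  - audit_rules_login_events_lastlog | bool
  - low_complexity | bool
  - low_disruption | bool
  - medium_severity | bool
  - no_reboot_needed | bool
  - restrict_strategy | bool
  - '"audit" in ansible_facts.packages'
  - '"kernel-core" in ansible_facts.packages'
  - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
  tags:
  - CCE-83785-6
  - DISA-STIG-RHEL-09-654255
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.3
  - PCI-DSSv4-10.2
  - PCI-DSSv4-10.2.1
  - PCI-DSSv4-10.2.1.3
  - audit_rules_login_events_lastlog
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Record Attempts to Alter Logon and Logout Events - lastlog - Use /etc/audit/rules.d/logins.rules as the recipient for the rule
  ansible.builtin.set_fact:
    all_files:
    - /etc/audit/rules.d/logins.rules
  when:
  - DISA_STIG_RHEL_09_654255 | bool
  - audit_rules_login_events_lastlog | bool
  - low_complexity | bool
  - low_disruption | bool
  - medium_severity | bool
  - no_reboot_needed | bool
  - restrict_strategy | bool
  - '"audit" in ansible_facts.packages'
  - '"kernel-core" in ansible_facts.packages'
  - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
  tags:
  - CCE-83785-6
  - DISA-STIG-RHEL-09-654255
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.3
  - PCI-DSSv4-10.2
  - PCI-DSSv4-10.2.1
  - PCI-DSSv4-10.2.1.3
  - audit_rules_login_events_lastlog
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Record Attempts to Alter Logon and Logout Events - lastlog - Use matched file as the recipient for the rule
  ansible.builtin.set_fact:
    all_files:
    - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
  when:
  - DISA_STIG_RHEL_09_654255 | bool
  - audit_rules_login_events_lastlog | bool
  - low_complexity | bool
  - low_disruption | bool
  - medium_severity | bool
  - no_reboot_needed | bool
  - restrict_strategy | bool
  - '"audit" in ansible_facts.packages'
  - '"kernel-core" in ansible_facts.packages'
  - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
  tags:
  - CCE-83785-6
  - DISA-STIG-RHEL-09-654255
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.3
  - PCI-DSSv4-10.2
  - PCI-DSSv4-10.2.1
  - PCI-DSSv4-10.2.1.3
  - audit_rules_login_events_lastlog
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Record Attempts to Alter Logon and Logout Events - lastlog - Add watch rule for /var/log/lastlog in /etc/audit/rules.d/
  ansible.builtin.lineinfile:
    path: '{{ all_files[0] }}'
    line: -w /var/log/lastlog -p wa -k logins
    create: true
    mode: '0600'
  when:
  - DISA_STIG_RHEL_09_654255 | bool
  - audit_rules_login_events_lastlog | bool
  - low_complexity | bool
  - low_disruption | bool
  - medium_severity | bool
  - no_reboot_needed | bool
  - restrict_strategy | bool
  - '"audit" in ansible_facts.packages'
  - '"kernel-core" in ansible_facts.packages'
  - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
  tags:
  - CCE-83785-6
  - DISA-STIG-RHEL-09-654255
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.3
  - PCI-DSSv4-10.2
  - PCI-DSSv4-10.2.1
  - PCI-DSSv4-10.2.1.3
  - audit_rules_login_events_lastlog
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Record Attempts to Alter Logon and Logout Events - lastlog - Check if watch rule for /var/log/lastlog already exists in /etc/audit/audit.rules
  ansible.builtin.find:
    paths: /etc/audit/
    contains: ^\s*-w\s+/var/log/lastlog\s+-p\s+wa(\s|$)+
    patterns: audit.rules
  register: find_existing_watch_audit_rules
  when:
  - DISA_STIG_RHEL_09_654255 | bool
  - audit_rules_login_events_lastlog | bool
  - low_complexity | bool
  - low_disruption | bool
  - medium_severity | bool
  - no_reboot_needed | bool
  - restrict_strategy | bool
  - '"audit" in ansible_facts.packages'
  - '"kernel-core" in ansible_facts.packages'
  tags:
  - CCE-83785-6
  - DISA-STIG-RHEL-09-654255
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.3
  - PCI-DSSv4-10.2
  - PCI-DSSv4-10.2.1
  - PCI-DSSv4-10.2.1.3
  - audit_rules_login_events_lastlog
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Record Attempts to Alter Logon and Logout Events - lastlog - Add watch rule for /var/log/lastlog in /etc/audit/audit.rules
  ansible.builtin.lineinfile:
    line: -w /var/log/lastlog -p wa -k logins
    state: present
    dest: /etc/audit/audit.rules
    create: true
    mode: '0600'
  when:
  - DISA_STIG_RHEL_09_654255 | bool
  - audit_rules_login_events_lastlog | bool
  - low_complexity | bool
  - low_disruption | bool
  - medium_severity | bool
  - no_reboot_needed | bool
  - restrict_strategy | bool
  - '"audit" in ansible_facts.packages'
  - '"kernel-core" in ansible_facts.packages'
  - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0
  tags:
  - CCE-83785-6
  - DISA-STIG-RHEL-09-654255
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.3
  - PCI-DSSv4-10.2
  - PCI-DSSv4-10.2.1
  - PCI-DSSv4-10.2.1.3
  - audit_rules_login_events_lastlog
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

# Privileged commands.  Step 1: candidate mount points are those where setuid
# binaries can actually run — mounts with noexec or nosuid are dropped, as is
# /proc and everything beneath it.
- name: Ensure auditd Collects Information on the Use of Privileged Commands - Set List of Mount Points Which Permits Execution of Privileged Commands
  ansible.builtin.set_fact:
    privileged_mount_points: '{{ (ansible_facts.mounts | rejectattr(''options'', ''search'', ''noexec|nosuid'') | rejectattr(''mount'', ''match'', ''/proc($|/.*$)'') | map(attribute=''mount'') | list ) }}'
  when:
  - audit_rules_privileged_commands | bool
  - configure_strategy | bool
  - low_complexity | bool
  - low_disruption | bool
  - medium_severity | bool
  - no_reboot_needed | bool
  - '"audit" in ansible_facts.packages'
  - '"kernel-core" in ansible_facts.packages'
  tags:
  - CCE-83759-1
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-2(4)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.2
  - audit_rules_privileged_commands
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

# Step 2: enumerate setuid/setgid regular files (-perm /6000) on each
# candidate mount without crossing into other filesystems (-xdev).
- name: Ensure auditd Collects Information on the Use of Privileged Commands - Search for Privileged Commands in Eligible Mount Points
  ansible.builtin.shell:
    # The mount point is interpolated into a shell command line, so it is
    # shell-quoted: a mount path containing whitespace or shell metacharacters
    # would otherwise split into extra arguments.  Plain paths are unaffected.
    cmd: find {{ item | quote }} -xdev -perm /6000 -type f 2>/dev/null
  register: result_privileged_commands_search
  # Read-only probe; unreadable subtrees are ignored rather than aborting
  # the play, so partial results on a restricted mount are possible.
  changed_when: false
  failed_when: false
  with_items: '{{ privileged_mount_points }}'
  when:
  - audit_rules_privileged_commands | bool
  - configure_strategy | bool
  - low_complexity | bool
  - low_disruption | bool
  - medium_severity | bool
  - no_reboot_needed | bool
  - '"audit" in ansible_facts.packages'
  - '"kernel-core" in ansible_facts.packages'
  tags:
  - CCE-83759-1
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-2(4)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.2
  - audit_rules_privileged_commands
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

# Step 3: flatten the per-mount results into one list.  If no mount point was
# eligible the search is skipped entirely and privileged_commands stays
# undefined; the block below guards on that.
- name: Ensure auditd Collects Information on the Use of Privileged Commands - Set List of Privileged Commands Found in Eligible Mount Points
  ansible.builtin.set_fact:
    privileged_commands: '{{ privileged_commands | default([]) + item.stdout_lines }}'
  loop: '{{ result_privileged_commands_search.results }}'
  when:
  - audit_rules_privileged_commands | bool
  - configure_strategy | bool
  - low_complexity | bool
  - low_disruption | bool
  - medium_severity | bool
  - no_reboot_needed | bool
  - '"audit" in ansible_facts.packages'
  - '"kernel-core" in ansible_facts.packages'
  - item is not skipped
  tags:
  - CCE-83759-1
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-2(4)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.2
  - audit_rules_privileged_commands
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

# Step 4: one execution-watch rule per privileged binary, kept in exactly one
# rules.d file (privileged.rules) plus the auditctl-format audit.rules.
# Binary paths are regex-escaped everywhere they are used as a pattern, in
# line with the regexp of the first two tasks.  Rule files are created and
# kept without group/other access, as the other rule files in this play are.
- name: Ensure auditd Collects Information on the Use of Privileged Commands - Privileged Commands are Present in the System
  block:
  - name: Ensure auditd Collects Information on the Use of Privileged Commands - Ensure Rules for All Privileged Commands in augenrules Format
    ansible.builtin.lineinfile:
      path: /etc/audit/rules.d/privileged.rules
      line: -a always,exit -F path={{ item }} -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
      regexp: ^.*path={{ item | regex_escape() }} .*$
      create: true
      mode: g-rwx,o-rwx
    with_items:
    - '{{ privileged_commands }}'
  - name: Ensure auditd Collects Information on the Use of Privileged Commands - Ensure Rules for All Privileged Commands in auditctl Format
    ansible.builtin.lineinfile:
      path: /etc/audit/audit.rules
      line: -a always,exit -F path={{ item }} -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
      regexp: ^.*path={{ item | regex_escape() }} .*$
      create: true
      mode: g-rwx,o-rwx
    with_items:
    - '{{ privileged_commands }}'
  - name: Ensure auditd Collects Information on the Use of Privileged Commands - Search for Duplicated Rules in Other Files
    ansible.builtin.find:
      paths: /etc/audit/rules.d
      recurse: false
      contains: ^-a always,exit -F path={{ item | regex_escape() }} .*$
      patterns: '*.rules'
    with_items:
    - '{{ privileged_commands }}'
    register: result_augenrules_files
  - name: Ensure auditd Collects Information on the Use of Privileged Commands - Ensure Rules for Privileged Commands are Defined Only in One File
    ansible.builtin.lineinfile:
      path: '{{ item.1.path }}'
      # item.0.item is the binary path of the outer loop, item.1 one of the
      # files in which a rule for it was found.
      regexp: ^-a always,exit -F path={{ item.0.item | regex_escape() }} .*$
      state: absent
    with_subelements:
    - '{{ result_augenrules_files.results }}'
    - files
    when:
    - item.1.path != '/etc/audit/rules.d/privileged.rules'
  when:
  - audit_rules_privileged_commands | bool
  - configure_strategy | bool
  - low_complexity | bool
  - low_disruption | bool
  - medium_severity | bool
  - no_reboot_needed | bool
  - '"audit" in ansible_facts.packages'
  - '"kernel-core" in ansible_facts.packages'
  - privileged_commands is defined
  tags:
  - CCE-83759-1
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-2(4)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.2
  - audit_rules_privileged_commands
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

# /usr/bin/kmod is not setuid, so it is not picked up by the search above and
# gets its own path-based rule (-F path=... -F perm=x).  The syscall list is
# empty, which is why the "Check existence of ... in" task names have an empty
# slot and the generated line carries no "-S" clause.
# NOTE(review): with an empty loop the find task is skipped; the filters
# downstream assume find_command.results is still a list — confirm against
# the Ansible version in use.
- name: Ensure auditd Collects Information on the Use of Privileged Commands - kmod - Perform remediation of Audit rules for /usr/bin/kmod
  block:
  - name: Declare list of syscalls
    ansible.builtin.set_fact:
      syscalls: []
      syscall_grouping: []
  - name: Check existence of in /etc/audit/rules.d/
    ansible.builtin.find:
      paths: /etc/audit/rules.d
      contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
      patterns: '*.rules'
    register: find_command
    loop: '{{ (syscall_grouping + syscalls) | unique }}'
  - name: Reset syscalls found per file
    ansible.builtin.set_fact:
      syscalls_per_file: {}
      found_paths_dict: {}
  - name: Declare syscalls found per file
    ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
    loop: '{{ find_command.results | selectattr(''matched'') | list }}'
  - name: Declare files where syscalls were found
    ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}"
  - name: Count occurrences of syscalls in paths
    ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
    loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'
  - name: Get path with most syscalls
    ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
    when: found_paths | length >= 1
  - name: No file with syscall found, set path to /etc/audit/rules.d/privileged.rules
    ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/privileged.rules"
    when: found_paths | length == 0
  - name: Declare found syscalls
    ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"
  - name: Declare missing syscalls
    ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
  - name: Replace the audit rule in {{ audit_file }}
    ansible.builtin.lineinfile:
      path: '{{ audit_file }}'
      regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
      line: \1\2\3{{ missing_syscalls | join("\3") }}\4
      backrefs: true
      state: present
      mode: g-rwx,o-rwx
    when: syscalls_found | length > 0 and missing_syscalls | length > 0
  - name: Add the audit rule to {{ audit_file }}
    ansible.builtin.lineinfile:
      path: '{{ audit_file }}'
      # Exact-line match only: an equivalent rule written with "-k privileged"
      # would not be recognised and a second line would be appended.
      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
      create: true
      mode: g-rwx,o-rwx
      state: present
    when: syscalls_found | length == 0
  - name: Declare list of syscalls
    ansible.builtin.set_fact:
      syscalls: []
      syscall_grouping: []
  - name: Check existence of in /etc/audit/audit.rules
    ansible.builtin.find:
      paths: /etc/audit
      contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
      patterns: audit.rules
    register: find_command
    loop: '{{ (syscall_grouping + syscalls) | unique }}'
  - name: Set path to /etc/audit/audit.rules
    ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
  - name: Declare found syscalls
    ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"
  - name: Declare missing syscalls
    ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
  - name: Replace the audit rule in {{ audit_file }}
    ansible.builtin.lineinfile:
      path: '{{ audit_file }}'
      regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
      line: \1\2\3{{ missing_syscalls | join("\3") }}\4
      backrefs: true
      state: present
      mode: g-rwx,o-rwx
    when: syscalls_found | length > 0 and missing_syscalls | length > 0
  - name: Add the audit rule to {{ audit_file }}
    ansible.builtin.lineinfile:
      path: '{{ audit_file }}'
      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
      create: true
      mode: g-rwx,o-rwx
      state: present
    when: syscalls_found | length == 0
  when:
  - DISA_STIG_RHEL_09_654105 | bool
  - audit_rules_privileged_commands_kmod | bool
  - low_complexity | bool
  - low_disruption | bool
  - medium_severity | bool
  - no_reboot_needed | bool
  - restrict_strategy | bool
  - '"audit" in ansible_facts.packages'
  - '"kernel-core" in ansible_facts.packages'
  tags:
  - CCE-90262-7
  - DISA-STIG-RHEL-09-654105
  - NIST-800-53-AU-12(a)
  - NIST-800-53-AU-12.1(ii)
  - NIST-800-53-AU-12.1(iv)AU-12(c)
  - NIST-800-53-AU-3
  - NIST-800-53-AU-3.1
  - NIST-800-53-MA-4(1)(a)
  - audit_rules_privileged_commands_kmod
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

# /usr/sbin/usermod: same path-based rule procedure as for kmod (the block
# continues below this point).
- name: Ensure auditd Collects Information on the Use of Privileged Commands - usermod - Perform remediation of Audit rules for /usr/sbin/usermod
  block:
  - name: Declare list of syscalls
    ansible.builtin.set_fact:
      syscalls: []
      syscall_grouping: []
  - name: Check existence of in /etc/audit/rules.d/
    ansible.builtin.find:
      paths: /etc/audit/rules.d
      contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
      patterns: '*.rules'
    register: find_command
    loop: '{{ (syscall_grouping + syscalls) | unique }}'
  - name: Reset syscalls found per file
    ansible.builtin.set_fact:
      syscalls_per_file: {}
      found_paths_dict: {}
  - name: Declare syscalls found per file
    ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
    loop: '{{ find_command.results | selectattr(''matched'') | list }}'
  - name: Declare files where syscalls were found
    ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}"
  - name: Count occurrences of syscalls in paths
    ansible.builtin.set_fact: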
found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/privileged.rules ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/privileged.rules" when: found_paths | length == 0 - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: [] syscall_grouping: [] - name: Check existence of in /etc/audit/audit.rules ansible.builtin.find: paths: /etc/audit contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: 
audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 when: - DISA_STIG_RHEL_09_654175 | bool - audit_rules_privileged_commands_usermod | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' tags: - CCE-87212-7 - DISA-STIG-RHEL-09-654175 - audit_rules_privileged_commands_usermod - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Set architecture for audit tasks ansible.builtin.set_fact: audit_arch: b64 when: - audit_rules_time_adjtimex | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in 
ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" tags: - CCE-83840-9 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.4.2.b - PCI-DSSv4-10.6 - PCI-DSSv4-10.6.3 - audit_rules_time_adjtimex - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Perform remediation of Audit rules for adjtimex for 32bit platform block: - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - adjtimex syscall_grouping: - adjtimex - settimeofday - stime - name: Check existence of adjtimex in /etc/audit/rules.d/ ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" - name: Count occurrences of syscalls in paths ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls ansible.builtin.set_fact: 
audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/audit_time_rules.rules ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/audit_time_rules.rules" when: found_paths | length == 0 - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=audit_time_rules create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - adjtimex syscall_grouping: - adjtimex - settimeofday - stime - name: Check existence of adjtimex in /etc/audit/audit.rules ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - 
name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=audit_time_rules create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 when: - audit_rules_time_adjtimex | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' tags: - CCE-83840-9 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.4.2.b - PCI-DSSv4-10.6 - PCI-DSSv4-10.6.3 - audit_rules_time_adjtimex - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Perform remediation of Audit rules for adjtimex for 64bit platform block: - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - adjtimex syscall_grouping: - adjtimex - settimeofday - name: Check existence of adjtimex in /etc/audit/rules.d/ ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: 
Declare syscalls found per file ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" - name: Count occurrences of syscalls in paths ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/audit_time_rules.rules ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/audit_time_rules.rules" when: found_paths | length == 0 - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F key=audit_time_rules create: 
true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - adjtimex syscall_grouping: - adjtimex - settimeofday - stime - name: Check existence of adjtimex in /etc/audit/audit.rules ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F key=audit_time_rules create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 when: - audit_rules_time_adjtimex | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - audit_arch == "b64" tags: - CCE-83840-9 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - 
PCI-DSS-Req-10.4.2.b - PCI-DSSv4-10.6 - PCI-DSSv4-10.6.3 - audit_rules_time_adjtimex - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Set architecture for audit tasks ansible.builtin.set_fact: audit_arch: b64 when: - audit_rules_time_clock_settime | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" tags: - CCE-83837-5 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.4.2.b - PCI-DSSv4-10.6 - PCI-DSSv4-10.6.3 - audit_rules_time_clock_settime - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Perform remediation of Audit rules for clock_settime for 32bit platform block: - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - clock_settime syscall_grouping: [] - name: Check existence of clock_settime in /etc/audit/rules.d/ ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F a0=0x0 (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found ansible.builtin.set_fact: 
found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" - name: Count occurrences of syscalls in paths ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/time-change.rules ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/time-change.rules" when: found_paths | length == 0 - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F a0=0x0 (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a0=0x0 -F key=time-change create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - clock_settime syscall_grouping: [] - name: Check existence of clock_settime in /etc/audit/audit.rules ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b32(( -S 
|,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F a0=0x0 (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F a0=0x0 (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a0=0x0 -F key=time-change create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 when: - audit_rules_time_clock_settime | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' tags: - CCE-83837-5 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.4.2.b - PCI-DSSv4-10.6 - PCI-DSSv4-10.6.3 - audit_rules_time_clock_settime - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Perform remediation of Audit rules for clock_settime for 64bit platform block: - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - clock_settime 
syscall_grouping: [] - name: Check existence of clock_settime in /etc/audit/rules.d/ ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F a0=0x0 (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" - name: Count occurrences of syscalls in paths ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/time-change.rules ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/time-change.rules" when: found_paths | length == 0 - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S 
|,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F a0=0x0 (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a0=0x0 -F key=time-change create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - clock_settime syscall_grouping: [] - name: Check existence of clock_settime in /etc/audit/audit.rules ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F a0=0x0 (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F a0=0x0 (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a0=0x0 -F key=time-change create: true mode: g-rwx,o-rwx 
state: present when: syscalls_found | length == 0 when: - audit_rules_time_clock_settime | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - audit_arch == "b64" tags: - CCE-83837-5 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.4.2.b - PCI-DSSv4-10.6 - PCI-DSSv4-10.6.3 - audit_rules_time_clock_settime - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Set architecture for audit tasks set_fact: audit_arch: b64 when: - audit_rules_time_settimeofday | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" tags: - CCE-83836-7 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.4.2.b - PCI-DSSv4-10.6 - PCI-DSSv4-10.6.3 - audit_rules_time_settimeofday - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Perform remediation of Audit rules for settimeofday for 32bit platform block: - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - settimeofday syscall_grouping: - adjtimex - settimeofday - stime - name: Check existence of settimeofday in /etc/audit/rules.d/ ansible.builtin.find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + 
syscalls) | unique }}' - name: Reset syscalls found per file ansible.builtin.set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" - name: Count occurrences of syscalls in paths ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/audit_time_rules.rules ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/audit_time_rules.rules" when: found_paths | length == 0 - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} 
ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=audit_time_rules create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 - name: Declare list of syscalls ansible.builtin.set_fact: syscalls: - settimeofday syscall_grouping: - adjtimex - settimeofday - stime - name: Check existence of settimeofday in /etc/audit/audit.rules ansible.builtin.find: paths: /etc/audit contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present mode: g-rwx,o-rwx when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} ansible.builtin.lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=audit_time_rules create: true mode: g-rwx,o-rwx state: present when: syscalls_found | length == 0 when: - audit_rules_time_settimeofday | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - '"audit" in ansible_facts.packages' - '"kernel-core" in ansible_facts.packages' tags: - CCE-83836-7 
# Tail of the tags list of the preceding 32-bit (arch=b32) settimeofday
# block; that block starts before this span.
    - CJIS-5.4.1.1
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.4.2.b
    - PCI-DSSv4-10.6
    - PCI-DSSv4-10.6.3
    - audit_rules_time_settimeofday
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

# Audit settimeofday(2) on 64-bit kernels (gated by audit_arch == "b64").
# Pass 1 edits /etc/audit/rules.d/*.rules (augenrules layout); pass 2 mirrors
# the same rule into the legacy /etc/audit/audit.rules. A rule already naming
# a sibling time syscall (adjtimex/stime) is extended in place rather than a
# second rule being appended. Nothing in this block loads the rule into the
# running kernel (no augenrules/auditctl call); it presumably takes effect at
# the next `augenrules --load` or auditd restart -- confirm for this playbook.
- name: Perform remediation of Audit rules for settimeofday for 64bit platform
  block:
    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
          - settimeofday
        syscall_grouping:
          - adjtimex
          - settimeofday
          - stime

    # One find per grouped syscall; a match means some *.rules file already
    # has a b64 rule naming it together with a key (-k ... or -F key=...).
    - name: Check existence of settimeofday in /etc/audit/rules.d/
      ansible.builtin.find:
        paths: /etc/audit/rules.d
        contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$
        patterns: '*.rules'
      register: find_command
      loop: "{{ (syscall_grouping + syscalls) | unique }}"

    - name: Reset syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: {}
        found_paths_dict: {}

    # Map each rules file to the grouped syscalls it already carries.
    - name: Declare syscalls found per file
      ansible.builtin.set_fact:
        syscalls_per_file: "{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
      loop: "{{ find_command.results | selectattr('matched') | list }}"

    - name: Declare files where syscalls were found
      ansible.builtin.set_fact:
        found_paths: "{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}"

    - name: Count occurrences of syscalls in paths
      ansible.builtin.set_fact:
        found_paths_dict: "{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
      loop: "{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}"

    # The file already holding the most grouped syscalls receives the rule,
    # so related time rules stay together.
    - name: Get path with most syscalls
      ansible.builtin.set_fact:
        audit_file: "{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
      when: found_paths | length >= 1

    - name: No file with syscall found, set path to /etc/audit/rules.d/audit_time_rules.rules
      ansible.builtin.set_fact:
        audit_file: /etc/audit/rules.d/audit_time_rules.rules
      when: found_paths | length == 0

    - name: Declare found syscalls
      ansible.builtin.set_fact:
        syscalls_found: "{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact:
        missing_syscalls: "{{ syscalls | difference(syscalls_found) }}"

    # Extend the existing rule line: \3 is the separator that line already
    # uses (" -S " or ","), so the missing syscalls are appended in the same
    # style. g-rwx,o-rwx strips group/other access from the rules file.
    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: "{{ audit_file }}"
        regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    # No grouped syscall is audited anywhere yet: append a fresh rule
    # (creating the file, with the same restrictive mode, if needed).
    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: "{{ audit_file }}"
        line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F key=audit_time_rules
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0

    # Pass 2: the same logic against the monolithic /etc/audit/audit.rules.
    - name: Declare list of syscalls
      ansible.builtin.set_fact:
        syscalls:
          - settimeofday
        syscall_grouping:
          - adjtimex
          - settimeofday
          - stime

    - name: Check existence of settimeofday in /etc/audit/audit.rules
      ansible.builtin.find:
        paths: /etc/audit
        contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$
        patterns: audit.rules
      register: find_command
      loop: "{{ (syscall_grouping + syscalls) | unique }}"

    - name: Set path to /etc/audit/audit.rules
      ansible.builtin.set_fact:
        audit_file: /etc/audit/audit.rules

    - name: Declare found syscalls
      ansible.builtin.set_fact:
        syscalls_found: "{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      ansible.builtin.set_fact:
        missing_syscalls: "{{ syscalls | difference(syscalls_found) }}"

    - name: Replace the audit rule in {{ audit_file }}
      ansible.builtin.lineinfile:
        path: "{{ audit_file }}"
        regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
        mode: g-rwx,o-rwx
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      ansible.builtin.lineinfile:
        path: "{{ audit_file }}"
        line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F key=audit_time_rules
        create: true
        mode: g-rwx,o-rwx
        state: present
      when: syscalls_found | length == 0
  when:
    - audit_rules_time_settimeofday | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - '"audit" in ansible_facts.packages'
    - '"kernel-core" in ansible_facts.packages'
    - audit_arch == "b64"
  tags:
    - CCE-83836-7
    - CJIS-5.4.1.1
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.4.2.b
    - PCI-DSSv4-10.6
    - PCI-DSSv4-10.6.3
    - audit_rules_time_settimeofday
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

# Watch rule for /etc/localtime: first check whether a "-w /etc/localtime -p wa"
# watch already exists in the augenrules directory (the key is not required
# to match here, only the path and permissions).
- name: Record Attempts to Alter the localtime File - Check if watch rule for /etc/localtime already exists in /etc/audit/rules.d/
  ansible.builtin.find:
    paths: /etc/audit/rules.d
    contains: ^\s*-w\s+/etc/localtime\s+-p\s+wa(\s|$)+
    patterns: '*.rules'
  register: find_existing_watch_rules_d
  when:
    - audit_rules_time_watch_localtime | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - '"audit" in ansible_facts.packages'
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-83839-1
    - CJIS-5.4.1.1
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.4.2.b
    - PCI-DSSv4-10.6
    - PCI-DSSv4-10.6.3
    - audit_rules_time_watch_localtime
    - low_complexity
    - low_disruption
    - medium_severity
# Tail of the tags list of the preceding "Check if watch rule for
# /etc/localtime already exists in /etc/audit/rules.d/" task.
    - no_reboot_needed
    - restrict_strategy

# Choose the recipient file for the watch rule: a rules.d file that already
# carries the audit_time_rules key wins, otherwise audit_time_rules.rules.
# Note the regex anchors the key at end of line -- a rule line with trailing
# whitespace is not recognised and the rule then goes to the default file.
- name: Record Attempts to Alter the localtime File - Search /etc/audit/rules.d for other rules with specified key audit_time_rules
  ansible.builtin.find:
    paths: /etc/audit/rules.d
    contains: ^.*(?:-F key=|-k\s+)audit_time_rules$
    patterns: '*.rules'
  register: find_watch_key
  when:
    - audit_rules_time_watch_localtime | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - '"audit" in ansible_facts.packages'
    - '"kernel-core" in ansible_facts.packages'
    - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
  tags:
    - CCE-83839-1
    - CJIS-5.4.1.1
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.4.2.b
    - PCI-DSSv4-10.6
    - PCI-DSSv4-10.6.3
    - audit_rules_time_watch_localtime
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Record Attempts to Alter the localtime File - Use /etc/audit/rules.d/audit_time_rules.rules as the recipient for the rule
  ansible.builtin.set_fact:
    all_files:
      - /etc/audit/rules.d/audit_time_rules.rules
  when:
    - audit_rules_time_watch_localtime | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - '"audit" in ansible_facts.packages'
    - '"kernel-core" in ansible_facts.packages'
    - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
  tags:
    - CCE-83839-1
    - CJIS-5.4.1.1
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.4.2.b
    - PCI-DSSv4-10.6
    - PCI-DSSv4-10.6.3
    - audit_rules_time_watch_localtime
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

# Several files may carry the key; only the first match is used.
- name: Record Attempts to Alter the localtime File - Use matched file as the recipient for the rule
  ansible.builtin.set_fact:
    all_files:
      - "{{ find_watch_key.files | map(attribute='path') | list | first }}"
  when:
    - audit_rules_time_watch_localtime | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - '"audit" in ansible_facts.packages'
    - '"kernel-core" in ansible_facts.packages'
    - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
  tags:
    - CCE-83839-1
    - CJIS-5.4.1.1
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.4.2.b
    - PCI-DSSv4-10.6
    - PCI-DSSv4-10.6.3
    - audit_rules_time_watch_localtime
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

# Append the watch (writes + attribute changes) only when no watch exists.
# mode 0600 is applied to the rules file whether created or pre-existing.
# As with the syscall rules, nothing here reloads the kernel rule set.
- name: Record Attempts to Alter the localtime File - Add watch rule for /etc/localtime in /etc/audit/rules.d/
  ansible.builtin.lineinfile:
    path: "{{ all_files[0] }}"
    line: -w /etc/localtime -p wa -k audit_time_rules
    create: true
    mode: '0600'
  when:
    - audit_rules_time_watch_localtime | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - '"audit" in ansible_facts.packages'
    - '"kernel-core" in ansible_facts.packages'
    - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
  tags:
    - CCE-83839-1
    - CJIS-5.4.1.1
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.4.2.b
    - PCI-DSSv4-10.6
    - PCI-DSSv4-10.6.3
    - audit_rules_time_watch_localtime
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

# Same watch, mirrored into the legacy monolithic /etc/audit/audit.rules.
- name: Record Attempts to Alter the localtime File - Check if watch rule for /etc/localtime already exists in /etc/audit/audit.rules
  ansible.builtin.find:
    paths: /etc/audit/
    contains: ^\s*-w\s+/etc/localtime\s+-p\s+wa(\s|$)+
    patterns: audit.rules
  register: find_existing_watch_audit_rules
  when:
    - audit_rules_time_watch_localtime | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - '"audit" in ansible_facts.packages'
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-83839-1
    - CJIS-5.4.1.1
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.4.2.b
    - PCI-DSSv4-10.6
    - PCI-DSSv4-10.6.3
    - audit_rules_time_watch_localtime
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Record Attempts to Alter the localtime File - Add watch rule for /etc/localtime in /etc/audit/audit.rules
  ansible.builtin.lineinfile:
    path: /etc/audit/audit.rules
    line: -w /etc/localtime -p wa -k audit_time_rules
    state: present
    create: true
    mode: '0600'
  when:
    - audit_rules_time_watch_localtime | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - '"audit" in ansible_facts.packages'
    - '"kernel-core" in ansible_facts.packages'
    - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0
  tags:
    - CCE-83839-1
    - CJIS-5.4.1.1
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.4.2.b
    - PCI-DSSv4-10.6
    - PCI-DSSv4-10.6.3
    - audit_rules_time_watch_localtime
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

# auditd.conf: disk_error_action. The variable may hold "a|b" alternatives;
# only the first one is written (presumably the preferred value -- confirm
# against the variable definition). The task continues in the next span.
- name: Configure auditd Disk Error Action on Disk Error
  ansible.builtin.lineinfile:
    path: /etc/audit/auditd.conf
    line: disk_error_action = {{ var_auditd_disk_error_action.split('|')[0] }}
    regexp: ^\s*disk_error_action\s*=\s*.*$
    state: present
    create: true
  when:
    - auditd_data_disk_error_action | bool
    - low_complexity | bool
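# Tail of the when list of the preceding "Configure auditd Disk Error Action"
# task (its head lies in the previous span).
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - '"audit" in ansible_facts.packages'
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-83690-8
    - NIST-800-53-AU-5(1)
    - NIST-800-53-AU-5(2)
    - NIST-800-53-AU-5(4)
    - NIST-800-53-AU-5(b)
    - NIST-800-53-CM-6(a)
    - auditd_data_disk_error_action
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

# auditd.conf settings. Each task replaces any existing assignment of its key
# (leading whitespace and spacing around "=" tolerated) or appends one, and
# creates the file if it is missing. auditd reads this file at start-up, so
# the edits presumably take effect at the next auditd restart -- confirm.
# The `.split('|')[0]` form takes the first of "a|b" alternatives.
- name: Configure auditd Disk Full Action when Disk Space Is Full
  ansible.builtin.lineinfile:
    path: /etc/audit/auditd.conf
    line: disk_full_action = {{ var_auditd_disk_full_action.split('|')[0] }}
    regexp: ^\s*disk_full_action\s*=\s*.*$
    state: present
    create: true
  when:
    - auditd_data_disk_full_action | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - '"audit" in ansible_facts.packages'
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-83684-1
    - NIST-800-53-AU-5(1)
    - NIST-800-53-AU-5(2)
    - NIST-800-53-AU-5(4)
    - NIST-800-53-AU-5(b)
    - NIST-800-53-CM-6(a)
    - auditd_data_disk_full_action
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

# The regexp is anchored like the sibling tasks (^\s*key\s*=\s*.*$) instead
# of the bare prefix "^action_mail_acct": an indented existing assignment is
# now replaced rather than duplicated, and a longer key that merely starts
# with "action_mail_acct" is no longer matched.
- name: Configure auditd mail_acct Action on Low Disk Space - Configure auditd mail_acct Action on Low Disk Space
  ansible.builtin.lineinfile:
    path: /etc/audit/auditd.conf
    regexp: ^\s*action_mail_acct\s*=\s*.*$
    line: action_mail_acct = {{ var_auditd_action_mail_acct }}
    state: present
    create: true
  when:
    - DISA_STIG_RHEL_09_653070 | bool
    - auditd_data_retention_action_mail_acct | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - '"audit" in ansible_facts.packages'
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-83698-1
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-09-653070
    - NIST-800-171-3.3.1
    - NIST-800-53-AU-5(2)
    - NIST-800-53-AU-5(a)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-IA-5(1)
    - PCI-DSS-Req-10.7.a
    - auditd_data_retention_action_mail_acct
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Configure auditd admin_space_left Action on Low Disk Space
  ansible.builtin.lineinfile:
    path: /etc/audit/auditd.conf
    line: admin_space_left_action = {{ var_auditd_admin_space_left_action.split('|')[0] }}
    regexp: ^\s*admin_space_left_action\s*=\s*.*$
    state: present
    create: true
  when:
    - DISA_STIG_RHEL_09_653050 | bool
    - auditd_data_retention_admin_space_left_action | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - '"audit" in ansible_facts.packages'
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-83700-5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-09-653050
    - NIST-800-171-3.3.1
    - NIST-800-53-AU-5(1)
    - NIST-800-53-AU-5(2)
    - NIST-800-53-AU-5(4)
    - NIST-800-53-AU-5(b)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.7
    - PCI-DSSv4-10.5
    - PCI-DSSv4-10.5.1
    - auditd_data_retention_admin_space_left_action
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

# "\s*=" keeps this from matching the max_log_file_action key below.
- name: Configure auditd Max Log File Size
  ansible.builtin.lineinfile:
    path: /etc/audit/auditd.conf
    regexp: ^\s*max_log_file\s*=\s*.*$
    line: max_log_file = {{ var_auditd_max_log_file }}
    state: present
    create: true
  when:
    - auditd_data_retention_max_log_file | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - '"audit" in ansible_facts.packages'
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-83683-3
    - CJIS-5.4.1.1
    - NIST-800-53-AU-11
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.7
    - auditd_data_retention_max_log_file
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Configure auditd max_log_file_action Upon Reaching Maximum Log Size
  ansible.builtin.lineinfile:
    path: /etc/audit/auditd.conf
    line: max_log_file_action = {{ var_auditd_max_log_file_action }}
    regexp: ^\s*max_log_file_action\s*=\s*.*$
    state: present
    create: true
  when:
    - auditd_data_retention_max_log_file_action | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - '"audit" in ansible_facts.packages'
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-83701-3
    - CJIS-5.4.1.1
    - NIST-800-53-AU-5(1)
    - NIST-800-53-AU-5(2)
    - NIST-800-53-AU-5(4)
    - NIST-800-53-AU-5(b)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.7
    - auditd_data_retention_max_log_file_action
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Configure auditd space_left Action on Low Disk Space
  ansible.builtin.lineinfile:
    path: /etc/audit/auditd.conf
    line: space_left_action = {{ var_auditd_space_left_action.split('|')[0] }}
    regexp: ^\s*space_left_action\s*=\s*.*$
    state: present
    create: true
  when:
    - DISA_STIG_RHEL_09_653040 | bool
    - auditd_data_retention_space_left_action | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - restrict_strategy | bool
    - '"audit" in ansible_facts.packages'
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-83703-9
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-09-653040
    - NIST-800-171-3.3.1
    - NIST-800-53-AU-5(1)
    - NIST-800-53-AU-5(2)
    - NIST-800-53-AU-5(4)
    - NIST-800-53-AU-5(b)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.7
    - PCI-DSSv4-10.5
    - PCI-DSSv4-10.5.1
    - auditd_data_retention_space_left_action
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

# Group owner for the audit binaries: gid 0 (root), kept as a quoted string
# so YAML does not retype it. Despite the name, the fact is set whenever the
# rule is enabled; the file tasks that consume it follow in the next span.
- name: Set the file_groupownership_audit_binaries_newgroup variable if represented by gid
  ansible.builtin.set_fact:
    file_groupownership_audit_binaries_newgroup: '0'
  when:
    - configure_strategy | bool
    - file_groupownership_audit_binaries | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-86457-9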
# Tail of the tags list of the preceding "Set the
# file_groupownership_audit_binaries_newgroup variable" task.
    - configure_strategy
    - file_groupownership_audit_binaries
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

# Group ownership of the audit tool binaries. Each binary is handled by a
# stat/file pair: the stat re-registers `file_exists`, so each file task must
# stay directly after its own stat. `follow: false` changes the path itself
# rather than a symlink target; a missing binary is skipped, not created.
- name: Test for existence /sbin/auditctl
  ansible.builtin.stat:
    path: /sbin/auditctl
  register: file_exists
  when:
    - configure_strategy | bool
    - file_groupownership_audit_binaries | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-86457-9
    - configure_strategy
    - file_groupownership_audit_binaries
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Ensure group owner on /sbin/auditctl
  ansible.builtin.file:
    path: /sbin/auditctl
    follow: false
    group: "{{ file_groupownership_audit_binaries_newgroup }}"
  when:
    - configure_strategy | bool
    - file_groupownership_audit_binaries | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - '"kernel-core" in ansible_facts.packages'
    - file_exists.stat is defined and file_exists.stat.exists
  tags:
    - CCE-86457-9
    - configure_strategy
    - file_groupownership_audit_binaries
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Test for existence /sbin/aureport
  ansible.builtin.stat:
    path: /sbin/aureport
  register: file_exists
  when:
    - configure_strategy | bool
    - file_groupownership_audit_binaries | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-86457-9
    - configure_strategy
    - file_groupownership_audit_binaries
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Ensure group owner on /sbin/aureport
  ansible.builtin.file:
    path: /sbin/aureport
    follow: false
    group: "{{ file_groupownership_audit_binaries_newgroup }}"
  when:
    - configure_strategy | bool
    - file_groupownership_audit_binaries | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - '"kernel-core" in ansible_facts.packages'
    - file_exists.stat is defined and file_exists.stat.exists
  tags:
    - CCE-86457-9
    - configure_strategy
    - file_groupownership_audit_binaries
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Test for existence /sbin/ausearch
  ansible.builtin.stat:
    path: /sbin/ausearch
  register: file_exists
  when:
    - configure_strategy | bool
    - file_groupownership_audit_binaries | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-86457-9
    - configure_strategy
    - file_groupownership_audit_binaries
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Ensure group owner on /sbin/ausearch
  ansible.builtin.file:
    path: /sbin/ausearch
    follow: false
    group: "{{ file_groupownership_audit_binaries_newgroup }}"
  when:
    - configure_strategy | bool
    - file_groupownership_audit_binaries | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - '"kernel-core" in ansible_facts.packages'
    - file_exists.stat is defined and file_exists.stat.exists
  tags:
    - CCE-86457-9
    - configure_strategy
    - file_groupownership_audit_binaries
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Test for existence /sbin/autrace
  ansible.builtin.stat:
    path: /sbin/autrace
  register: file_exists
  when:
    - configure_strategy | bool
    - file_groupownership_audit_binaries | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-86457-9
    - configure_strategy
    - file_groupownership_audit_binaries
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Ensure group owner on /sbin/autrace
  ansible.builtin.file:
    path: /sbin/autrace
    follow: false
    group: "{{ file_groupownership_audit_binaries_newgroup }}"
  when:
    - configure_strategy | bool
    - file_groupownership_audit_binaries | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - '"kernel-core" in ansible_facts.packages'
    - file_exists.stat is defined and file_exists.stat.exists
  tags:
    - CCE-86457-9
    - configure_strategy
    - file_groupownership_audit_binaries
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Test for existence /sbin/auditd
  ansible.builtin.stat:
    path: /sbin/auditd
  register: file_exists
  when:
    - configure_strategy | bool
    - file_groupownership_audit_binaries | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-86457-9
    - configure_strategy
    - file_groupownership_audit_binaries
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Ensure group owner on /sbin/auditd
  ansible.builtin.file:
    path: /sbin/auditd
    follow: false
    group: "{{ file_groupownership_audit_binaries_newgroup }}"
  when:
    - configure_strategy | bool
    - file_groupownership_audit_binaries | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - '"kernel-core" in ansible_facts.packages'
    - file_exists.stat is defined and file_exists.stat.exists
  tags:
    - CCE-86457-9
    - configure_strategy
    - file_groupownership_audit_binaries
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Test for existence /sbin/augenrules
  ansible.builtin.stat:
    path: /sbin/augenrules
  register: file_exists
  when:
    - configure_strategy | bool
    - file_groupownership_audit_binaries | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-86457-9
    - configure_strategy
    - file_groupownership_audit_binaries
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Ensure group owner on /sbin/augenrules
  ansible.builtin.file:
    path: /sbin/augenrules
    follow: false
    group: "{{ file_groupownership_audit_binaries_newgroup }}"
  when:
    - configure_strategy | bool
    - file_groupownership_audit_binaries | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - '"kernel-core" in ansible_facts.packages'
    - file_exists.stat is defined and file_exists.stat.exists
  tags:
    - CCE-86457-9
    - configure_strategy
    - file_groupownership_audit_binaries
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Test for existence /sbin/audisp-syslog
  ansible.builtin.stat:
    path: /sbin/audisp-syslog
  register: file_exists
  when:
    - configure_strategy | bool
    - file_groupownership_audit_binaries | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-86457-9
    - configure_strategy
    - file_groupownership_audit_binaries
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Ensure group owner on /sbin/audisp-syslog
  ansible.builtin.file:
    path: /sbin/audisp-syslog
    follow: false
    group: "{{ file_groupownership_audit_binaries_newgroup }}"
  when:
    - configure_strategy | bool
    - file_groupownership_audit_binaries | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - '"kernel-core" in ansible_facts.packages'
    - file_exists.stat is defined and file_exists.stat.exists
  tags:
    - CCE-86457-9
    - configure_strategy
    - file_groupownership_audit_binaries
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

# User ownership of the same binaries: uid 0 (root) as a quoted string, then
# the same stat/file pairing as above.
- name: Set the file_ownership_audit_binaries_newown variable if represented by uid
  ansible.builtin.set_fact:
    file_ownership_audit_binaries_newown: '0'
  when:
    - configure_strategy | bool
    - file_ownership_audit_binaries | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-86454-6
    - configure_strategy
    - file_ownership_audit_binaries
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Test for existence /sbin/auditctl
  ansible.builtin.stat:
    path: /sbin/auditctl
  register: file_exists
  when:
    - configure_strategy | bool
    - file_ownership_audit_binaries | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-86454-6
    - configure_strategy
    - file_ownership_audit_binaries
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Ensure owner on /sbin/auditctl
  ansible.builtin.file:
    path: /sbin/auditctl
    follow: false
    owner: "{{ file_ownership_audit_binaries_newown }}"
  when:
    - configure_strategy | bool
    - file_ownership_audit_binaries | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - '"kernel-core" in ansible_facts.packages'
    - file_exists.stat is defined and file_exists.stat.exists
  tags:
    - CCE-86454-6
    - configure_strategy
    - file_ownership_audit_binaries
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Test for existence /sbin/aureport
  ansible.builtin.stat:
    path: /sbin/aureport
  register: file_exists
  when:
    - configure_strategy | bool
    - file_ownership_audit_binaries | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-86454-6
    - configure_strategy
    - file_ownership_audit_binaries
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Ensure owner on /sbin/aureport
  ansible.builtin.file:
    path: /sbin/aureport
    follow: false
    owner: "{{ file_ownership_audit_binaries_newown }}"
  when:
    - configure_strategy | bool
    - file_ownership_audit_binaries | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - '"kernel-core" in ansible_facts.packages'
    - file_exists.stat is defined and file_exists.stat.exists
  tags:
    - CCE-86454-6
    - configure_strategy
    - file_ownership_audit_binaries
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Test for existence /sbin/ausearch
  ansible.builtin.stat:
    path: /sbin/ausearch
  register: file_exists
  when:
    - configure_strategy | bool
    - file_ownership_audit_binaries | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-86454-6
    - configure_strategy
    - file_ownership_audit_binaries
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Ensure owner on /sbin/ausearch
  ansible.builtin.file:
    path: /sbin/ausearch
    follow: false
    owner: "{{ file_ownership_audit_binaries_newown }}"
  when:
    - configure_strategy | bool
    - file_ownership_audit_binaries | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - '"kernel-core" in ansible_facts.packages'
    - file_exists.stat is defined and file_exists.stat.exists
  tags:
    - CCE-86454-6
    - configure_strategy
    - file_ownership_audit_binaries
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Test for existence /sbin/autrace
  ansible.builtin.stat:
    path: /sbin/autrace
  register: file_exists
  when:
    - configure_strategy | bool
    - file_ownership_audit_binaries | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-86454-6
    - configure_strategy
    - file_ownership_audit_binaries
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

# The when list of this task continues in the next span.
- name: Ensure owner on /sbin/autrace
  ansible.builtin.file:
    path: /sbin/autrace
    follow: false
    owner: "{{ file_ownership_audit_binaries_newown }}"
  when:
    - configure_strategy | bool
    - file_ownership_audit_binaries | bool
    - low_complexity | bool
# Tail of the when list of the preceding "Ensure owner on /sbin/autrace" task.
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - '"kernel-core" in ansible_facts.packages'
    - file_exists.stat is defined and file_exists.stat.exists
  tags:
    - CCE-86454-6
    - configure_strategy
    - file_ownership_audit_binaries
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

# Remaining audit binaries for the ownership rule. Each stat re-registers
# `file_exists`, so every file task must stay directly after its own stat;
# `follow: false` acts on the path itself, not on a symlink target.
- name: Test for existence /sbin/auditd
  ansible.builtin.stat:
    path: /sbin/auditd
  register: file_exists
  when:
    - configure_strategy | bool
    - file_ownership_audit_binaries | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-86454-6
    - configure_strategy
    - file_ownership_audit_binaries
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Ensure owner on /sbin/auditd
  ansible.builtin.file:
    path: /sbin/auditd
    follow: false
    owner: "{{ file_ownership_audit_binaries_newown }}"
  when:
    - configure_strategy | bool
    - file_ownership_audit_binaries | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - '"kernel-core" in ansible_facts.packages'
    - file_exists.stat is defined and file_exists.stat.exists
  tags:
    - CCE-86454-6
    - configure_strategy
    - file_ownership_audit_binaries
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Test for existence /sbin/augenrules
  ansible.builtin.stat:
    path: /sbin/augenrules
  register: file_exists
  when:
    - configure_strategy | bool
    - file_ownership_audit_binaries | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-86454-6
    - configure_strategy
    - file_ownership_audit_binaries
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Ensure owner on /sbin/augenrules
  ansible.builtin.file:
    path: /sbin/augenrules
    follow: false
    owner: "{{ file_ownership_audit_binaries_newown }}"
  when:
    - configure_strategy | bool
    - file_ownership_audit_binaries | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - '"kernel-core" in ansible_facts.packages'
    - file_exists.stat is defined and file_exists.stat.exists
  tags:
    - CCE-86454-6
    - configure_strategy
    - file_ownership_audit_binaries
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Test for existence /sbin/audisp-syslog
  ansible.builtin.stat:
    path: /sbin/audisp-syslog
  register: file_exists
  when:
    - configure_strategy | bool
    - file_ownership_audit_binaries | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-86454-6
    - configure_strategy
    - file_ownership_audit_binaries
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Ensure owner on /sbin/audisp-syslog
  ansible.builtin.file:
    path: /sbin/audisp-syslog
    follow: false
    owner: "{{ file_ownership_audit_binaries_newown }}"
  when:
    - configure_strategy | bool
    - file_ownership_audit_binaries | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - '"kernel-core" in ansible_facts.packages'
    - file_exists.stat is defined and file_exists.stat.exists
  tags:
    - CCE-86454-6
    - configure_strategy
    - file_ownership_audit_binaries
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

# Permission hardening of the audit binaries starts here (setuid/setgid and
# group/other write bits stripped per the task name); the same stat/file
# pairing applies. The file task is cut off at the end of this span.
- name: Test for existence /sbin/auditctl
  ansible.builtin.stat:
    path: /sbin/auditctl
  register: file_exists
  when:
    - configure_strategy | bool
    - file_permissions_audit_binaries | bool
    - low_complexity | bool
    - low_disruption | bool
    - medium_severity | bool
    - no_reboot_needed | bool
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-86448-8
    - configure_strategy
    - file_permissions_audit_binaries
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Ensure permission u-s,g-ws,o-wt on /sbin/auditctl
  ansible.builtin.file:
    path:
/sbin/auditctl mode: u-s,g-ws,o-wt when: - configure_strategy | bool - file_permissions_audit_binaries | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - '"kernel-core" in ansible_facts.packages' - file_exists.stat is defined and file_exists.stat.exists tags: - CCE-86448-8 - configure_strategy - file_permissions_audit_binaries - low_complexity - low_disruption - medium_severity - no_reboot_needed - name: Test for existence /sbin/aureport ansible.builtin.stat: path: /sbin/aureport register: file_exists when: - configure_strategy | bool - file_permissions_audit_binaries | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-86448-8 - configure_strategy - file_permissions_audit_binaries - low_complexity - low_disruption - medium_severity - no_reboot_needed - name: Ensure permission u-s,g-ws,o-wt on /sbin/aureport ansible.builtin.file: path: /sbin/aureport mode: u-s,g-ws,o-wt when: - configure_strategy | bool - file_permissions_audit_binaries | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - '"kernel-core" in ansible_facts.packages' - file_exists.stat is defined and file_exists.stat.exists tags: - CCE-86448-8 - configure_strategy - file_permissions_audit_binaries - low_complexity - low_disruption - medium_severity - no_reboot_needed - name: Test for existence /sbin/ausearch ansible.builtin.stat: path: /sbin/ausearch register: file_exists when: - configure_strategy | bool - file_permissions_audit_binaries | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-86448-8 - configure_strategy - file_permissions_audit_binaries - low_complexity - low_disruption - medium_severity - no_reboot_needed - name: Ensure permission u-s,g-ws,o-wt on /sbin/ausearch 
ansible.builtin.file: path: /sbin/ausearch mode: u-s,g-ws,o-wt when: - configure_strategy | bool - file_permissions_audit_binaries | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - '"kernel-core" in ansible_facts.packages' - file_exists.stat is defined and file_exists.stat.exists tags: - CCE-86448-8 - configure_strategy - file_permissions_audit_binaries - low_complexity - low_disruption - medium_severity - no_reboot_needed - name: Test for existence /sbin/autrace ansible.builtin.stat: path: /sbin/autrace register: file_exists when: - configure_strategy | bool - file_permissions_audit_binaries | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-86448-8 - configure_strategy - file_permissions_audit_binaries - low_complexity - low_disruption - medium_severity - no_reboot_needed - name: Ensure permission u-s,g-ws,o-wt on /sbin/autrace ansible.builtin.file: path: /sbin/autrace mode: u-s,g-ws,o-wt when: - configure_strategy | bool - file_permissions_audit_binaries | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - '"kernel-core" in ansible_facts.packages' - file_exists.stat is defined and file_exists.stat.exists tags: - CCE-86448-8 - configure_strategy - file_permissions_audit_binaries - low_complexity - low_disruption - medium_severity - no_reboot_needed - name: Test for existence /sbin/auditd ansible.builtin.stat: path: /sbin/auditd register: file_exists when: - configure_strategy | bool - file_permissions_audit_binaries | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-86448-8 - configure_strategy - file_permissions_audit_binaries - low_complexity - low_disruption - medium_severity - no_reboot_needed - name: Ensure permission 
u-s,g-ws,o-wt on /sbin/auditd ansible.builtin.file: path: /sbin/auditd mode: u-s,g-ws,o-wt when: - configure_strategy | bool - file_permissions_audit_binaries | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - '"kernel-core" in ansible_facts.packages' - file_exists.stat is defined and file_exists.stat.exists tags: - CCE-86448-8 - configure_strategy - file_permissions_audit_binaries - low_complexity - low_disruption - medium_severity - no_reboot_needed - name: Test for existence /sbin/augenrules ansible.builtin.stat: path: /sbin/augenrules register: file_exists when: - configure_strategy | bool - file_permissions_audit_binaries | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-86448-8 - configure_strategy - file_permissions_audit_binaries - low_complexity - low_disruption - medium_severity - no_reboot_needed - name: Ensure permission u-s,g-ws,o-wt on /sbin/augenrules ansible.builtin.file: path: /sbin/augenrules mode: u-s,g-ws,o-wt when: - configure_strategy | bool - file_permissions_audit_binaries | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - '"kernel-core" in ansible_facts.packages' - file_exists.stat is defined and file_exists.stat.exists tags: - CCE-86448-8 - configure_strategy - file_permissions_audit_binaries - low_complexity - low_disruption - medium_severity - no_reboot_needed - name: Test for existence /sbin/audisp-syslog ansible.builtin.stat: path: /sbin/audisp-syslog register: file_exists when: - configure_strategy | bool - file_permissions_audit_binaries | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - '"kernel-core" in ansible_facts.packages' tags: - CCE-86448-8 - configure_strategy - file_permissions_audit_binaries - low_complexity - low_disruption - medium_severity - 
no_reboot_needed - name: Ensure permission u-s,g-ws,o-wt on /sbin/audisp-syslog ansible.builtin.file: path: /sbin/audisp-syslog mode: u-s,g-ws,o-wt when: - configure_strategy | bool - file_permissions_audit_binaries | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - '"kernel-core" in ansible_facts.packages' - file_exists.stat is defined and file_exists.stat.exists tags: - CCE-86448-8 - configure_strategy - file_permissions_audit_binaries - low_complexity - low_disruption - medium_severity - no_reboot_needed