ansible-towers/ansible-role-rhel9-cis
1
0
Fork 0
mirror of https://github.com/RedHatOfficial/ansible-role-rhel9-cis.git synced 2026-02-10 01:12:07 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
b9706a1c78af734f27bdb72b24c543275dba0794
ansible-role-rhel9-cis/tasks/main.yml
ComplianceAsCode development team b9706a1c78 Updated tasks/main.yml
2025-12-12 11:56:49 -05:00

50221 lines
1.6 MiB
Raw Blame History

- name: Gather the package facts
ansible.builtin.package_facts:
manager: auto
tags:
- always
- name: Ensure aide is installed
ansible.builtin.package:
name: aide
state: present
when:
- DISA_STIG_RHEL_09_651010 | bool
- enable_strategy | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- package_aide_installed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-90843-4
- CJIS-5.10.1.3
- DISA-STIG-RHEL-09-651010
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-11.5
- PCI-DSSv4-11.5.2
- enable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- package_aide_installed
- name: Build and Test AIDE Database - Ensure AIDE Is Installed
ansible.builtin.package:
name: '{{ item }}'
state: present
with_items:
- aide
when:
- DISA_STIG_RHEL_09_651010 | bool
- aide_build_database | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83438-2
- CJIS-5.10.1.3
- DISA-STIG-RHEL-09-651010
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-11.5
- PCI-DSSv4-11.5.2
- aide_build_database
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure aide is installed
ansible.builtin.package:
name: '{{ item }}'
state: present
with_items:
- aide
when:
- DISA_STIG_RHEL_09_651025 | bool
- aide_check_audit_tools | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-87757-1
- DISA-STIG-RHEL-09-651025
- NIST-800-53-AU-9(3)
- NIST-800-53-AU-9(3).1
- aide_check_audit_tools
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure AIDE is installed
ansible.builtin.package:
name: aide
state: present
when:
- aide_periodic_cron_checking | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83437-4
- CJIS-5.10.1.3
- NIST-800-53-CM-6(a)
- NIST-800-53-SI-7
- NIST-800-53-SI-7(1)
- PCI-DSS-Req-11.5
- PCI-DSSv4-11.5.2
- aide_periodic_cron_checking
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Install cron
ansible.builtin.package:
name: cronie
state: present
when:
- aide_periodic_cron_checking | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83437-4
- CJIS-5.10.1.3
- NIST-800-53-CM-6(a)
- NIST-800-53-SI-7
- NIST-800-53-SI-7(1)
- PCI-DSS-Req-11.5
- PCI-DSSv4-11.5.2
- aide_periodic_cron_checking
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: 'Remove the GDM Package Group: Ensure gdm is removed'
ansible.builtin.package:
name: gdm
state: absent
when:
- disable_strategy | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- package_gdm_removed | bool
- '"gdm" in ansible_facts.packages'
tags:
- CCE-83549-6
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- package_gdm_removed
- name: Ensure sudo is installed
ansible.builtin.package:
name: sudo
state: present
when:
- DISA_STIG_RHEL_09_432010 | bool
- enable_strategy | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- package_sudo_installed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83523-1
- DISA-STIG-RHEL-09-432010
- NIST-800-53-CM-6(a)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- enable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- package_sudo_installed
- name: Ensure libpwquality is installed
ansible.builtin.package:
name: libpwquality
state: present
when:
- enable_strategy | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- package_pam_pwquality_installed | bool
- '"pam" in ansible_facts.packages'
tags:
- CCE-86226-8
- enable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- package_pam_pwquality_installed
- name: Ensure systemd-journal-remote is installed
ansible.builtin.package:
name: systemd-journal-remote
state: present
when:
- enable_strategy | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- package_systemd_journal_remote_installed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86760-6
- enable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- package_systemd-journal-remote_installed
- name: Ensure firewalld is installed
ansible.builtin.package:
name: firewalld
state: present
when:
- DISA_STIG_RHEL_09_251010 | bool
- enable_strategy | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- package_firewalld_installed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84021-5
- DISA-STIG-RHEL-09-251010
- NIST-800-53-CM-6(a)
- PCI-DSSv4-1.2
- PCI-DSSv4-1.2.1
- enable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- package_firewalld_installed
- name: Configure Firewalld to Restrict Loopback Traffic - Ensure firewalld Package is Installed
ansible.builtin.package:
name: '{{ item }}'
state: present
with_items:
- firewalld
when:
- configure_strategy | bool
- firewalld_loopback_traffic_restricted | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86137-7
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.1
- configure_strategy
- firewalld_loopback_traffic_restricted
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Configure Firewalld to Trust Loopback Traffic - Ensure firewalld Package is Installed
ansible.builtin.package:
name: '{{ item }}'
state: present
with_items:
- firewalld
when:
- configure_strategy | bool
- firewalld_loopback_traffic_trusted | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86116-1
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.1
- configure_strategy
- firewalld_loopback_traffic_trusted
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure nftables is installed
ansible.builtin.package:
name: nftables
state: present
when:
- enable_strategy | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- package_nftables_installed | bool
- ( "kernel-core" in ansible_facts.packages )
tags:
- CCE-86378-7
- PCI-DSSv4-1.2
- PCI-DSSv4-1.2.1
- enable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- package_nftables_installed
- name: Ensure NetworkManager is installed
ansible.builtin.package:
name: '{{ item }}'
state: present
with_items:
- NetworkManager
when:
- DISA_STIG_RHEL_09_291040 | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- unknown_strategy | bool
- wireless_disable_interfaces | bool
- ( not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] ) )
tags:
- CCE-84066-0
- DISA-STIG-RHEL-09-291040
- NIST-800-171-3.1.16
- NIST-800-53-AC-18(3)
- NIST-800-53-AC-18(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- PCI-DSS-Req-1.3.3
- PCI-DSSv4-1.3
- PCI-DSSv4-1.3.3
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- unknown_strategy
- wireless_disable_interfaces
- name: Ensure libselinux is installed
ansible.builtin.package:
name: libselinux
state: present
when:
- enable_strategy | bool
- high_severity | bool
- low_complexity | bool
- low_disruption | bool
- no_reboot_needed | bool
- package_libselinux_installed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84069-4
- PCI-DSSv4-1.2
- PCI-DSSv4-1.2.6
- enable_strategy
- high_severity
- low_complexity
- low_disruption
- no_reboot_needed
- package_libselinux_installed
- name: 'Uninstall mcstrans Package: Ensure mcstrans is removed'
ansible.builtin.package:
name: mcstrans
state: absent
when:
- disable_strategy | bool
- low_complexity | bool
- low_disruption | bool
- low_severity | bool
- no_reboot_needed | bool
- package_mcstrans_removed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84072-8
- disable_strategy
- low_complexity
- low_disruption
- low_severity
- no_reboot_needed
- package_mcstrans_removed
- name: 'Uninstall setroubleshoot Package: Ensure setroubleshoot is removed'
ansible.builtin.package:
name: setroubleshoot
state: absent
when:
- disable_strategy | bool
- low_complexity | bool
- low_disruption | bool
- low_severity | bool
- no_reboot_needed | bool
- package_setroubleshoot_removed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84073-6
- disable_strategy
- low_complexity
- low_disruption
- low_severity
- no_reboot_needed
- package_setroubleshoot_removed
- name: Ensure cronie is installed
ansible.builtin.package:
name: cronie
state: present
when:
- DISA_STIG_RHEL_09_232040 | bool
- enable_strategy | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- package_cron_installed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86170-8
- DISA-STIG-RHEL-09-232040
- NIST-800-53-CM-6(a)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- enable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- package_cron_installed
- name: 'Uninstall DHCP Server Package: Ensure dhcp-server is removed'
ansible.builtin.package:
name: dhcp-server
state: absent
tags:
- CCE-84240-1
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.4
- disable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- package_dhcp_removed
when:
- disable_strategy | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- package_dhcp_removed | bool
- name: 'Uninstall dnsmasq Package: Ensure dnsmasq is removed'
ansible.builtin.package:
name: dnsmasq
state: absent
tags:
- CCE-86063-5
- disable_strategy
- low_complexity
- low_disruption
- low_severity
- no_reboot_needed
- package_dnsmasq_removed
when:
- disable_strategy | bool
- low_complexity | bool
- low_disruption | bool
- low_severity | bool
- no_reboot_needed | bool
- package_dnsmasq_removed | bool
- name: 'Uninstall bind Package: Ensure bind is removed'
ansible.builtin.package:
name: bind
state: absent
tags:
- CCE-86505-5
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- low_complexity
- low_disruption
- low_severity
- no_reboot_needed
- package_bind_removed
when:
- disable_strategy | bool
- low_complexity | bool
- low_disruption | bool
- low_severity | bool
- no_reboot_needed | bool
- package_bind_removed | bool
- name: 'Uninstall bind Package: Ensure bind9.18 is removed'
ansible.builtin.package:
name: bind9.18
state: absent
tags:
- CCE-86505-5
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- low_complexity
- low_disruption
- low_severity
- no_reboot_needed
- package_bind_removed
when:
- disable_strategy | bool
- low_complexity | bool
- low_disruption | bool
- low_severity | bool
- no_reboot_needed | bool
- package_bind_removed | bool
- name: 'Remove ftp Package: Ensure ftp is removed'
ansible.builtin.package:
name: ftp
state: absent
tags:
- CCE-86075-9
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.4
- disable_strategy
- low_complexity
- low_disruption
- low_severity
- no_reboot_needed
- package_ftp_removed
when:
- disable_strategy | bool
- low_complexity | bool
- low_disruption | bool
- low_severity | bool
- no_reboot_needed | bool
- package_ftp_removed | bool
- name: 'Uninstall vsftpd Package: Ensure vsftpd is removed'
ansible.builtin.package:
name: vsftpd
state: absent
tags:
- CCE-84159-3
- DISA-STIG-RHEL-09-215015
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-CM-7.1(ii)
- NIST-800-53-IA-5(1)(c)
- NIST-800-53-IA-5(1).1(v)
- disable_strategy
- high_severity
- low_complexity
- low_disruption
- no_reboot_needed
- package_vsftpd_removed
when:
- DISA_STIG_RHEL_09_215015 | bool
- disable_strategy | bool
- high_severity | bool
- low_complexity | bool
- low_disruption | bool
- no_reboot_needed | bool
- package_vsftpd_removed | bool
- name: 'Uninstall httpd Package: Ensure httpd is removed'
ansible.builtin.package:
name: httpd
state: absent
tags:
- CCE-85974-4
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- package_httpd_removed
- unknown_severity
when:
- disable_strategy | bool
- low_complexity | bool
- low_disruption | bool
- no_reboot_needed | bool
- package_httpd_removed | bool
- unknown_severity | bool
- name: 'Uninstall nginx Package: Ensure nginx is removed'
ansible.builtin.package:
name: nginx
state: absent
tags:
- CCE-88035-1
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- package_nginx_removed
- unknown_severity
when:
- disable_strategy | bool
- low_complexity | bool
- low_disruption | bool
- no_reboot_needed | bool
- package_nginx_removed | bool
- unknown_severity | bool
- name: 'Uninstall cyrus-imapd Package: Ensure cyrus-imapd is removed'
ansible.builtin.package:
name: cyrus-imapd
state: absent
tags:
- CCE-88120-1
- disable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- package_cyrus-imapd_removed
- unknown_severity
when:
- disable_strategy | bool
- low_complexity | bool
- low_disruption | bool
- no_reboot_needed | bool
- package_cyrus_imapd_removed | bool
- unknown_severity | bool
- name: 'Uninstall dovecot Package: Ensure dovecot is removed'
ansible.builtin.package:
name: dovecot
state: absent
tags:
- CCE-85977-7
- disable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- package_dovecot_removed
- unknown_severity
when:
- disable_strategy | bool
- low_complexity | bool
- low_disruption | bool
- no_reboot_needed | bool
- package_dovecot_removed | bool
- unknown_severity | bool
- name: 'Ensure LDAP client is not installed: Ensure openldap-clients is removed'
ansible.builtin.package:
name: openldap-clients
state: absent
tags:
- CCE-90831-9
- disable_strategy
- low_complexity
- low_disruption
- low_severity
- no_reboot_needed
- package_openldap-clients_removed
when:
- disable_strategy | bool
- low_complexity | bool
- low_disruption | bool
- low_severity | bool
- no_reboot_needed | bool
- package_openldap_clients_removed | bool
- name: Ensure chrony is installed
ansible.builtin.package:
name: chrony
state: present
when:
- DISA_STIG_RHEL_09_252010 | bool
- enable_strategy | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- package_chrony_installed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84215-3
- DISA-STIG-RHEL-09-252010
- PCI-DSS-Req-10.4
- PCI-DSSv4-10.6
- PCI-DSSv4-10.6.1
- enable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- package_chrony_installed
- name: 'Uninstall rsync Package: Ensure rsync-daemon is removed'
ansible.builtin.package:
name: rsync-daemon
state: absent
tags:
- CCE-86336-5
- disable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- package_rsync_removed
when:
- disable_strategy | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- package_rsync_removed | bool
- name: 'Uninstall telnet-server Package: Ensure telnet-server is removed'
ansible.builtin.package:
name: telnet-server
state: absent
tags:
- CCE-84149-4
- DISA-STIG-RHEL-09-215040
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSS-Req-2.2.2
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.4
- disable_strategy
- high_severity
- low_complexity
- low_disruption
- no_reboot_needed
- package_telnet-server_removed
when:
- DISA_STIG_RHEL_09_215040 | bool
- disable_strategy | bool
- high_severity | bool
- low_complexity | bool
- low_disruption | bool
- no_reboot_needed | bool
- package_telnet_server_removed | bool
- name: 'Remove telnet Clients: Ensure telnet is removed'
ansible.builtin.package:
name: telnet
state: absent
tags:
- CCE-84146-0
- NIST-800-171-3.1.13
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.4
- disable_strategy
- low_complexity
- low_disruption
- low_severity
- no_reboot_needed
- package_telnet_removed
when:
- disable_strategy | bool
- low_complexity | bool
- low_disruption | bool
- low_severity | bool
- no_reboot_needed | bool
- package_telnet_removed | bool
- name: 'Uninstall tftp-server Package: Ensure tftp-server is removed'
ansible.builtin.package:
name: tftp-server
state: absent
tags:
- CCE-84154-4
- DISA-STIG-RHEL-09-215060
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.4
- disable_strategy
- high_severity
- low_complexity
- low_disruption
- no_reboot_needed
- package_tftp-server_removed
when:
- DISA_STIG_RHEL_09_215060 | bool
- disable_strategy | bool
- high_severity | bool
- low_complexity | bool
- low_disruption | bool
- no_reboot_needed | bool
- package_tftp_server_removed | bool
- name: 'Remove tftp Daemon: Ensure tftp is removed'
ansible.builtin.package:
name: tftp
state: absent
tags:
- CCE-84153-6
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.4
- disable_strategy
- low_complexity
- low_disruption
- low_severity
- no_reboot_needed
- package_tftp_removed
when:
- disable_strategy | bool
- low_complexity | bool
- low_disruption | bool
- low_severity | bool
- no_reboot_needed | bool
- package_tftp_removed | bool
- name: 'Uninstall squid Package: Ensure squid is removed'
ansible.builtin.package:
name: squid
state: absent
tags:
- CCE-84238-5
- disable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- package_squid_removed
- unknown_severity
when:
- disable_strategy | bool
- low_complexity | bool
- low_disruption | bool
- no_reboot_needed | bool
- package_squid_removed | bool
- unknown_severity | bool
- name: 'Uninstall Samba Package: Ensure samba is removed'
ansible.builtin.package:
name: samba
state: absent
tags:
- CCE-85979-3
- disable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- package_samba_removed
- unknown_severity
when:
- disable_strategy | bool
- low_complexity | bool
- low_disruption | bool
- no_reboot_needed | bool
- package_samba_removed | bool
- unknown_severity | bool
- name: 'Uninstall net-snmp Package: Ensure net-snmp is removed'
ansible.builtin.package:
name: net-snmp
state: absent
tags:
- CCE-85981-9
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.4
- disable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- package_net-snmp_removed
- unknown_severity
when:
- disable_strategy | bool
- low_complexity | bool
- low_disruption | bool
- no_reboot_needed | bool
- package_net_snmp_removed | bool
- unknown_severity | bool
- name: 'Remove the X Windows Package Group: Ensure xorg-x11-server-common is removed'
ansible.builtin.package:
name: xorg-x11-server-common
state: absent
tags:
- CCE-84104-9
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- package_xorg-x11-server-common_removed
when:
- disable_strategy | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- package_xorg_x11_server_common_removed | bool
- name: Ensure audit-libs is installed
ansible.builtin.package:
name: audit-libs
state: present
when:
- enable_strategy | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- package_audit_libs_installed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86772-1
- NIST-800-53-AC-7(a)
- NIST-800-53-AU-12(2)
- NIST-800-53-AU-14
- NIST-800-53-AU-2(a)
- NIST-800-53-AU-7(1)
- NIST-800-53-AU-7(2)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- enable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- package_audit-libs_installed
- name: Ensure audit is installed
ansible.builtin.package:
name: audit
state: present
when:
- DISA_STIG_RHEL_09_653010 | bool
- enable_strategy | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- package_audit_installed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83649-4
- DISA-STIG-RHEL-09-653010
- NIST-800-53-AC-7(a)
- NIST-800-53-AU-12(2)
- NIST-800-53-AU-14
- NIST-800-53-AU-2(a)
- NIST-800-53-AU-7(1)
- NIST-800-53-AU-7(2)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.1
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- enable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- package_audit_installed
- name: Gather the package facts
ansible.builtin.package_facts:
manager: auto
tags:
- always
- name: Enable systemd-journald Service - Enable service systemd-journald
block:
- name: Enable systemd-journald Service - Enable Service systemd-journald
ansible.builtin.systemd:
name: systemd-journald
enabled: true
state: started
masked: false
when:
- '"systemd" in ansible_facts.packages'
tags:
- CCE-85941-3
- DISA-STIG-RHEL-09-211040
- NIST-800-53-SC-24
- enable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- service_systemd-journald_enabled
- special_service_block
when:
- DISA_STIG_RHEL_09_211040 | bool
- enable_strategy | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- service_systemd_journald_enabled | bool
- special_service_block | bool
- '"kernel-core" in ansible_facts.packages'
- name: Verify firewalld Enabled - Enable service firewalld
block:
- name: Verify firewalld Enabled - Enable Service firewalld
ansible.builtin.systemd:
name: firewalld
enabled: true
state: started
masked: false
when:
- '"firewalld" in ansible_facts.packages'
tags:
- CCE-90833-5
- DISA-STIG-RHEL-09-251015
- NIST-800-171-3.1.3
- NIST-800-171-3.4.7
- NIST-800-53-AC-4
- NIST-800-53-CA-3(5)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-7(21)
- PCI-DSSv4-1.2
- PCI-DSSv4-1.2.1
- enable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- service_firewalld_enabled
- special_service_block
when:
- DISA_STIG_RHEL_09_251015 | bool
- enable_strategy | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- service_firewalld_enabled | bool
- special_service_block | bool
- '"kernel-core" in ansible_facts.packages'
- '"firewalld" in ansible_facts.packages'
- name: Verify nftables Service is Disabled - Disable service nftables
block:
- name: Verify nftables Service is Disabled - Collect systemd Services Present in the System
ansible.builtin.command: systemctl -q list-unit-files --type service
register: service_exists
changed_when: false
failed_when: service_exists.rc not in [0, 1]
check_mode: false
- name: Verify nftables Service is Disabled - Ensure nftables.service is Masked
ansible.builtin.systemd:
name: nftables.service
state: stopped
enabled: false
masked: true
when: service_exists.stdout_lines is search("nftables.service", multiline=True)
- name: Unit Socket Exists - nftables.socket
ansible.builtin.command: systemctl -q list-unit-files nftables.socket
register: socket_file_exists
changed_when: false
failed_when: socket_file_exists.rc not in [0, 1]
check_mode: false
- name: Verify nftables Service is Disabled - Disable Socket nftables
ansible.builtin.systemd:
name: nftables.socket
enabled: false
state: stopped
masked: true
when: socket_file_exists.stdout_lines is search("nftables.socket", multiline=True)
tags:
- CCE-88429-6
- PCI-DSSv4-1.2
- PCI-DSSv4-1.2.1
- disable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- service_nftables_disabled
- special_service_block
when:
- disable_strategy | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- service_nftables_disabled | bool
- special_service_block | bool
- ( "firewalld" in ansible_facts.packages and "nftables" in ansible_facts.packages and "kernel-core" in ansible_facts.packages
)
- name: Disable Bluetooth Service - Disable service bluetooth
block:
- name: Disable Bluetooth Service - Collect systemd Services Present in the System
ansible.builtin.command: systemctl -q list-unit-files --type service
register: service_exists
changed_when: false
failed_when: service_exists.rc not in [0, 1]
check_mode: false
- name: Disable Bluetooth Service - Ensure bluetooth.service is Masked
ansible.builtin.systemd:
name: bluetooth.service
state: stopped
enabled: false
masked: true
when: service_exists.stdout_lines is search("bluetooth.service", multiline=True)
- name: Unit Socket Exists - bluetooth.socket
ansible.builtin.command: systemctl -q list-unit-files bluetooth.socket
register: socket_file_exists
changed_when: false
failed_when: socket_file_exists.rc not in [0, 1]
check_mode: false
- name: Disable Bluetooth Service - Disable Socket bluetooth
ansible.builtin.systemd:
name: bluetooth.socket
enabled: false
state: stopped
masked: true
when: socket_file_exists.stdout_lines is search("bluetooth.socket", multiline=True)
tags:
- CCE-86761-4
- NIST-800-171-3.1.16
- NIST-800-53-AC-18(3)
- NIST-800-53-AC-18(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- disable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- service_bluetooth_disabled
- special_service_block
when:
- disable_strategy | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- service_bluetooth_disabled | bool
- special_service_block | bool
- '"kernel-core" in ansible_facts.packages'
- name: Disable the Automounter - Disable service autofs
block:
- name: Disable the Automounter - Collect systemd Services Present in the System
ansible.builtin.command: systemctl -q list-unit-files --type service
register: service_exists
changed_when: false
failed_when: service_exists.rc not in [0, 1]
check_mode: false
- name: Disable the Automounter - Ensure autofs.service is Masked
ansible.builtin.systemd:
name: autofs.service
state: stopped
enabled: false
masked: true
when: service_exists.stdout_lines is search("autofs.service", multiline=True)
- name: Unit Socket Exists - autofs.socket
ansible.builtin.command: systemctl -q list-unit-files autofs.socket
register: socket_file_exists
changed_when: false
failed_when: socket_file_exists.rc not in [0, 1]
check_mode: false
- name: Disable the Automounter - Disable Socket autofs
ansible.builtin.systemd:
name: autofs.socket
enabled: false
state: stopped
masked: true
when: socket_file_exists.stdout_lines is search("autofs.socket", multiline=True)
tags:
- CCE-83850-8
- DISA-STIG-RHEL-09-231040
- NIST-800-171-3.4.6
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- disable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- service_autofs_disabled
- special_service_block
when:
- DISA_STIG_RHEL_09_231040 | bool
- disable_strategy | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- service_autofs_disabled | bool
- special_service_block | bool
- ( "autofs" in ansible_facts.packages and "kernel-core" in ansible_facts.packages )
- name: Disable Avahi Server Software - Disable service avahi-daemon
block:
- name: Disable Avahi Server Software - Collect systemd Services Present in the System
ansible.builtin.command: systemctl -q list-unit-files --type service
register: service_exists
changed_when: false
failed_when: service_exists.rc not in [0, 1]
check_mode: false
- name: Disable Avahi Server Software - Ensure avahi-daemon.service is Masked
ansible.builtin.systemd:
name: avahi-daemon.service
state: stopped
enabled: false
masked: true
when: service_exists.stdout_lines is search("avahi-daemon.service", multiline=True)
- name: Unit Socket Exists - avahi-daemon.socket
ansible.builtin.command: systemctl -q list-unit-files avahi-daemon.socket
register: socket_file_exists
changed_when: false
failed_when: socket_file_exists.rc not in [0, 1]
check_mode: false
- name: Disable Avahi Server Software - Disable Socket avahi-daemon
ansible.builtin.systemd:
name: avahi-daemon.socket
enabled: false
state: stopped
masked: true
when: socket_file_exists.stdout_lines is search("avahi-daemon.socket", multiline=True)
tags:
- CCE-90824-4
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.4
- disable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- service_avahi-daemon_disabled
- special_service_block
when:
- disable_strategy | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- service_avahi_daemon_disabled | bool
- special_service_block | bool
- ( "avahi" in ansible_facts.packages and "kernel-core" in ansible_facts.packages )
- name: Enable cron Service - Enable service crond
block:
- name: Enable cron Service - Enable Service crond
ansible.builtin.systemd:
name: crond
enabled: true
state: started
masked: false
when:
- '"cronie" in ansible_facts.packages'
tags:
- CCE-84163-5
- NIST-800-53-CM-6(a)
- enable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- service_crond_enabled
- special_service_block
when:
- enable_strategy | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- service_crond_enabled | bool
- special_service_block | bool
- '"kernel-core" in ansible_facts.packages'
- name: Disable rpcbind Service - Disable service rpcbind
block:
- name: Disable rpcbind Service - Collect systemd Services Present in the System
ansible.builtin.command: systemctl -q list-unit-files --type service
register: service_exists
changed_when: false
failed_when: service_exists.rc not in [0, 1]
check_mode: false
- name: Disable rpcbind Service - Ensure rpcbind.service is Masked
ansible.builtin.systemd:
name: rpcbind.service
state: stopped
enabled: false
masked: true
when: service_exists.stdout_lines is search("rpcbind.service", multiline=True)
- name: Unit Socket Exists - rpcbind.socket
ansible.builtin.command: systemctl -q list-unit-files rpcbind.socket
register: socket_file_exists
changed_when: false
failed_when: socket_file_exists.rc not in [0, 1]
check_mode: false
- name: Disable rpcbind Service - Disable Socket rpcbind
ansible.builtin.systemd:
name: rpcbind.socket
enabled: false
state: stopped
masked: true
when: socket_file_exists.stdout_lines is search("rpcbind.socket", multiline=True)
tags:
- CCE-84245-0
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.4
- disable_strategy
- low_complexity
- low_disruption
- low_severity
- no_reboot_needed
- service_rpcbind_disabled
- special_service_block
when:
- disable_strategy | bool
- low_complexity | bool
- low_disruption | bool
- low_severity | bool
- no_reboot_needed | bool
- service_rpcbind_disabled | bool
- special_service_block | bool
- '"kernel-core" in ansible_facts.packages'
- name: Disable Network File System (nfs) - Disable service nfs-server
block:
- name: Disable Network File System (nfs) - Collect systemd Services Present in the System
ansible.builtin.command: systemctl -q list-unit-files --type service
register: service_exists
changed_when: false
failed_when: service_exists.rc not in [0, 1]
check_mode: false
- name: Disable Network File System (nfs) - Ensure nfs-server.service is Masked
ansible.builtin.systemd:
name: nfs-server.service
state: stopped
enabled: false
masked: true
when: service_exists.stdout_lines is search("nfs-server.service", multiline=True)
- name: Unit Socket Exists - nfs-server.socket
ansible.builtin.command: systemctl -q list-unit-files nfs-server.socket
register: socket_file_exists
changed_when: false
failed_when: socket_file_exists.rc not in [0, 1]
check_mode: false
- name: Disable Network File System (nfs) - Disable Socket nfs-server
ansible.builtin.systemd:
name: nfs-server.socket
enabled: false
state: stopped
masked: true
when: socket_file_exists.stdout_lines is search("nfs-server.socket", multiline=True)
tags:
- CCE-90850-9
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- service_nfs_disabled
- special_service_block
- unknown_severity
when:
- disable_strategy | bool
- low_complexity | bool
- low_disruption | bool
- no_reboot_needed | bool
- service_nfs_disabled | bool
- special_service_block | bool
- unknown_severity | bool
- '"kernel-core" in ansible_facts.packages'
- name: Disable the CUPS Service - Disable service cups
block:
- name: Disable the CUPS Service - Collect systemd Services Present in the System
ansible.builtin.command: systemctl -q list-unit-files --type service
register: service_exists
changed_when: false
failed_when: service_exists.rc not in [0, 1]
check_mode: false
- name: Disable the CUPS Service - Ensure cups.service is Masked
ansible.builtin.systemd:
name: cups.service
state: stopped
enabled: false
masked: true
when: service_exists.stdout_lines is search("cups.service", multiline=True)
- name: Unit Socket Exists - cups.socket
ansible.builtin.command: systemctl -q list-unit-files cups.socket
register: socket_file_exists
changed_when: false
failed_when: socket_file_exists.rc not in [0, 1]
check_mode: false
- name: Disable the CUPS Service - Disable Socket cups
ansible.builtin.systemd:
name: cups.socket
enabled: false
state: stopped
masked: true
when: socket_file_exists.stdout_lines is search("cups.socket", multiline=True)
tags:
- CCE-90795-6
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- low_complexity
- low_disruption
- no_reboot_needed
- service_cups_disabled
- special_service_block
- unknown_severity
when:
- disable_strategy | bool
- low_complexity | bool
- low_disruption | bool
- no_reboot_needed | bool
- service_cups_disabled | bool
- special_service_block | bool
- unknown_severity | bool
- '"kernel-core" in ansible_facts.packages'
- name: Enable auditd Service - Enable service auditd
block:
- name: Enable auditd Service - Enable Service auditd
ansible.builtin.systemd:
name: auditd
enabled: true
state: started
masked: false
when:
- '"audit" in ansible_facts.packages'
tags:
- CCE-90829-3
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-653015
- NIST-800-171-3.3.1
- NIST-800-171-3.3.2
- NIST-800-171-3.3.6
- NIST-800-53-AC-2(g)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-10
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-14(1)
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-3
- NIST-800-53-CM-6(a)
- NIST-800-53-SI-4(23)
- PCI-DSS-Req-10.1
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- enable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- service_auditd_enabled
- special_service_block
when:
- DISA_STIG_RHEL_09_653015 | bool
- enable_strategy | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- service_auditd_enabled | bool
- special_service_block | bool
- '"kernel-core" in ansible_facts.packages'
- '"audit" in ansible_facts.packages'
- name: Gather the service facts
ansible.builtin.service_facts: null
tags:
- always
- name: Build and Test AIDE Database - Check Whether the Stock AIDE Database Exists
ansible.builtin.stat:
path: /var/lib/aide/aide.db.new.gz
register: aide_database_stat
when:
- DISA_STIG_RHEL_09_651010 | bool
- aide_build_database | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83438-2
- CJIS-5.10.1.3
- DISA-STIG-RHEL-09-651010
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-11.5
- PCI-DSSv4-11.5.2
- aide_build_database
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Build and Test AIDE Database - Build and Test AIDE Database
ansible.builtin.command: /usr/sbin/aide --init
changed_when: true
when:
- DISA_STIG_RHEL_09_651010 | bool
- aide_build_database | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- not (aide_database_stat.stat.exists is defined and aide_database_stat.stat.exists)
register: aide_database_init
tags:
- CCE-83438-2
- CJIS-5.10.1.3
- DISA-STIG-RHEL-09-651010
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-11.5
- PCI-DSSv4-11.5.2
- aide_build_database
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Build and Test AIDE Database - Stage AIDE Database
ansible.builtin.copy:
src: /var/lib/aide/aide.db.new.gz
dest: /var/lib/aide/aide.db.gz
backup: true
remote_src: true
when:
- DISA_STIG_RHEL_09_651010 | bool
- aide_build_database | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- aide_database_init is changed
- not ansible_check_mode
tags:
- CCE-83438-2
- CJIS-5.10.1.3
- DISA-STIG-RHEL-09-651010
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-11.5
- PCI-DSSv4-11.5.2
- aide_build_database
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set audit_tools fact
ansible.builtin.set_fact:
audit_tools:
- /usr/sbin/auditctl
- /usr/sbin/auditd
- /usr/sbin/augenrules
- /usr/sbin/aureport
- /usr/sbin/ausearch
- /usr/sbin/autrace
- /usr/sbin/rsyslogd
when:
- DISA_STIG_RHEL_09_651025 | bool
- aide_check_audit_tools | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-87757-1
- DISA-STIG-RHEL-09-651025
- NIST-800-53-AU-9(3)
- NIST-800-53-AU-9(3).1
- aide_check_audit_tools
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure existing AIDE configuration for audit tools are correct
ansible.builtin.lineinfile:
path: /etc/aide.conf
regexp: ^{{ item }}\s
line: '{{ item }} p+i+n+u+g+s+b+acl+xattrs+sha512'
create: true
with_items: '{{ audit_tools }}'
when:
- DISA_STIG_RHEL_09_651025 | bool
- aide_check_audit_tools | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- '"aide" in ansible_facts.packages'
tags:
- CCE-87757-1
- DISA-STIG-RHEL-09-651025
- NIST-800-53-AU-9(3)
- NIST-800-53-AU-9(3).1
- aide_check_audit_tools
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Configure AIDE to properly protect audit tools
ansible.builtin.lineinfile:
path: /etc/aide.conf
line: '{{ item }} p+i+n+u+g+s+b+acl+xattrs+sha512'
create: true
with_items: '{{ audit_tools }}'
when:
- DISA_STIG_RHEL_09_651025 | bool
- aide_check_audit_tools | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- '"aide" in ansible_facts.packages'
tags:
- CCE-87757-1
- DISA-STIG-RHEL-09-651025
- NIST-800-53-AU-9(3)
- NIST-800-53-AU-9(3).1
- aide_check_audit_tools
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Configure Periodic Execution of AIDE
ansible.builtin.cron:
name: run AIDE check
minute: 5
hour: 4
user: root
job: /usr/sbin/aide --check
register: crontab_check
when:
- aide_periodic_cron_checking | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- '''cronie'' in ansible_facts.packages'
tags:
- CCE-83437-4
- CJIS-5.10.1.3
- NIST-800-53-CM-6(a)
- NIST-800-53-SI-7
- NIST-800-53-SI-7(1)
- PCI-DSS-Req-11.5
- PCI-DSSv4-11.5.2
- aide_periodic_cron_checking
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Implement Custom Crypto Policy Modules for CIS Benchmark - Create custom crypto policy module NO-SSHCBC
ansible.builtin.lineinfile:
path: /etc/crypto-policies/policies/modules/NO-SSHCBC.pmod
owner: root
group: root
mode: '0644'
line: cipher@SSH = -*-CBC
create: true
regexp: cipher@SSH
tags:
- CCE-88900-6
- configure_custom_crypto_policy_cis
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- reboot_required
when:
- configure_custom_crypto_policy_cis | bool
- configure_strategy | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- name: Implement Custom Crypto Policy Modules for CIS Benchmark - Create custom crypto policy module NO-SSHWEAKCIPHERS
ansible.builtin.lineinfile:
path: /etc/crypto-policies/policies/modules/NO-SSHWEAKCIPHERS.pmod
owner: root
group: root
mode: '0644'
line: cipher@SSH = -3DES-CBC -AES-128-CBC -AES-192-CBC -AES-256-CBC -CHACHA20-POLY1305
create: true
regexp: cipher@SSH
tags:
- CCE-88900-6
- configure_custom_crypto_policy_cis
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- reboot_required
when:
- configure_custom_crypto_policy_cis | bool
- configure_strategy | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- name: Implement Custom Crypto Policy Modules for CIS Benchmark - Create custom crypto policy module NO-SSHWEAKMACS
ansible.builtin.lineinfile:
path: /etc/crypto-policies/policies/modules/NO-SSHWEAKMACS.pmod
owner: root
group: root
mode: '0644'
line: mac@SSH = -HMAC-MD5* -UMAC-64* -UMAC-128*
create: true
regexp: mac@SSH
tags:
- CCE-88900-6
- configure_custom_crypto_policy_cis
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- reboot_required
when:
- configure_custom_crypto_policy_cis | bool
- configure_strategy | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- name: Implement Custom Crypto Policy Modules for CIS Benchmark - Create custom crypto policy module NO-WEAKMAC
ansible.builtin.lineinfile:
path: /etc/crypto-policies/policies/modules/NO-WEAKMAC.pmod
owner: root
group: root
mode: '0644'
line: mac = -*-128*
create: true
regexp: mac
tags:
- CCE-88900-6
- configure_custom_crypto_policy_cis
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- reboot_required
when:
- configure_custom_crypto_policy_cis | bool
- configure_strategy | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- name: Implement Custom Crypto Policy Modules for CIS Benchmark - Check current crypto policy
ansible.builtin.command: update-crypto-policies --show
register: current_crypto_policy
changed_when: false
failed_when: false
check_mode: false
tags:
- CCE-88900-6
- configure_custom_crypto_policy_cis
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- reboot_required
when:
- configure_custom_crypto_policy_cis | bool
- configure_strategy | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- name: Implement Custom Crypto Policy Modules for CIS Benchmark - Update crypto-policies
ansible.builtin.command: update-crypto-policies --set DEFAULT:NO-SHA1:NO-SSHCBC:NO-SSHWEAKCIPHERS:NO-SSHWEAKMACS:NO-WEAKMAC
when:
- configure_custom_crypto_policy_cis | bool
- configure_strategy | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- current_crypto_policy.stdout.strip() != "DEFAULT:NO-SHA1:NO-SSHCBC:NO-SSHWEAKCIPHERS:NO-SSHWEAKMACS:NO-WEAKMAC"
tags:
- CCE-88900-6
- configure_custom_crypto_policy_cis
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- name: Configure SSH to use System Crypto Policy
ansible.builtin.lineinfile:
dest: /etc/sysconfig/sshd
state: absent
regexp: (?i)^\s*CRYPTO_POLICY.*$
when:
- configure_ssh_crypto_policy | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83445-7
- NIST-800-53-AC-17(2)
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-MA-4(6)
- NIST-800-53-SC-13
- PCI-DSS-Req-2.2
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.7
- configure_ssh_crypto_policy
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- name: Make sure that the dconf databases are up-to-date with regards to respective keyfiles - Get database modification
time for distro
ansible.builtin.stat:
path: /etc/dconf/db/distro
register: distro_db
when:
- DISA_STIG_RHEL_09_271090 | bool
- dconf_db_up_to_date | bool
- high_severity | bool
- low_complexity | bool
- medium_disruption | bool
- no_reboot_needed | bool
- unknown_strategy | bool
- '"gdm" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-87295-2
- DISA-STIG-RHEL-09-271090
- PCI-DSS-Req-6.2
- PCI-DSSv4-8.2
- PCI-DSSv4-8.2.8
- dconf_db_up_to_date
- high_severity
- low_complexity
- medium_disruption
- no_reboot_needed
- unknown_strategy
- name: Make sure that the dconf databases are up-to-date with regards to respective keyfiles - Get keyfiles for distro
ansible.builtin.find:
paths: /etc/dconf/db/distro.d/
register: distro_keyfiles
when:
- DISA_STIG_RHEL_09_271090 | bool
- dconf_db_up_to_date | bool
- high_severity | bool
- low_complexity | bool
- medium_disruption | bool
- no_reboot_needed | bool
- unknown_strategy | bool
- '"gdm" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-87295-2
- DISA-STIG-RHEL-09-271090
- PCI-DSS-Req-6.2
- PCI-DSSv4-8.2
- PCI-DSSv4-8.2.8
- dconf_db_up_to_date
- high_severity
- low_complexity
- medium_disruption
- no_reboot_needed
- unknown_strategy
- name: Make sure that the dconf databases are up-to-date with regards to respective keyfiles - Run dconf update for distro
ansible.builtin.command:
cmd: dconf update
when:
- DISA_STIG_RHEL_09_271090 | bool
- dconf_db_up_to_date | bool
- high_severity | bool
- low_complexity | bool
- medium_disruption | bool
- no_reboot_needed | bool
- unknown_strategy | bool
- '"gdm" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- not distro_db.stat.exists or distro_keyfiles.files | length > 0 and distro_keyfiles.files | map(attribute='mtime') | max
> distro_db.stat.mtime
tags:
- CCE-87295-2
- DISA-STIG-RHEL-09-271090
- PCI-DSS-Req-6.2
- PCI-DSSv4-8.2
- PCI-DSSv4-8.2.8
- dconf_db_up_to_date
- high_severity
- low_complexity
- medium_disruption
- no_reboot_needed
- unknown_strategy
- name: Make sure that the dconf databases are up-to-date with regards to respective keyfiles - Get database modification
time for local
ansible.builtin.stat:
path: /etc/dconf/db/local
register: local_db
when:
- DISA_STIG_RHEL_09_271090 | bool
- dconf_db_up_to_date | bool
- high_severity | bool
- low_complexity | bool
- medium_disruption | bool
- no_reboot_needed | bool
- unknown_strategy | bool
- '"gdm" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-87295-2
- DISA-STIG-RHEL-09-271090
- PCI-DSS-Req-6.2
- PCI-DSSv4-8.2
- PCI-DSSv4-8.2.8
- dconf_db_up_to_date
- high_severity
- low_complexity
- medium_disruption
- no_reboot_needed
- unknown_strategy
- name: Make sure that the dconf databases are up-to-date with regards to respective keyfiles - Get keyfiles for local
ansible.builtin.find:
paths: /etc/dconf/db/local.d/
register: local_keyfiles
when:
- DISA_STIG_RHEL_09_271090 | bool
- dconf_db_up_to_date | bool
- high_severity | bool
- low_complexity | bool
- medium_disruption | bool
- no_reboot_needed | bool
- unknown_strategy | bool
- '"gdm" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-87295-2
- DISA-STIG-RHEL-09-271090
- PCI-DSS-Req-6.2
- PCI-DSSv4-8.2
- PCI-DSSv4-8.2.8
- dconf_db_up_to_date
- high_severity
- low_complexity
- medium_disruption
- no_reboot_needed
- unknown_strategy
- name: Make sure that the dconf databases are up-to-date with regards to respective keyfiles - Run dconf update for local
ansible.builtin.command:
cmd: dconf update
when:
- DISA_STIG_RHEL_09_271090 | bool
- dconf_db_up_to_date | bool
- high_severity | bool
- low_complexity | bool
- medium_disruption | bool
- no_reboot_needed | bool
- unknown_strategy | bool
- '"gdm" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- not local_db.stat.exists or local_keyfiles.files | length > 0 and local_keyfiles.files | map(attribute='mtime') | max
> local_db.stat.mtime
tags:
- CCE-87295-2
- DISA-STIG-RHEL-09-271090
- PCI-DSS-Req-6.2
- PCI-DSSv4-8.2
- PCI-DSSv4-8.2.8
- dconf_db_up_to_date
- high_severity
- low_complexity
- medium_disruption
- no_reboot_needed
- unknown_strategy
- name: Disable the GNOME3 Login User List
community.general.ini_file:
dest: /etc/dconf/db/distro.d/00-security-settings
section: org/gnome/login-screen
option: disable-user-list
value: 'true'
no_extra_spaces: true
create: true
register: result_ini
when:
- DISA_STIG_RHEL_09_271115 | bool
- dconf_gnome_disable_user_list | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- unknown_strategy | bool
- '"gdm" in ansible_facts.packages'
tags:
- CCE-88285-2
- DISA-STIG-RHEL-09-271115
- NIST-800-53-AC-23
- NIST-800-53-CM-6(a)
- dconf_gnome_disable_user_list
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- unknown_strategy
- name: Prevent user modification of GNOME3 disablement of Login User List
ansible.builtin.lineinfile:
path: /etc/dconf/db/distro.d/locks/00-security-settings-lock
regexp: ^/org/gnome/login-screen/disable-user-list$
line: /org/gnome/login-screen/disable-user-list
create: true
register: result_lineinfile
when:
- DISA_STIG_RHEL_09_271115 | bool
- dconf_gnome_disable_user_list | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- unknown_strategy | bool
- '"gdm" in ansible_facts.packages'
tags:
- CCE-88285-2
- DISA-STIG-RHEL-09-271115
- NIST-800-53-AC-23
- NIST-800-53-CM-6(a)
- dconf_gnome_disable_user_list
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- unknown_strategy
- name: Dconf Update
ansible.builtin.command: dconf update
when:
- DISA_STIG_RHEL_09_271115 | bool
- dconf_gnome_disable_user_list | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- unknown_strategy | bool
- '"gdm" in ansible_facts.packages'
- result_ini is changed or result_lineinfile is changed
tags:
- CCE-88285-2
- DISA-STIG-RHEL-09-271115
- NIST-800-53-AC-23
- NIST-800-53-CM-6(a)
- dconf_gnome_disable_user_list
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- unknown_strategy
- name: Disable XDMCP in GDM
community.general.ini_file:
path: /etc/gdm/custom.conf
section: xdmcp
option: Enable
value: 'false'
create: true
mode: 420
when:
- gnome_gdm_disable_xdmcp | bool
- high_severity | bool
- low_complexity | bool
- medium_disruption | bool
- no_reboot_needed | bool
- unknown_strategy | bool
- '"gdm" in ansible_facts.packages'
tags:
- CCE-86033-8
- gnome_gdm_disable_xdmcp
- high_severity
- low_complexity
- medium_disruption
- no_reboot_needed
- unknown_strategy
- name: Disable GNOME3 Automounting - automount
community.general.ini_file:
dest: /etc/dconf/db/local.d/00-security-settings
section: org/gnome/desktop/media-handling
option: automount
value: 'false'
create: true
no_extra_spaces: true
register: result_ini
when:
- dconf_gnome_disable_automount | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- unknown_strategy | bool
- '"gdm" in ansible_facts.packages'
tags:
- CCE-87734-0
- NIST-800-171-3.1.7
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSSv4-3.4
- PCI-DSSv4-3.4.2
- dconf_gnome_disable_automount
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- unknown_strategy
- name: Prevent user modification of GNOME3 Automounting - automount
ansible.builtin.lineinfile:
path: /etc/dconf/db/local.d/locks/00-security-settings-lock
regexp: ^/org/gnome/desktop/media-handling/automount$
line: /org/gnome/desktop/media-handling/automount
create: true
register: result_lineinfile
when:
- dconf_gnome_disable_automount | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- unknown_strategy | bool
- '"gdm" in ansible_facts.packages'
tags:
- CCE-87734-0
- NIST-800-171-3.1.7
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSSv4-3.4
- PCI-DSSv4-3.4.2
- dconf_gnome_disable_automount
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- unknown_strategy
- name: Dconf Update
ansible.builtin.command: dconf update
when:
- dconf_gnome_disable_automount | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- unknown_strategy | bool
- '"gdm" in ansible_facts.packages'
- result_ini is changed or result_lineinfile is changed
tags:
- CCE-87734-0
- NIST-800-171-3.1.7
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSSv4-3.4
- PCI-DSSv4-3.4.2
- dconf_gnome_disable_automount
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- unknown_strategy
- name: Disable GNOME3 Automounting - automount-open
community.general.ini_file:
dest: /etc/dconf/db/local.d/00-security-settings
section: org/gnome/desktop/media-handling
option: automount-open
value: 'false'
create: true
no_extra_spaces: true
register: result_ini
when:
- DISA_STIG_RHEL_09_271020 | bool
- DISA_STIG_RHEL_09_271025 | bool
- dconf_gnome_disable_automount_open | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- unknown_strategy | bool
- '"gdm" in ansible_facts.packages'
tags:
- CCE-90128-0
- DISA-STIG-RHEL-09-271020
- DISA-STIG-RHEL-09-271025
- NIST-800-171-3.1.7
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSSv4-3.4
- PCI-DSSv4-3.4.2
- dconf_gnome_disable_automount_open
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- unknown_strategy
- name: Prevent user modification of GNOME3 Automounting - automount-open
ansible.builtin.lineinfile:
path: /etc/dconf/db/local.d/locks/00-security-settings-lock
regexp: ^/org/gnome/desktop/media-handling/automount-open$
line: /org/gnome/desktop/media-handling/automount-open
create: true
register: result_lineinfile
when:
- DISA_STIG_RHEL_09_271020 | bool
- DISA_STIG_RHEL_09_271025 | bool
- dconf_gnome_disable_automount_open | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- unknown_strategy | bool
- '"gdm" in ansible_facts.packages'
tags:
- CCE-90128-0
- DISA-STIG-RHEL-09-271020
- DISA-STIG-RHEL-09-271025
- NIST-800-171-3.1.7
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSSv4-3.4
- PCI-DSSv4-3.4.2
- dconf_gnome_disable_automount_open
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- unknown_strategy
- name: Dconf Update
ansible.builtin.command: dconf update
when:
- DISA_STIG_RHEL_09_271020 | bool
- DISA_STIG_RHEL_09_271025 | bool
- dconf_gnome_disable_automount_open | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- unknown_strategy | bool
- '"gdm" in ansible_facts.packages'
- result_ini is changed or result_lineinfile is changed
tags:
- CCE-90128-0
- DISA-STIG-RHEL-09-271020
- DISA-STIG-RHEL-09-271025
- NIST-800-171-3.1.7
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSSv4-3.4
- PCI-DSSv4-3.4.2
- dconf_gnome_disable_automount_open
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- unknown_strategy
- name: Disable GNOME3 Automounting - autorun-never
community.general.ini_file:
dest: /etc/dconf/db/local.d/00-security-settings
section: org/gnome/desktop/media-handling
option: autorun-never
value: 'true'
create: true
no_extra_spaces: true
register: result_ini
when:
- DISA_STIG_RHEL_09_271030 | bool
- DISA_STIG_RHEL_09_271035 | bool
- dconf_gnome_disable_autorun | bool
- low_complexity | bool
- low_severity | bool
- medium_disruption | bool
- no_reboot_needed | bool
- unknown_strategy | bool
- '"gdm" in ansible_facts.packages'
tags:
- CCE-90257-7
- DISA-STIG-RHEL-09-271030
- DISA-STIG-RHEL-09-271035
- NIST-800-171-3.1.7
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- dconf_gnome_disable_autorun
- low_complexity
- low_severity
- medium_disruption
- no_reboot_needed
- unknown_strategy
- name: Prevent user modification of GNOME3 Automounting - autorun-never
ansible.builtin.lineinfile:
path: /etc/dconf/db/local.d/locks/00-security-settings-lock
regexp: ^/org/gnome/desktop/media-handling/autorun-never$
line: /org/gnome/desktop/media-handling/autorun-never
create: true
register: result_lineinfile
when:
- DISA_STIG_RHEL_09_271030 | bool
- DISA_STIG_RHEL_09_271035 | bool
- dconf_gnome_disable_autorun | bool
- low_complexity | bool
- low_severity | bool
- medium_disruption | bool
- no_reboot_needed | bool
- unknown_strategy | bool
- '"gdm" in ansible_facts.packages'
tags:
- CCE-90257-7
- DISA-STIG-RHEL-09-271030
- DISA-STIG-RHEL-09-271035
- NIST-800-171-3.1.7
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- dconf_gnome_disable_autorun
- low_complexity
- low_severity
- medium_disruption
- no_reboot_needed
- unknown_strategy
- name: Dconf Update
ansible.builtin.command: dconf update
when:
- DISA_STIG_RHEL_09_271030 | bool
- DISA_STIG_RHEL_09_271035 | bool
- dconf_gnome_disable_autorun | bool
- low_complexity | bool
- low_severity | bool
- medium_disruption | bool
- no_reboot_needed | bool
- unknown_strategy | bool
- '"gdm" in ansible_facts.packages'
- result_ini is changed or result_lineinfile is changed
tags:
- CCE-90257-7
- DISA-STIG-RHEL-09-271030
- DISA-STIG-RHEL-09-271035
- NIST-800-171-3.1.7
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- dconf_gnome_disable_autorun
- low_complexity
- low_severity
- medium_disruption
- no_reboot_needed
- unknown_strategy
- name: Set GNOME3 Screensaver Inactivity Timeout
community.general.ini_file:
dest: /etc/dconf/db/local.d/00-security-settings
section: org/gnome/desktop/session
option: idle-delay
value: uint32 {{ inactivity_timeout_value }}
create: true
no_extra_spaces: true
register: result_ini
when:
- DISA_STIG_RHEL_09_271065 | bool
- dconf_gnome_screensaver_idle_delay | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- unknown_strategy | bool
- '"gdm" in ansible_facts.packages'
tags:
- CCE-86510-5
- CJIS-5.5.5
- DISA-STIG-RHEL-09-271065
- NIST-800-171-3.1.10
- NIST-800-53-AC-11(a)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.1.8
- PCI-DSSv4-8.2
- PCI-DSSv4-8.2.8
- dconf_gnome_screensaver_idle_delay
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- unknown_strategy
- name: Dconf Update
ansible.builtin.command: dconf update
when:
- DISA_STIG_RHEL_09_271065 | bool
- dconf_gnome_screensaver_idle_delay | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- unknown_strategy | bool
- '"gdm" in ansible_facts.packages'
- result_ini is changed
tags:
- CCE-86510-5
- CJIS-5.5.5
- DISA-STIG-RHEL-09-271065
- NIST-800-171-3.1.10
- NIST-800-53-AC-11(a)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.1.8
- PCI-DSSv4-8.2
- PCI-DSSv4-8.2.8
- dconf_gnome_screensaver_idle_delay
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- unknown_strategy
- name: Set GNOME3 Screensaver Lock Delay After Activation Period
community.general.ini_file:
dest: /etc/dconf/db/local.d/00-security-settings
section: org/gnome/desktop/screensaver
option: lock-delay
value: uint32 {{ var_screensaver_lock_delay }}
create: true
no_extra_spaces: true
register: result_ini
when:
- DISA_STIG_RHEL_09_271075 | bool
- dconf_gnome_screensaver_lock_delay | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- unknown_strategy | bool
- '"gdm" in ansible_facts.packages'
tags:
- CCE-86954-5
- DISA-STIG-RHEL-09-271075
- NIST-800-171-3.1.10
- NIST-800-53-AC-11(a)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.1.8
- PCI-DSSv4-8.2
- PCI-DSSv4-8.2.8
- dconf_gnome_screensaver_lock_delay
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- unknown_strategy
- name: Dconf Update
ansible.builtin.command: dconf update
when:
- DISA_STIG_RHEL_09_271075 | bool
- dconf_gnome_screensaver_lock_delay | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- unknown_strategy | bool
- '"gdm" in ansible_facts.packages'
- result_ini is changed
tags:
- CCE-86954-5
- DISA-STIG-RHEL-09-271075
- NIST-800-171-3.1.10
- NIST-800-53-AC-11(a)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.1.8
- PCI-DSSv4-8.2
- PCI-DSSv4-8.2.8
- dconf_gnome_screensaver_lock_delay
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- unknown_strategy
- name: Prevent user modification of GNOME lock-delay
ansible.builtin.lineinfile:
path: /etc/dconf/db/local.d/locks/00-security-settings-lock
regexp: ^/org/gnome/desktop/screensaver/lock-delay$
line: /org/gnome/desktop/screensaver/lock-delay
create: true
register: result_lineinfile
when:
- DISA_STIG_RHEL_09_271080 | bool
- dconf_gnome_screensaver_user_locks | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- unknown_strategy | bool
- '"gdm" in ansible_facts.packages'
tags:
- CCE-87491-7
- DISA-STIG-RHEL-09-271080
- NIST-800-171-3.1.10
- NIST-800-53-CM-6(a)
- dconf_gnome_screensaver_user_locks
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- unknown_strategy
- name: Dconf Update
ansible.builtin.command: dconf update
when:
- DISA_STIG_RHEL_09_271080 | bool
- dconf_gnome_screensaver_user_locks | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- unknown_strategy | bool
- '"gdm" in ansible_facts.packages'
- result_lineinfile is changed
tags:
- CCE-87491-7
- DISA-STIG-RHEL-09-271080
- NIST-800-171-3.1.10
- NIST-800-53-CM-6(a)
- dconf_gnome_screensaver_user_locks
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- unknown_strategy
- name: Prevent user modification of GNOME Session idle-delay
ansible.builtin.lineinfile:
path: /etc/dconf/db/local.d/locks/00-security-settings-lock
regexp: ^/org/gnome/desktop/session/idle-delay$
line: /org/gnome/desktop/session/idle-delay
create: true
register: result_lineinfile
when:
- DISA_STIG_RHEL_09_271070 | bool
- dconf_gnome_session_idle_user_locks | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- unknown_strategy | bool
- '"gdm" in ansible_facts.packages'
tags:
- CCE-85971-0
- DISA-STIG-RHEL-09-271070
- NIST-800-171-3.1.10
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.1.8
- PCI-DSSv4-8.2
- PCI-DSSv4-8.2.8
- dconf_gnome_session_idle_user_locks
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- unknown_strategy
- name: Dconf Update
ansible.builtin.command: dconf update
when:
- DISA_STIG_RHEL_09_271070 | bool
- dconf_gnome_session_idle_user_locks | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- unknown_strategy | bool
- '"gdm" in ansible_facts.packages'
- result_lineinfile is changed
tags:
- CCE-85971-0
- DISA-STIG-RHEL-09-271070
- NIST-800-171-3.1.10
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.1.8
- PCI-DSSv4-8.2
- PCI-DSSv4-8.2.8
- dconf_gnome_session_idle_user_locks
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- unknown_strategy
- name: Ensure use_pty is enabled in /etc/sudoers
ansible.builtin.lineinfile:
path: /etc/sudoers
regexp: ^[\s]*Defaults.*\buse_pty\b.*$
line: Defaults use_pty
validate: /usr/sbin/visudo -cf %s
when:
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- sudo_add_use_pty | bool
- '"kernel-core" in ansible_facts.packages'
- '"sudo" in ansible_facts.packages'
tags:
- CCE-83538-9
- PCI-DSS-Req-10.2.5
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sudo_add_use_pty
- name: Ensure logfile is enabled with the appropriate value in /etc/sudoers
ansible.builtin.lineinfile:
path: /etc/sudoers
regexp: ^[\s]*Defaults\s(.*)\blogfile=[-]?.+\b(.*)$
line: Defaults \1logfile={{ var_sudo_logfile }}\2
validate: /usr/sbin/visudo -cf %s
backrefs: true
register: edit_sudoers_logfile_option
when:
- low_complexity | bool
- low_disruption | bool
- low_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- sudo_custom_logfile | bool
- '"kernel-core" in ansible_facts.packages'
- '"sudo" in ansible_facts.packages'
tags:
- CCE-83527-2
- PCI-DSS-Req-10.2.5
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- low_complexity
- low_disruption
- low_severity
- no_reboot_needed
- restrict_strategy
- sudo_custom_logfile
- name: Enable logfile option with appropriate value in /etc/sudoers
ansible.builtin.lineinfile:
path: /etc/sudoers
line: Defaults logfile={{ var_sudo_logfile }}
validate: /usr/sbin/visudo -cf %s
when:
- low_complexity | bool
- low_disruption | bool
- low_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- sudo_custom_logfile | bool
- '"kernel-core" in ansible_facts.packages'
- '"sudo" in ansible_facts.packages'
- edit_sudoers_logfile_option is defined and not edit_sudoers_logfile_option.changed
tags:
- CCE-83527-2
- PCI-DSS-Req-10.2.5
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- low_complexity
- low_disruption
- low_severity
- no_reboot_needed
- restrict_strategy
- sudo_custom_logfile
- name: Find /etc/sudoers.d/ files
ansible.builtin.find:
paths:
- /etc/sudoers.d/
register: sudoers
when:
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- sudo_require_authentication | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83543-9
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-11
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sudo_require_authentication
- name: Remove lines containing NOPASSWD from sudoers files
ansible.builtin.replace:
regexp: (^(?!#).*[\s]+NOPASSWD[\s]*\:.*$)
replace: '# \g<1>'
path: '{{ item.path }}'
validate: /usr/sbin/visudo -cf %s
with_items:
- path: /etc/sudoers
- '{{ sudoers.files }}'
when:
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- sudo_require_authentication | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83543-9
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-11
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sudo_require_authentication
- name: Find /etc/sudoers.d/ files
ansible.builtin.find:
paths:
- /etc/sudoers.d/
register: sudoers
when:
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- sudo_require_authentication | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83543-9
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-11
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sudo_require_authentication
- name: Remove lines containing !authenticate from sudoers files
ansible.builtin.replace:
regexp: (^(?!#).*[\s]+\!authenticate.*$)
replace: '# \g<1>'
path: '{{ item.path }}'
validate: /usr/sbin/visudo -cf %s
with_items:
- path: /etc/sudoers
- '{{ sudoers.files }}'
when:
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- sudo_require_authentication | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83543-9
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-11
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sudo_require_authentication
- name: Require Re-Authentication When Using the sudo Command - Find /etc/sudoers.d/* files containing 'Defaults timestamp_timeout'
ansible.builtin.find:
path: /etc/sudoers.d
patterns: '*'
contains: ^[\s]*Defaults\s.*\btimestamp_timeout[\s]*=.*
register: sudoers_d_defaults_timestamp_timeout
when:
- DISA_STIG_RHEL_09_432015 | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- sudo_require_reauthentication | bool
- '"kernel-core" in ansible_facts.packages'
- '"sudo" in ansible_facts.packages'
tags:
- CCE-90029-0
- DISA-STIG-RHEL-09-432015
- NIST-800-53-IA-11
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sudo_require_reauthentication
- name: Require Re-Authentication When Using the sudo Command - Remove 'Defaults timestamp_timeout' from /etc/sudoers.d/*
files
ansible.builtin.lineinfile:
path: '{{ item.path }}'
regexp: ^[\s]*Defaults\s.*\btimestamp_timeout[\s]*=.*
state: absent
with_items: '{{ sudoers_d_defaults_timestamp_timeout.files }}'
when:
- DISA_STIG_RHEL_09_432015 | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- sudo_require_reauthentication | bool
- '"kernel-core" in ansible_facts.packages'
- '"sudo" in ansible_facts.packages'
tags:
- CCE-90029-0
- DISA-STIG-RHEL-09-432015
- NIST-800-53-IA-11
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sudo_require_reauthentication
- name: Require Re-Authentication When Using the sudo Command - Ensure timestamp_timeout has the appropriate value in /etc/sudoers
ansible.builtin.lineinfile:
path: /etc/sudoers
regexp: ^[\s]*Defaults\s(.*)\btimestamp_timeout[\s]*=[\s]*[-]?\w+\b(.*)$
line: Defaults \1timestamp_timeout={{ var_sudo_timestamp_timeout }}\2
validate: /usr/sbin/visudo -cf %s
backrefs: true
register: edit_sudoers_timestamp_timeout_option
when:
- DISA_STIG_RHEL_09_432015 | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- sudo_require_reauthentication | bool
- '"kernel-core" in ansible_facts.packages'
- '"sudo" in ansible_facts.packages'
tags:
- CCE-90029-0
- DISA-STIG-RHEL-09-432015
- NIST-800-53-IA-11
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sudo_require_reauthentication
- name: Require Re-Authentication When Using the sudo Command - Enable timestamp_timeout option with correct value in /etc/sudoers
ansible.builtin.lineinfile:
path: /etc/sudoers
line: Defaults timestamp_timeout={{ var_sudo_timestamp_timeout }}
validate: /usr/sbin/visudo -cf %s
when:
- DISA_STIG_RHEL_09_432015 | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- sudo_require_reauthentication | bool
- '"kernel-core" in ansible_facts.packages'
- '"sudo" in ansible_facts.packages'
- 'edit_sudoers_timestamp_timeout_option is defined and not edit_sudoers_timestamp_timeout_option.changed
'
tags:
- CCE-90029-0
- DISA-STIG-RHEL-09-432015
- NIST-800-53-IA-11
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sudo_require_reauthentication
- name: Require Re-Authentication When Using the sudo Command - Remove timestamp_timeout wrong values in /etc/sudoers
ansible.builtin.lineinfile:
path: /etc/sudoers
regexp: ^[\s]*Defaults\s.*\btimestamp_timeout[\s]*=[\s]*(?!{{ var_sudo_timestamp_timeout }}\b)[-]?\w+\b.*$
state: absent
validate: /usr/sbin/visudo -cf %s
when:
- DISA_STIG_RHEL_09_432015 | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- sudo_require_reauthentication | bool
- '"kernel-core" in ansible_facts.packages'
- '"sudo" in ansible_facts.packages'
tags:
- CCE-90029-0
- DISA-STIG-RHEL-09-432015
- NIST-800-53-IA-11
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sudo_require_reauthentication
- name: Ensure GPG check is globally activated
community.general.ini_file:
dest: /etc/dnf/dnf.conf
section: main
option: gpgcheck
value: 1
no_extra_spaces: true
create: false
when:
- DISA_STIG_RHEL_09_214015 | bool
- configure_strategy | bool
- ensure_gpgcheck_globally_activated | bool
- high_severity | bool
- low_complexity | bool
- medium_disruption | bool
- no_reboot_needed | bool
- '"dnf" in ansible_facts.packages'
tags:
- CCE-83457-2
- CJIS-5.10.4.1
- DISA-STIG-RHEL-09-214015
- NIST-800-171-3.4.8
- NIST-800-53-CM-11(a)
- NIST-800-53-CM-11(b)
- NIST-800-53-CM-5(3)
- NIST-800-53-CM-6(a)
- NIST-800-53-SA-12
- NIST-800-53-SA-12(10)
- NIST-800-53-SC-12
- NIST-800-53-SC-12(3)
- NIST-800-53-SI-7
- PCI-DSS-Req-6.2
- PCI-DSSv4-6.3
- PCI-DSSv4-6.3.3
- configure_strategy
- ensure_gpgcheck_globally_activated
- high_severity
- low_complexity
- medium_disruption
- no_reboot_needed
- name: Grep for dnf repo section names
ansible.builtin.shell: 'set -o pipefail
grep -HEr ''^\[.+\]'' -r /etc/yum.repos.d/
'
register: repo_grep_results
failed_when: repo_grep_results.rc not in [0, 1]
changed_when: false
tags:
- CCE-83464-8
- CJIS-5.10.4.1
- DISA-STIG-RHEL-09-214025
- NIST-800-171-3.4.8
- NIST-800-53-CM-11(a)
- NIST-800-53-CM-11(b)
- NIST-800-53-CM-5(3)
- NIST-800-53-CM-6(a)
- NIST-800-53-SA-12
- NIST-800-53-SA-12(10)
- NIST-800-53-SC-12
- NIST-800-53-SC-12(3)
- NIST-800-53-SI-7
- PCI-DSS-Req-6.2
- PCI-DSSv4-6.3
- PCI-DSSv4-6.3.3
- enable_strategy
- ensure_gpgcheck_never_disabled
- high_severity
- low_complexity
- medium_disruption
- no_reboot_needed
when:
- DISA_STIG_RHEL_09_214025 | bool
- enable_strategy | bool
- ensure_gpgcheck_never_disabled | bool
- high_severity | bool
- low_complexity | bool
- medium_disruption | bool
- no_reboot_needed | bool
- name: Set gpgcheck=1 for each dnf repo
community.general.ini_file:
path: '{{ item[0] }}'
section: '{{ item[1] }}'
option: gpgcheck
value: '1'
no_extra_spaces: true
loop: '{{ repo_grep_results.stdout |regex_findall( ''(.+\.repo):\[(.+)\]\n?'' ) if repo_grep_results is not skipped else
[] }}'
when:
- DISA_STIG_RHEL_09_214025 | bool
- enable_strategy | bool
- ensure_gpgcheck_never_disabled | bool
- high_severity | bool
- low_complexity | bool
- medium_disruption | bool
- no_reboot_needed | bool
- repo_grep_results is not skipped
tags:
- CCE-83464-8
- CJIS-5.10.4.1
- DISA-STIG-RHEL-09-214025
- NIST-800-171-3.4.8
- NIST-800-53-CM-11(a)
- NIST-800-53-CM-11(b)
- NIST-800-53-CM-5(3)
- NIST-800-53-CM-6(a)
- NIST-800-53-SA-12
- NIST-800-53-SA-12(10)
- NIST-800-53-SC-12
- NIST-800-53-SC-12(3)
- NIST-800-53-SI-7
- PCI-DSS-Req-6.2
- PCI-DSSv4-6.3
- PCI-DSSv4-6.3.3
- enable_strategy
- ensure_gpgcheck_never_disabled
- high_severity
- low_complexity
- medium_disruption
- no_reboot_needed
- name: Enable authselect - Check Current authselect Profile
ansible.builtin.command:
cmd: authselect current
register: result_authselect_current
changed_when: false
failed_when: false
when:
- DISA_STIG_needed_rules | bool
- configure_strategy | bool
- enable_authselect | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-89732-2
- DISA-STIG-needed_rules
- NIST-800-53-AC-3
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.4
- configure_strategy
- enable_authselect
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- name: Enable authselect - Try to Select an authselect Profile
ansible.builtin.command:
cmd: authselect select "{{ var_authselect_profile }}"
register: result_authselect_select
changed_when: result_authselect_select.rc == 0
failed_when: false
when:
- DISA_STIG_needed_rules | bool
- configure_strategy | bool
- enable_authselect | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
- result_authselect_current.rc != 0
tags:
- CCE-89732-2
- DISA-STIG-needed_rules
- NIST-800-53-AC-3
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.4
- configure_strategy
- enable_authselect
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- name: Enable authselect - Verify If pam Has Been Altered
ansible.builtin.command:
cmd: rpm -qV pam
register: result_altered_authselect
changed_when: false
failed_when: false
when:
- DISA_STIG_needed_rules | bool
- configure_strategy | bool
- enable_authselect | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
- result_authselect_select is not skipped
- result_authselect_select.rc != 0
tags:
- CCE-89732-2
- DISA-STIG-needed_rules
- NIST-800-53-AC-3
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.4
- configure_strategy
- enable_authselect
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- name: Enable authselect - Informative Message Based on authselect Integrity Check
ansible.builtin.assert:
that:
- result_authselect_current.rc == 0 or result_altered_authselect is skipped or result_altered_authselect.rc == 0
fail_msg:
- authselect is not used but files from the 'pam' package have been altered, so the authselect configuration won't be
forced.
when:
- DISA_STIG_needed_rules | bool
- configure_strategy | bool
- enable_authselect | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-89732-2
- DISA-STIG-needed_rules
- NIST-800-53-AC-3
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.4
- configure_strategy
- enable_authselect
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- name: Enable authselect - Force authselect Profile Selection
ansible.builtin.command:
cmd: authselect select --force "{{ var_authselect_profile }}"
when:
- DISA_STIG_needed_rules | bool
- configure_strategy | bool
- enable_authselect | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
- result_authselect_current.rc != 0
- result_authselect_select.rc != 0
- result_altered_authselect.rc == 0
tags:
- CCE-89732-2
- DISA-STIG-needed_rules
- NIST-800-53-AC-3
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.4
- configure_strategy
- enable_authselect
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- name: Ensure Local Login Warning Banner Is Configured Properly - Copy using inline content
ansible.builtin.copy:
content: '{{ cis_banner_text }}'
dest: /etc/issue
when:
- banner_etc_issue_cis | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86142-7
- banner_etc_issue_cis
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure Remote Login Warning Banner Is Configured Properly - Copy using inline content
ansible.builtin.copy:
content: '{{ cis_banner_text }}'
dest: /etc/issue.net
when:
- banner_etc_issue_net_cis | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86143-5
- banner_etc_issue_net_cis
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure Message Of The Day Is Configured Properly - Copy using inline content
ansible.builtin.copy:
content: '{{ cis_banner_text }}'
dest: /etc/motd
when:
- banner_etc_motd_cis | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86141-9
- banner_etc_motd_cis
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set the file_groupowner_etc_issue_newgroup variable if represented by gid
ansible.builtin.set_fact:
file_groupowner_etc_issue_newgroup: '0'
tags:
- CCE-86699-6
- configure_strategy
- file_groupowner_etc_issue
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
when:
- configure_strategy | bool
- file_groupowner_etc_issue | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- name: Test for existence /etc/issue
ansible.builtin.stat:
path: /etc/issue
register: file_exists
tags:
- CCE-86699-6
- configure_strategy
- file_groupowner_etc_issue
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
when:
- configure_strategy | bool
- file_groupowner_etc_issue | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- name: Ensure group owner on /etc/issue
ansible.builtin.file:
path: /etc/issue
follow: false
group: '{{ file_groupowner_etc_issue_newgroup }}'
when:
- configure_strategy | bool
- file_groupowner_etc_issue | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-86699-6
- configure_strategy
- file_groupowner_etc_issue
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set the file_groupowner_etc_issue_net_newgroup variable if represented by gid
ansible.builtin.set_fact:
file_groupowner_etc_issue_net_newgroup: '0'
tags:
- CCE-86052-8
- PCI-DSSv4-1.2
- PCI-DSSv4-1.2.8
- configure_strategy
- file_groupowner_etc_issue_net
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
when:
- configure_strategy | bool
- file_groupowner_etc_issue_net | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- name: Test for existence /etc/issue.net
ansible.builtin.stat:
path: /etc/issue.net
register: file_exists
tags:
- CCE-86052-8
- PCI-DSSv4-1.2
- PCI-DSSv4-1.2.8
- configure_strategy
- file_groupowner_etc_issue_net
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
when:
- configure_strategy | bool
- file_groupowner_etc_issue_net | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- name: Ensure group owner on /etc/issue.net
ansible.builtin.file:
path: /etc/issue.net
follow: false
group: '{{ file_groupowner_etc_issue_net_newgroup }}'
when:
- configure_strategy | bool
- file_groupowner_etc_issue_net | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-86052-8
- PCI-DSSv4-1.2
- PCI-DSSv4-1.2.8
- configure_strategy
- file_groupowner_etc_issue_net
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set the file_groupowner_etc_motd_newgroup variable if represented by gid
ansible.builtin.set_fact:
file_groupowner_etc_motd_newgroup: '0'
tags:
- CCE-86697-0
- configure_strategy
- file_groupowner_etc_motd
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
when:
- configure_strategy | bool
- file_groupowner_etc_motd | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- name: Test for existence /etc/motd
ansible.builtin.stat:
path: /etc/motd
register: file_exists
tags:
- CCE-86697-0
- configure_strategy
- file_groupowner_etc_motd
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
when:
- configure_strategy | bool
- file_groupowner_etc_motd | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- name: Ensure group owner on /etc/motd
ansible.builtin.file:
path: /etc/motd
follow: false
group: '{{ file_groupowner_etc_motd_newgroup }}'
when:
- configure_strategy | bool
- file_groupowner_etc_motd | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-86697-0
- configure_strategy
- file_groupowner_etc_motd
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set the file_owner_etc_issue_newown variable if represented by uid
ansible.builtin.set_fact:
file_owner_etc_issue_newown: '0'
tags:
- CCE-86700-2
- configure_strategy
- file_owner_etc_issue
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
when:
- configure_strategy | bool
- file_owner_etc_issue | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- name: Test for existence /etc/issue
ansible.builtin.stat:
path: /etc/issue
register: file_exists
tags:
- CCE-86700-2
- configure_strategy
- file_owner_etc_issue
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
when:
- configure_strategy | bool
- file_owner_etc_issue | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- name: Ensure owner on /etc/issue
ansible.builtin.file:
path: /etc/issue
follow: false
owner: '{{ file_owner_etc_issue_newown }}'
when:
- configure_strategy | bool
- file_owner_etc_issue | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-86700-2
- configure_strategy
- file_owner_etc_issue
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set the file_owner_etc_issue_net_newown variable if represented by uid
ansible.builtin.set_fact:
file_owner_etc_issue_net_newown: '0'
tags:
- CCE-86057-7
- PCI-DSSv4-1.2
- PCI-DSSv4-1.2.8
- configure_strategy
- file_owner_etc_issue_net
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
when:
- configure_strategy | bool
- file_owner_etc_issue_net | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- name: Test for existence /etc/issue.net
ansible.builtin.stat:
path: /etc/issue.net
register: file_exists
tags:
- CCE-86057-7
- PCI-DSSv4-1.2
- PCI-DSSv4-1.2.8
- configure_strategy
- file_owner_etc_issue_net
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
when:
- configure_strategy | bool
- file_owner_etc_issue_net | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- name: Ensure owner on /etc/issue.net
ansible.builtin.file:
path: /etc/issue.net
follow: false
owner: '{{ file_owner_etc_issue_net_newown }}'
when:
- configure_strategy | bool
- file_owner_etc_issue_net | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-86057-7
- PCI-DSSv4-1.2
- PCI-DSSv4-1.2.8
- configure_strategy
- file_owner_etc_issue_net
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set the file_owner_etc_motd_newown variable if represented by uid
ansible.builtin.set_fact:
file_owner_etc_motd_newown: '0'
tags:
- CCE-86698-8
- configure_strategy
- file_owner_etc_motd
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
when:
- configure_strategy | bool
- file_owner_etc_motd | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- name: Test for existence /etc/motd
ansible.builtin.stat:
path: /etc/motd
register: file_exists
tags:
- CCE-86698-8
- configure_strategy
- file_owner_etc_motd
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
when:
- configure_strategy | bool
- file_owner_etc_motd | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- name: Ensure owner on /etc/motd
ansible.builtin.file:
path: /etc/motd
follow: false
owner: '{{ file_owner_etc_motd_newown }}'
when:
- configure_strategy | bool
- file_owner_etc_motd | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-86698-8
- configure_strategy
- file_owner_etc_motd
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Test for existence /etc/issue
ansible.builtin.stat:
path: /etc/issue
register: file_exists
tags:
- CCE-83551-2
- configure_strategy
- file_permissions_etc_issue
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
when:
- configure_strategy | bool
- file_permissions_etc_issue | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- name: Ensure permission u-xs,g-xws,o-xwt on /etc/issue
ansible.builtin.file:
path: /etc/issue
mode: u-xs,g-xws,o-xwt
when:
- configure_strategy | bool
- file_permissions_etc_issue | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-83551-2
- configure_strategy
- file_permissions_etc_issue
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Test for existence /etc/issue.net
ansible.builtin.stat:
path: /etc/issue.net
register: file_exists
tags:
- CCE-86048-6
- PCI-DSSv4-1.2
- PCI-DSSv4-1.2.8
- configure_strategy
- file_permissions_etc_issue_net
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
when:
- configure_strategy | bool
- file_permissions_etc_issue_net | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- name: Ensure permission u-xs,g-xws,o-xwt on /etc/issue.net
ansible.builtin.file:
path: /etc/issue.net
mode: u-xs,g-xws,o-xwt
when:
- configure_strategy | bool
- file_permissions_etc_issue_net | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-86048-6
- PCI-DSSv4-1.2
- PCI-DSSv4-1.2.8
- configure_strategy
- file_permissions_etc_issue_net
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Test for existence /etc/motd
ansible.builtin.stat:
path: /etc/motd
register: file_exists
tags:
- CCE-83554-6
- configure_strategy
- file_permissions_etc_motd
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
when:
- configure_strategy | bool
- file_permissions_etc_motd | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- name: Ensure permission u-xs,g-xws,o-xwt on /etc/motd
ansible.builtin.file:
path: /etc/motd
mode: u-xs,g-xws,o-xwt
when:
- configure_strategy | bool
- file_permissions_etc_motd | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-83554-6
- configure_strategy
- file_permissions_etc_motd
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Enable GNOME3 Login Warning Banner
community.general.ini_file:
dest: /etc/dconf/db/distro.d/00-security-settings
section: org/gnome/login-screen
option: banner-message-enable
value: 'true'
create: true
no_extra_spaces: true
register: result_ini
when:
- DISA_STIG_RHEL_09_271010 | bool
- DISA_STIG_RHEL_09_271015 | bool
- dconf_gnome_banner_enabled | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- unknown_strategy | bool
- '"gdm" in ansible_facts.packages'
tags:
- CCE-87599-7
- DISA-STIG-RHEL-09-271010
- DISA-STIG-RHEL-09-271015
- NIST-800-171-3.1.9
- NIST-800-53-AC-8(a)
- NIST-800-53-AC-8(b)
- NIST-800-53-AC-8(c)
- dconf_gnome_banner_enabled
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- unknown_strategy
- name: Prevent user modification of GNOME banner-message-enabled
ansible.builtin.lineinfile:
path: /etc/dconf/db/distro.d/locks/00-security-settings-lock
regexp: ^/org/gnome/login-screen/banner-message-enable$
line: /org/gnome/login-screen/banner-message-enable
create: true
register: result_lineinfile
when:
- DISA_STIG_RHEL_09_271010 | bool
- DISA_STIG_RHEL_09_271015 | bool
- dconf_gnome_banner_enabled | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- unknown_strategy | bool
- '"gdm" in ansible_facts.packages'
tags:
- CCE-87599-7
- DISA-STIG-RHEL-09-271010
- DISA-STIG-RHEL-09-271015
- NIST-800-171-3.1.9
- NIST-800-53-AC-8(a)
- NIST-800-53-AC-8(b)
- NIST-800-53-AC-8(c)
- dconf_gnome_banner_enabled
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- unknown_strategy
- name: Dconf Update
ansible.builtin.command: dconf update
when:
- DISA_STIG_RHEL_09_271010 | bool
- DISA_STIG_RHEL_09_271015 | bool
- dconf_gnome_banner_enabled | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- unknown_strategy | bool
- '"gdm" in ansible_facts.packages'
- result_ini is changed or result_lineinfile is changed
tags:
- CCE-87599-7
- DISA-STIG-RHEL-09-271010
- DISA-STIG-RHEL-09-271015
- NIST-800-171-3.1.9
- NIST-800-53-AC-8(a)
- NIST-800-53-AC-8(b)
- NIST-800-53-AC-8(c)
- dconf_gnome_banner_enabled
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- unknown_strategy
- name: Set the GNOME3 Login Warning Banner Text
ansible.builtin.file:
path: /etc/dconf/db/{{ item }}
owner: root
group: root
mode: 493
state: directory
with_items:
- distro.d
- distro.d/locks
when:
- DISA_STIG_RHEL_09_171011 | bool
- dconf_gnome_login_banner_text | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- unknown_strategy | bool
- '"gdm" in ansible_facts.packages'
tags:
- CCE-86529-5
- DISA-STIG-RHEL-09-171011
- NIST-800-171-3.1.9
- NIST-800-53-AC-8(a)
- NIST-800-53-AC-8(c)
- dconf_gnome_login_banner_text
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- unknown_strategy
- name: Set the GNOME3 Login Warning Banner Text
ansible.builtin.file:
path: /etc/dconf/db/distro.d/{{ item }}
owner: root
group: root
mode: 420
state: touch
with_items:
- 00-security-settings
- locks/00-security-settings-lock
when:
- DISA_STIG_RHEL_09_171011 | bool
- dconf_gnome_login_banner_text | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- unknown_strategy | bool
- '"gdm" in ansible_facts.packages'
tags:
- CCE-86529-5
- DISA-STIG-RHEL-09-171011
- NIST-800-171-3.1.9
- NIST-800-53-AC-8(a)
- NIST-800-53-AC-8(c)
- dconf_gnome_login_banner_text
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- unknown_strategy
- name: Set the GNOME3 Login Warning Banner Text
community.general.ini_file:
dest: /etc/dconf/db/distro.d/00-security-settings
section: org/gnome/login-screen
option: banner-message-text
value: '''{{ login_banner_text | regex_replace("^\^(.*)\$$", "\1") | regex_replace("^\((.*\.)\|.*\)$", "\1") | regex_replace("\[\\s\\n\]\+","
") | regex_replace("\(\?:\[\\n\]\+\|\(\?:\\\\n\)\+\)", "(n)*") | regex_replace("\\", "") | regex_replace("\(n\)\*",
"\\n") }}'''
create: true
no_extra_spaces: true
register: result_ini
when:
- DISA_STIG_RHEL_09_171011 | bool
- dconf_gnome_login_banner_text | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- unknown_strategy | bool
- '"gdm" in ansible_facts.packages'
tags:
- CCE-86529-5
- DISA-STIG-RHEL-09-171011
- NIST-800-171-3.1.9
- NIST-800-53-AC-8(a)
- NIST-800-53-AC-8(c)
- dconf_gnome_login_banner_text
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- unknown_strategy
- name: Prevent user modification of the GNOME3 Login Warning Banner Text
ansible.builtin.lineinfile:
path: /etc/dconf/db/distro.d/locks/00-security-settings-lock
regexp: ^/org/gnome/login-screen/banner-message-text$
line: /org/gnome/login-screen/banner-message-text
create: true
state: present
register: result_lineinfile
when:
- DISA_STIG_RHEL_09_171011 | bool
- dconf_gnome_login_banner_text | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- unknown_strategy | bool
- '"gdm" in ansible_facts.packages'
tags:
- CCE-86529-5
- DISA-STIG-RHEL-09-171011
- NIST-800-171-3.1.9
- NIST-800-53-AC-8(a)
- NIST-800-53-AC-8(c)
- dconf_gnome_login_banner_text
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- unknown_strategy
- name: Dconf Update
ansible.builtin.command: dconf update
when:
- DISA_STIG_RHEL_09_171011 | bool
- dconf_gnome_login_banner_text | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- unknown_strategy | bool
- '"gdm" in ansible_facts.packages'
- result_ini is changed or result_lineinfile is changed
tags:
- CCE-86529-5
- DISA-STIG-RHEL-09-171011
- NIST-800-171-3.1.9
- NIST-800-53-AC-8(a)
- NIST-800-53-AC-8(c)
- dconf_gnome_login_banner_text
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- unknown_strategy
- name: Configure the Use of the pam_faillock.so Module in the /etc/pam.d/password-auth File. - Check if system relies on
authselect tool
ansible.builtin.stat:
path: /usr/bin/authselect
register: result_authselect_present
when:
- DISA_STIG_RHEL_09_611035 | bool
- account_password_pam_faillock_password_auth | bool
- enable_strategy | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86932-1
- DISA-STIG-RHEL-09-611035
- NIST-800-53-AC-7 (a)
- account_password_pam_faillock_password_auth
- enable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Configure the Use of the pam_faillock.so Module in the /etc/pam.d/password-auth File. - Remediation where authselect
tool is present
block:
- name: Configure the Use of the pam_faillock.so Module in the /etc/pam.d/password-auth File. - Check integrity of authselect
current profile
ansible.builtin.command:
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
check_mode: false
failed_when: false
- name: Configure the Use of the pam_faillock.so Module in the /etc/pam.d/password-auth File. - Informative message based
on the authselect integrity check result
ansible.builtin.assert:
that:
- ansible_check_mode or result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was not selected or the selected profile is not
intact.
- It is not recommended to manually edit the PAM files when authselect tool is available.
- In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended.
success_msg:
- authselect integrity check passed
- name: Configure the Use of the pam_faillock.so Module in the /etc/pam.d/password-auth File. - Get authselect current features
ansible.builtin.shell:
cmd: authselect current | tail -n+3 | awk '{ print $2 }'
register: result_authselect_features
changed_when: false
check_mode: false
when:
- result_authselect_check_cmd is success
- name: Configure the Use of the pam_faillock.so Module in the /etc/pam.d/password-auth File. - Ensure "with-faillock" feature
is enabled using authselect tool
ansible.builtin.command:
cmd: authselect enable-feature with-faillock
register: result_authselect_enable_feature_cmd
when:
- result_authselect_check_cmd is success
- result_authselect_features.stdout is not search("with-faillock")
- name: Configure the Use of the pam_faillock.so Module in the /etc/pam.d/password-auth File. - Ensure authselect changes
are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_enable_feature_cmd is not skipped
- result_authselect_enable_feature_cmd is success
when:
- DISA_STIG_RHEL_09_611035 | bool
- account_password_pam_faillock_password_auth | bool
- enable_strategy | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
- result_authselect_present.stat.exists
tags:
- CCE-86932-1
- DISA-STIG-RHEL-09-611035
- NIST-800-53-AC-7 (a)
- account_password_pam_faillock_password_auth
- enable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Configure the Use of the pam_faillock.so Module in the /etc/pam.d/password-auth File. - Remediation where authselect
tool is not present
block:
- name: Configure the Use of the pam_faillock.so Module in the /etc/pam.d/password-auth File. - Check if pam_faillock.so
is already enabled
ansible.builtin.lineinfile:
path: /etc/pam.d/system-auth
regexp: .*auth.*pam_faillock\.so (preauth|authfail)
state: absent
check_mode: true
changed_when: false
register: result_pam_faillock_is_enabled
- name: Configure the Use of the pam_faillock.so Module in the /etc/pam.d/password-auth File. - Enable pam_faillock.so preauth
editing PAM files
ansible.builtin.lineinfile:
path: '{{ item }}'
line: auth required pam_faillock.so preauth
insertbefore: ^auth.*sufficient.*pam_unix\.so.*
state: present
loop:
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
when:
- result_pam_faillock_is_enabled.found == 0
- name: Configure the Use of the pam_faillock.so Module in the /etc/pam.d/password-auth File. - Enable pam_faillock.so authfail
editing PAM files
ansible.builtin.lineinfile:
path: '{{ item }}'
line: auth required pam_faillock.so authfail
insertbefore: ^auth.*required.*pam_deny\.so.*
state: present
loop:
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
when:
- result_pam_faillock_is_enabled.found == 0
- name: Configure the Use of the pam_faillock.so Module in the /etc/pam.d/password-auth File. - Enable pam_faillock.so account
section editing PAM files
ansible.builtin.lineinfile:
path: '{{ item }}'
line: account required pam_faillock.so
insertbefore: ^account.*required.*pam_unix\.so.*
state: present
loop:
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
when:
- result_pam_faillock_is_enabled.found == 0
when:
- DISA_STIG_RHEL_09_611035 | bool
- account_password_pam_faillock_password_auth | bool
- enable_strategy | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
- not result_authselect_present.stat.exists
tags:
- CCE-86932-1
- DISA-STIG-RHEL-09-611035
- NIST-800-53-AC-7 (a)
- account_password_pam_faillock_password_auth
- enable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Configure the Use of the pam_faillock.so Module in the /etc/pam.d/system-auth File. - Check if system relies on authselect
tool
ansible.builtin.stat:
path: /usr/bin/authselect
register: result_authselect_present
when:
- DISA_STIG_RHEL_09_611030 | bool
- account_password_pam_faillock_system_auth | bool
- enable_strategy | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86917-2
- DISA-STIG-RHEL-09-611030
- NIST-800-53-AC-7 (a)
- account_password_pam_faillock_system_auth
- enable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Configure the Use of the pam_faillock.so Module in the /etc/pam.d/system-auth File. - Remediation where authselect
tool is present
block:
- name: Configure the Use of the pam_faillock.so Module in the /etc/pam.d/system-auth File. - Check integrity of authselect
current profile
ansible.builtin.command:
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
check_mode: false
failed_when: false
- name: Configure the Use of the pam_faillock.so Module in the /etc/pam.d/system-auth File. - Informative message based
on the authselect integrity check result
ansible.builtin.assert:
that:
- ansible_check_mode or result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was not selected or the selected profile is not
intact.
- It is not recommended to manually edit the PAM files when authselect tool is available.
- In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended.
success_msg:
- authselect integrity check passed
- name: Configure the Use of the pam_faillock.so Module in the /etc/pam.d/system-auth File. - Get authselect current features
ansible.builtin.shell:
cmd: authselect current | tail -n+3 | awk '{ print $2 }'
register: result_authselect_features
changed_when: false
check_mode: false
when:
- result_authselect_check_cmd is success
- name: Configure the Use of the pam_faillock.so Module in the /etc/pam.d/system-auth File. - Ensure "with-faillock" feature
is enabled using authselect tool
ansible.builtin.command:
cmd: authselect enable-feature with-faillock
register: result_authselect_enable_feature_cmd
when:
- result_authselect_check_cmd is success
- result_authselect_features.stdout is not search("with-faillock")
- name: Configure the Use of the pam_faillock.so Module in the /etc/pam.d/system-auth File. - Ensure authselect changes
are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_enable_feature_cmd is not skipped
- result_authselect_enable_feature_cmd is success
when:
- DISA_STIG_RHEL_09_611030 | bool
- account_password_pam_faillock_system_auth | bool
- enable_strategy | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
- result_authselect_present.stat.exists
tags:
- CCE-86917-2
- DISA-STIG-RHEL-09-611030
- NIST-800-53-AC-7 (a)
- account_password_pam_faillock_system_auth
- enable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Configure the Use of the pam_faillock.so Module in the /etc/pam.d/system-auth File. - Remediation where authselect
tool is not present
block:
- name: Configure the Use of the pam_faillock.so Module in the /etc/pam.d/system-auth File. - Check if pam_faillock.so is
already enabled
ansible.builtin.lineinfile:
path: /etc/pam.d/system-auth
regexp: .*auth.*pam_faillock\.so (preauth|authfail)
state: absent
check_mode: true
changed_when: false
register: result_pam_faillock_is_enabled
- name: Configure the Use of the pam_faillock.so Module in the /etc/pam.d/system-auth File. - Enable pam_faillock.so preauth
editing PAM files
ansible.builtin.lineinfile:
path: '{{ item }}'
line: auth required pam_faillock.so preauth
insertbefore: ^auth.*sufficient.*pam_unix\.so.*
state: present
loop:
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
when:
- result_pam_faillock_is_enabled.found == 0
- name: Configure the Use of the pam_faillock.so Module in the /etc/pam.d/system-auth File. - Enable pam_faillock.so authfail
editing PAM files
ansible.builtin.lineinfile:
path: '{{ item }}'
line: auth required pam_faillock.so authfail
insertbefore: ^auth.*required.*pam_deny\.so.*
state: present
loop:
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
when:
- result_pam_faillock_is_enabled.found == 0
- name: Configure the Use of the pam_faillock.so Module in the /etc/pam.d/system-auth File. - Enable pam_faillock.so account
section editing PAM files
ansible.builtin.lineinfile:
path: '{{ item }}'
line: account required pam_faillock.so
insertbefore: ^account.*required.*pam_unix\.so.*
state: present
loop:
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
when:
- result_pam_faillock_is_enabled.found == 0
when:
- DISA_STIG_RHEL_09_611030 | bool
- account_password_pam_faillock_system_auth | bool
- enable_strategy | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
- not result_authselect_present.stat.exists
tags:
- CCE-86917-2
- DISA-STIG-RHEL-09-611030
- NIST-800-53-AC-7 (a)
- account_password_pam_faillock_system_auth
- enable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: 'Limit Password Reuse: password-auth - Check if system relies on authselect tool'
ansible.builtin.stat:
path: /usr/bin/authselect
register: result_authselect_present
when:
- accounts_password_pam_pwhistory_remember_password_auth | bool
- configure_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
- '"pam" in ansible_facts.packages'
tags:
- CCE-86354-8
- CJIS-5.6.2.1.1
- NIST-800-171-3.5.8
- NIST-800-53-IA-5(1)(e)
- NIST-800-53-IA-5(f)
- PCI-DSS-Req-8.2.5
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.7
- accounts_password_pam_pwhistory_remember_password_auth
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- name: 'Limit Password Reuse: password-auth - Collect the available authselect features'
ansible.builtin.command:
cmd: authselect list-features sssd
register: result_authselect_available_features
changed_when: false
check_mode: false
when:
- accounts_password_pam_pwhistory_remember_password_auth | bool
- configure_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
- '"pam" in ansible_facts.packages'
- result_authselect_present.stat.exists
tags:
- CCE-86354-8
- CJIS-5.6.2.1.1
- NIST-800-171-3.5.8
- NIST-800-53-IA-5(1)(e)
- NIST-800-53-IA-5(f)
- PCI-DSS-Req-8.2.5
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.7
- accounts_password_pam_pwhistory_remember_password_auth
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- name: 'Limit Password Reuse: password-auth - Enable pam_pwhistory.so using authselect feature'
block:
- name: 'Limit Password Reuse: password-auth - Check integrity of authselect current profile'
ansible.builtin.command:
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
check_mode: false
failed_when: false
- name: 'Limit Password Reuse: password-auth - Informative message based on the authselect integrity check result'
ansible.builtin.assert:
that:
- ansible_check_mode or result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was not selected or the selected profile is not
intact.
- It is not recommended to manually edit the PAM files when authselect tool is available.
- In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended.
success_msg:
- authselect integrity check passed
- name: 'Limit Password Reuse: password-auth - Get authselect current features'
ansible.builtin.shell:
cmd: authselect current | tail -n+3 | awk '{ print $2 }'
register: result_authselect_features
changed_when: false
check_mode: false
when:
- result_authselect_check_cmd is success
- name: 'Limit Password Reuse: password-auth - Ensure "with-pwhistory" feature is enabled using authselect tool'
ansible.builtin.command:
cmd: authselect enable-feature with-pwhistory
register: result_authselect_enable_feature_cmd
when:
- result_authselect_check_cmd is success
- result_authselect_features.stdout is not search("with-pwhistory")
- name: 'Limit Password Reuse: password-auth - Ensure authselect changes are applied'
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_enable_feature_cmd is not skipped
- result_authselect_enable_feature_cmd is success
when:
- accounts_password_pam_pwhistory_remember_password_auth | bool
- configure_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
- '"pam" in ansible_facts.packages'
- result_authselect_present.stat.exists
- result_authselect_available_features.stdout is search("with-pwhistory")
tags:
- CCE-86354-8
- CJIS-5.6.2.1.1
- NIST-800-171-3.5.8
- NIST-800-53-IA-5(1)(e)
- NIST-800-53-IA-5(f)
- PCI-DSS-Req-8.2.5
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.7
- accounts_password_pam_pwhistory_remember_password_auth
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- name: 'Limit Password Reuse: password-auth - Enable pam_pwhistory.so in appropriate PAM files'
block:
- name: 'Limit Password Reuse: password-auth - Define the PAM file to be edited as a local fact'
ansible.builtin.set_fact:
pam_file_path: /etc/pam.d/password-auth
- name: 'Limit Password Reuse: password-auth - Check if system relies on authselect tool'
ansible.builtin.stat:
path: /usr/bin/authselect
register: result_authselect_present
- name: 'Limit Password Reuse: password-auth - Ensure authselect custom profile is used if authselect is present'
block:
- name: 'Limit Password Reuse: password-auth - Check integrity of authselect current profile'
ansible.builtin.command:
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
check_mode: false
failed_when: false
- name: 'Limit Password Reuse: password-auth - Informative message based on the authselect integrity check result'
ansible.builtin.assert:
that:
- ansible_check_mode or result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was not selected or the selected profile is
not intact.
- It is not recommended to manually edit the PAM files when authselect tool is available.
- In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended.
success_msg:
- authselect integrity check passed
- name: 'Limit Password Reuse: password-auth - Get authselect current profile'
ansible.builtin.shell:
cmd: authselect current -r | awk '{ print $1 }'
register: result_authselect_profile
changed_when: false
when:
- result_authselect_check_cmd is success
- name: 'Limit Password Reuse: password-auth - Define the current authselect profile as a local fact'
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: '{{ result_authselect_profile.stdout }}'
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is match("custom/")
- name: 'Limit Password Reuse: password-auth - Define the new authselect custom profile as a local fact'
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: custom/hardening
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is not match("custom/")
- name: 'Limit Password Reuse: password-auth - Get authselect current features to also enable them in the custom profile'
ansible.builtin.shell:
cmd: authselect current | tail -n+3 | awk '{ print $2 }'
register: result_authselect_features
changed_when: false
check_mode: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: 'Limit Password Reuse: password-auth - Check if any custom profile with the same name was already created'
ansible.builtin.stat:
path: /etc/authselect/{{ authselect_custom_profile }}
register: result_authselect_custom_profile_present
changed_when: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: 'Limit Password Reuse: password-auth - Create an authselect custom profile based on the current profile'
ansible.builtin.command:
cmd: authselect create-profile hardening -b {{ authselect_current_profile }}
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is not match("^(custom/|local)")
- not result_authselect_custom_profile_present.stat.exists
- name: 'Limit Password Reuse: password-auth - Create an authselect custom profile based on sssd profile'
ansible.builtin.command:
cmd: authselect create-profile hardening -b sssd
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is match("local")
- not result_authselect_custom_profile_present.stat.exists
- name: 'Limit Password Reuse: password-auth - Ensure authselect changes are applied'
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: 'Limit Password Reuse: password-auth - Ensure the authselect custom profile is selected'
ansible.builtin.command:
cmd: authselect select {{ authselect_custom_profile }}
register: result_pam_authselect_select_profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: 'Limit Password Reuse: password-auth - Restore the authselect features in the custom profile'
ansible.builtin.command:
cmd: authselect enable-feature {{ item }}
loop: '{{ result_authselect_features.stdout_lines }}'
register: result_pam_authselect_restore_features
when:
- result_authselect_profile is not skipped
- result_authselect_features is not skipped
- result_pam_authselect_select_profile is not skipped
- name: 'Limit Password Reuse: password-auth - Ensure authselect changes are applied'
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- result_pam_authselect_restore_features is not skipped
- name: 'Limit Password Reuse: password-auth - Change the PAM file to be edited according to the custom authselect profile'
ansible.builtin.set_fact:
pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path | basename }}
when:
- authselect_custom_profile is defined
when:
- result_authselect_present.stat.exists
- name: 'Limit Password Reuse: password-auth - Define a fact for control already filtered in case filters are used'
ansible.builtin.set_fact:
pam_module_control: '{{ var_password_pam_remember_control_flag.split(",")[0] }}'
- name: 'Limit Password Reuse: password-auth - Check if expected PAM module line is present in {{ pam_file_path }}'
ansible.builtin.lineinfile:
path: '{{ pam_file_path }}'
regexp: ^\s*password\s+{{ pam_module_control | regex_escape() }}\s+pam_pwhistory.so\s*.*
state: absent
check_mode: true
changed_when: false
register: result_pam_line_present
- name: 'Limit Password Reuse: password-auth - Include or update the PAM module line in {{ pam_file_path }}'
block:
- name: 'Limit Password Reuse: password-auth - Check if required PAM module line is present in {{ pam_file_path }} with
different control'
ansible.builtin.lineinfile:
path: '{{ pam_file_path }}'
regexp: ^\s*password\s+.*\s+pam_pwhistory.so\s*
state: absent
check_mode: true
changed_when: false
register: result_pam_line_other_control_present
- name: 'Limit Password Reuse: password-auth - Ensure the correct control for the required PAM module line in {{ pam_file_path
}}'
ansible.builtin.replace:
dest: '{{ pam_file_path }}'
regexp: ^(\s*password\s+).*(\bpam_pwhistory.so.*)
replace: \1{{ pam_module_control }} \2
register: result_pam_module_edit
when:
- result_pam_line_other_control_present.found == 1
- name: 'Limit Password Reuse: password-auth - Ensure the required PAM module line is included in {{ pam_file_path }}'
ansible.builtin.lineinfile:
dest: '{{ pam_file_path }}'
insertafter: ^password.*requisite.*pam_pwquality\.so
line: password {{ pam_module_control }} pam_pwhistory.so
register: result_pam_module_add
when:
- result_pam_line_other_control_present.found == 0 or result_pam_line_other_control_present.found > 1
- name: 'Limit Password Reuse: password-auth - Ensure authselect changes are applied'
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_present is defined
- result_authselect_present.stat.exists
- "(result_pam_module_add is defined and result_pam_module_add.changed)\n or (result_pam_module_edit is defined and\
\ result_pam_module_edit.changed)"
when:
- result_pam_line_present.found is defined
- result_pam_line_present.found == 0
when:
- accounts_password_pam_pwhistory_remember_password_auth | bool
- configure_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
- '"pam" in ansible_facts.packages'
- '(result_authselect_available_features.stdout is defined and result_authselect_available_features.stdout is not search("with-pwhistory"))
or result_authselect_available_features is not defined
'
tags:
- CCE-86354-8
- CJIS-5.6.2.1.1
- NIST-800-171-3.5.8
- NIST-800-53-IA-5(1)(e)
- NIST-800-53-IA-5(f)
- PCI-DSS-Req-8.2.5
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.7
- accounts_password_pam_pwhistory_remember_password_auth
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- name: 'Limit Password Reuse: password-auth - Check the presence of /etc/security/pwhistory.conf file'
ansible.builtin.stat:
path: /etc/security/pwhistory.conf
register: result_pwhistory_conf_check
when:
- accounts_password_pam_pwhistory_remember_password_auth | bool
- configure_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
- '"pam" in ansible_facts.packages'
tags:
- CCE-86354-8
- CJIS-5.6.2.1.1
- NIST-800-171-3.5.8
- NIST-800-53-IA-5(1)(e)
- NIST-800-53-IA-5(f)
- PCI-DSS-Req-8.2.5
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.7
- accounts_password_pam_pwhistory_remember_password_auth
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- name: 'Limit Password Reuse: password-auth - pam_pwhistory.so parameters are configured in /etc/security/pwhistory.conf
file'
block:
- name: 'Limit Password Reuse: password-auth - Ensure the pam_pwhistory.so remember parameter in /etc/security/pwhistory.conf'
ansible.builtin.lineinfile:
path: /etc/security/pwhistory.conf
regexp: ^\s*remember\s*=
line: remember = {{ var_password_pam_remember }}
state: present
- name: 'Limit Password Reuse: password-auth - Ensure the pam_pwhistory.so remember parameter is removed from PAM files'
block:
- name: 'Limit Password Reuse: password-auth - Check if /etc/pam.d/password-auth file is present'
ansible.builtin.stat:
path: /etc/pam.d/password-auth
register: result_pam_file_present
- name: 'Limit Password Reuse: password-auth - Check the proper remediation for the system'
block:
- name: 'Limit Password Reuse: password-auth - Define the PAM file to be edited as a local fact'
ansible.builtin.set_fact:
pam_file_path: /etc/pam.d/password-auth
- name: 'Limit Password Reuse: password-auth - Check if system relies on authselect tool'
ansible.builtin.stat:
path: /usr/bin/authselect
register: result_authselect_present
- name: 'Limit Password Reuse: password-auth - Ensure authselect custom profile is used if authselect is present'
block:
- name: 'Limit Password Reuse: password-auth - Check integrity of authselect current profile'
ansible.builtin.command:
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
check_mode: false
failed_when: false
- name: 'Limit Password Reuse: password-auth - Informative message based on the authselect integrity check result'
ansible.builtin.assert:
that:
- ansible_check_mode or result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was not selected or the selected profile
is not intact.
- It is not recommended to manually edit the PAM files when authselect tool is available.
- In cases where the default authselect profile does not cover a specific demand, a custom authselect profile
is recommended.
success_msg:
- authselect integrity check passed
- name: 'Limit Password Reuse: password-auth - Get authselect current profile'
ansible.builtin.shell:
cmd: authselect current -r | awk '{ print $1 }'
register: result_authselect_profile
changed_when: false
when:
- result_authselect_check_cmd is success
- name: 'Limit Password Reuse: password-auth - Define the current authselect profile as a local fact'
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: '{{ result_authselect_profile.stdout }}'
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is match("custom/")
- name: 'Limit Password Reuse: password-auth - Define the new authselect custom profile as a local fact'
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: custom/hardening
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is not match("custom/")
- name: 'Limit Password Reuse: password-auth - Get authselect current features to also enable them in the custom profile'
ansible.builtin.shell:
cmd: authselect current | tail -n+3 | awk '{ print $2 }'
register: result_authselect_features
changed_when: false
check_mode: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: 'Limit Password Reuse: password-auth - Check if any custom profile with the same name was already created'
ansible.builtin.stat:
path: /etc/authselect/{{ authselect_custom_profile }}
register: result_authselect_custom_profile_present
changed_when: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: 'Limit Password Reuse: password-auth - Create an authselect custom profile based on the current profile'
ansible.builtin.command:
cmd: authselect create-profile hardening -b {{ authselect_current_profile }}
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is not match("^(custom/|local)")
- not result_authselect_custom_profile_present.stat.exists
- name: 'Limit Password Reuse: password-auth - Create an authselect custom profile based on sssd profile'
ansible.builtin.command:
cmd: authselect create-profile hardening -b sssd
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is match("local")
- not result_authselect_custom_profile_present.stat.exists
- name: 'Limit Password Reuse: password-auth - Ensure authselect changes are applied'
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: 'Limit Password Reuse: password-auth - Ensure the authselect custom profile is selected'
ansible.builtin.command:
cmd: authselect select {{ authselect_custom_profile }}
register: result_pam_authselect_select_profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: 'Limit Password Reuse: password-auth - Restore the authselect features in the custom profile'
ansible.builtin.command:
cmd: authselect enable-feature {{ item }}
loop: '{{ result_authselect_features.stdout_lines }}'
register: result_pam_authselect_restore_features
when:
- result_authselect_profile is not skipped
- result_authselect_features is not skipped
- result_pam_authselect_select_profile is not skipped
- name: 'Limit Password Reuse: password-auth - Ensure authselect changes are applied'
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- result_pam_authselect_restore_features is not skipped
- name: 'Limit Password Reuse: password-auth - Change the PAM file to be edited according to the custom authselect
profile'
ansible.builtin.set_fact:
pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path | basename }}
when:
- authselect_custom_profile is defined
when:
- result_authselect_present.stat.exists
- name: 'Limit Password Reuse: password-auth - Define a fact for control already filtered in case filters are used'
ansible.builtin.set_fact:
pam_module_control: ''
- name: 'Limit Password Reuse: password-auth - Check if {{ pam_file_path }} file is present'
ansible.builtin.stat:
path: '{{ pam_file_path }}'
register: result_pam_file_present
- name: 'Limit Password Reuse: password-auth - Ensure the "remember" option from "pam_pwhistory.so" is not present in
{{ pam_file_path }}'
ansible.builtin.replace:
dest: '{{ pam_file_path }}'
regexp: (.*password.*pam_pwhistory.so.*)\bremember\b=?[0-9a-zA-Z]*(.*)
replace: \1\2
register: result_pam_option_removal
when: result_pam_file_present.stat.exists
- name: 'Limit Password Reuse: password-auth - Ensure authselect changes are applied'
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_present.stat.exists
- result_pam_option_removal is changed
when:
- result_pam_file_present.stat.exists
when:
- accounts_password_pam_pwhistory_remember_password_auth | bool
- configure_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
- '"pam" in ansible_facts.packages'
- result_pwhistory_conf_check.stat.exists
tags:
- CCE-86354-8
- CJIS-5.6.2.1.1
- NIST-800-171-3.5.8
- NIST-800-53-IA-5(1)(e)
- NIST-800-53-IA-5(f)
- PCI-DSS-Req-8.2.5
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.7
- accounts_password_pam_pwhistory_remember_password_auth
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- name: 'Limit Password Reuse: password-auth - pam_pwhistory.so parameters are configured in PAM files'
block:
- name: 'Limit Password Reuse: password-auth - Define the PAM file to be edited as a local fact'
ansible.builtin.set_fact:
pam_file_path: /etc/pam.d/password-auth
- name: 'Limit Password Reuse: password-auth - Check if system relies on authselect tool'
ansible.builtin.stat:
path: /usr/bin/authselect
register: result_authselect_present
- name: 'Limit Password Reuse: password-auth - Ensure authselect custom profile is used if authselect is present'
block:
- name: 'Limit Password Reuse: password-auth - Check integrity of authselect current profile'
ansible.builtin.command:
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
check_mode: false
failed_when: false
- name: 'Limit Password Reuse: password-auth - Informative message based on the authselect integrity check result'
ansible.builtin.assert:
that:
- ansible_check_mode or result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was not selected or the selected profile is
not intact.
- It is not recommended to manually edit the PAM files when authselect tool is available.
- In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended.
success_msg:
- authselect integrity check passed
- name: 'Limit Password Reuse: password-auth - Get authselect current profile'
ansible.builtin.shell:
cmd: authselect current -r | awk '{ print $1 }'
register: result_authselect_profile
changed_when: false
when:
- result_authselect_check_cmd is success
- name: 'Limit Password Reuse: password-auth - Define the current authselect profile as a local fact'
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: '{{ result_authselect_profile.stdout }}'
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is match("custom/")
- name: 'Limit Password Reuse: password-auth - Define the new authselect custom profile as a local fact'
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: custom/hardening
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is not match("custom/")
- name: 'Limit Password Reuse: password-auth - Get authselect current features to also enable them in the custom profile'
ansible.builtin.shell:
cmd: authselect current | tail -n+3 | awk '{ print $2 }'
register: result_authselect_features
changed_when: false
check_mode: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: 'Limit Password Reuse: password-auth - Check if any custom profile with the same name was already created'
ansible.builtin.stat:
path: /etc/authselect/{{ authselect_custom_profile }}
register: result_authselect_custom_profile_present
changed_when: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: 'Limit Password Reuse: password-auth - Create an authselect custom profile based on the current profile'
ansible.builtin.command:
cmd: authselect create-profile hardening -b {{ authselect_current_profile }}
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is not match("^(custom/|local)")
- not result_authselect_custom_profile_present.stat.exists
- name: 'Limit Password Reuse: password-auth - Create an authselect custom profile based on sssd profile'
ansible.builtin.command:
cmd: authselect create-profile hardening -b sssd
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is match("local")
- not result_authselect_custom_profile_present.stat.exists
- name: 'Limit Password Reuse: password-auth - Ensure authselect changes are applied'
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: 'Limit Password Reuse: password-auth - Ensure the authselect custom profile is selected'
ansible.builtin.command:
cmd: authselect select {{ authselect_custom_profile }}
register: result_pam_authselect_select_profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: 'Limit Password Reuse: password-auth - Restore the authselect features in the custom profile'
ansible.builtin.command:
cmd: authselect enable-feature {{ item }}
loop: '{{ result_authselect_features.stdout_lines }}'
register: result_pam_authselect_restore_features
when:
- result_authselect_profile is not skipped
- result_authselect_features is not skipped
- result_pam_authselect_select_profile is not skipped
- name: 'Limit Password Reuse: password-auth - Ensure authselect changes are applied'
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- result_pam_authselect_restore_features is not skipped
- name: 'Limit Password Reuse: password-auth - Change the PAM file to be edited according to the custom authselect profile'
ansible.builtin.set_fact:
pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path | basename }}
when:
- authselect_custom_profile is defined
when:
- result_authselect_present.stat.exists
- name: 'Limit Password Reuse: password-auth - Define a fact for control already filtered in case filters are used'
ansible.builtin.set_fact:
pam_module_control: requisite
- name: 'Limit Password Reuse: password-auth - Check if expected PAM module line is present in {{ pam_file_path }}'
ansible.builtin.lineinfile:
path: '{{ pam_file_path }}'
regexp: ^\s*password\s+{{ pam_module_control | regex_escape() }}\s+pam_pwhistory.so\s*.*
state: absent
check_mode: true
changed_when: false
register: result_pam_line_present
- name: 'Limit Password Reuse: password-auth - Include or update the PAM module line in {{ pam_file_path }}'
block:
- name: 'Limit Password Reuse: password-auth - Check if required PAM module line is present in {{ pam_file_path }} with
different control'
ansible.builtin.lineinfile:
path: '{{ pam_file_path }}'
regexp: ^\s*password\s+.*\s+pam_pwhistory.so\s*
state: absent
check_mode: true
changed_when: false
register: result_pam_line_other_control_present
- name: 'Limit Password Reuse: password-auth - Ensure the correct control for the required PAM module line in {{ pam_file_path
}}'
ansible.builtin.replace:
dest: '{{ pam_file_path }}'
regexp: ^(\s*password\s+).*(\bpam_pwhistory.so.*)
replace: \1{{ pam_module_control }} \2
register: result_pam_module_edit
when:
- result_pam_line_other_control_present.found == 1
- name: 'Limit Password Reuse: password-auth - Ensure the required PAM module line is included in {{ pam_file_path }}'
ansible.builtin.lineinfile:
dest: '{{ pam_file_path }}'
line: password {{ pam_module_control }} pam_pwhistory.so
register: result_pam_module_add
when:
- result_pam_line_other_control_present.found == 0 or result_pam_line_other_control_present.found > 1
- name: 'Limit Password Reuse: password-auth - Ensure authselect changes are applied'
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_present is defined
- result_authselect_present.stat.exists
- "(result_pam_module_add is defined and result_pam_module_add.changed)\n or (result_pam_module_edit is defined and\
\ result_pam_module_edit.changed)"
when:
- result_pam_line_present.found is defined
- result_pam_line_present.found == 0
- name: 'Limit Password Reuse: password-auth - Define a fact for control already filtered in case filters are used'
ansible.builtin.set_fact:
pam_module_control: requisite
- name: 'Limit Password Reuse: password-auth - Check if the required PAM module option is present in {{ pam_file_path }}'
ansible.builtin.lineinfile:
path: '{{ pam_file_path }}'
regexp: ^\s*password\s+{{ pam_module_control | regex_escape() }}\s+pam_pwhistory.so\s*.*\sremember\b
state: absent
check_mode: true
changed_when: false
register: result_pam_module_accounts_password_pam_pwhistory_remember_password_auth_option_present
- name: 'Limit Password Reuse: password-auth - Ensure the "remember" PAM option for "pam_pwhistory.so" is included in {{
pam_file_path }}'
ansible.builtin.lineinfile:
path: '{{ pam_file_path }}'
backrefs: true
regexp: ^(\s*password\s+{{ pam_module_control | regex_escape() }}\s+pam_pwhistory.so.*)
line: \1 remember={{ var_password_pam_remember }}
state: present
register: result_pam_accounts_password_pam_pwhistory_remember_password_auth_add
when:
- result_pam_module_accounts_password_pam_pwhistory_remember_password_auth_option_present.found is defined
- result_pam_module_accounts_password_pam_pwhistory_remember_password_auth_option_present.found == 0
- name: 'Limit Password Reuse: password-auth - Ensure the required value for "remember" PAM option from "pam_pwhistory.so"
in {{ pam_file_path }}'
ansible.builtin.lineinfile:
path: '{{ pam_file_path }}'
backrefs: true
regexp: ^(\s*password\s+{{ pam_module_control | regex_escape() }}\s+pam_pwhistory.so\s+.*)(remember)=[0-9a-zA-Z]*\s*(.*)
line: \1\2={{ var_password_pam_remember }} \3
register: result_pam_accounts_password_pam_pwhistory_remember_password_auth_edit
when:
- result_pam_module_accounts_password_pam_pwhistory_remember_password_auth_option_present.found > 0
- name: 'Limit Password Reuse: password-auth - Ensure authselect changes are applied'
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_present.stat.exists
- (result_pam_remember_add is defined and result_pam_remember_add.changed) or (result_pam_remember_edit is defined and
result_pam_remember_edit.changed)
when:
- accounts_password_pam_pwhistory_remember_password_auth | bool
- configure_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
- '"pam" in ansible_facts.packages'
- not result_pwhistory_conf_check.stat.exists
tags:
- CCE-86354-8
- CJIS-5.6.2.1.1
- NIST-800-171-3.5.8
- NIST-800-53-IA-5(1)(e)
- NIST-800-53-IA-5(f)
- PCI-DSS-Req-8.2.5
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.7
- accounts_password_pam_pwhistory_remember_password_auth
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- name: 'Limit Password Reuse: system-auth - Check if system relies on authselect tool'
ansible.builtin.stat:
path: /usr/bin/authselect
register: result_authselect_present
when:
- accounts_password_pam_pwhistory_remember_system_auth | bool
- configure_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
- '"pam" in ansible_facts.packages'
tags:
- CCE-89176-2
- CJIS-5.6.2.1.1
- NIST-800-171-3.5.8
- NIST-800-53-IA-5(1)(e)
- NIST-800-53-IA-5(f)
- PCI-DSS-Req-8.2.5
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.7
- accounts_password_pam_pwhistory_remember_system_auth
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- name: 'Limit Password Reuse: system-auth - Collect the available authselect features'
ansible.builtin.command:
cmd: authselect list-features sssd
register: result_authselect_available_features
changed_when: false
check_mode: false
when:
- accounts_password_pam_pwhistory_remember_system_auth | bool
- configure_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
- '"pam" in ansible_facts.packages'
- result_authselect_present.stat.exists
tags:
- CCE-89176-2
- CJIS-5.6.2.1.1
- NIST-800-171-3.5.8
- NIST-800-53-IA-5(1)(e)
- NIST-800-53-IA-5(f)
- PCI-DSS-Req-8.2.5
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.7
- accounts_password_pam_pwhistory_remember_system_auth
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- name: 'Limit Password Reuse: system-auth - Enable pam_pwhistory.so using authselect feature'
block:
- name: 'Limit Password Reuse: system-auth - Check integrity of authselect current profile'
ansible.builtin.command:
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
check_mode: false
failed_when: false
- name: 'Limit Password Reuse: system-auth - Informative message based on the authselect integrity check result'
ansible.builtin.assert:
that:
- ansible_check_mode or result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was not selected or the selected profile is not
intact.
- It is not recommended to manually edit the PAM files when authselect tool is available.
- In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended.
success_msg:
- authselect integrity check passed
- name: 'Limit Password Reuse: system-auth - Get authselect current features'
ansible.builtin.shell:
cmd: authselect current | tail -n+3 | awk '{ print $2 }'
register: result_authselect_features
changed_when: false
check_mode: false
when:
- result_authselect_check_cmd is success
- name: 'Limit Password Reuse: system-auth - Ensure "with-pwhistory" feature is enabled using authselect tool'
ansible.builtin.command:
cmd: authselect enable-feature with-pwhistory
register: result_authselect_enable_feature_cmd
when:
- result_authselect_check_cmd is success
- result_authselect_features.stdout is not search("with-pwhistory")
- name: 'Limit Password Reuse: system-auth - Ensure authselect changes are applied'
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_enable_feature_cmd is not skipped
- result_authselect_enable_feature_cmd is success
when:
- accounts_password_pam_pwhistory_remember_system_auth | bool
- configure_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
- '"pam" in ansible_facts.packages'
- result_authselect_present.stat.exists
- result_authselect_available_features.stdout is search("with-pwhistory")
tags:
- CCE-89176-2
- CJIS-5.6.2.1.1
- NIST-800-171-3.5.8
- NIST-800-53-IA-5(1)(e)
- NIST-800-53-IA-5(f)
- PCI-DSS-Req-8.2.5
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.7
- accounts_password_pam_pwhistory_remember_system_auth
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- name: 'Limit Password Reuse: system-auth - Enable pam_pwhistory.so in appropriate PAM files'
block:
- name: 'Limit Password Reuse: system-auth - Define the PAM file to be edited as a local fact'
ansible.builtin.set_fact:
pam_file_path: /etc/pam.d/system-auth
- name: 'Limit Password Reuse: system-auth - Check if system relies on authselect tool'
ansible.builtin.stat:
path: /usr/bin/authselect
register: result_authselect_present
- name: 'Limit Password Reuse: system-auth - Ensure authselect custom profile is used if authselect is present'
block:
- name: 'Limit Password Reuse: system-auth - Check integrity of authselect current profile'
ansible.builtin.command:
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
check_mode: false
failed_when: false
- name: 'Limit Password Reuse: system-auth - Informative message based on the authselect integrity check result'
ansible.builtin.assert:
that:
- ansible_check_mode or result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was not selected or the selected profile is
not intact.
- It is not recommended to manually edit the PAM files when authselect tool is available.
- In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended.
success_msg:
- authselect integrity check passed
- name: 'Limit Password Reuse: system-auth - Get authselect current profile'
ansible.builtin.shell:
cmd: authselect current -r | awk '{ print $1 }'
register: result_authselect_profile
changed_when: false
when:
- result_authselect_check_cmd is success
- name: 'Limit Password Reuse: system-auth - Define the current authselect profile as a local fact'
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: '{{ result_authselect_profile.stdout }}'
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is match("custom/")
- name: 'Limit Password Reuse: system-auth - Define the new authselect custom profile as a local fact'
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: custom/hardening
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is not match("custom/")
- name: 'Limit Password Reuse: system-auth - Get authselect current features to also enable them in the custom profile'
ansible.builtin.shell:
cmd: authselect current | tail -n+3 | awk '{ print $2 }'
register: result_authselect_features
changed_when: false
check_mode: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: 'Limit Password Reuse: system-auth - Check if any custom profile with the same name was already created'
ansible.builtin.stat:
path: /etc/authselect/{{ authselect_custom_profile }}
register: result_authselect_custom_profile_present
changed_when: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: 'Limit Password Reuse: system-auth - Create an authselect custom profile based on the current profile'
ansible.builtin.command:
cmd: authselect create-profile hardening -b {{ authselect_current_profile }}
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is not match("^(custom/|local)")
- not result_authselect_custom_profile_present.stat.exists
- name: 'Limit Password Reuse: system-auth - Create an authselect custom profile based on sssd profile'
ansible.builtin.command:
cmd: authselect create-profile hardening -b sssd
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is match("local")
- not result_authselect_custom_profile_present.stat.exists
- name: 'Limit Password Reuse: system-auth - Ensure authselect changes are applied'
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: 'Limit Password Reuse: system-auth - Ensure the authselect custom profile is selected'
ansible.builtin.command:
cmd: authselect select {{ authselect_custom_profile }}
register: result_pam_authselect_select_profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: 'Limit Password Reuse: system-auth - Restore the authselect features in the custom profile'
ansible.builtin.command:
cmd: authselect enable-feature {{ item }}
loop: '{{ result_authselect_features.stdout_lines }}'
register: result_pam_authselect_restore_features
when:
- result_authselect_profile is not skipped
- result_authselect_features is not skipped
- result_pam_authselect_select_profile is not skipped
- name: 'Limit Password Reuse: system-auth - Ensure authselect changes are applied'
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- result_pam_authselect_restore_features is not skipped
- name: 'Limit Password Reuse: system-auth - Change the PAM file to be edited according to the custom authselect profile'
ansible.builtin.set_fact:
pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path | basename }}
when:
- authselect_custom_profile is defined
when:
- result_authselect_present.stat.exists
- name: 'Limit Password Reuse: system-auth - Define a fact for control already filtered in case filters are used'
ansible.builtin.set_fact:
pam_module_control: '{{ var_password_pam_remember_control_flag.split(",")[0] }}'
- name: 'Limit Password Reuse: system-auth - Check if expected PAM module line is present in {{ pam_file_path }}'
ansible.builtin.lineinfile:
path: '{{ pam_file_path }}'
regexp: ^\s*password\s+{{ pam_module_control | regex_escape() }}\s+pam_pwhistory.so\s*.*
state: absent
check_mode: true
changed_when: false
register: result_pam_line_present
- name: 'Limit Password Reuse: system-auth - Include or update the PAM module line in {{ pam_file_path }}'
block:
- name: 'Limit Password Reuse: system-auth - Check if required PAM module line is present in {{ pam_file_path }} with
different control'
ansible.builtin.lineinfile:
path: '{{ pam_file_path }}'
regexp: ^\s*password\s+.*\s+pam_pwhistory.so\s*
state: absent
check_mode: true
changed_when: false
register: result_pam_line_other_control_present
- name: 'Limit Password Reuse: system-auth - Ensure the correct control for the required PAM module line in {{ pam_file_path
}}'
ansible.builtin.replace:
dest: '{{ pam_file_path }}'
regexp: ^(\s*password\s+).*(\bpam_pwhistory.so.*)
replace: \1{{ pam_module_control }} \2
register: result_pam_module_edit
when:
- result_pam_line_other_control_present.found == 1
- name: 'Limit Password Reuse: system-auth - Ensure the required PAM module line is included in {{ pam_file_path }}'
ansible.builtin.lineinfile:
dest: '{{ pam_file_path }}'
insertafter: ^password.*requisite.*pam_pwquality\.so
line: password {{ pam_module_control }} pam_pwhistory.so
register: result_pam_module_add
when:
- result_pam_line_other_control_present.found == 0 or result_pam_line_other_control_present.found > 1
- name: 'Limit Password Reuse: system-auth - Ensure authselect changes are applied'
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_present is defined
- result_authselect_present.stat.exists
- "(result_pam_module_add is defined and result_pam_module_add.changed)\n or (result_pam_module_edit is defined and\
\ result_pam_module_edit.changed)"
when:
- result_pam_line_present.found is defined
- result_pam_line_present.found == 0
when:
- accounts_password_pam_pwhistory_remember_system_auth | bool
- configure_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
- '"pam" in ansible_facts.packages'
- '(result_authselect_available_features.stdout is defined and result_authselect_available_features.stdout is not search("with-pwhistory"))
or result_authselect_available_features is not defined
'
tags:
- CCE-89176-2
- CJIS-5.6.2.1.1
- NIST-800-171-3.5.8
- NIST-800-53-IA-5(1)(e)
- NIST-800-53-IA-5(f)
- PCI-DSS-Req-8.2.5
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.7
- accounts_password_pam_pwhistory_remember_system_auth
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- name: 'Limit Password Reuse: system-auth - Check the presence of /etc/security/pwhistory.conf file'
ansible.builtin.stat:
path: /etc/security/pwhistory.conf
register: result_pwhistory_conf_check
when:
- accounts_password_pam_pwhistory_remember_system_auth | bool
- configure_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
- '"pam" in ansible_facts.packages'
tags:
- CCE-89176-2
- CJIS-5.6.2.1.1
- NIST-800-171-3.5.8
- NIST-800-53-IA-5(1)(e)
- NIST-800-53-IA-5(f)
- PCI-DSS-Req-8.2.5
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.7
- accounts_password_pam_pwhistory_remember_system_auth
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- name: 'Limit Password Reuse: system-auth - pam_pwhistory.so parameters are configured in /etc/security/pwhistory.conf file'
block:
- name: 'Limit Password Reuse: system-auth - Ensure the pam_pwhistory.so remember parameter in /etc/security/pwhistory.conf'
ansible.builtin.lineinfile:
path: /etc/security/pwhistory.conf
regexp: ^\s*remember\s*=
line: remember = {{ var_password_pam_remember }}
state: present
- name: 'Limit Password Reuse: system-auth - Ensure the pam_pwhistory.so remember parameter is removed from PAM files'
block:
- name: 'Limit Password Reuse: system-auth - Check if /etc/pam.d/system-auth file is present'
ansible.builtin.stat:
path: /etc/pam.d/system-auth
register: result_pam_file_present
- name: 'Limit Password Reuse: system-auth - Check the proper remediation for the system'
block:
- name: 'Limit Password Reuse: system-auth - Define the PAM file to be edited as a local fact'
ansible.builtin.set_fact:
pam_file_path: /etc/pam.d/system-auth
- name: 'Limit Password Reuse: system-auth - Check if system relies on authselect tool'
ansible.builtin.stat:
path: /usr/bin/authselect
register: result_authselect_present
- name: 'Limit Password Reuse: system-auth - Ensure authselect custom profile is used if authselect is present'
block:
- name: 'Limit Password Reuse: system-auth - Check integrity of authselect current profile'
ansible.builtin.command:
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
check_mode: false
failed_when: false
- name: 'Limit Password Reuse: system-auth - Informative message based on the authselect integrity check result'
ansible.builtin.assert:
that:
- ansible_check_mode or result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was not selected or the selected profile
is not intact.
- It is not recommended to manually edit the PAM files when authselect tool is available.
- In cases where the default authselect profile does not cover a specific demand, a custom authselect profile
is recommended.
success_msg:
- authselect integrity check passed
- name: 'Limit Password Reuse: system-auth - Get authselect current profile'
ansible.builtin.shell:
cmd: authselect current -r | awk '{ print $1 }'
register: result_authselect_profile
changed_when: false
when:
- result_authselect_check_cmd is success
- name: 'Limit Password Reuse: system-auth - Define the current authselect profile as a local fact'
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: '{{ result_authselect_profile.stdout }}'
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is match("custom/")
- name: 'Limit Password Reuse: system-auth - Define the new authselect custom profile as a local fact'
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: custom/hardening
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is not match("custom/")
- name: 'Limit Password Reuse: system-auth - Get authselect current features to also enable them in the custom profile'
ansible.builtin.shell:
cmd: authselect current | tail -n+3 | awk '{ print $2 }'
register: result_authselect_features
changed_when: false
check_mode: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: 'Limit Password Reuse: system-auth - Check if any custom profile with the same name was already created'
ansible.builtin.stat:
path: /etc/authselect/{{ authselect_custom_profile }}
register: result_authselect_custom_profile_present
changed_when: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: 'Limit Password Reuse: system-auth - Create an authselect custom profile based on the current profile'
ansible.builtin.command:
cmd: authselect create-profile hardening -b {{ authselect_current_profile }}
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is not match("^(custom/|local)")
- not result_authselect_custom_profile_present.stat.exists
- name: 'Limit Password Reuse: system-auth - Create an authselect custom profile based on sssd profile'
ansible.builtin.command:
cmd: authselect create-profile hardening -b sssd
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is match("local")
- not result_authselect_custom_profile_present.stat.exists
- name: 'Limit Password Reuse: system-auth - Ensure authselect changes are applied'
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: 'Limit Password Reuse: system-auth - Ensure the authselect custom profile is selected'
ansible.builtin.command:
cmd: authselect select {{ authselect_custom_profile }}
register: result_pam_authselect_select_profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: 'Limit Password Reuse: system-auth - Restore the authselect features in the custom profile'
ansible.builtin.command:
cmd: authselect enable-feature {{ item }}
loop: '{{ result_authselect_features.stdout_lines }}'
register: result_pam_authselect_restore_features
when:
- result_authselect_profile is not skipped
- result_authselect_features is not skipped
- result_pam_authselect_select_profile is not skipped
- name: 'Limit Password Reuse: system-auth - Ensure authselect changes are applied'
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- result_pam_authselect_restore_features is not skipped
- name: 'Limit Password Reuse: system-auth - Change the PAM file to be edited according to the custom authselect profile'
ansible.builtin.set_fact:
pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path | basename }}
when:
- authselect_custom_profile is defined
when:
- result_authselect_present.stat.exists
- name: 'Limit Password Reuse: system-auth - Define a fact for control already filtered in case filters are used'
ansible.builtin.set_fact:
pam_module_control: ''
- name: 'Limit Password Reuse: system-auth - Check if {{ pam_file_path }} file is present'
ansible.builtin.stat:
path: '{{ pam_file_path }}'
register: result_pam_file_present
- name: 'Limit Password Reuse: system-auth - Ensure the "remember" option from "pam_pwhistory.so" is not present in
{{ pam_file_path }}'
ansible.builtin.replace:
dest: '{{ pam_file_path }}'
regexp: (.*password.*pam_pwhistory.so.*)\bremember\b=?[0-9a-zA-Z]*(.*)
replace: \1\2
register: result_pam_option_removal
when: result_pam_file_present.stat.exists
- name: 'Limit Password Reuse: system-auth - Ensure authselect changes are applied'
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_present.stat.exists
- result_pam_option_removal is changed
when:
- result_pam_file_present.stat.exists
when:
- accounts_password_pam_pwhistory_remember_system_auth | bool
- configure_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
- '"pam" in ansible_facts.packages'
- result_pwhistory_conf_check.stat.exists
tags:
- CCE-89176-2
- CJIS-5.6.2.1.1
- NIST-800-171-3.5.8
- NIST-800-53-IA-5(1)(e)
- NIST-800-53-IA-5(f)
- PCI-DSS-Req-8.2.5
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.7
- accounts_password_pam_pwhistory_remember_system_auth
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- name: 'Limit Password Reuse: system-auth - pam_pwhistory.so parameters are configured in PAM files'
block:
- name: 'Limit Password Reuse: system-auth - Define the PAM file to be edited as a local fact'
ansible.builtin.set_fact:
pam_file_path: /etc/pam.d/system-auth
- name: 'Limit Password Reuse: system-auth - Check if system relies on authselect tool'
ansible.builtin.stat:
path: /usr/bin/authselect
register: result_authselect_present
- name: 'Limit Password Reuse: system-auth - Ensure authselect custom profile is used if authselect is present'
block:
- name: 'Limit Password Reuse: system-auth - Check integrity of authselect current profile'
ansible.builtin.command:
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
check_mode: false
failed_when: false
- name: 'Limit Password Reuse: system-auth - Informative message based on the authselect integrity check result'
ansible.builtin.assert:
that:
- ansible_check_mode or result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was not selected or the selected profile is
not intact.
- It is not recommended to manually edit the PAM files when authselect tool is available.
- In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended.
success_msg:
- authselect integrity check passed
- name: 'Limit Password Reuse: system-auth - Get authselect current profile'
ansible.builtin.shell:
cmd: authselect current -r | awk '{ print $1 }'
register: result_authselect_profile
changed_when: false
when:
- result_authselect_check_cmd is success
- name: 'Limit Password Reuse: system-auth - Define the current authselect profile as a local fact'
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: '{{ result_authselect_profile.stdout }}'
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is match("custom/")
- name: 'Limit Password Reuse: system-auth - Define the new authselect custom profile as a local fact'
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: custom/hardening
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is not match("custom/")
- name: 'Limit Password Reuse: system-auth - Get authselect current features to also enable them in the custom profile'
ansible.builtin.shell:
cmd: authselect current | tail -n+3 | awk '{ print $2 }'
register: result_authselect_features
changed_when: false
check_mode: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: 'Limit Password Reuse: system-auth - Check if any custom profile with the same name was already created'
ansible.builtin.stat:
path: /etc/authselect/{{ authselect_custom_profile }}
register: result_authselect_custom_profile_present
changed_when: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: 'Limit Password Reuse: system-auth - Create an authselect custom profile based on the current profile'
ansible.builtin.command:
cmd: authselect create-profile hardening -b {{ authselect_current_profile }}
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is not match("^(custom/|local)")
- not result_authselect_custom_profile_present.stat.exists
- name: 'Limit Password Reuse: system-auth - Create an authselect custom profile based on sssd profile'
ansible.builtin.command:
cmd: authselect create-profile hardening -b sssd
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is match("local")
- not result_authselect_custom_profile_present.stat.exists
- name: 'Limit Password Reuse: system-auth - Ensure authselect changes are applied'
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: 'Limit Password Reuse: system-auth - Ensure the authselect custom profile is selected'
ansible.builtin.command:
cmd: authselect select {{ authselect_custom_profile }}
register: result_pam_authselect_select_profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: 'Limit Password Reuse: system-auth - Restore the authselect features in the custom profile'
ansible.builtin.command:
cmd: authselect enable-feature {{ item }}
loop: '{{ result_authselect_features.stdout_lines }}'
register: result_pam_authselect_restore_features
when:
- result_authselect_profile is not skipped
- result_authselect_features is not skipped
- result_pam_authselect_select_profile is not skipped
- name: 'Limit Password Reuse: system-auth - Ensure authselect changes are applied'
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- result_pam_authselect_restore_features is not skipped
- name: 'Limit Password Reuse: system-auth - Change the PAM file to be edited according to the custom authselect profile'
ansible.builtin.set_fact:
pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path | basename }}
when:
- authselect_custom_profile is defined
when:
- result_authselect_present.stat.exists
- name: 'Limit Password Reuse: system-auth - Define a fact for control already filtered in case filters are used'
ansible.builtin.set_fact:
pam_module_control: requisite
- name: 'Limit Password Reuse: system-auth - Check if expected PAM module line is present in {{ pam_file_path }}'
ansible.builtin.lineinfile:
path: '{{ pam_file_path }}'
regexp: ^\s*password\s+{{ pam_module_control | regex_escape() }}\s+pam_pwhistory.so\s*.*
state: absent
check_mode: true
changed_when: false
register: result_pam_line_present
- name: 'Limit Password Reuse: system-auth - Include or update the PAM module line in {{ pam_file_path }}'
block:
- name: 'Limit Password Reuse: system-auth - Check if required PAM module line is present in {{ pam_file_path }} with
different control'
ansible.builtin.lineinfile:
path: '{{ pam_file_path }}'
regexp: ^\s*password\s+.*\s+pam_pwhistory.so\s*
state: absent
check_mode: true
changed_when: false
register: result_pam_line_other_control_present
- name: 'Limit Password Reuse: system-auth - Ensure the correct control for the required PAM module line in {{ pam_file_path
}}'
ansible.builtin.replace:
dest: '{{ pam_file_path }}'
regexp: ^(\s*password\s+).*(\bpam_pwhistory.so.*)
replace: \1{{ pam_module_control }} \2
register: result_pam_module_edit
when:
- result_pam_line_other_control_present.found == 1
- name: 'Limit Password Reuse: system-auth - Ensure the required PAM module line is included in {{ pam_file_path }}'
ansible.builtin.lineinfile:
dest: '{{ pam_file_path }}'
line: password {{ pam_module_control }} pam_pwhistory.so
register: result_pam_module_add
when:
- result_pam_line_other_control_present.found == 0 or result_pam_line_other_control_present.found > 1
- name: 'Limit Password Reuse: system-auth - Ensure authselect changes are applied'
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_present is defined
- result_authselect_present.stat.exists
- "(result_pam_module_add is defined and result_pam_module_add.changed)\n or (result_pam_module_edit is defined and\
\ result_pam_module_edit.changed)"
when:
- result_pam_line_present.found is defined
- result_pam_line_present.found == 0
- name: 'Limit Password Reuse: system-auth - Define a fact for control already filtered in case filters are used'
ansible.builtin.set_fact:
pam_module_control: requisite
- name: 'Limit Password Reuse: system-auth - Check if the required PAM module option is present in {{ pam_file_path }}'
ansible.builtin.lineinfile:
path: '{{ pam_file_path }}'
regexp: ^\s*password\s+{{ pam_module_control | regex_escape() }}\s+pam_pwhistory.so\s*.*\sremember\b
state: absent
check_mode: true
changed_when: false
register: result_pam_module_accounts_password_pam_pwhistory_remember_system_auth_option_present
- name: 'Limit Password Reuse: system-auth - Ensure the "remember" PAM option for "pam_pwhistory.so" is included in {{ pam_file_path
}}'
ansible.builtin.lineinfile:
path: '{{ pam_file_path }}'
backrefs: true
regexp: ^(\s*password\s+{{ pam_module_control | regex_escape() }}\s+pam_pwhistory.so.*)
line: \1 remember={{ var_password_pam_remember }}
state: present
register: result_pam_accounts_password_pam_pwhistory_remember_system_auth_add
when:
- result_pam_module_accounts_password_pam_pwhistory_remember_system_auth_option_present.found is defined
- result_pam_module_accounts_password_pam_pwhistory_remember_system_auth_option_present.found == 0
- name: 'Limit Password Reuse: system-auth - Ensure the required value for "remember" PAM option from "pam_pwhistory.so"
in {{ pam_file_path }}'
ansible.builtin.lineinfile:
path: '{{ pam_file_path }}'
backrefs: true
regexp: ^(\s*password\s+{{ pam_module_control | regex_escape() }}\s+pam_pwhistory.so\s+.*)(remember)=[0-9a-zA-Z]*\s*(.*)
line: \1\2={{ var_password_pam_remember }} \3
register: result_pam_accounts_password_pam_pwhistory_remember_system_auth_edit
when:
- result_pam_module_accounts_password_pam_pwhistory_remember_system_auth_option_present.found > 0
- name: 'Limit Password Reuse: system-auth - Ensure authselect changes are applied'
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_present.stat.exists
- (result_pam_remember_add is defined and result_pam_remember_add.changed) or (result_pam_remember_edit is defined and
result_pam_remember_edit.changed)
when:
- accounts_password_pam_pwhistory_remember_system_auth | bool
- configure_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
- '"pam" in ansible_facts.packages'
- not result_pwhistory_conf_check.stat.exists
tags:
- CCE-89176-2
- CJIS-5.6.2.1.1
- NIST-800-171-3.5.8
- NIST-800-53-IA-5(1)(e)
- NIST-800-53-IA-5(f)
- PCI-DSS-Req-8.2.5
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.7
- accounts_password_pam_pwhistory_remember_system_auth
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- name: Lock Accounts After Failed Password Attempts - Check if system relies on authselect tool
ansible.builtin.stat:
path: /usr/bin/authselect
register: result_authselect_present
when:
- DISA_STIG_RHEL_09_411075 | bool
- accounts_passwords_pam_faillock_deny | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- '"pam" in ansible_facts.packages'
tags:
- CCE-83587-6
- CJIS-5.5.3
- DISA-STIG-RHEL-09-411075
- NIST-800-171-3.1.8
- NIST-800-53-AC-7(a)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.1.6
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_faillock_deny
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Lock Accounts After Failed Password Attempts - Remediation where authselect tool is present
block:
- name: Lock Accounts After Failed Password Attempts - Check integrity of authselect current profile
ansible.builtin.command:
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
check_mode: false
failed_when: false
- name: Lock Accounts After Failed Password Attempts - Informative message based on the authselect integrity check result
ansible.builtin.assert:
that:
- ansible_check_mode or result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was not selected or the selected profile is not
intact.
- It is not recommended to manually edit the PAM files when authselect tool is available.
- In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended.
success_msg:
- authselect integrity check passed
- name: Lock Accounts After Failed Password Attempts - Get authselect current features
ansible.builtin.shell:
cmd: authselect current | tail -n+3 | awk '{ print $2 }'
register: result_authselect_features
changed_when: false
check_mode: false
when:
- result_authselect_check_cmd is success
- name: Lock Accounts After Failed Password Attempts - Ensure "with-faillock" feature is enabled using authselect tool
ansible.builtin.command:
cmd: authselect enable-feature with-faillock
register: result_authselect_enable_feature_cmd
when:
- result_authselect_check_cmd is success
- result_authselect_features.stdout is not search("with-faillock")
- name: Lock Accounts After Failed Password Attempts - Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_enable_feature_cmd is not skipped
- result_authselect_enable_feature_cmd is success
when:
- DISA_STIG_RHEL_09_411075 | bool
- accounts_passwords_pam_faillock_deny | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- '"pam" in ansible_facts.packages'
- result_authselect_present.stat.exists
tags:
- CCE-83587-6
- CJIS-5.5.3
- DISA-STIG-RHEL-09-411075
- NIST-800-171-3.1.8
- NIST-800-53-AC-7(a)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.1.6
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_faillock_deny
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Lock Accounts After Failed Password Attempts - Remediation where authselect tool is not present
block:
- name: Lock Accounts After Failed Password Attempts - Check if pam_faillock.so is already enabled
ansible.builtin.lineinfile:
path: /etc/pam.d/system-auth
regexp: .*auth.*pam_faillock\.so (preauth|authfail)
state: absent
check_mode: true
changed_when: false
register: result_pam_faillock_is_enabled
- name: Lock Accounts After Failed Password Attempts - Enable pam_faillock.so preauth editing PAM files
ansible.builtin.lineinfile:
path: '{{ item }}'
line: auth required pam_faillock.so preauth
insertbefore: ^auth.*sufficient.*pam_unix\.so.*
state: present
loop:
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
when:
- result_pam_faillock_is_enabled.found == 0
- name: Lock Accounts After Failed Password Attempts - Enable pam_faillock.so authfail editing PAM files
ansible.builtin.lineinfile:
path: '{{ item }}'
line: auth required pam_faillock.so authfail
insertbefore: ^auth.*required.*pam_deny\.so.*
state: present
loop:
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
when:
- result_pam_faillock_is_enabled.found == 0
- name: Lock Accounts After Failed Password Attempts - Enable pam_faillock.so account section editing PAM files
ansible.builtin.lineinfile:
path: '{{ item }}'
line: account required pam_faillock.so
insertbefore: ^account.*required.*pam_unix\.so.*
state: present
loop:
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
when:
- result_pam_faillock_is_enabled.found == 0
when:
- DISA_STIG_RHEL_09_411075 | bool
- accounts_passwords_pam_faillock_deny | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- '"pam" in ansible_facts.packages'
- not result_authselect_present.stat.exists
tags:
- CCE-83587-6
- CJIS-5.5.3
- DISA-STIG-RHEL-09-411075
- NIST-800-171-3.1.8
- NIST-800-53-AC-7(a)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.1.6
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_faillock_deny
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Lock Accounts After Failed Password Attempts - Check the presence of /etc/security/faillock.conf file
ansible.builtin.stat:
path: /etc/security/faillock.conf
register: result_faillock_conf_check
when:
- DISA_STIG_RHEL_09_411075 | bool
- accounts_passwords_pam_faillock_deny | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- '"pam" in ansible_facts.packages'
tags:
- CCE-83587-6
- CJIS-5.5.3
- DISA-STIG-RHEL-09-411075
- NIST-800-171-3.1.8
- NIST-800-53-AC-7(a)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.1.6
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_faillock_deny
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Lock Accounts After Failed Password Attempts - Ensure the pam_faillock.so deny parameter in /etc/security/faillock.conf
ansible.builtin.lineinfile:
path: /etc/security/faillock.conf
regexp: ^\s*deny\s*=
line: deny = {{ var_accounts_passwords_pam_faillock_deny }}
state: present
when:
- DISA_STIG_RHEL_09_411075 | bool
- accounts_passwords_pam_faillock_deny | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- '"pam" in ansible_facts.packages'
- result_faillock_conf_check.stat.exists
tags:
- CCE-83587-6
- CJIS-5.5.3
- DISA-STIG-RHEL-09-411075
- NIST-800-171-3.1.8
- NIST-800-53-AC-7(a)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.1.6
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_faillock_deny
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Lock Accounts After Failed Password Attempts - Ensure the pam_faillock.so deny parameter not in PAM files
block:
- name: Lock Accounts After Failed Password Attempts - Check if /etc/pam.d/system-auth file is present
ansible.builtin.stat:
path: /etc/pam.d/system-auth
register: result_pam_file_present
- name: Lock Accounts After Failed Password Attempts - Check the proper remediation for the system
block:
- name: Lock Accounts After Failed Password Attempts - Define the PAM file to be edited as a local fact
ansible.builtin.set_fact:
pam_file_path: /etc/pam.d/system-auth
- name: Lock Accounts After Failed Password Attempts - Check if system relies on authselect tool
ansible.builtin.stat:
path: /usr/bin/authselect
register: result_authselect_present
- name: Lock Accounts After Failed Password Attempts - Ensure authselect custom profile is used if authselect is present
block:
- name: Lock Accounts After Failed Password Attempts - Check integrity of authselect current profile
ansible.builtin.command:
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
check_mode: false
failed_when: false
- name: Lock Accounts After Failed Password Attempts - Informative message based on the authselect integrity check result
ansible.builtin.assert:
that:
- ansible_check_mode or result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was not selected or the selected profile is
not intact.
- It is not recommended to manually edit the PAM files when authselect tool is available.
- In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is
recommended.
success_msg:
- authselect integrity check passed
- name: Lock Accounts After Failed Password Attempts - Get authselect current profile
ansible.builtin.shell:
cmd: authselect current -r | awk '{ print $1 }'
register: result_authselect_profile
changed_when: false
when:
- result_authselect_check_cmd is success
- name: Lock Accounts After Failed Password Attempts - Define the current authselect profile as a local fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: '{{ result_authselect_profile.stdout }}'
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is match("custom/")
- name: Lock Accounts After Failed Password Attempts - Define the new authselect custom profile as a local fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: custom/hardening
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is not match("custom/")
- name: Lock Accounts After Failed Password Attempts - Get authselect current features to also enable them in the custom
profile
ansible.builtin.shell:
cmd: authselect current | tail -n+3 | awk '{ print $2 }'
register: result_authselect_features
changed_when: false
check_mode: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Lock Accounts After Failed Password Attempts - Check if any custom profile with the same name was already created
ansible.builtin.stat:
path: /etc/authselect/{{ authselect_custom_profile }}
register: result_authselect_custom_profile_present
changed_when: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Lock Accounts After Failed Password Attempts - Create an authselect custom profile based on the current profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b {{ authselect_current_profile }}
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is not match("^(custom/|local)")
- not result_authselect_custom_profile_present.stat.exists
- name: Lock Accounts After Failed Password Attempts - Create an authselect custom profile based on sssd profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b sssd
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is match("local")
- not result_authselect_custom_profile_present.stat.exists
- name: Lock Accounts After Failed Password Attempts - Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Lock Accounts After Failed Password Attempts - Ensure the authselect custom profile is selected
ansible.builtin.command:
cmd: authselect select {{ authselect_custom_profile }}
register: result_pam_authselect_select_profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Lock Accounts After Failed Password Attempts - Restore the authselect features in the custom profile
ansible.builtin.command:
cmd: authselect enable-feature {{ item }}
loop: '{{ result_authselect_features.stdout_lines }}'
register: result_pam_authselect_restore_features
when:
- result_authselect_profile is not skipped
- result_authselect_features is not skipped
- result_pam_authselect_select_profile is not skipped
- name: Lock Accounts After Failed Password Attempts - Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- result_pam_authselect_restore_features is not skipped
- name: Lock Accounts After Failed Password Attempts - Change the PAM file to be edited according to the custom authselect
profile
ansible.builtin.set_fact:
pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path | basename }}
when:
- authselect_custom_profile is defined
when:
- result_authselect_present.stat.exists
- name: Lock Accounts After Failed Password Attempts - Define a fact for control already filtered in case filters are
used
ansible.builtin.set_fact:
pam_module_control: ''
- name: Lock Accounts After Failed Password Attempts - Check if {{ pam_file_path }} file is present
ansible.builtin.stat:
path: '{{ pam_file_path }}'
register: result_pam_file_present
- name: Lock Accounts After Failed Password Attempts - Ensure the "deny" option from "pam_faillock.so" is not present
in {{ pam_file_path }}
ansible.builtin.replace:
dest: '{{ pam_file_path }}'
regexp: (.*auth.*pam_faillock.so.*)\bdeny\b=?[0-9a-zA-Z]*(.*)
replace: \1\2
register: result_pam_option_removal
when: result_pam_file_present.stat.exists
- name: Lock Accounts After Failed Password Attempts - Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_present.stat.exists
- result_pam_option_removal is changed
when:
- result_pam_file_present.stat.exists
- name: Lock Accounts After Failed Password Attempts - Check if /etc/pam.d/password-auth file is present
ansible.builtin.stat:
path: /etc/pam.d/password-auth
register: result_pam_file_present
- name: Lock Accounts After Failed Password Attempts - Check the proper remediation for the system
block:
- name: Lock Accounts After Failed Password Attempts - Define the PAM file to be edited as a local fact
ansible.builtin.set_fact:
pam_file_path: /etc/pam.d/password-auth
- name: Lock Accounts After Failed Password Attempts - Check if system relies on authselect tool
ansible.builtin.stat:
path: /usr/bin/authselect
register: result_authselect_present
- name: Lock Accounts After Failed Password Attempts - Ensure authselect custom profile is used if authselect is present
block:
- name: Lock Accounts After Failed Password Attempts - Check integrity of authselect current profile
ansible.builtin.command:
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
check_mode: false
failed_when: false
- name: Lock Accounts After Failed Password Attempts - Informative message based on the authselect integrity check result
ansible.builtin.assert:
that:
- ansible_check_mode or result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was not selected or the selected profile is
not intact.
- It is not recommended to manually edit the PAM files when authselect tool is available.
- In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is
recommended.
success_msg:
- authselect integrity check passed
- name: Lock Accounts After Failed Password Attempts - Get authselect current profile
ansible.builtin.shell:
cmd: authselect current -r | awk '{ print $1 }'
register: result_authselect_profile
changed_when: false
when:
- result_authselect_check_cmd is success
- name: Lock Accounts After Failed Password Attempts - Define the current authselect profile as a local fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: '{{ result_authselect_profile.stdout }}'
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is match("custom/")
- name: Lock Accounts After Failed Password Attempts - Define the new authselect custom profile as a local fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: custom/hardening
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is not match("custom/")
- name: Lock Accounts After Failed Password Attempts - Get authselect current features to also enable them in the custom
profile
ansible.builtin.shell:
cmd: authselect current | tail -n+3 | awk '{ print $2 }'
register: result_authselect_features
changed_when: false
check_mode: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Lock Accounts After Failed Password Attempts - Check if any custom profile with the same name was already created
ansible.builtin.stat:
path: /etc/authselect/{{ authselect_custom_profile }}
register: result_authselect_custom_profile_present
changed_when: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Lock Accounts After Failed Password Attempts - Create an authselect custom profile based on the current profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b {{ authselect_current_profile }}
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is not match("^(custom/|local)")
- not result_authselect_custom_profile_present.stat.exists
- name: Lock Accounts After Failed Password Attempts - Create an authselect custom profile based on sssd profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b sssd
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is match("local")
- not result_authselect_custom_profile_present.stat.exists
- name: Lock Accounts After Failed Password Attempts - Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Lock Accounts After Failed Password Attempts - Ensure the authselect custom profile is selected
ansible.builtin.command:
cmd: authselect select {{ authselect_custom_profile }}
register: result_pam_authselect_select_profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Lock Accounts After Failed Password Attempts - Restore the authselect features in the custom profile
ansible.builtin.command:
cmd: authselect enable-feature {{ item }}
loop: '{{ result_authselect_features.stdout_lines }}'
register: result_pam_authselect_restore_features
when:
- result_authselect_profile is not skipped
- result_authselect_features is not skipped
- result_pam_authselect_select_profile is not skipped
- name: Lock Accounts After Failed Password Attempts - Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- result_pam_authselect_restore_features is not skipped
- name: Lock Accounts After Failed Password Attempts - Change the PAM file to be edited according to the custom authselect
profile
ansible.builtin.set_fact:
pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path | basename }}
when:
- authselect_custom_profile is defined
when:
- result_authselect_present.stat.exists
- name: Lock Accounts After Failed Password Attempts - Define a fact for control already filtered in case filters are
used
ansible.builtin.set_fact:
pam_module_control: ''
- name: Lock Accounts After Failed Password Attempts - Check if {{ pam_file_path }} file is present
ansible.builtin.stat:
path: '{{ pam_file_path }}'
register: result_pam_file_present
- name: Lock Accounts After Failed Password Attempts - Ensure the "deny" option from "pam_faillock.so" is not present
in {{ pam_file_path }}
ansible.builtin.replace:
dest: '{{ pam_file_path }}'
regexp: (.*auth.*pam_faillock.so.*)\bdeny\b=?[0-9a-zA-Z]*(.*)
replace: \1\2
register: result_pam_option_removal
when: result_pam_file_present.stat.exists
- name: Lock Accounts After Failed Password Attempts - Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_present.stat.exists
- result_pam_option_removal is changed
when:
- result_pam_file_present.stat.exists
when:
- DISA_STIG_RHEL_09_411075 | bool
- accounts_passwords_pam_faillock_deny | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- '"pam" in ansible_facts.packages'
- result_faillock_conf_check.stat.exists
tags:
- CCE-83587-6
- CJIS-5.5.3
- DISA-STIG-RHEL-09-411075
- NIST-800-171-3.1.8
- NIST-800-53-AC-7(a)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.1.6
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_faillock_deny
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Lock Accounts After Failed Password Attempts - Ensure the pam_faillock.so deny parameter in PAM files
block:
- name: Lock Accounts After Failed Password Attempts - Check if pam_faillock.so deny parameter is already enabled in pam
files
ansible.builtin.lineinfile:
path: /etc/pam.d/system-auth
regexp: .*auth.*pam_faillock\.so (preauth|authfail).*deny
state: absent
check_mode: true
changed_when: false
register: result_pam_faillock_deny_parameter_is_present
- name: Lock Accounts After Failed Password Attempts - Ensure the inclusion of pam_faillock.so preauth deny parameter in
auth section
ansible.builtin.lineinfile:
path: '{{ item }}'
backrefs: true
regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so preauth.*)
line: \1required\3 deny={{ var_accounts_passwords_pam_faillock_deny }}
state: present
loop:
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
when:
- result_pam_faillock_deny_parameter_is_present.found == 0
- name: Lock Accounts After Failed Password Attempts - Ensure the inclusion of pam_faillock.so authfail deny parameter in
auth section
ansible.builtin.lineinfile:
path: '{{ item }}'
backrefs: true
regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so authfail.*)
line: \1required\3 deny={{ var_accounts_passwords_pam_faillock_deny }}
state: present
loop:
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
when:
- result_pam_faillock_deny_parameter_is_present.found == 0
- name: Lock Accounts After Failed Password Attempts - Ensure the desired value for pam_faillock.so preauth deny parameter
in auth section
ansible.builtin.lineinfile:
path: '{{ item }}'
backrefs: true
regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so preauth.*)(deny)=[0-9]+(.*)
line: \1required\3\4={{ var_accounts_passwords_pam_faillock_deny }}\5
state: present
loop:
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
when:
- result_pam_faillock_deny_parameter_is_present.found > 0
- name: Lock Accounts After Failed Password Attempts - Ensure the desired value for pam_faillock.so authfail deny parameter
in auth section
ansible.builtin.lineinfile:
path: '{{ item }}'
backrefs: true
regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so authfail.*)(deny)=[0-9]+(.*)
line: \1required\3\4={{ var_accounts_passwords_pam_faillock_deny }}\5
state: present
loop:
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
when:
- result_pam_faillock_deny_parameter_is_present.found > 0
when:
- DISA_STIG_RHEL_09_411075 | bool
- accounts_passwords_pam_faillock_deny | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- '"pam" in ansible_facts.packages'
- not result_faillock_conf_check.stat.exists
tags:
- CCE-83587-6
- CJIS-5.5.3
- DISA-STIG-RHEL-09-411075
- NIST-800-171-3.1.8
- NIST-800-53-AC-7(a)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.1.6
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_faillock_deny
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Configure the root Account for Failed Password Attempts - Check if system relies on authselect tool
ansible.builtin.stat:
path: /usr/bin/authselect
register: result_authselect_present
when:
- DISA_STIG_RHEL_09_411080 | bool
- accounts_passwords_pam_faillock_deny_root | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- '"pam" in ansible_facts.packages'
tags:
- CCE-83589-2
- DISA-STIG-RHEL-09-411080
- NIST-800-53-AC-7(b)
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(c)
- accounts_passwords_pam_faillock_deny_root
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Configure the root Account for Failed Password Attempts - Remediation where authselect tool is present
block:
- name: Configure the root Account for Failed Password Attempts - Check integrity of authselect current profile
ansible.builtin.command:
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
check_mode: false
failed_when: false
- name: Configure the root Account for Failed Password Attempts - Informative message based on the authselect integrity
check result
ansible.builtin.assert:
that:
- ansible_check_mode or result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was not selected or the selected profile is not
intact.
- It is not recommended to manually edit the PAM files when authselect tool is available.
- In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended.
success_msg:
- authselect integrity check passed
- name: Configure the root Account for Failed Password Attempts - Get authselect current features
ansible.builtin.shell:
cmd: authselect current | tail -n+3 | awk '{ print $2 }'
register: result_authselect_features
changed_when: false
check_mode: false
when:
- result_authselect_check_cmd is success
- name: Configure the root Account for Failed Password Attempts - Ensure "with-faillock" feature is enabled using authselect
tool
ansible.builtin.command:
cmd: authselect enable-feature with-faillock
register: result_authselect_enable_feature_cmd
when:
- result_authselect_check_cmd is success
- result_authselect_features.stdout is not search("with-faillock")
- name: Configure the root Account for Failed Password Attempts - Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_enable_feature_cmd is not skipped
- result_authselect_enable_feature_cmd is success
when:
- DISA_STIG_RHEL_09_411080 | bool
- accounts_passwords_pam_faillock_deny_root | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- '"pam" in ansible_facts.packages'
- result_authselect_present.stat.exists
tags:
- CCE-83589-2
- DISA-STIG-RHEL-09-411080
- NIST-800-53-AC-7(b)
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(c)
- accounts_passwords_pam_faillock_deny_root
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Configure the root Account for Failed Password Attempts - Remediation where authselect tool is not present
block:
- name: Configure the root Account for Failed Password Attempts - Check if pam_faillock.so is already enabled
ansible.builtin.lineinfile:
path: /etc/pam.d/system-auth
regexp: .*auth.*pam_faillock\.so (preauth|authfail)
state: absent
check_mode: true
changed_when: false
register: result_pam_faillock_is_enabled
- name: Configure the root Account for Failed Password Attempts - Enable pam_faillock.so preauth editing PAM files
ansible.builtin.lineinfile:
path: '{{ item }}'
line: auth required pam_faillock.so preauth
insertbefore: ^auth.*sufficient.*pam_unix\.so.*
state: present
loop:
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
when:
- result_pam_faillock_is_enabled.found == 0
- name: Configure the root Account for Failed Password Attempts - Enable pam_faillock.so authfail editing PAM files
ansible.builtin.lineinfile:
path: '{{ item }}'
line: auth required pam_faillock.so authfail
insertbefore: ^auth.*required.*pam_deny\.so.*
state: present
loop:
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
when:
- result_pam_faillock_is_enabled.found == 0
- name: Configure the root Account for Failed Password Attempts - Enable pam_faillock.so account section editing PAM files
ansible.builtin.lineinfile:
path: '{{ item }}'
line: account required pam_faillock.so
insertbefore: ^account.*required.*pam_unix\.so.*
state: present
loop:
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
when:
- result_pam_faillock_is_enabled.found == 0
when:
- DISA_STIG_RHEL_09_411080 | bool
- accounts_passwords_pam_faillock_deny_root | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- '"pam" in ansible_facts.packages'
- not result_authselect_present.stat.exists
tags:
- CCE-83589-2
- DISA-STIG-RHEL-09-411080
- NIST-800-53-AC-7(b)
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(c)
- accounts_passwords_pam_faillock_deny_root
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Configure the root Account for Failed Password Attempts - Check the presence of /etc/security/faillock.conf file
ansible.builtin.stat:
path: /etc/security/faillock.conf
register: result_faillock_conf_check
when:
- DISA_STIG_RHEL_09_411080 | bool
- accounts_passwords_pam_faillock_deny_root | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- '"pam" in ansible_facts.packages'
tags:
- CCE-83589-2
- DISA-STIG-RHEL-09-411080
- NIST-800-53-AC-7(b)
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(c)
- accounts_passwords_pam_faillock_deny_root
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Configure the root Account for Failed Password Attempts - Ensure the pam_faillock.so even_deny_root parameter in /etc/security/faillock.conf
ansible.builtin.lineinfile:
path: /etc/security/faillock.conf
regexp: ^\s*even_deny_root
line: even_deny_root
state: present
when:
- DISA_STIG_RHEL_09_411080 | bool
- accounts_passwords_pam_faillock_deny_root | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- '"pam" in ansible_facts.packages'
- result_faillock_conf_check.stat.exists
tags:
- CCE-83589-2
- DISA-STIG-RHEL-09-411080
- NIST-800-53-AC-7(b)
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(c)
- accounts_passwords_pam_faillock_deny_root
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Configure the root Account for Failed Password Attempts - Ensure the pam_faillock.so even_deny_root parameter not
in PAM files
block:
- name: Configure the root Account for Failed Password Attempts - Check if /etc/pam.d/system-auth file is present
ansible.builtin.stat:
path: /etc/pam.d/system-auth
register: result_pam_file_present
- name: Configure the root Account for Failed Password Attempts - Check the proper remediation for the system
block:
- name: Configure the root Account for Failed Password Attempts - Define the PAM file to be edited as a local fact
ansible.builtin.set_fact:
pam_file_path: /etc/pam.d/system-auth
- name: Configure the root Account for Failed Password Attempts - Check if system relies on authselect tool
ansible.builtin.stat:
path: /usr/bin/authselect
register: result_authselect_present
- name: Configure the root Account for Failed Password Attempts - Ensure authselect custom profile is used if authselect
is present
block:
- name: Configure the root Account for Failed Password Attempts - Check integrity of authselect current profile
ansible.builtin.command:
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
check_mode: false
failed_when: false
- name: Configure the root Account for Failed Password Attempts - Informative message based on the authselect integrity
check result
ansible.builtin.assert:
that:
- ansible_check_mode or result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was not selected or the selected profile is
not intact.
- It is not recommended to manually edit the PAM files when authselect tool is available.
- In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is
recommended.
success_msg:
- authselect integrity check passed
- name: Configure the root Account for Failed Password Attempts - Get authselect current profile
ansible.builtin.shell:
cmd: authselect current -r | awk '{ print $1 }'
register: result_authselect_profile
changed_when: false
when:
- result_authselect_check_cmd is success
- name: Configure the root Account for Failed Password Attempts - Define the current authselect profile as a local fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: '{{ result_authselect_profile.stdout }}'
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is match("custom/")
- name: Configure the root Account for Failed Password Attempts - Define the new authselect custom profile as a local
fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: custom/hardening
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is not match("custom/")
- name: Configure the root Account for Failed Password Attempts - Get authselect current features to also enable them
in the custom profile
ansible.builtin.shell:
cmd: authselect current | tail -n+3 | awk '{ print $2 }'
register: result_authselect_features
changed_when: false
check_mode: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Configure the root Account for Failed Password Attempts - Check if any custom profile with the same name was
already created
ansible.builtin.stat:
path: /etc/authselect/{{ authselect_custom_profile }}
register: result_authselect_custom_profile_present
changed_when: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Configure the root Account for Failed Password Attempts - Create an authselect custom profile based on the current
profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b {{ authselect_current_profile }}
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is not match("^(custom/|local)")
- not result_authselect_custom_profile_present.stat.exists
- name: Configure the root Account for Failed Password Attempts - Create an authselect custom profile based on sssd
profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b sssd
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is match("local")
- not result_authselect_custom_profile_present.stat.exists
- name: Configure the root Account for Failed Password Attempts - Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Configure the root Account for Failed Password Attempts - Ensure the authselect custom profile is selected
ansible.builtin.command:
cmd: authselect select {{ authselect_custom_profile }}
register: result_pam_authselect_select_profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Configure the root Account for Failed Password Attempts - Restore the authselect features in the custom profile
ansible.builtin.command:
cmd: authselect enable-feature {{ item }}
loop: '{{ result_authselect_features.stdout_lines }}'
register: result_pam_authselect_restore_features
when:
- result_authselect_profile is not skipped
- result_authselect_features is not skipped
- result_pam_authselect_select_profile is not skipped
- name: Configure the root Account for Failed Password Attempts - Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- result_pam_authselect_restore_features is not skipped
- name: Configure the root Account for Failed Password Attempts - Change the PAM file to be edited according to the
custom authselect profile
ansible.builtin.set_fact:
pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path | basename }}
when:
- authselect_custom_profile is defined
when:
- result_authselect_present.stat.exists
- name: Configure the root Account for Failed Password Attempts - Define a fact for control already filtered in case filters
are used
ansible.builtin.set_fact:
pam_module_control: ''
- name: Configure the root Account for Failed Password Attempts - Check if {{ pam_file_path }} file is present
ansible.builtin.stat:
path: '{{ pam_file_path }}'
register: result_pam_file_present
- name: Configure the root Account for Failed Password Attempts - Ensure the "even_deny_root" option from "pam_faillock.so"
is not present in {{ pam_file_path }}
ansible.builtin.replace:
dest: '{{ pam_file_path }}'
regexp: (.*auth.*pam_faillock.so.*)\beven_deny_root\b=?[0-9a-zA-Z]*(.*)
replace: \1\2
register: result_pam_option_removal
when: result_pam_file_present.stat.exists
- name: Configure the root Account for Failed Password Attempts - Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_present.stat.exists
- result_pam_option_removal is changed
when:
- result_pam_file_present.stat.exists
- name: Configure the root Account for Failed Password Attempts - Check if /etc/pam.d/password-auth file is present
ansible.builtin.stat:
path: /etc/pam.d/password-auth
register: result_pam_file_present
- name: Configure the root Account for Failed Password Attempts - Check the proper remediation for the system
block:
- name: Configure the root Account for Failed Password Attempts - Define the PAM file to be edited as a local fact
ansible.builtin.set_fact:
pam_file_path: /etc/pam.d/password-auth
- name: Configure the root Account for Failed Password Attempts - Check if system relies on authselect tool
ansible.builtin.stat:
path: /usr/bin/authselect
register: result_authselect_present
- name: Configure the root Account for Failed Password Attempts - Ensure authselect custom profile is used if authselect
is present
block:
- name: Configure the root Account for Failed Password Attempts - Check integrity of authselect current profile
ansible.builtin.command:
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
check_mode: false
failed_when: false
- name: Configure the root Account for Failed Password Attempts - Informative message based on the authselect integrity
check result
ansible.builtin.assert:
that:
- ansible_check_mode or result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was not selected or the selected profile is
not intact.
- It is not recommended to manually edit the PAM files when authselect tool is available.
- In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is
recommended.
success_msg:
- authselect integrity check passed
- name: Configure the root Account for Failed Password Attempts - Get authselect current profile
ansible.builtin.shell:
cmd: authselect current -r | awk '{ print $1 }'
register: result_authselect_profile
changed_when: false
when:
- result_authselect_check_cmd is success
- name: Configure the root Account for Failed Password Attempts - Define the current authselect profile as a local fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: '{{ result_authselect_profile.stdout }}'
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is match("custom/")
- name: Configure the root Account for Failed Password Attempts - Define the new authselect custom profile as a local
fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: custom/hardening
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is not match("custom/")
- name: Configure the root Account for Failed Password Attempts - Get authselect current features to also enable them
in the custom profile
ansible.builtin.shell:
cmd: authselect current | tail -n+3 | awk '{ print $2 }'
register: result_authselect_features
changed_when: false
check_mode: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Configure the root Account for Failed Password Attempts - Check if any custom profile with the same name was
already created
ansible.builtin.stat:
path: /etc/authselect/{{ authselect_custom_profile }}
register: result_authselect_custom_profile_present
changed_when: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Configure the root Account for Failed Password Attempts - Create an authselect custom profile based on the current
profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b {{ authselect_current_profile }}
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is not match("^(custom/|local)")
- not result_authselect_custom_profile_present.stat.exists
- name: Configure the root Account for Failed Password Attempts - Create an authselect custom profile based on sssd
profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b sssd
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is match("local")
- not result_authselect_custom_profile_present.stat.exists
- name: Configure the root Account for Failed Password Attempts - Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Configure the root Account for Failed Password Attempts - Ensure the authselect custom profile is selected
ansible.builtin.command:
cmd: authselect select {{ authselect_custom_profile }}
register: result_pam_authselect_select_profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Configure the root Account for Failed Password Attempts - Restore the authselect features in the custom profile
ansible.builtin.command:
cmd: authselect enable-feature {{ item }}
loop: '{{ result_authselect_features.stdout_lines }}'
register: result_pam_authselect_restore_features
when:
- result_authselect_profile is not skipped
- result_authselect_features is not skipped
- result_pam_authselect_select_profile is not skipped
- name: Configure the root Account for Failed Password Attempts - Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- result_pam_authselect_restore_features is not skipped
- name: Configure the root Account for Failed Password Attempts - Change the PAM file to be edited according to the
custom authselect profile
ansible.builtin.set_fact:
pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path | basename }}
when:
- authselect_custom_profile is defined
when:
- result_authselect_present.stat.exists
- name: Configure the root Account for Failed Password Attempts - Define a fact for control already filtered in case filters
are used
ansible.builtin.set_fact:
pam_module_control: ''
- name: Configure the root Account for Failed Password Attempts - Check if {{ pam_file_path }} file is present
ansible.builtin.stat:
path: '{{ pam_file_path }}'
register: result_pam_file_present
- name: Configure the root Account for Failed Password Attempts - Ensure the "even_deny_root" option from "pam_faillock.so"
is not present in {{ pam_file_path }}
ansible.builtin.replace:
dest: '{{ pam_file_path }}'
regexp: (.*auth.*pam_faillock.so.*)\beven_deny_root\b=?[0-9a-zA-Z]*(.*)
replace: \1\2
register: result_pam_option_removal
when: result_pam_file_present.stat.exists
- name: Configure the root Account for Failed Password Attempts - Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_present.stat.exists
- result_pam_option_removal is changed
when:
- result_pam_file_present.stat.exists
when:
- DISA_STIG_RHEL_09_411080 | bool
- accounts_passwords_pam_faillock_deny_root | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- '"pam" in ansible_facts.packages'
- result_faillock_conf_check.stat.exists
tags:
- CCE-83589-2
- DISA-STIG-RHEL-09-411080
- NIST-800-53-AC-7(b)
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(c)
- accounts_passwords_pam_faillock_deny_root
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Configure the root Account for Failed Password Attempts - Ensure the pam_faillock.so even_deny_root parameter in PAM
files
block:
- name: Configure the root Account for Failed Password Attempts - Check if pam_faillock.so even_deny_root parameter is already
enabled in pam files
ansible.builtin.lineinfile:
path: /etc/pam.d/system-auth
regexp: .*auth.*pam_faillock\.so (preauth|authfail).*even_deny_root
state: absent
check_mode: true
changed_when: false
register: result_pam_faillock_even_deny_root_parameter_is_present
- name: Configure the root Account for Failed Password Attempts - Ensure the inclusion of pam_faillock.so preauth even_deny_root
parameter in auth section
ansible.builtin.lineinfile:
path: '{{ item }}'
backrefs: true
regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so preauth.*)
line: \1required\3 even_deny_root
state: present
loop:
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
when:
- result_pam_faillock_even_deny_root_parameter_is_present.found == 0
- name: Configure the root Account for Failed Password Attempts - Ensure the inclusion of pam_faillock.so authfail even_deny_root
parameter in auth section
ansible.builtin.lineinfile:
path: '{{ item }}'
backrefs: true
regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so authfail.*)
line: \1required\3 even_deny_root
state: present
loop:
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
when:
- result_pam_faillock_even_deny_root_parameter_is_present.found == 0
when:
- DISA_STIG_RHEL_09_411080 | bool
- accounts_passwords_pam_faillock_deny_root | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- '"pam" in ansible_facts.packages'
- not result_faillock_conf_check.stat.exists
tags:
- CCE-83589-2
- DISA-STIG-RHEL-09-411080
- NIST-800-53-AC-7(b)
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(c)
- accounts_passwords_pam_faillock_deny_root
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set Lockout Time for Failed Password Attempts - Check if system relies on authselect tool
ansible.builtin.stat:
path: /usr/bin/authselect
register: result_authselect_present
when:
- DISA_STIG_RHEL_09_411090 | bool
- accounts_passwords_pam_faillock_unlock_time | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- '"pam" in ansible_facts.packages'
tags:
- CCE-83588-4
- CJIS-5.5.3
- DISA-STIG-RHEL-09-411090
- NIST-800-171-3.1.8
- NIST-800-53-AC-7(b)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.1.7
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_faillock_unlock_time
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set Lockout Time for Failed Password Attempts - Remediation where authselect tool is present
block:
- name: Set Lockout Time for Failed Password Attempts - Check integrity of authselect current profile
ansible.builtin.command:
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
check_mode: false
failed_when: false
- name: Set Lockout Time for Failed Password Attempts - Informative message based on the authselect integrity check result
ansible.builtin.assert:
that:
- ansible_check_mode or result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was not selected or the selected profile is not
intact.
- It is not recommended to manually edit the PAM files when authselect tool is available.
- In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended.
success_msg:
- authselect integrity check passed
- name: Set Lockout Time for Failed Password Attempts - Get authselect current features
ansible.builtin.shell:
cmd: authselect current | tail -n+3 | awk '{ print $2 }'
register: result_authselect_features
changed_when: false
check_mode: false
when:
- result_authselect_check_cmd is success
- name: Set Lockout Time for Failed Password Attempts - Ensure "with-faillock" feature is enabled using authselect tool
ansible.builtin.command:
cmd: authselect enable-feature with-faillock
register: result_authselect_enable_feature_cmd
when:
- result_authselect_check_cmd is success
- result_authselect_features.stdout is not search("with-faillock")
- name: Set Lockout Time for Failed Password Attempts - Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_enable_feature_cmd is not skipped
- result_authselect_enable_feature_cmd is success
when:
- DISA_STIG_RHEL_09_411090 | bool
- accounts_passwords_pam_faillock_unlock_time | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- '"pam" in ansible_facts.packages'
- result_authselect_present.stat.exists
tags:
- CCE-83588-4
- CJIS-5.5.3
- DISA-STIG-RHEL-09-411090
- NIST-800-171-3.1.8
- NIST-800-53-AC-7(b)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.1.7
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_faillock_unlock_time
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set Lockout Time for Failed Password Attempts - Remediation where authselect tool is not present
block:
- name: Set Lockout Time for Failed Password Attempts - Check if pam_faillock.so is already enabled
ansible.builtin.lineinfile:
path: /etc/pam.d/system-auth
regexp: .*auth.*pam_faillock\.so (preauth|authfail)
state: absent
check_mode: true
changed_when: false
register: result_pam_faillock_is_enabled
- name: Set Lockout Time for Failed Password Attempts - Enable pam_faillock.so preauth editing PAM files
ansible.builtin.lineinfile:
path: '{{ item }}'
line: auth required pam_faillock.so preauth
insertbefore: ^auth.*sufficient.*pam_unix\.so.*
state: present
loop:
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
when:
- result_pam_faillock_is_enabled.found == 0
- name: Set Lockout Time for Failed Password Attempts - Enable pam_faillock.so authfail editing PAM files
ansible.builtin.lineinfile:
path: '{{ item }}'
line: auth required pam_faillock.so authfail
insertbefore: ^auth.*required.*pam_deny\.so.*
state: present
loop:
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
when:
- result_pam_faillock_is_enabled.found == 0
- name: Set Lockout Time for Failed Password Attempts - Enable pam_faillock.so account section editing PAM files
ansible.builtin.lineinfile:
path: '{{ item }}'
line: account required pam_faillock.so
insertbefore: ^account.*required.*pam_unix\.so.*
state: present
loop:
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
when:
- result_pam_faillock_is_enabled.found == 0
when:
- DISA_STIG_RHEL_09_411090 | bool
- accounts_passwords_pam_faillock_unlock_time | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- '"pam" in ansible_facts.packages'
- not result_authselect_present.stat.exists
tags:
- CCE-83588-4
- CJIS-5.5.3
- DISA-STIG-RHEL-09-411090
- NIST-800-171-3.1.8
- NIST-800-53-AC-7(b)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.1.7
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_faillock_unlock_time
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set Lockout Time for Failed Password Attempts - Check the presence of /etc/security/faillock.conf file
ansible.builtin.stat:
path: /etc/security/faillock.conf
register: result_faillock_conf_check
when:
- DISA_STIG_RHEL_09_411090 | bool
- accounts_passwords_pam_faillock_unlock_time | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- '"pam" in ansible_facts.packages'
tags:
- CCE-83588-4
- CJIS-5.5.3
- DISA-STIG-RHEL-09-411090
- NIST-800-171-3.1.8
- NIST-800-53-AC-7(b)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.1.7
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_faillock_unlock_time
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set Lockout Time for Failed Password Attempts - Ensure the pam_faillock.so unlock_time parameter in /etc/security/faillock.conf
ansible.builtin.lineinfile:
path: /etc/security/faillock.conf
regexp: ^\s*unlock_time\s*=
line: unlock_time = {{ var_accounts_passwords_pam_faillock_unlock_time }}
state: present
when:
- DISA_STIG_RHEL_09_411090 | bool
- accounts_passwords_pam_faillock_unlock_time | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- '"pam" in ansible_facts.packages'
- result_faillock_conf_check.stat.exists
tags:
- CCE-83588-4
- CJIS-5.5.3
- DISA-STIG-RHEL-09-411090
- NIST-800-171-3.1.8
- NIST-800-53-AC-7(b)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.1.7
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_faillock_unlock_time
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set Lockout Time for Failed Password Attempts - Ensure the pam_faillock.so unlock_time parameter not in PAM files
block:
- name: Set Lockout Time for Failed Password Attempts - Check if /etc/pam.d/system-auth file is present
ansible.builtin.stat:
path: /etc/pam.d/system-auth
register: result_pam_file_present
- name: Set Lockout Time for Failed Password Attempts - Check the proper remediation for the system
block:
- name: Set Lockout Time for Failed Password Attempts - Define the PAM file to be edited as a local fact
ansible.builtin.set_fact:
pam_file_path: /etc/pam.d/system-auth
- name: Set Lockout Time for Failed Password Attempts - Check if system relies on authselect tool
ansible.builtin.stat:
path: /usr/bin/authselect
register: result_authselect_present
- name: Set Lockout Time for Failed Password Attempts - Ensure authselect custom profile is used if authselect is present
block:
- name: Set Lockout Time for Failed Password Attempts - Check integrity of authselect current profile
ansible.builtin.command:
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
check_mode: false
failed_when: false
- name: Set Lockout Time for Failed Password Attempts - Informative message based on the authselect integrity check
result
ansible.builtin.assert:
that:
- ansible_check_mode or result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was not selected or the selected profile is
not intact.
- It is not recommended to manually edit the PAM files when authselect tool is available.
- In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is
recommended.
success_msg:
- authselect integrity check passed
- name: Set Lockout Time for Failed Password Attempts - Get authselect current profile
ansible.builtin.shell:
cmd: authselect current -r | awk '{ print $1 }'
register: result_authselect_profile
changed_when: false
when:
- result_authselect_check_cmd is success
- name: Set Lockout Time for Failed Password Attempts - Define the current authselect profile as a local fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: '{{ result_authselect_profile.stdout }}'
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is match("custom/")
- name: Set Lockout Time for Failed Password Attempts - Define the new authselect custom profile as a local fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: custom/hardening
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is not match("custom/")
- name: Set Lockout Time for Failed Password Attempts - Get authselect current features to also enable them in the custom
profile
ansible.builtin.shell:
cmd: authselect current | tail -n+3 | awk '{ print $2 }'
register: result_authselect_features
changed_when: false
check_mode: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Set Lockout Time for Failed Password Attempts - Check if any custom profile with the same name was already created
ansible.builtin.stat:
path: /etc/authselect/{{ authselect_custom_profile }}
register: result_authselect_custom_profile_present
changed_when: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Set Lockout Time for Failed Password Attempts - Create an authselect custom profile based on the current profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b {{ authselect_current_profile }}
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is not match("^(custom/|local)")
- not result_authselect_custom_profile_present.stat.exists
- name: Set Lockout Time for Failed Password Attempts - Create an authselect custom profile based on sssd profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b sssd
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is match("local")
- not result_authselect_custom_profile_present.stat.exists
- name: Set Lockout Time for Failed Password Attempts - Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Set Lockout Time for Failed Password Attempts - Ensure the authselect custom profile is selected
ansible.builtin.command:
cmd: authselect select {{ authselect_custom_profile }}
register: result_pam_authselect_select_profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Set Lockout Time for Failed Password Attempts - Restore the authselect features in the custom profile
ansible.builtin.command:
cmd: authselect enable-feature {{ item }}
loop: '{{ result_authselect_features.stdout_lines }}'
register: result_pam_authselect_restore_features
when:
- result_authselect_profile is not skipped
- result_authselect_features is not skipped
- result_pam_authselect_select_profile is not skipped
- name: Set Lockout Time for Failed Password Attempts - Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- result_pam_authselect_restore_features is not skipped
- name: Set Lockout Time for Failed Password Attempts - Change the PAM file to be edited according to the custom authselect
profile
ansible.builtin.set_fact:
pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path | basename }}
when:
- authselect_custom_profile is defined
when:
- result_authselect_present.stat.exists
- name: Set Lockout Time for Failed Password Attempts - Define a fact for control already filtered in case filters are
used
ansible.builtin.set_fact:
pam_module_control: ''
- name: Set Lockout Time for Failed Password Attempts - Check if {{ pam_file_path }} file is present
ansible.builtin.stat:
path: '{{ pam_file_path }}'
register: result_pam_file_present
- name: Set Lockout Time for Failed Password Attempts - Ensure the "unlock_time" option from "pam_faillock.so" is not
present in {{ pam_file_path }}
ansible.builtin.replace:
dest: '{{ pam_file_path }}'
regexp: (.*auth.*pam_faillock.so.*)\bunlock_time\b=?[0-9a-zA-Z]*(.*)
replace: \1\2
register: result_pam_option_removal
when: result_pam_file_present.stat.exists
- name: Set Lockout Time for Failed Password Attempts - Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_present.stat.exists
- result_pam_option_removal is changed
when:
- result_pam_file_present.stat.exists
- name: Set Lockout Time for Failed Password Attempts - Check if /etc/pam.d/password-auth file is present
ansible.builtin.stat:
path: /etc/pam.d/password-auth
register: result_pam_file_present
- name: Set Lockout Time for Failed Password Attempts - Check the proper remediation for the system
block:
- name: Set Lockout Time for Failed Password Attempts - Define the PAM file to be edited as a local fact
ansible.builtin.set_fact:
pam_file_path: /etc/pam.d/password-auth
- name: Set Lockout Time for Failed Password Attempts - Check if system relies on authselect tool
ansible.builtin.stat:
path: /usr/bin/authselect
register: result_authselect_present
- name: Set Lockout Time for Failed Password Attempts - Ensure authselect custom profile is used if authselect is present
block:
- name: Set Lockout Time for Failed Password Attempts - Check integrity of authselect current profile
ansible.builtin.command:
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
check_mode: false
failed_when: false
- name: Set Lockout Time for Failed Password Attempts - Informative message based on the authselect integrity check
result
ansible.builtin.assert:
that:
- ansible_check_mode or result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was not selected or the selected profile is
not intact.
- It is not recommended to manually edit the PAM files when authselect tool is available.
- In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is
recommended.
success_msg:
- authselect integrity check passed
- name: Set Lockout Time for Failed Password Attempts - Get authselect current profile
ansible.builtin.shell:
cmd: authselect current -r | awk '{ print $1 }'
register: result_authselect_profile
changed_when: false
when:
- result_authselect_check_cmd is success
- name: Set Lockout Time for Failed Password Attempts - Define the current authselect profile as a local fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: '{{ result_authselect_profile.stdout }}'
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is match("custom/")
- name: Set Lockout Time for Failed Password Attempts - Define the new authselect custom profile as a local fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: custom/hardening
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is not match("custom/")
- name: Set Lockout Time for Failed Password Attempts - Get authselect current features to also enable them in the custom
profile
ansible.builtin.shell:
cmd: authselect current | tail -n+3 | awk '{ print $2 }'
register: result_authselect_features
changed_when: false
check_mode: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Set Lockout Time for Failed Password Attempts - Check if any custom profile with the same name was already created
ansible.builtin.stat:
path: /etc/authselect/{{ authselect_custom_profile }}
register: result_authselect_custom_profile_present
changed_when: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Set Lockout Time for Failed Password Attempts - Create an authselect custom profile based on the current profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b {{ authselect_current_profile }}
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is not match("^(custom/|local)")
- not result_authselect_custom_profile_present.stat.exists
- name: Set Lockout Time for Failed Password Attempts - Create an authselect custom profile based on sssd profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b sssd
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is match("local")
- not result_authselect_custom_profile_present.stat.exists
- name: Set Lockout Time for Failed Password Attempts - Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Set Lockout Time for Failed Password Attempts - Ensure the authselect custom profile is selected
ansible.builtin.command:
cmd: authselect select {{ authselect_custom_profile }}
register: result_pam_authselect_select_profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Set Lockout Time for Failed Password Attempts - Restore the authselect features in the custom profile
ansible.builtin.command:
cmd: authselect enable-feature {{ item }}
loop: '{{ result_authselect_features.stdout_lines }}'
register: result_pam_authselect_restore_features
when:
- result_authselect_profile is not skipped
- result_authselect_features is not skipped
- result_pam_authselect_select_profile is not skipped
- name: Set Lockout Time for Failed Password Attempts - Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- result_pam_authselect_restore_features is not skipped
- name: Set Lockout Time for Failed Password Attempts - Change the PAM file to be edited according to the custom authselect
profile
ansible.builtin.set_fact:
pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path | basename }}
when:
- authselect_custom_profile is defined
when:
- result_authselect_present.stat.exists
- name: Set Lockout Time for Failed Password Attempts - Define a fact for control already filtered in case filters are
used
ansible.builtin.set_fact:
pam_module_control: ''
- name: Set Lockout Time for Failed Password Attempts - Check if {{ pam_file_path }} file is present
ansible.builtin.stat:
path: '{{ pam_file_path }}'
register: result_pam_file_present
- name: Set Lockout Time for Failed Password Attempts - Ensure the "unlock_time" option from "pam_faillock.so" is not
present in {{ pam_file_path }}
ansible.builtin.replace:
dest: '{{ pam_file_path }}'
regexp: (.*auth.*pam_faillock.so.*)\bunlock_time\b=?[0-9a-zA-Z]*(.*)
replace: \1\2
register: result_pam_option_removal
when: result_pam_file_present.stat.exists
- name: Set Lockout Time for Failed Password Attempts - Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_present.stat.exists
- result_pam_option_removal is changed
when:
- result_pam_file_present.stat.exists
when:
- DISA_STIG_RHEL_09_411090 | bool
- accounts_passwords_pam_faillock_unlock_time | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- '"pam" in ansible_facts.packages'
- result_faillock_conf_check.stat.exists
tags:
- CCE-83588-4
- CJIS-5.5.3
- DISA-STIG-RHEL-09-411090
- NIST-800-171-3.1.8
- NIST-800-53-AC-7(b)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.1.7
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_faillock_unlock_time
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set Lockout Time for Failed Password Attempts - Ensure the pam_faillock.so unlock_time parameter in PAM files
block:
- name: Set Lockout Time for Failed Password Attempts - Check if pam_faillock.so unlock_time parameter is already enabled
in pam files
ansible.builtin.lineinfile:
path: /etc/pam.d/system-auth
regexp: .*auth.*pam_faillock\.so (preauth|authfail).*unlock_time
state: absent
check_mode: true
changed_when: false
register: result_pam_faillock_unlock_time_parameter_is_present
- name: Set Lockout Time for Failed Password Attempts - Ensure the inclusion of pam_faillock.so preauth unlock_time parameter
in auth section
ansible.builtin.lineinfile:
path: '{{ item }}'
backrefs: true
regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so preauth.*)
line: \1required\3 unlock_time={{ var_accounts_passwords_pam_faillock_unlock_time }}
state: present
loop:
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
when:
- result_pam_faillock_unlock_time_parameter_is_present.found == 0
- name: Set Lockout Time for Failed Password Attempts - Ensure the inclusion of pam_faillock.so authfail unlock_time parameter
in auth section
ansible.builtin.lineinfile:
path: '{{ item }}'
backrefs: true
regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so authfail.*)
line: \1required\3 unlock_time={{ var_accounts_passwords_pam_faillock_unlock_time }}
state: present
loop:
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
when:
- result_pam_faillock_unlock_time_parameter_is_present.found == 0
- name: Set Lockout Time for Failed Password Attempts - Ensure the desired value for pam_faillock.so preauth unlock_time
parameter in auth section
ansible.builtin.lineinfile:
path: '{{ item }}'
backrefs: true
regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so preauth.*)(unlock_time)=[0-9]+(.*)
line: \1required\3\4={{ var_accounts_passwords_pam_faillock_unlock_time }}\5
state: present
loop:
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
when:
- result_pam_faillock_unlock_time_parameter_is_present.found > 0
- name: Set Lockout Time for Failed Password Attempts - Ensure the desired value for pam_faillock.so authfail unlock_time
parameter in auth section
ansible.builtin.lineinfile:
path: '{{ item }}'
backrefs: true
regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so authfail.*)(unlock_time)=[0-9]+(.*)
line: \1required\3\4={{ var_accounts_passwords_pam_faillock_unlock_time }}\5
state: present
loop:
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
when:
- result_pam_faillock_unlock_time_parameter_is_present.found > 0
when:
- DISA_STIG_RHEL_09_411090 | bool
- accounts_passwords_pam_faillock_unlock_time | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- '"pam" in ansible_facts.packages'
- not result_faillock_conf_check.stat.exists
tags:
- CCE-83588-4
- CJIS-5.5.3
- DISA-STIG-RHEL-09-411090
- NIST-800-171-3.1.8
- NIST-800-53-AC-7(b)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.1.7
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_faillock_unlock_time
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure PAM Enforces Password Requirements - Prevent the Use of Dictionary Words - Find pwquality.conf.d files
ansible.builtin.find:
paths: /etc/security/pwquality.conf.d/
patterns: '*.conf'
register: pwquality_conf_d_files
when:
- DISA_STIG_RHEL_09_611105 | bool
- accounts_password_pam_dictcheck | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- '"libpwquality" in ansible_facts.packages'
tags:
- CCE-88413-0
- DISA-STIG-RHEL-09-611105
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(4)
- NIST-800-53-IA-5(c)
- accounts_password_pam_dictcheck
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure PAM Enforces Password Requirements - Prevent the Use of Dictionary Words - Ensure dictcheck is not set in pwquality.conf.d
ansible.builtin.lineinfile:
path: '{{ item.path }}'
regexp: ^\s*\bdictcheck\b.*
state: absent
with_items: '{{ pwquality_conf_d_files.files }}'
when:
- DISA_STIG_RHEL_09_611105 | bool
- accounts_password_pam_dictcheck | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- '"libpwquality" in ansible_facts.packages'
tags:
- CCE-88413-0
- DISA-STIG-RHEL-09-611105
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(4)
- NIST-800-53-IA-5(c)
- accounts_password_pam_dictcheck
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure PAM Enforces Password Requirements - Prevent the Use of Dictionary Words - Ensure PAM variable dictcheck is
set accordingly
ansible.builtin.lineinfile:
create: true
dest: /etc/security/pwquality.conf
regexp: ^#?\s*dictcheck
line: dictcheck = {{ var_password_pam_dictcheck }}
when:
- DISA_STIG_RHEL_09_611105 | bool
- accounts_password_pam_dictcheck | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- '"libpwquality" in ansible_facts.packages'
tags:
- CCE-88413-0
- DISA-STIG-RHEL-09-611105
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(4)
- NIST-800-53-IA-5(c)
- accounts_password_pam_dictcheck
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure PAM Enforces Password Requirements - Minimum Different Characters - Find pwquality.conf.d files
ansible.builtin.find:
paths: /etc/security/pwquality.conf.d/
patterns: '*.conf'
register: pwquality_conf_d_files
when:
- DISA_STIG_RHEL_09_611115 | bool
- accounts_password_pam_difok | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- '"libpwquality" in ansible_facts.packages'
tags:
- CCE-83564-5
- CJIS-5.6.2.1.1
- DISA-STIG-RHEL-09-611115
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(b)
- NIST-800-53-IA-5(4)
- NIST-800-53-IA-5(c)
- accounts_password_pam_difok
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure PAM Enforces Password Requirements - Minimum Different Characters - Ensure difok is not set in pwquality.conf.d
ansible.builtin.lineinfile:
path: '{{ item.path }}'
regexp: ^\s*\bdifok\b.*
state: absent
with_items: '{{ pwquality_conf_d_files.files }}'
when:
- DISA_STIG_RHEL_09_611115 | bool
- accounts_password_pam_difok | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- '"libpwquality" in ansible_facts.packages'
tags:
- CCE-83564-5
- CJIS-5.6.2.1.1
- DISA-STIG-RHEL-09-611115
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(b)
- NIST-800-53-IA-5(4)
- NIST-800-53-IA-5(c)
- accounts_password_pam_difok
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure PAM Enforces Password Requirements - Minimum Different Characters - Ensure PAM variable difok is set accordingly
ansible.builtin.lineinfile:
create: true
dest: /etc/security/pwquality.conf
regexp: ^#?\s*difok
line: difok = {{ var_password_pam_difok }}
when:
- DISA_STIG_RHEL_09_611115 | bool
- accounts_password_pam_difok | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- '"libpwquality" in ansible_facts.packages'
tags:
- CCE-83564-5
- CJIS-5.6.2.1.1
- DISA-STIG-RHEL-09-611115
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(b)
- NIST-800-53-IA-5(4)
- NIST-800-53-IA-5(c)
- accounts_password_pam_difok
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure PAM Enforces Password Requirements - Enforce for root User
ansible.builtin.lineinfile:
path: /etc/security/pwquality.conf
create: true
regexp: ''
line: enforce_for_root
state: present
when:
- DISA_STIG_RHEL_09_611060 | bool
- accounts_password_pam_enforce_root | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- '"libpwquality" in ansible_facts.packages'
tags:
- CCE-86356-3
- DISA-STIG-RHEL-09-611060
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(4)
- NIST-800-53-IA-5(c)
- accounts_password_pam_enforce_root
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set Password Maximum Consecutive Repeating Characters - Find pwquality.conf.d files
ansible.builtin.find:
paths: /etc/security/pwquality.conf.d/
patterns: '*.conf'
register: pwquality_conf_d_files
when:
- DISA_STIG_RHEL_09_611125 | bool
- accounts_password_pam_maxrepeat | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- '"libpwquality" in ansible_facts.packages'
tags:
- CCE-83567-8
- DISA-STIG-RHEL-09-611125
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(4)
- NIST-800-53-IA-5(c)
- accounts_password_pam_maxrepeat
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set Password Maximum Consecutive Repeating Characters - Ensure maxrepeat is not set in pwquality.conf.d
ansible.builtin.lineinfile:
path: '{{ item.path }}'
regexp: ^\s*\bmaxrepeat\b.*
state: absent
with_items: '{{ pwquality_conf_d_files.files }}'
when:
- DISA_STIG_RHEL_09_611125 | bool
- accounts_password_pam_maxrepeat | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- '"libpwquality" in ansible_facts.packages'
tags:
- CCE-83567-8
- DISA-STIG-RHEL-09-611125
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(4)
- NIST-800-53-IA-5(c)
- accounts_password_pam_maxrepeat
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set Password Maximum Consecutive Repeating Characters - Ensure PAM variable maxrepeat is set accordingly
ansible.builtin.lineinfile:
create: true
dest: /etc/security/pwquality.conf
regexp: ^#?\s*maxrepeat
line: maxrepeat = {{ var_password_pam_maxrepeat }}
when:
- DISA_STIG_RHEL_09_611125 | bool
- accounts_password_pam_maxrepeat | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- '"libpwquality" in ansible_facts.packages'
tags:
- CCE-83567-8
- DISA-STIG-RHEL-09-611125
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(4)
- NIST-800-53-IA-5(c)
- accounts_password_pam_maxrepeat
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Limit the maximum number of sequential characters in passwords - Find pwquality.conf.d files
ansible.builtin.find:
paths: /etc/security/pwquality.conf.d/
patterns: '*.conf'
register: pwquality_conf_d_files
when:
- accounts_password_pam_maxsequence | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- '"libpwquality" in ansible_facts.packages'
tags:
- CCE-86444-7
- accounts_password_pam_maxsequence
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Limit the maximum number of sequential characters in passwords - Ensure maxsequence is not set in pwquality.conf.d
ansible.builtin.lineinfile:
path: '{{ item.path }}'
regexp: ^\s*\bmaxsequence\b.*
state: absent
with_items: '{{ pwquality_conf_d_files.files }}'
when:
- accounts_password_pam_maxsequence | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- '"libpwquality" in ansible_facts.packages'
tags:
- CCE-86444-7
- accounts_password_pam_maxsequence
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Limit the maximum number of sequential characters in passwords - Ensure PAM variable maxsequence is set accordingly
ansible.builtin.lineinfile:
create: true
dest: /etc/security/pwquality.conf
regexp: ^#?\s*maxsequence
line: maxsequence = {{ var_password_pam_maxsequence }}
when:
- accounts_password_pam_maxsequence | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- '"libpwquality" in ansible_facts.packages'
tags:
- CCE-86444-7
- accounts_password_pam_maxsequence
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure PAM Enforces Password Requirements - Minimum Different Categories - Find pwquality.conf.d files
ansible.builtin.find:
paths: /etc/security/pwquality.conf.d/
patterns: '*.conf'
register: pwquality_conf_d_files
when:
- DISA_STIG_RHEL_09_611130 | bool
- accounts_password_pam_minclass | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- '"libpwquality" in ansible_facts.packages'
tags:
- CCE-83563-7
- DISA-STIG-RHEL-09-611130
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(4)
- NIST-800-53-IA-5(c)
- accounts_password_pam_minclass
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure PAM Enforces Password Requirements - Minimum Different Categories - Ensure minclass is not set in pwquality.conf.d
ansible.builtin.lineinfile:
path: '{{ item.path }}'
regexp: ^\s*\bminclass\b.*
state: absent
with_items: '{{ pwquality_conf_d_files.files }}'
when:
- DISA_STIG_RHEL_09_611130 | bool
- accounts_password_pam_minclass | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- '"libpwquality" in ansible_facts.packages'
tags:
- CCE-83563-7
- DISA-STIG-RHEL-09-611130
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(4)
- NIST-800-53-IA-5(c)
- accounts_password_pam_minclass
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure PAM Enforces Password Requirements - Minimum Different Categories - Ensure PAM variable minclass is set accordingly
ansible.builtin.lineinfile:
create: true
dest: /etc/security/pwquality.conf
regexp: ^#?\s*minclass
line: minclass = {{ var_password_pam_minclass }}
when:
- DISA_STIG_RHEL_09_611130 | bool
- accounts_password_pam_minclass | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- '"libpwquality" in ansible_facts.packages'
tags:
- CCE-83563-7
- DISA-STIG-RHEL-09-611130
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(4)
- NIST-800-53-IA-5(c)
- accounts_password_pam_minclass
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Find pwquality.conf.d files
ansible.builtin.find:
paths: /etc/security/pwquality.conf.d/
patterns: '*.conf'
register: pwquality_conf_d_files
when:
- DISA_STIG_RHEL_09_611090 | bool
- accounts_password_pam_minlen | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- '"libpwquality" in ansible_facts.packages'
tags:
- CCE-83579-3
- CJIS-5.6.2.1.1
- DISA-STIG-RHEL-09-611090
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(4)
- NIST-800-53-IA-5(c)
- PCI-DSS-Req-8.2.3
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.6
- accounts_password_pam_minlen
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Ensure minlen is not set in pwquality.conf.d
ansible.builtin.lineinfile:
path: '{{ item.path }}'
regexp: ^\s*\bminlen\b.*
state: absent
with_items: '{{ pwquality_conf_d_files.files }}'
when:
- DISA_STIG_RHEL_09_611090 | bool
- accounts_password_pam_minlen | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- '"libpwquality" in ansible_facts.packages'
tags:
- CCE-83579-3
- CJIS-5.6.2.1.1
- DISA-STIG-RHEL-09-611090
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(4)
- NIST-800-53-IA-5(c)
- PCI-DSS-Req-8.2.3
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.6
- accounts_password_pam_minlen
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Ensure PAM variable minlen is set accordingly
ansible.builtin.lineinfile:
create: true
dest: /etc/security/pwquality.conf
regexp: ^#?\s*minlen
line: minlen = {{ var_password_pam_minlen }}
when:
- DISA_STIG_RHEL_09_611090 | bool
- accounts_password_pam_minlen | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- '"libpwquality" in ansible_facts.packages'
tags:
- CCE-83579-3
- CJIS-5.6.2.1.1
- DISA-STIG-RHEL-09-611090
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(4)
- NIST-800-53-IA-5(c)
- PCI-DSS-Req-8.2.3
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.6
- accounts_password_pam_minlen
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set Password Hashing Algorithm in /etc/libuser.conf - Set Password Hashing Algorithm in /etc/libuser.conf
ansible.builtin.lineinfile:
dest: /etc/libuser.conf
insertafter: ^\s*\[defaults]
regexp: ^#?crypt_style
line: crypt_style = {{ var_password_hashing_algorithm_pam }}
state: present
create: true
when:
- DISA_STIG_RHEL_09_611135 | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- set_password_hashing_algorithm_libuserconf | bool
- '"kernel-core" in ansible_facts.packages'
- '"libuser" in ansible_facts.packages'
tags:
- CCE-88865-1
- CJIS-5.6.2.2
- DISA-STIG-RHEL-09-611135
- NIST-800-171-3.13.11
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(c)
- NIST-800-53-IA-5(c)
- PCI-DSS-Req-8.2.1
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.2
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- set_password_hashing_algorithm_libuserconf
- name: Set Password Hashing Algorithm in /etc/login.defs
ansible.builtin.lineinfile:
dest: /etc/login.defs
regexp: ^#?ENCRYPT_METHOD
line: ENCRYPT_METHOD {{ var_password_hashing_algorithm.split('|')[0] }}
state: present
create: true
when:
- DISA_STIG_RHEL_09_611140 | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- set_password_hashing_algorithm_logindefs | bool
- '"kernel-core" in ansible_facts.packages'
- '"shadow-utils" in ansible_facts.packages'
tags:
- CCE-90590-1
- CJIS-5.6.2.2
- DISA-STIG-RHEL-09-611140
- NIST-800-171-3.13.11
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(c)
- NIST-800-53-IA-5(c)
- PCI-DSS-Req-8.2.1
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.2
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- set_password_hashing_algorithm_logindefs
- name: Set PAM's Password Hashing Algorithm - password-auth - Check if /etc/pam.d/password-auth file is present
ansible.builtin.stat:
path: /etc/pam.d/password-auth
register: result_pam_file_present
when:
- DISA_STIG_RHEL_09_671025 | bool
- configure_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- set_password_hashing_algorithm_passwordauth | bool
- '"kernel-core" in ansible_facts.packages'
- '"pam" in ansible_facts.packages'
tags:
- CCE-85946-2
- CJIS-5.6.2.2
- DISA-STIG-RHEL-09-671025
- NIST-800-171-3.13.11
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(c)
- NIST-800-53-IA-5(c)
- PCI-DSS-Req-8.2.1
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- set_password_hashing_algorithm_passwordauth
- name: Set PAM's Password Hashing Algorithm - password-auth - Check the proper remediation for the system
block:
- name: Set PAM's Password Hashing Algorithm - password-auth - Define the PAM file to be edited as a local fact
ansible.builtin.set_fact:
pam_file_path: /etc/pam.d/password-auth
- name: Set PAM's Password Hashing Algorithm - password-auth - Check if system relies on authselect tool
ansible.builtin.stat:
path: /usr/bin/authselect
register: result_authselect_present
- name: Set PAM's Password Hashing Algorithm - password-auth - Ensure authselect custom profile is used if authselect is
present
block:
- name: Set PAM's Password Hashing Algorithm - password-auth - Check integrity of authselect current profile
ansible.builtin.command:
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
check_mode: false
failed_when: false
- name: Set PAM's Password Hashing Algorithm - password-auth - Informative message based on the authselect integrity check
result
ansible.builtin.assert:
that:
- ansible_check_mode or result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was not selected or the selected profile is
not intact.
- It is not recommended to manually edit the PAM files when authselect tool is available.
- In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended.
success_msg:
- authselect integrity check passed
- name: Set PAM's Password Hashing Algorithm - password-auth - Get authselect current profile
ansible.builtin.shell:
cmd: authselect current -r | awk '{ print $1 }'
register: result_authselect_profile
changed_when: false
when:
- result_authselect_check_cmd is success
- name: Set PAM's Password Hashing Algorithm - password-auth - Define the current authselect profile as a local fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: '{{ result_authselect_profile.stdout }}'
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is match("custom/")
- name: Set PAM's Password Hashing Algorithm - password-auth - Define the new authselect custom profile as a local fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: custom/hardening
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is not match("custom/")
- name: Set PAM's Password Hashing Algorithm - password-auth - Get authselect current features to also enable them in
the custom profile
ansible.builtin.shell:
cmd: authselect current | tail -n+3 | awk '{ print $2 }'
register: result_authselect_features
changed_when: false
check_mode: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Set PAM's Password Hashing Algorithm - password-auth - Check if any custom profile with the same name was already
created
ansible.builtin.stat:
path: /etc/authselect/{{ authselect_custom_profile }}
register: result_authselect_custom_profile_present
changed_when: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Set PAM's Password Hashing Algorithm - password-auth - Create an authselect custom profile based on the current
profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b {{ authselect_current_profile }}
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is not match("^(custom/|local)")
- not result_authselect_custom_profile_present.stat.exists
- name: Set PAM's Password Hashing Algorithm - password-auth - Create an authselect custom profile based on sssd profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b sssd
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is match("local")
- not result_authselect_custom_profile_present.stat.exists
- name: Set PAM's Password Hashing Algorithm - password-auth - Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Set PAM's Password Hashing Algorithm - password-auth - Ensure the authselect custom profile is selected
ansible.builtin.command:
cmd: authselect select {{ authselect_custom_profile }}
register: result_pam_authselect_select_profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Set PAM's Password Hashing Algorithm - password-auth - Restore the authselect features in the custom profile
ansible.builtin.command:
cmd: authselect enable-feature {{ item }}
loop: '{{ result_authselect_features.stdout_lines }}'
register: result_pam_authselect_restore_features
when:
- result_authselect_profile is not skipped
- result_authselect_features is not skipped
- result_pam_authselect_select_profile is not skipped
- name: Set PAM's Password Hashing Algorithm - password-auth - Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- result_pam_authselect_restore_features is not skipped
- name: Set PAM's Password Hashing Algorithm - password-auth - Change the PAM file to be edited according to the custom
authselect profile
ansible.builtin.set_fact:
pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path | basename }}
when:
- authselect_custom_profile is defined
when:
- result_authselect_present.stat.exists
- name: Set PAM's Password Hashing Algorithm - password-auth - Define a fact for control already filtered in case filters
are used
ansible.builtin.set_fact:
pam_module_control: sufficient
- name: Set PAM's Password Hashing Algorithm - password-auth - Check if expected PAM module line is present in {{ pam_file_path
}}
ansible.builtin.lineinfile:
path: '{{ pam_file_path }}'
regexp: ^\s*password\s+{{ pam_module_control | regex_escape() }}\s+pam_unix.so\s*.*
state: absent
check_mode: true
changed_when: false
register: result_pam_line_present
- name: Set PAM's Password Hashing Algorithm - password-auth - Include or update the PAM module line in {{ pam_file_path
}}
block:
- name: Set PAM's Password Hashing Algorithm - password-auth - Check if required PAM module line is present in {{ pam_file_path
}} with different control
ansible.builtin.lineinfile:
path: '{{ pam_file_path }}'
regexp: ^\s*password\s+.*\s+pam_unix.so\s*
state: absent
check_mode: true
changed_when: false
register: result_pam_line_other_control_present
- name: Set PAM's Password Hashing Algorithm - password-auth - Ensure the correct control for the required PAM module
line in {{ pam_file_path }}
ansible.builtin.replace:
dest: '{{ pam_file_path }}'
regexp: ^(\s*password\s+).*(\bpam_unix.so.*)
replace: \1{{ pam_module_control }} \2
register: result_pam_module_edit
when:
- result_pam_line_other_control_present.found == 1
- name: Set PAM's Password Hashing Algorithm - password-auth - Ensure the required PAM module line is included in {{ pam_file_path
}}
ansible.builtin.lineinfile:
dest: '{{ pam_file_path }}'
line: password {{ pam_module_control }} pam_unix.so
register: result_pam_module_add
when:
- result_pam_line_other_control_present.found == 0 or result_pam_line_other_control_present.found > 1
- name: Set PAM's Password Hashing Algorithm - password-auth - Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_present is defined
- result_authselect_present.stat.exists
- "(result_pam_module_add is defined and result_pam_module_add.changed)\n or (result_pam_module_edit is defined and\
\ result_pam_module_edit.changed)"
when:
- result_pam_line_present.found is defined
- result_pam_line_present.found == 0
- name: Set PAM's Password Hashing Algorithm - password-auth - Define a fact for control already filtered in case filters
are used
ansible.builtin.set_fact:
pam_module_control: sufficient
- name: Set PAM's Password Hashing Algorithm - password-auth - Check if the required PAM module option is present in {{
pam_file_path }}
ansible.builtin.lineinfile:
path: '{{ pam_file_path }}'
regexp: ^\s*password\s+{{ pam_module_control | regex_escape() }}\s+pam_unix.so\s*.*\s{{ var_password_hashing_algorithm_pam
}}\b
state: absent
check_mode: true
changed_when: false
register: result_pam_module_set_password_hashing_algorithm_passwordauth_option_present
- name: Set PAM's Password Hashing Algorithm - password-auth - Ensure the "{{ var_password_hashing_algorithm_pam }}" PAM
option for "pam_unix.so" is included in {{ pam_file_path }}
ansible.builtin.lineinfile:
path: '{{ pam_file_path }}'
backrefs: true
regexp: ^(\s*password\s+{{ pam_module_control | regex_escape() }}\s+pam_unix.so.*)
line: \1 {{ var_password_hashing_algorithm_pam }}
state: present
register: result_pam_set_password_hashing_algorithm_passwordauth_add
when:
- result_pam_module_set_password_hashing_algorithm_passwordauth_option_present.found is defined
- result_pam_module_set_password_hashing_algorithm_passwordauth_option_present.found == 0
- name: Set PAM's Password Hashing Algorithm - password-auth - Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_present.stat.exists
- "(result_pam_set_password_hashing_algorithm_passwordauth_add is defined and result_pam_set_password_hashing_algorithm_passwordauth_add.changed)\n\
\ or (result_pam_set_password_hashing_algorithm_passwordauth_edit is defined and result_pam_set_password_hashing_algorithm_passwordauth_edit.changed)"
when:
- DISA_STIG_RHEL_09_671025 | bool
- configure_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- set_password_hashing_algorithm_passwordauth | bool
- '"kernel-core" in ansible_facts.packages'
- '"pam" in ansible_facts.packages'
- result_pam_file_present.stat.exists
tags:
- CCE-85946-2
- CJIS-5.6.2.2
- DISA-STIG-RHEL-09-671025
- NIST-800-171-3.13.11
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(c)
- NIST-800-53-IA-5(c)
- PCI-DSS-Req-8.2.1
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- set_password_hashing_algorithm_passwordauth
- name: Set PAM's Password Hashing Algorithm - password-auth - Check if /etc/pam.d/password-auth File is Present
ansible.builtin.stat:
path: /etc/pam.d/password-auth
register: result_pam_file_present
when:
- DISA_STIG_RHEL_09_671025 | bool
- configure_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- set_password_hashing_algorithm_passwordauth | bool
- '"kernel-core" in ansible_facts.packages'
- '"pam" in ansible_facts.packages'
tags:
- CCE-85946-2
- CJIS-5.6.2.2
- DISA-STIG-RHEL-09-671025
- NIST-800-171-3.13.11
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(c)
- NIST-800-53-IA-5(c)
- PCI-DSS-Req-8.2.1
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- set_password_hashing_algorithm_passwordauth
- name: Set PAM's Password Hashing Algorithm - password-auth - Check The Proper Remediation For The System
block:
- name: Set PAM's Password Hashing Algorithm - password-auth - Define the PAM file to be edited as a local fact
ansible.builtin.set_fact:
pam_file_path: /etc/pam.d/password-auth
- name: Set PAM's Password Hashing Algorithm - password-auth - Check if system relies on authselect tool
ansible.builtin.stat:
path: /usr/bin/authselect
register: result_authselect_present
- name: Set PAM's Password Hashing Algorithm - password-auth - Ensure authselect custom profile is used if authselect is
present
block:
- name: Set PAM's Password Hashing Algorithm - password-auth - Check integrity of authselect current profile
ansible.builtin.command:
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
check_mode: false
failed_when: false
- name: Set PAM's Password Hashing Algorithm - password-auth - Informative message based on the authselect integrity check
result
ansible.builtin.assert:
that:
- ansible_check_mode or result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was not selected or the selected profile is
not intact.
- It is not recommended to manually edit the PAM files when authselect tool is available.
- In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended.
success_msg:
- authselect integrity check passed
- name: Set PAM's Password Hashing Algorithm - password-auth - Get authselect current profile
ansible.builtin.shell:
cmd: authselect current -r | awk '{ print $1 }'
register: result_authselect_profile
changed_when: false
when:
- result_authselect_check_cmd is success
- name: Set PAM's Password Hashing Algorithm - password-auth - Define the current authselect profile as a local fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: '{{ result_authselect_profile.stdout }}'
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is match("custom/")
- name: Set PAM's Password Hashing Algorithm - password-auth - Define the new authselect custom profile as a local fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: custom/hardening
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is not match("custom/")
- name: Set PAM's Password Hashing Algorithm - password-auth - Get authselect current features to also enable them in
the custom profile
ansible.builtin.shell:
cmd: authselect current | tail -n+3 | awk '{ print $2 }'
register: result_authselect_features
changed_when: false
check_mode: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Set PAM's Password Hashing Algorithm - password-auth - Check if any custom profile with the same name was already
created
ansible.builtin.stat:
path: /etc/authselect/{{ authselect_custom_profile }}
register: result_authselect_custom_profile_present
changed_when: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Set PAM's Password Hashing Algorithm - password-auth - Create an authselect custom profile based on the current
profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b {{ authselect_current_profile }}
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is not match("^(custom/|local)")
- not result_authselect_custom_profile_present.stat.exists
- name: Set PAM's Password Hashing Algorithm - password-auth - Create an authselect custom profile based on sssd profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b sssd
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is match("local")
- not result_authselect_custom_profile_present.stat.exists
- name: Set PAM's Password Hashing Algorithm - password-auth - Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Set PAM's Password Hashing Algorithm - password-auth - Ensure the authselect custom profile is selected
ansible.builtin.command:
cmd: authselect select {{ authselect_custom_profile }}
register: result_pam_authselect_select_profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Set PAM's Password Hashing Algorithm - password-auth - Restore the authselect features in the custom profile
ansible.builtin.command:
cmd: authselect enable-feature {{ item }}
loop: '{{ result_authselect_features.stdout_lines }}'
register: result_pam_authselect_restore_features
when:
- result_authselect_profile is not skipped
- result_authselect_features is not skipped
- result_pam_authselect_select_profile is not skipped
- name: Set PAM's Password Hashing Algorithm - password-auth - Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- result_pam_authselect_restore_features is not skipped
- name: Set PAM's Password Hashing Algorithm - password-auth - Change the PAM file to be edited according to the custom
authselect profile
ansible.builtin.set_fact:
pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path | basename }}
when:
- authselect_custom_profile is defined
when:
- result_authselect_present.stat.exists
- name: Set PAM's Password Hashing Algorithm - password-auth - Check if "{{ pam_file_path }}" File is Present
ansible.builtin.stat:
path: '{{ pam_file_path }}'
register: pam_file_path_present
- name: Set PAM's Password Hashing Algorithm - password-auth - Ensure That Only the Correct Hashing Algorithm Option For
pam_unix.so Is Used in {{ pam_file_path }}
ansible.builtin.replace:
dest: '{{ pam_file_path }}'
regexp: (^\s*password.*pam_unix\.so.*)\b{{ item }}\b\s*(.*)
replace: \1\2
when:
- item != var_password_hashing_algorithm_pam
- pam_file_path_present.stat.exists
loop:
- sha512
- yescrypt
- gost_yescrypt
- blowfish
- sha256
- md5
- bigcrypt
register: result_pam_hashing_options_removal
- name: Set PAM's Password Hashing Algorithm - password-auth - Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_present.stat.exists
- result_pam_hashing_options_removal is changed
when:
- DISA_STIG_RHEL_09_671025 | bool
- configure_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- set_password_hashing_algorithm_passwordauth | bool
- '"kernel-core" in ansible_facts.packages'
- '"pam" in ansible_facts.packages'
- result_pam_file_present.stat.exists
tags:
- CCE-85946-2
- CJIS-5.6.2.2
- DISA-STIG-RHEL-09-671025
- NIST-800-171-3.13.11
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(c)
- NIST-800-53-IA-5(c)
- PCI-DSS-Req-8.2.1
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- set_password_hashing_algorithm_passwordauth
- name: Set PAM's Password Hashing Algorithm - Check if /etc/pam.d/system-auth file is present
ansible.builtin.stat:
path: /etc/pam.d/system-auth
register: result_pam_file_present
when:
- configure_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- set_password_hashing_algorithm_systemauth | bool
- '"kernel-core" in ansible_facts.packages'
- '"pam" in ansible_facts.packages'
tags:
- CCE-83581-9
- CJIS-5.6.2.2
- NIST-800-171-3.13.11
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(c)
- NIST-800-53-IA-5(c)
- PCI-DSS-Req-8.2.1
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.2
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- set_password_hashing_algorithm_systemauth
- name: Set PAM's Password Hashing Algorithm - Check the proper remediation for the system
block:
- name: Set PAM's Password Hashing Algorithm - Define the PAM file to be edited as a local fact
ansible.builtin.set_fact:
pam_file_path: /etc/pam.d/system-auth
- name: Set PAM's Password Hashing Algorithm - Check if system relies on authselect tool
ansible.builtin.stat:
path: /usr/bin/authselect
register: result_authselect_present
- name: Set PAM's Password Hashing Algorithm - Ensure authselect custom profile is used if authselect is present
block:
- name: Set PAM's Password Hashing Algorithm - Check integrity of authselect current profile
ansible.builtin.command:
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
check_mode: false
failed_when: false
- name: Set PAM's Password Hashing Algorithm - Informative message based on the authselect integrity check result
ansible.builtin.assert:
that:
- ansible_check_mode or result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was not selected or the selected profile is
not intact.
- It is not recommended to manually edit the PAM files when authselect tool is available.
- In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended.
success_msg:
- authselect integrity check passed
- name: Set PAM's Password Hashing Algorithm - Get authselect current profile
ansible.builtin.shell:
cmd: authselect current -r | awk '{ print $1 }'
register: result_authselect_profile
changed_when: false
when:
- result_authselect_check_cmd is success
- name: Set PAM's Password Hashing Algorithm - Define the current authselect profile as a local fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: '{{ result_authselect_profile.stdout }}'
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is match("custom/")
- name: Set PAM's Password Hashing Algorithm - Define the new authselect custom profile as a local fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: custom/hardening
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is not match("custom/")
- name: Set PAM's Password Hashing Algorithm - Get authselect current features to also enable them in the custom profile
ansible.builtin.shell:
cmd: authselect current | tail -n+3 | awk '{ print $2 }'
register: result_authselect_features
changed_when: false
check_mode: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Set PAM's Password Hashing Algorithm - Check if any custom profile with the same name was already created
ansible.builtin.stat:
path: /etc/authselect/{{ authselect_custom_profile }}
register: result_authselect_custom_profile_present
changed_when: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Set PAM's Password Hashing Algorithm - Create an authselect custom profile based on the current profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b {{ authselect_current_profile }}
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is not match("^(custom/|local)")
- not result_authselect_custom_profile_present.stat.exists
- name: Set PAM's Password Hashing Algorithm - Create an authselect custom profile based on sssd profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b sssd
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is match("local")
- not result_authselect_custom_profile_present.stat.exists
- name: Set PAM's Password Hashing Algorithm - Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Set PAM's Password Hashing Algorithm - Ensure the authselect custom profile is selected
ansible.builtin.command:
cmd: authselect select {{ authselect_custom_profile }}
register: result_pam_authselect_select_profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Set PAM's Password Hashing Algorithm - Restore the authselect features in the custom profile
ansible.builtin.command:
cmd: authselect enable-feature {{ item }}
loop: '{{ result_authselect_features.stdout_lines }}'
register: result_pam_authselect_restore_features
when:
- result_authselect_profile is not skipped
- result_authselect_features is not skipped
- result_pam_authselect_select_profile is not skipped
- name: Set PAM's Password Hashing Algorithm - Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- result_pam_authselect_restore_features is not skipped
- name: Set PAM's Password Hashing Algorithm - Change the PAM file to be edited according to the custom authselect profile
ansible.builtin.set_fact:
pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path | basename }}
when:
- authselect_custom_profile is defined
when:
- result_authselect_present.stat.exists
- name: Set PAM's Password Hashing Algorithm - Define a fact for control already filtered in case filters are used
ansible.builtin.set_fact:
pam_module_control: sufficient
- name: Set PAM's Password Hashing Algorithm - Check if expected PAM module line is present in {{ pam_file_path }}
ansible.builtin.lineinfile:
path: '{{ pam_file_path }}'
regexp: ^\s*password\s+{{ pam_module_control | regex_escape() }}\s+pam_unix.so\s*.*
state: absent
check_mode: true
changed_when: false
register: result_pam_line_present
- name: Set PAM's Password Hashing Algorithm - Include or update the PAM module line in {{ pam_file_path }}
block:
- name: Set PAM's Password Hashing Algorithm - Check if required PAM module line is present in {{ pam_file_path }} with
different control
ansible.builtin.lineinfile:
path: '{{ pam_file_path }}'
regexp: ^\s*password\s+.*\s+pam_unix.so\s*
state: absent
check_mode: true
changed_when: false
register: result_pam_line_other_control_present
- name: Set PAM's Password Hashing Algorithm - Ensure the correct control for the required PAM module line in {{ pam_file_path
}}
ansible.builtin.replace:
dest: '{{ pam_file_path }}'
regexp: ^(\s*password\s+).*(\bpam_unix.so.*)
replace: \1{{ pam_module_control }} \2
register: result_pam_module_edit
when:
- result_pam_line_other_control_present.found == 1
- name: Set PAM's Password Hashing Algorithm - Ensure the required PAM module line is included in {{ pam_file_path }}
ansible.builtin.lineinfile:
dest: '{{ pam_file_path }}'
line: password {{ pam_module_control }} pam_unix.so
register: result_pam_module_add
when:
- result_pam_line_other_control_present.found == 0 or result_pam_line_other_control_present.found > 1
- name: Set PAM's Password Hashing Algorithm - Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_present is defined
- result_authselect_present.stat.exists
- "(result_pam_module_add is defined and result_pam_module_add.changed)\n or (result_pam_module_edit is defined and\
\ result_pam_module_edit.changed)"
when:
- result_pam_line_present.found is defined
- result_pam_line_present.found == 0
- name: Set PAM's Password Hashing Algorithm - Define a fact for control already filtered in case filters are used
ansible.builtin.set_fact:
pam_module_control: sufficient
- name: Set PAM's Password Hashing Algorithm - Check if the required PAM module option is present in {{ pam_file_path }}
ansible.builtin.lineinfile:
path: '{{ pam_file_path }}'
regexp: ^\s*password\s+{{ pam_module_control | regex_escape() }}\s+pam_unix.so\s*.*\s{{ var_password_hashing_algorithm_pam
}}\b
state: absent
check_mode: true
changed_when: false
register: result_pam_module_set_password_hashing_algorithm_systemauth_option_present
- name: Set PAM's Password Hashing Algorithm - Ensure the "{{ var_password_hashing_algorithm_pam }}" PAM option for "pam_unix.so"
is included in {{ pam_file_path }}
ansible.builtin.lineinfile:
path: '{{ pam_file_path }}'
backrefs: true
regexp: ^(\s*password\s+{{ pam_module_control | regex_escape() }}\s+pam_unix.so.*)
line: \1 {{ var_password_hashing_algorithm_pam }}
state: present
register: result_pam_set_password_hashing_algorithm_systemauth_add
when:
- result_pam_module_set_password_hashing_algorithm_systemauth_option_present.found is defined
- result_pam_module_set_password_hashing_algorithm_systemauth_option_present.found == 0
- name: Set PAM's Password Hashing Algorithm - Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_present.stat.exists
- "(result_pam_set_password_hashing_algorithm_systemauth_add is defined and result_pam_set_password_hashing_algorithm_systemauth_add.changed)\n\
\ or (result_pam_set_password_hashing_algorithm_systemauth_edit is defined and result_pam_set_password_hashing_algorithm_systemauth_edit.changed)"
when:
- configure_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- set_password_hashing_algorithm_systemauth | bool
- '"kernel-core" in ansible_facts.packages'
- '"pam" in ansible_facts.packages'
- result_pam_file_present.stat.exists
tags:
- CCE-83581-9
- CJIS-5.6.2.2
- NIST-800-171-3.13.11
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(c)
- NIST-800-53-IA-5(c)
- PCI-DSS-Req-8.2.1
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.2
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- set_password_hashing_algorithm_systemauth
- name: Set PAM's Password Hashing Algorithm - Check if /etc/pam.d/system-auth File is Present
ansible.builtin.stat:
path: /etc/pam.d/system-auth
register: result_pam_file_present
when:
- configure_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- set_password_hashing_algorithm_systemauth | bool
- '"kernel-core" in ansible_facts.packages'
- '"pam" in ansible_facts.packages'
tags:
- CCE-83581-9
- CJIS-5.6.2.2
- NIST-800-171-3.13.11
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(c)
- NIST-800-53-IA-5(c)
- PCI-DSS-Req-8.2.1
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.2
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- set_password_hashing_algorithm_systemauth
- name: Set PAM's Password Hashing Algorithm - Check The Proper Remediation For The System
block:
- name: Set PAM's Password Hashing Algorithm - Define the PAM file to be edited as a local fact
ansible.builtin.set_fact:
pam_file_path: /etc/pam.d/system-auth
- name: Set PAM's Password Hashing Algorithm - Check if system relies on authselect tool
ansible.builtin.stat:
path: /usr/bin/authselect
register: result_authselect_present
- name: Set PAM's Password Hashing Algorithm - Ensure authselect custom profile is used if authselect is present
block:
- name: Set PAM's Password Hashing Algorithm - Check integrity of authselect current profile
ansible.builtin.command:
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
check_mode: false
failed_when: false
- name: Set PAM's Password Hashing Algorithm - Informative message based on the authselect integrity check result
ansible.builtin.assert:
that:
- ansible_check_mode or result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was not selected or the selected profile is
not intact.
- It is not recommended to manually edit the PAM files when authselect tool is available.
- In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended.
success_msg:
- authselect integrity check passed
- name: Set PAM's Password Hashing Algorithm - Get authselect current profile
ansible.builtin.shell:
cmd: authselect current -r | awk '{ print $1 }'
register: result_authselect_profile
changed_when: false
when:
- result_authselect_check_cmd is success
- name: Set PAM's Password Hashing Algorithm - Define the current authselect profile as a local fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: '{{ result_authselect_profile.stdout }}'
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is match("custom/")
- name: Set PAM's Password Hashing Algorithm - Define the new authselect custom profile as a local fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: custom/hardening
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is not match("custom/")
- name: Set PAM's Password Hashing Algorithm - Get authselect current features to also enable them in the custom profile
ansible.builtin.shell:
cmd: authselect current | tail -n+3 | awk '{ print $2 }'
register: result_authselect_features
changed_when: false
check_mode: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Set PAM's Password Hashing Algorithm - Check if any custom profile with the same name was already created
ansible.builtin.stat:
path: /etc/authselect/{{ authselect_custom_profile }}
register: result_authselect_custom_profile_present
changed_when: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Set PAM's Password Hashing Algorithm - Create an authselect custom profile based on the current profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b {{ authselect_current_profile }}
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is not match("^(custom/|local)")
- not result_authselect_custom_profile_present.stat.exists
- name: Set PAM's Password Hashing Algorithm - Create an authselect custom profile based on sssd profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b sssd
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is match("local")
- not result_authselect_custom_profile_present.stat.exists
- name: Set PAM's Password Hashing Algorithm - Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Set PAM's Password Hashing Algorithm - Ensure the authselect custom profile is selected
ansible.builtin.command:
cmd: authselect select {{ authselect_custom_profile }}
register: result_pam_authselect_select_profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Set PAM's Password Hashing Algorithm - Restore the authselect features in the custom profile
ansible.builtin.command:
cmd: authselect enable-feature {{ item }}
loop: '{{ result_authselect_features.stdout_lines }}'
register: result_pam_authselect_restore_features
when:
- result_authselect_profile is not skipped
- result_authselect_features is not skipped
- result_pam_authselect_select_profile is not skipped
- name: Set PAM's Password Hashing Algorithm - Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- result_pam_authselect_restore_features is not skipped
- name: Set PAM's Password Hashing Algorithm - Change the PAM file to be edited according to the custom authselect profile
ansible.builtin.set_fact:
pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path | basename }}
when:
- authselect_custom_profile is defined
when:
- result_authselect_present.stat.exists
- name: Set PAM's Password Hashing Algorithm - Check if "{{ pam_file_path }}" File is Present
ansible.builtin.stat:
path: '{{ pam_file_path }}'
register: pam_file_path_present
- name: Set PAM's Password Hashing Algorithm - Ensure That Only the Correct Hashing Algorithm Option For pam_unix.so Is
Used in {{ pam_file_path }}
ansible.builtin.replace:
dest: '{{ pam_file_path }}'
regexp: (^\s*password.*pam_unix\.so.*)\b{{ item }}\b\s*(.*)
replace: \1\2
when:
- item != var_password_hashing_algorithm_pam
- pam_file_path_present.stat.exists
loop:
- sha512
- yescrypt
- gost_yescrypt
- blowfish
- sha256
- md5
- bigcrypt
register: result_pam_hashing_options_removal
- name: Set PAM's Password Hashing Algorithm - Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_present.stat.exists
- result_pam_hashing_options_removal is changed
when:
- configure_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- set_password_hashing_algorithm_systemauth | bool
- '"kernel-core" in ansible_facts.packages'
- '"pam" in ansible_facts.packages'
- result_pam_file_present.stat.exists
tags:
- CCE-83581-9
- CJIS-5.6.2.2
- NIST-800-171-3.13.11
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(c)
- NIST-800-53-IA-5(c)
- PCI-DSS-Req-8.2.1
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.2
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- set_password_hashing_algorithm_systemauth
- name: Set Account Expiration Following Inactivity
ansible.builtin.lineinfile:
create: true
dest: /etc/default/useradd
regexp: ^INACTIVE
line: INACTIVE={{ var_account_disable_post_pw_expiration }}
when:
- DISA_STIG_RHEL_09_411050 | bool
- account_disable_post_pw_expiration | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- '"shadow-utils" in ansible_facts.packages'
tags:
- CCE-83627-0
- CJIS-5.6.2.1.1
- DISA-STIG-RHEL-09-411050
- NIST-800-171-3.5.6
- NIST-800-53-AC-2(3)
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-4(e)
- PCI-DSS-Req-8.1.4
- PCI-DSSv4-8.2
- PCI-DSSv4-8.2.6
- account_disable_post_pw_expiration
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set Password Maximum Age
ansible.builtin.lineinfile:
create: true
dest: /etc/login.defs
regexp: ^#?PASS_MAX_DAYS
line: PASS_MAX_DAYS {{ var_accounts_maximum_age_login_defs }}
when:
- DISA_STIG_RHEL_09_411010 | bool
- accounts_maximum_age_login_defs | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- '"shadow-utils" in ansible_facts.packages'
tags:
- CCE-83606-4
- CJIS-5.6.2.1
- DISA-STIG-RHEL-09-411010
- NIST-800-171-3.5.6
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(d)
- NIST-800-53-IA-5(f)
- PCI-DSS-Req-8.2.4
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.9
- accounts_maximum_age_login_defs
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set Password Minimum Age
ansible.builtin.lineinfile:
create: true
dest: /etc/login.defs
regexp: ^#?PASS_MIN_DAYS
line: PASS_MIN_DAYS {{ var_accounts_minimum_age_login_defs }}
when:
- DISA_STIG_RHEL_09_611075 | bool
- accounts_minimum_age_login_defs | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- '"shadow-utils" in ansible_facts.packages'
tags:
- CCE-83610-6
- CJIS-5.6.2.1.1
- DISA-STIG-RHEL-09-611075
- NIST-800-171-3.5.8
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(d)
- NIST-800-53-IA-5(f)
- accounts_minimum_age_login_defs
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Collect users with not correct maximum time period between password changes
ansible.builtin.command:
cmd: awk -F':' '(/^[^:]+:[^!*]/ && ($5 > {{ var_accounts_maximum_age_login_defs }} || $5 == "")) {print $1}' /etc/shadow
register: user_names
changed_when: false
check_mode: false
when:
- DISA_STIG_RHEL_09_411015 | bool
- accounts_password_set_max_life_existing | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86031-2
- DISA-STIG-RHEL-09-411015
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(d)
- NIST-800-53-IA-5(f)
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.9
- accounts_password_set_max_life_existing
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Change the maximum time period between password changes
ansible.builtin.user:
user: '{{ item }}'
password_expire_max: '{{ var_accounts_maximum_age_login_defs }}'
with_items: '{{ user_names.stdout_lines }}'
when:
- DISA_STIG_RHEL_09_411015 | bool
- accounts_password_set_max_life_existing | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- user_names.stdout_lines | length > 0
tags:
- CCE-86031-2
- DISA-STIG-RHEL-09-411015
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(d)
- NIST-800-53-IA-5(f)
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.9
- accounts_password_set_max_life_existing
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Collect users with not correct minimum time period between password changes
ansible.builtin.command: 'awk -F'':'' ''(/^[^:]+:[^!*]/ && ($4 < {{ var_accounts_minimum_age_login_defs }} || $4 == ""))
{print $1}'' /etc/shadow
'
register: user_names
changed_when: false
check_mode: false
when:
- DISA_STIG_RHEL_09_611080 | bool
- accounts_password_set_min_life_existing | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-89069-9
- DISA-STIG-RHEL-09-611080
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(d)
- NIST-800-53-IA-5(f)
- accounts_password_set_min_life_existing
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Change the minimum time period between password changes
ansible.builtin.command: 'chage -m {{ var_accounts_minimum_age_login_defs }} {{ item }}
'
with_items: '{{ user_names.stdout_lines }}'
when:
- DISA_STIG_RHEL_09_611080 | bool
- accounts_password_set_min_life_existing | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- user_names.stdout_lines | length > 0
tags:
- CCE-89069-9
- DISA-STIG-RHEL-09-611080
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(d)
- NIST-800-53-IA-5(f)
- accounts_password_set_min_life_existing
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set Existing Passwords Warning Age - Collect Users With Incorrect Number of Days of Warning Before Password Expires
ansible.builtin.command:
cmd: awk -F':' '(($6 < {{ var_accounts_password_warn_age_login_defs }} || $6 == "") && $2 ~ /^\$/) {print $1}' /etc/shadow
register: result_pass_warn_age_user_names
changed_when: false
when:
- accounts_password_set_warn_age_existing | bool
- configure_strategy | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86915-6
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(d)
- NIST-800-53-IA-5(f)
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.9
- accounts_password_set_warn_age_existing
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set Existing Passwords Warning Age - Ensure the Number of Days of Warning Before Password Expires
ansible.builtin.command:
cmd: chage --warndays {{ var_accounts_password_warn_age_login_defs }} {{ item }}
with_items: '{{ result_pass_warn_age_user_names.stdout_lines }}'
when:
- accounts_password_set_warn_age_existing | bool
- configure_strategy | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
- result_pass_warn_age_user_names is not skipped and result_pass_warn_age_user_names.stdout_lines | length > 0
tags:
- CCE-86915-6
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(d)
- NIST-800-53-IA-5(f)
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.9
- accounts_password_set_warn_age_existing
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set Password Warning Age
ansible.builtin.lineinfile:
dest: /etc/login.defs
regexp: ^PASS_WARN_AGE *[0-9]*
state: present
line: PASS_WARN_AGE {{ var_accounts_password_warn_age_login_defs }}
create: true
when:
- accounts_password_warn_age_login_defs | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- '"shadow-utils" in ansible_facts.packages'
tags:
- CCE-83609-8
- NIST-800-171-3.5.8
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(d)
- NIST-800-53-IA-5(f)
- PCI-DSS-Req-8.2.4
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.9
- accounts_password_warn_age_login_defs
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Collect users with not correct INACTIVE parameter set
ansible.builtin.command:
cmd: awk -F':' '(($7 > {{ var_account_disable_post_pw_expiration }} || $7 == "") && $2 ~ /^\$/) {print $1}' /etc/shadow
register: user_names
changed_when: false
when:
- accounts_set_post_pw_existing | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86759-8
- NIST-800-171-3.5.6
- NIST-800-53-AC-2(3)
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-4(e)
- PCI-DSS-Req-8.1.4
- PCI-DSSv4-8.2
- PCI-DSSv4-8.2.6
- accounts_set_post_pw_existing
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Change the period of inactivity
ansible.builtin.command:
cmd: chage --inactive {{ var_account_disable_post_pw_expiration }} {{ item }}
with_items: '{{ user_names.stdout_lines }}'
when:
- accounts_set_post_pw_existing | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- user_names is not skipped and user_names.stdout_lines | length > 0
tags:
- CCE-86759-8
- NIST-800-171-3.5.6
- NIST-800-53-AC-2(3)
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-4(e)
- PCI-DSS-Req-8.1.4
- PCI-DSSv4-8.2
- PCI-DSSv4-8.2.6
- accounts_set_post_pw_existing
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Prevent Login to Accounts With Empty Password - Check if system relies on authselect
ansible.builtin.stat:
path: /usr/bin/authselect
register: result_authselect_present
when:
- DISA_STIG_RHEL_09_611025 | bool
- configure_strategy | bool
- high_severity | bool
- low_complexity | bool
- medium_disruption | bool
- no_empty_passwords | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83611-4
- CJIS-5.5.2
- DISA-STIG-RHEL-09-611025
- NIST-800-171-3.1.1
- NIST-800-171-3.1.5
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(c)
- PCI-DSS-Req-8.2.3
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.1
- configure_strategy
- high_severity
- low_complexity
- medium_disruption
- no_empty_passwords
- no_reboot_needed
- name: Prevent Login to Accounts With Empty Password - Remediate using authselect
block:
- name: Prevent Login to Accounts With Empty Password - Check integrity of authselect current profile
ansible.builtin.command:
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
check_mode: false
failed_when: false
- name: Prevent Login to Accounts With Empty Password - Informative message based on the authselect integrity check result
ansible.builtin.assert:
that:
- ansible_check_mode or result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was not selected or the selected profile is not
intact.
- It is not recommended to manually edit the PAM files when authselect tool is available.
- In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended.
success_msg:
- authselect integrity check passed
- name: Prevent Login to Accounts With Empty Password - Get authselect current features
ansible.builtin.shell:
cmd: authselect current | tail -n+3 | awk '{ print $2 }'
register: result_authselect_features
changed_when: false
check_mode: false
when:
- result_authselect_check_cmd is success
- name: Prevent Login to Accounts With Empty Password - Ensure "without-nullok" feature is enabled using authselect tool
ansible.builtin.command:
cmd: authselect enable-feature without-nullok
register: result_authselect_enable_feature_cmd
when:
- result_authselect_check_cmd is success
- result_authselect_features.stdout is not search("without-nullok")
- name: Prevent Login to Accounts With Empty Password - Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_enable_feature_cmd is not skipped
- result_authselect_enable_feature_cmd is success
when:
- DISA_STIG_RHEL_09_611025 | bool
- configure_strategy | bool
- high_severity | bool
- low_complexity | bool
- medium_disruption | bool
- no_empty_passwords | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
- result_authselect_present.stat.exists
tags:
- CCE-83611-4
- CJIS-5.5.2
- DISA-STIG-RHEL-09-611025
- NIST-800-171-3.1.1
- NIST-800-171-3.1.5
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(c)
- PCI-DSS-Req-8.2.3
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.1
- configure_strategy
- high_severity
- low_complexity
- medium_disruption
- no_empty_passwords
- no_reboot_needed
- name: Prevent Login to Accounts With Empty Password - Remediate directly editing PAM files
ansible.builtin.replace:
dest: '{{ item }}'
regexp: nullok
loop:
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
when:
- DISA_STIG_RHEL_09_611025 | bool
- configure_strategy | bool
- high_severity | bool
- low_complexity | bool
- medium_disruption | bool
- no_empty_passwords | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
- not result_authselect_present.stat.exists
tags:
- CCE-83611-4
- CJIS-5.5.2
- DISA-STIG-RHEL-09-611025
- NIST-800-171-3.1.1
- NIST-800-171-3.1.5
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(c)
- PCI-DSS-Req-8.2.3
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.1
- configure_strategy
- high_severity
- low_complexity
- medium_disruption
- no_empty_passwords
- no_reboot_needed
- name: Collect users with no password
ansible.builtin.command: 'awk -F: ''!$2 {print $1}'' /etc/shadow
'
register: users_nopasswd
changed_when: false
when:
- DISA_STIG_RHEL_09_611155 | bool
- high_severity | bool
- low_complexity | bool
- low_disruption | bool
- no_empty_passwords_etc_shadow | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-85972-8
- DISA-STIG-RHEL-09-611155
- NIST-800-53-CM-6(b)
- NIST-800-53-CM-6.1(iv)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.2
- high_severity
- low_complexity
- low_disruption
- no_empty_passwords_etc_shadow
- no_reboot_needed
- restrict_strategy
- name: Lock users with no password
ansible.builtin.command: 'passwd -l {{ item }}
'
with_items: '{{ users_nopasswd.stdout_lines }}'
when:
- DISA_STIG_RHEL_09_611155 | bool
- high_severity | bool
- low_complexity | bool
- low_disruption | bool
- no_empty_passwords_etc_shadow | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- users_nopasswd is not skipped and users_nopasswd.stdout_lines | length > 0
tags:
- CCE-85972-8
- DISA-STIG-RHEL-09-611155
- NIST-800-53-CM-6(b)
- NIST-800-53-CM-6.1(iv)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.2
- high_severity
- low_complexity
- low_disruption
- no_empty_passwords_etc_shadow
- no_reboot_needed
- restrict_strategy
- name: Get all /etc/passwd file entries
ansible.builtin.getent:
database: passwd
split: ':'
when:
- DISA_STIG_RHEL_09_411100 | bool
- accounts_no_uid_except_zero | bool
- high_severity | bool
- low_complexity | bool
- low_disruption | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83624-7
- DISA-STIG-RHEL-09-411100
- NIST-800-171-3.1.1
- NIST-800-171-3.1.5
- NIST-800-53-AC-6(5)
- NIST-800-53-IA-2
- NIST-800-53-IA-4(b)
- PCI-DSS-Req-8.5
- PCI-DSSv4-8.2
- PCI-DSSv4-8.2.1
- accounts_no_uid_except_zero
- high_severity
- low_complexity
- low_disruption
- no_reboot_needed
- restrict_strategy
- name: Lock the password of the user accounts other than root with uid 0
ansible.builtin.command: passwd -l {{ item.key }}
loop: '{{ getent_passwd | dict2items | rejectattr(''key'', ''search'', ''root'') | list }}'
when:
- DISA_STIG_RHEL_09_411100 | bool
- accounts_no_uid_except_zero | bool
- high_severity | bool
- low_complexity | bool
- low_disruption | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- item.value.1 == '0'
tags:
- CCE-83624-7
- DISA-STIG-RHEL-09-411100
- NIST-800-171-3.1.1
- NIST-800-171-3.1.5
- NIST-800-53-AC-6(5)
- NIST-800-53-IA-2
- NIST-800-53-IA-4(b)
- PCI-DSS-Req-8.5
- PCI-DSSv4-8.2
- PCI-DSSv4-8.2.1
- accounts_no_uid_except_zero
- high_severity
- low_complexity
- low_disruption
- no_reboot_needed
- restrict_strategy
- name: Ensure the Group Used by pam_wheel.so Module Exists on System and is Empty - Ensure {{ var_pam_wheel_group_for_su
}} Group Exists
ansible.builtin.group:
name: '{{ var_pam_wheel_group_for_su }}'
state: present
when:
- ensure_pam_wheel_group_empty | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86072-6
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- ensure_pam_wheel_group_empty
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure the Group Used by pam_wheel.so Module Exists on System and is Empty - Ensure {{ var_pam_wheel_group_for_su
}} Group is Empty
ansible.builtin.lineinfile:
path: /etc/group
regexp: ^({{ var_pam_wheel_group_for_su }}:[^:]+:[0-9]+:).*$
line: \1
backrefs: true
when:
- ensure_pam_wheel_group_empty | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86072-6
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- ensure_pam_wheel_group_empty
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure that System Accounts Are Locked - Get All Local Users From /etc/passwd
ansible.builtin.getent:
database: passwd
split: ':'
when:
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- no_password_auth_for_systemaccounts | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86113-8
- NIST-800-53-AC-6
- NIST-800-53-CM-6(a)
- PCI-DSSv4-8.2
- PCI-DSSv4-8.2.2
- low_complexity
- medium_disruption
- medium_severity
- no_password_auth_for_systemaccounts
- no_reboot_needed
- restrict_strategy
- name: Ensure that System Accounts Are Locked - Create local_users Variable From getent_passwd Facts
ansible.builtin.set_fact:
local_users: '{{ ansible_facts.getent_passwd | dict2items }}'
when:
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- no_password_auth_for_systemaccounts | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86113-8
- NIST-800-53-AC-6
- NIST-800-53-CM-6(a)
- PCI-DSSv4-8.2
- PCI-DSSv4-8.2.2
- low_complexity
- medium_disruption
- medium_severity
- no_password_auth_for_systemaccounts
- no_reboot_needed
- restrict_strategy
- name: Ensure that System Accounts Are Locked - Lock System Accounts
ansible.builtin.user:
name: '{{ item.key }}'
password_lock: true
loop: '{{ local_users }}'
when:
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- no_password_auth_for_systemaccounts | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- item.value[1]|int < 1000
- item.key not in ['root', 'halt', 'sync', 'shutdown', 'nfsnobody']
tags:
- CCE-86113-8
- NIST-800-53-AC-6
- NIST-800-53-CM-6(a)
- PCI-DSSv4-8.2
- PCI-DSSv4-8.2.2
- low_complexity
- medium_disruption
- medium_severity
- no_password_auth_for_systemaccounts
- no_reboot_needed
- restrict_strategy
- name: Ensure that System Accounts Do Not Run a Shell Upon Login - Get All Local Users From /etc/passwd
ansible.builtin.getent:
database: passwd
split: ':'
when:
- DISA_STIG_RHEL_09_411035 | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- no_shelllogin_for_systemaccounts | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83623-9
- DISA-STIG-RHEL-09-411035
- NIST-800-53-AC-6
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-6(b)
- NIST-800-53-CM-6.1(iv)
- PCI-DSSv4-8.2
- PCI-DSSv4-8.2.2
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- no_shelllogin_for_systemaccounts
- restrict_strategy
- name: Ensure that System Accounts Do Not Run a Shell Upon Login - Create local_users Variable From getent_passwd Facts
ansible.builtin.set_fact:
local_users: '{{ ansible_facts.getent_passwd | dict2items }}'
when:
- DISA_STIG_RHEL_09_411035 | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- no_shelllogin_for_systemaccounts | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83623-9
- DISA-STIG-RHEL-09-411035
- NIST-800-53-AC-6
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-6(b)
- NIST-800-53-CM-6.1(iv)
- PCI-DSSv4-8.2
- PCI-DSSv4-8.2.2
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- no_shelllogin_for_systemaccounts
- restrict_strategy
- name: Ensure that System Accounts Do Not Run a Shell Upon Login - Disable Login Shell for System Accounts
ansible.builtin.user:
name: '{{ item.key }}'
shell: /sbin/nologin
loop: '{{ local_users }}'
when:
- DISA_STIG_RHEL_09_411035 | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- no_shelllogin_for_systemaccounts | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- item.key not in ['root']
- item.value[1]|int < 1000
- item.value[5] not in ['/sbin/shutdown', '/sbin/halt', '/bin/sync']
tags:
- CCE-83623-9
- DISA-STIG-RHEL-09-411035
- NIST-800-53-AC-6
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-6(b)
- NIST-800-53-CM-6.1(iv)
- PCI-DSSv4-8.2
- PCI-DSSv4-8.2.2
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- no_shelllogin_for_systemaccounts
- restrict_strategy
- name: Enforce Usage of pam_wheel with Group Parameter for su Authentication - Add the group to the /etc/pam.d/su file
ansible.builtin.lineinfile:
path: /etc/pam.d/su
state: present
regexp: ^[\s]*#[\s]*auth[\s]+required[\s]+pam_wheel\.so[\s]+use_uid group=$
line: auth required pam_wheel.so use_uid group={{ var_pam_wheel_group_for_su }}
when:
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- use_pam_wheel_group_for_su | bool
- '"pam" in ansible_facts.packages'
tags:
- CCE-86065-0
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- use_pam_wheel_group_for_su
- name: Correct any occurrence of TMOUT in /etc/profile
ansible.builtin.replace:
path: /etc/profile
regexp: ^[^#].*TMOUT=.*
replace: typeset -xr TMOUT={{ var_accounts_tmout }}
register: profile_replaced
when:
- DISA_STIG_RHEL_09_412035 | bool
- accounts_tmout | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83633-8
- DISA-STIG-RHEL-09-412035
- NIST-800-171-3.1.11
- NIST-800-53-AC-12
- NIST-800-53-AC-2(5)
- NIST-800-53-CM-6(a)
- NIST-800-53-SC-10
- PCI-DSSv4-8.6
- PCI-DSSv4-8.6.1
- accounts_tmout
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set Interactive Session Timeout
ansible.builtin.lineinfile:
path: /etc/profile.d/tmout.sh
create: true
regexp: TMOUT=
line: typeset -xr TMOUT={{ var_accounts_tmout }}
state: present
when:
- DISA_STIG_RHEL_09_412035 | bool
- accounts_tmout | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83633-8
- DISA-STIG-RHEL-09-412035
- NIST-800-171-3.1.11
- NIST-800-53-AC-12
- NIST-800-53-AC-2(5)
- NIST-800-53-CM-6(a)
- NIST-800-53-SC-10
- PCI-DSSv4-8.6
- PCI-DSSv4-8.6.1
- accounts_tmout
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: User Initialization Files Must Be Group-Owned By The Primary Group - Get interactive users from passwd file
ansible.builtin.getent:
database: passwd
register: passwd_entries
when:
- accounts_user_dot_group_ownership | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-87037-8
- accounts_user_dot_group_ownership
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: User Initialization Files Must Be Group-Owned By The Primary Group - Create list of interactive users with GID and
home directory
ansible.builtin.set_fact:
interactive_users: '{{ interactive_users | default([]) + [{''home'': item.value[4], ''gid'': item.value[2]}] }}'
loop: '{{ passwd_entries.ansible_facts.getent_passwd | dict2items }}'
when:
- accounts_user_dot_group_ownership | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- item.value[2] | int >= 1000 | int
- item.value[2] | int != 65534 | int
- item.value[4] != ""
tags:
- CCE-87037-8
- accounts_user_dot_group_ownership
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: User Initialization Files Must Be Group-Owned By The Primary Group - Find dot files in interactive user home directories
ansible.builtin.find:
paths: '{{ item.home }}'
patterns: .*
file_type: file
hidden: true
depth: 1
follow: false
register: user_dotfiles
loop: '{{ interactive_users | default([]) }}'
failed_when: false
when:
- accounts_user_dot_group_ownership | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- item.home != ""
tags:
- CCE-87037-8
- accounts_user_dot_group_ownership
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: User Initialization Files Must Be Group-Owned By The Primary Group - Set correct group ownership for user initialization
files
ansible.builtin.file:
path: '{{ item.1.path }}'
group: '{{ item.0.item.gid }}'
follow: false
loop: '{{ user_dotfiles.results | subelements(''files'', skip_missing=True) }}'
when:
- accounts_user_dot_group_ownership | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- item.0 is not skipped
- item.1.path is defined
tags:
- CCE-87037-8
- accounts_user_dot_group_ownership
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: User Initialization Files Must Not Run World-Writable Programs - Initialize variables
ansible.builtin.set_fact:
home_user_dirs: []
world_writable_files: []
when:
- DISA_STIG_RHEL_09_411115 | bool
- accounts_user_dot_no_world_writable_programs | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-87451-1
- DISA-STIG-RHEL-09-411115
- accounts_user_dot_no_world_writable_programs
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: User Initialization Files Must Not Run World-Writable Programs - Get user's home dir list
ansible.builtin.getent:
database: passwd
register: passwd_database
when:
- DISA_STIG_RHEL_09_411115 | bool
- accounts_user_dot_no_world_writable_programs | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-87451-1
- DISA-STIG-RHEL-09-411115
- accounts_user_dot_no_world_writable_programs
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: User Initialization Files Must Not Run World-Writable Programs - Fill home_user_dirs
ansible.builtin.set_fact:
home_user_dirs: '{{ home_user_dirs + [item.data[4]] }}'
when:
- DISA_STIG_RHEL_09_411115 | bool
- accounts_user_dot_no_world_writable_programs | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- item.data[4] is defined and item.data[2]|int >= 1000 and item.data[2]|int != 65534
with_items: '{{ passwd_database.ansible_facts.getent_passwd | dict2items(key_name=''user'', value_name=''data'')}}'
tags:
- CCE-87451-1
- DISA-STIG-RHEL-09-411115
- accounts_user_dot_no_world_writable_programs
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: User Initialization Files Must Not Run World-Writable Programs - Get world writable files
ansible.builtin.shell: 'find / -xdev -type f -perm -0002 2> /dev/null
'
register: world_writable_files
changed_when: false
check_mode: false
when:
- DISA_STIG_RHEL_09_411115 | bool
- accounts_user_dot_no_world_writable_programs | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-87451-1
- DISA-STIG-RHEL-09-411115
- accounts_user_dot_no_world_writable_programs
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: User Initialization Files Must Not Run World-Writable Programs - Find referenced_files in init files
ansible.builtin.find:
paths: '{{ home_user_dirs }}'
contains: '{{ item }}'
hidden: true
read_whole_file: true
recurse: true
with_items: '{{ world_writable_files.stdout_lines }}'
register: referenced_files
when:
- DISA_STIG_RHEL_09_411115 | bool
- accounts_user_dot_no_world_writable_programs | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-87451-1
- DISA-STIG-RHEL-09-411115
- accounts_user_dot_no_world_writable_programs
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: User Initialization Files Must Not Run World-Writable Programs - Remove world writable permissions
ansible.builtin.file:
path: '{{ item.item }}'
mode: o-w
when:
- DISA_STIG_RHEL_09_411115 | bool
- accounts_user_dot_no_world_writable_programs | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- item.matched > 0
with_items: '{{ referenced_files.results }}'
tags:
- CCE-87451-1
- DISA-STIG-RHEL-09-411115
- accounts_user_dot_no_world_writable_programs
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: User Initialization Files Must Be Owned By the Primary User - Get interactive users from passwd file
ansible.builtin.getent:
database: passwd
register: passwd_entries
when:
- accounts_user_dot_user_ownership | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-87038-6
- accounts_user_dot_user_ownership
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: User Initialization Files Must Be Owned By the Primary User - Create list of interactive users with UID and home directory
ansible.builtin.set_fact:
interactive_users: '{{ interactive_users | default([]) + [{''uid'': item.value[1], ''home'': item.value[4], ''username'':
item.key}] }}'
loop: '{{ passwd_entries.ansible_facts.getent_passwd | dict2items }}'
when:
- accounts_user_dot_user_ownership | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- item.value[1] | int >= 1000 | int
- item.value[1] | int != 65534 | int
- item.value[4] != ""
tags:
- CCE-87038-6
- accounts_user_dot_user_ownership
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: User Initialization Files Must Be Owned By the Primary User - Find dot files in interactive user home directories
ansible.builtin.find:
paths: '{{ item.home }}'
patterns: .*
file_type: file
hidden: true
depth: 1
follow: false
register: user_dotfiles
loop: '{{ interactive_users | default([]) }}'
failed_when: false
when:
- accounts_user_dot_user_ownership | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- item.home != ""
tags:
- CCE-87038-6
- accounts_user_dot_user_ownership
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: User Initialization Files Must Be Owned By the Primary User - Set correct ownership for user initialization files
ansible.builtin.file:
path: '{{ item.1.path }}'
owner: '{{ item.0.item.username }}'
follow: false
loop: '{{ user_dotfiles.results | subelements(''files'', skip_missing=True) }}'
when:
- accounts_user_dot_user_ownership | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- item.0 is not skipped
- item.0 is not failed
- item.0.item is defined
- item.0.item.username is defined
- item.1.path is defined
tags:
- CCE-87038-6
- accounts_user_dot_user_ownership
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Get all local users from /etc/passwd
ansible.builtin.getent:
database: passwd
split: ':'
when:
- DISA_STIG_RHEL_09_411065 | bool
- accounts_user_interactive_home_directory_exists | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83639-5
- DISA-STIG-RHEL-09-411065
- accounts_user_interactive_home_directory_exists
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Create local_users variable from the getent output
ansible.builtin.set_fact:
local_users: '{{ ansible_facts.getent_passwd|dict2items }}'
when:
- DISA_STIG_RHEL_09_411065 | bool
- accounts_user_interactive_home_directory_exists | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83639-5
- DISA-STIG-RHEL-09-411065
- accounts_user_interactive_home_directory_exists
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure interactive users have a home directory exists
ansible.builtin.user:
name: '{{ item.key }}'
create_home: true
loop: '{{ local_users }}'
when:
- DISA_STIG_RHEL_09_411065 | bool
- accounts_user_interactive_home_directory_exists | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- item.value[1]|int >= 1000
- item.value[1]|int != 65534
tags:
- CCE-83639-5
- DISA-STIG-RHEL-09-411065
- accounts_user_interactive_home_directory_exists
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure All User Initialization Files Have Mode 0740 Or Less Permissive - Gather User Info
ansible.builtin.getent:
database: passwd
tags:
- CCE-83637-9
- file_permission_user_init_files
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
when:
- file_permission_user_init_files | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- name: Ensure All User Initialization Files Have Mode 0740 Or Less Permissive - Find Init Files
ansible.builtin.find:
paths: '{{ item.value[4] }}'
pattern: '{{ var_user_initialization_files_regex }}'
hidden: true
use_regex: true
with_dict: '{{ ansible_facts.getent_passwd }}'
when:
- file_permission_user_init_files | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- item.value[4] != "/sbin/nologin"
- item.key not in ["nobody", "nfsnobody"]
- item.value[1] | int >= 1000
register: found_init_files
tags:
- CCE-83637-9
- file_permission_user_init_files
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure All User Initialization Files Have Mode 0740 Or Less Permissive - Fix Init Files Permissions
ansible.builtin.file:
path: '{{ item.1.path }}'
mode: u-s,g-wxs,o=
loop: '{{ q(''ansible.builtin.subelements'', found_init_files.results, ''files'', {''skip_missing'': True}) }}'
tags:
- CCE-83637-9
- file_permission_user_init_files
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
when:
- file_permission_user_init_files | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- name: Get all local users from /etc/passwd
ansible.builtin.getent:
database: passwd
split: ':'
tags:
- CCE-83634-6
- DISA-STIG-RHEL-09-232050
- file_permissions_home_directories
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
when:
- DISA_STIG_RHEL_09_232050 | bool
- file_permissions_home_directories | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- name: Create local_users variable from the getent output
ansible.builtin.set_fact:
local_users: '{{ ansible_facts.getent_passwd|dict2items }}'
tags:
- CCE-83634-6
- DISA-STIG-RHEL-09-232050
- file_permissions_home_directories
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
when:
- DISA_STIG_RHEL_09_232050 | bool
- file_permissions_home_directories | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- name: Test for existence home directories to avoid creating them.
ansible.builtin.stat:
path: '{{ item.value[4] }}'
register: path_exists
loop: '{{ local_users }}'
when:
- DISA_STIG_RHEL_09_232050 | bool
- file_permissions_home_directories | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- item.value[1]|int >= 1000
- item.value[1]|int != 65534
- item.value[4] != "/"
tags:
- CCE-83634-6
- DISA-STIG-RHEL-09-232050
- file_permissions_home_directories
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure interactive local users have proper permissions on their respective home directories
ansible.builtin.file:
path: '{{ item.0.value[4] }}'
mode: u-s,g-w-s,o=-
follow: false
recurse: false
loop: '{{ local_users|zip(path_exists.results)|list }}'
when:
- DISA_STIG_RHEL_09_232050 | bool
- file_permissions_home_directories | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- item.1.stat is defined and item.1.stat.exists
tags:
- CCE-83634-6
- DISA-STIG-RHEL-09-232050
- file_permissions_home_directories
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Get root paths which are not symbolic links
ansible.builtin.stat:
path: '{{ item }}'
changed_when: false
failed_when: false
register: root_paths
with_items: '{{ ansible_env.PATH.split('':'') }}'
tags:
- CCE-83643-7
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-6(a)
- accounts_root_path_dirs_no_write
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
when:
- accounts_root_path_dirs_no_write | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- name: Disable writability to root directories
ansible.builtin.file:
path: '{{ item.item }}'
mode: g-w,o-w
with_items: '{{ root_paths.results }}'
when:
- accounts_root_path_dirs_no_write | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- root_paths.results is defined
- item.stat.exists
- not item.stat.islnk
tags:
- CCE-83643-7
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-6(a)
- accounts_root_path_dirs_no_write
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Check if umask in /etc/bashrc is already set
ansible.builtin.lineinfile:
path: /etc/bashrc
regexp: ^[^#]*\bumask\s+\d+$
state: absent
check_mode: true
changed_when: false
register: umask_replace
when:
- DISA_STIG_RHEL_09_412055 | bool
- accounts_umask_etc_bashrc | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- '"bash" in ansible_facts.packages'
tags:
- CCE-83644-5
- DISA-STIG-RHEL-09-412055
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- accounts_umask_etc_bashrc
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Replace user umask in /etc/bashrc
ansible.builtin.replace:
path: /etc/bashrc
regexp: ^([^#]*\b)umask\s+\d+$
replace: \g<1>umask {{ var_accounts_user_umask }}
when:
- DISA_STIG_RHEL_09_412055 | bool
- accounts_umask_etc_bashrc | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- '"bash" in ansible_facts.packages'
- umask_replace.found > 0
tags:
- CCE-83644-5
- DISA-STIG-RHEL-09-412055
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- accounts_umask_etc_bashrc
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure the Default umask is Appended Correctly
ansible.builtin.lineinfile:
create: true
path: /etc/bashrc
line: umask {{ var_accounts_user_umask }}
when:
- DISA_STIG_RHEL_09_412055 | bool
- accounts_umask_etc_bashrc | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- '"bash" in ansible_facts.packages'
- umask_replace.found == 0
tags:
- CCE-83644-5
- DISA-STIG-RHEL-09-412055
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- accounts_umask_etc_bashrc
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Check if UMASK is already set
ansible.builtin.lineinfile:
path: /etc/login.defs
regexp: ^(\s*)UMASK\s+.*
state: absent
check_mode: true
changed_when: false
register: result_umask_is_set
when:
- DISA_STIG_RHEL_09_412065 | bool
- accounts_umask_etc_login_defs | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- '"shadow-utils" in ansible_facts.packages'
tags:
- CCE-83647-8
- DISA-STIG-RHEL-09-412065
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- accounts_umask_etc_login_defs
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Replace user UMASK in /etc/login.defs
ansible.builtin.replace:
path: /etc/login.defs
regexp: ^(\s*)UMASK(\s+).*
replace: \g<1>UMASK\g<2>{{ var_accounts_user_umask }}
when:
- DISA_STIG_RHEL_09_412065 | bool
- accounts_umask_etc_login_defs | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- '"shadow-utils" in ansible_facts.packages'
- result_umask_is_set.found > 0
tags:
- CCE-83647-8
- DISA-STIG-RHEL-09-412065
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- accounts_umask_etc_login_defs
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure the Default UMASK is Appended Correctly
ansible.builtin.lineinfile:
create: true
path: /etc/login.defs
line: UMASK {{ var_accounts_user_umask }}
when:
- DISA_STIG_RHEL_09_412065 | bool
- accounts_umask_etc_login_defs | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- '"shadow-utils" in ansible_facts.packages'
- result_umask_is_set.found == 0
tags:
- CCE-83647-8
- DISA-STIG-RHEL-09-412065
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- accounts_umask_etc_login_defs
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure the Default Umask is Set Correctly in /etc/profile - Locate Profile Configuration Files Where umask Is Defined
ansible.builtin.find:
paths:
- /etc/profile.d
patterns:
- sh.local
- '*.sh'
contains: ^[\s]*umask\s+\d+
register: result_profile_d_files
when:
- DISA_STIG_RHEL_09_412070 | bool
- accounts_umask_etc_profile | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-90828-5
- DISA-STIG-RHEL-09-412070
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- accounts_umask_etc_profile
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure the Default Umask is Set Correctly in /etc/profile - Replace Existing umask Value in Files From /etc/profile.d
ansible.builtin.replace:
path: '{{ item.path }}'
regexp: ^(\s*)umask\s+\d+
replace: \1umask {{ var_accounts_user_umask }}
loop: '{{ result_profile_d_files.files }}'
register: result_umask_replaced_profile_d
when:
- DISA_STIG_RHEL_09_412070 | bool
- accounts_umask_etc_profile | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- result_profile_d_files.matched
tags:
- CCE-90828-5
- DISA-STIG-RHEL-09-412070
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- accounts_umask_etc_profile
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure the Default Umask is Set Correctly in /etc/profile - Ensure umask Is Set in /etc/profile if Not Already Set
Elsewhere
ansible.builtin.lineinfile:
create: true
mode: 420
path: /etc/profile
line: umask {{ var_accounts_user_umask }}
when:
- DISA_STIG_RHEL_09_412070 | bool
- accounts_umask_etc_profile | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- not result_profile_d_files.matched
tags:
- CCE-90828-5
- DISA-STIG-RHEL-09-412070
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- accounts_umask_etc_profile
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure the Default Umask is Set Correctly in /etc/profile - Ensure umask Value For All Existing umask Definition in
/etc/profile
ansible.builtin.replace:
path: /etc/profile
regexp: ^(\s*)umask\s+\d+
replace: \1umask {{ var_accounts_user_umask }}
register: result_umask_replaced_profile
when:
- DISA_STIG_RHEL_09_412070 | bool
- accounts_umask_etc_profile | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-90828-5
- DISA-STIG-RHEL-09-412070
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- accounts_umask_etc_profile
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set the file_groupowner_grub2_cfg_newgroup variable if represented by gid
ansible.builtin.set_fact:
file_groupowner_grub2_cfg_newgroup: '0'
when:
- DISA_STIG_RHEL_09_212025 | bool
- configure_strategy | bool
- file_groupowner_grub2_cfg | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- ( "grub2-common" in ansible_facts.packages and "kernel-core" in ansible_facts.packages )
- not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] )
tags:
- CCE-83848-2
- CJIS-5.5.2.2
- DISA-STIG-RHEL-09-212025
- NIST-800-171-3.4.5
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-7.1
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_groupowner_grub2_cfg
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Test for existence /boot/grub2/grub.cfg
ansible.builtin.stat:
path: /boot/grub2/grub.cfg
register: file_exists
when:
- DISA_STIG_RHEL_09_212025 | bool
- configure_strategy | bool
- file_groupowner_grub2_cfg | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- ( "grub2-common" in ansible_facts.packages and "kernel-core" in ansible_facts.packages )
- not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] )
tags:
- CCE-83848-2
- CJIS-5.5.2.2
- DISA-STIG-RHEL-09-212025
- NIST-800-171-3.4.5
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-7.1
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_groupowner_grub2_cfg
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure group owner on /boot/grub2/grub.cfg
ansible.builtin.file:
path: /boot/grub2/grub.cfg
follow: false
group: '{{ file_groupowner_grub2_cfg_newgroup }}'
when:
- DISA_STIG_RHEL_09_212025 | bool
- configure_strategy | bool
- file_groupowner_grub2_cfg | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- ( "grub2-common" in ansible_facts.packages and "kernel-core" in ansible_facts.packages )
- not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] )
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-83848-2
- CJIS-5.5.2.2
- DISA-STIG-RHEL-09-212025
- NIST-800-171-3.4.5
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-7.1
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_groupowner_grub2_cfg
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set the file_groupowner_user_cfg_newgroup variable if represented by gid
ansible.builtin.set_fact:
file_groupowner_user_cfg_newgroup: '0'
when:
- configure_strategy | bool
- file_groupowner_user_cfg | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- ( "grub2-common" in ansible_facts.packages and "kernel-core" in ansible_facts.packages )
- not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] )
tags:
- CCE-86010-6
- CJIS-5.5.2.2
- NIST-800-171-3.4.5
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-7.1
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_groupowner_user_cfg
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Test for existence /boot/grub2/user.cfg
ansible.builtin.stat:
path: /boot/grub2/user.cfg
register: file_exists
when:
- configure_strategy | bool
- file_groupowner_user_cfg | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- ( "grub2-common" in ansible_facts.packages and "kernel-core" in ansible_facts.packages )
- not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] )
tags:
- CCE-86010-6
- CJIS-5.5.2.2
- NIST-800-171-3.4.5
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-7.1
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_groupowner_user_cfg
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure group owner on /boot/grub2/user.cfg
ansible.builtin.file:
path: /boot/grub2/user.cfg
follow: false
group: '{{ file_groupowner_user_cfg_newgroup }}'
when:
- configure_strategy | bool
- file_groupowner_user_cfg | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- ( "grub2-common" in ansible_facts.packages and "kernel-core" in ansible_facts.packages )
- not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] )
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-86010-6
- CJIS-5.5.2.2
- NIST-800-171-3.4.5
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-7.1
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_groupowner_user_cfg
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set the file_owner_grub2_cfg_newown variable if represented by uid
ansible.builtin.set_fact:
file_owner_grub2_cfg_newown: '0'
when:
- DISA_STIG_RHEL_09_212030 | bool
- configure_strategy | bool
- file_owner_grub2_cfg | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- ( "grub2-common" in ansible_facts.packages and "kernel-core" in ansible_facts.packages )
- not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] )
tags:
- CCE-83845-8
- CJIS-5.5.2.2
- DISA-STIG-RHEL-09-212030
- NIST-800-171-3.4.5
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-7.1
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_owner_grub2_cfg
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Test for existence /boot/grub2/grub.cfg
ansible.builtin.stat:
path: /boot/grub2/grub.cfg
register: file_exists
when:
- DISA_STIG_RHEL_09_212030 | bool
- configure_strategy | bool
- file_owner_grub2_cfg | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- ( "grub2-common" in ansible_facts.packages and "kernel-core" in ansible_facts.packages )
- not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] )
tags:
- CCE-83845-8
- CJIS-5.5.2.2
- DISA-STIG-RHEL-09-212030
- NIST-800-171-3.4.5
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-7.1
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_owner_grub2_cfg
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure owner on /boot/grub2/grub.cfg
ansible.builtin.file:
path: /boot/grub2/grub.cfg
follow: false
owner: '{{ file_owner_grub2_cfg_newown }}'
when:
- DISA_STIG_RHEL_09_212030 | bool
- configure_strategy | bool
- file_owner_grub2_cfg | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- ( "grub2-common" in ansible_facts.packages and "kernel-core" in ansible_facts.packages )
- not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] )
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-83845-8
- CJIS-5.5.2.2
- DISA-STIG-RHEL-09-212030
- NIST-800-171-3.4.5
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-7.1
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_owner_grub2_cfg
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set the file_owner_user_cfg_newown variable if represented by uid
ansible.builtin.set_fact:
file_owner_user_cfg_newown: '0'
when:
- configure_strategy | bool
- file_owner_user_cfg | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- ( "grub2-common" in ansible_facts.packages and "kernel-core" in ansible_facts.packages )
- not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] )
tags:
- CCE-86016-3
- CJIS-5.5.2.2
- NIST-800-171-3.4.5
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-7.1
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_owner_user_cfg
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Test for existence /boot/grub2/user.cfg
ansible.builtin.stat:
path: /boot/grub2/user.cfg
register: file_exists
when:
- configure_strategy | bool
- file_owner_user_cfg | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- ( "grub2-common" in ansible_facts.packages and "kernel-core" in ansible_facts.packages )
- not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] )
tags:
- CCE-86016-3
- CJIS-5.5.2.2
- NIST-800-171-3.4.5
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-7.1
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_owner_user_cfg
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure owner on /boot/grub2/user.cfg
ansible.builtin.file:
path: /boot/grub2/user.cfg
follow: false
owner: '{{ file_owner_user_cfg_newown }}'
when:
- configure_strategy | bool
- file_owner_user_cfg | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- ( "grub2-common" in ansible_facts.packages and "kernel-core" in ansible_facts.packages )
- not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] )
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-86016-3
- CJIS-5.5.2.2
- NIST-800-171-3.4.5
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-7.1
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_owner_user_cfg
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Test for existence /boot/grub2/grub.cfg
ansible.builtin.stat:
path: /boot/grub2/grub.cfg
register: file_exists
when:
- configure_strategy | bool
- file_permissions_grub2_cfg | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- ( "grub2-common" in ansible_facts.packages and "kernel-core" in ansible_facts.packages )
- not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] )
tags:
- CCE-83846-6
- NIST-800-171-3.4.5
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_permissions_grub2_cfg
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure permission u-xs,g-xwrs,o-xwrt on /boot/grub2/grub.cfg
ansible.builtin.file:
path: /boot/grub2/grub.cfg
mode: u-xs,g-xwrs,o-xwrt
when:
- configure_strategy | bool
- file_permissions_grub2_cfg | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- ( "grub2-common" in ansible_facts.packages and "kernel-core" in ansible_facts.packages )
- not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] )
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-83846-6
- NIST-800-171-3.4.5
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_permissions_grub2_cfg
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Test for existence /boot/grub2/user.cfg
ansible.builtin.stat:
path: /boot/grub2/user.cfg
register: file_exists
when:
- configure_strategy | bool
- file_permissions_user_cfg | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- ( "grub2-common" in ansible_facts.packages and "kernel-core" in ansible_facts.packages )
- not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] )
tags:
- CCE-86025-4
- NIST-800-171-3.4.5
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_permissions_user_cfg
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure permission u-xs,g-xwrs,o-xwrt on /boot/grub2/user.cfg
ansible.builtin.file:
path: /boot/grub2/user.cfg
mode: u-xs,g-xwrs,o-xwrt
when:
- configure_strategy | bool
- file_permissions_user_cfg | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- ( "grub2-common" in ansible_facts.packages and "kernel-core" in ansible_facts.packages )
- not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] )
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-86025-4
- NIST-800-171-3.4.5
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_permissions_user_cfg
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure Log Files Are Owned By Appropriate Group - Set rsyslog logfile configuration facts
ansible.builtin.set_fact:
rsyslog_etc_config: /etc/rsyslog.conf
when:
- configure_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- rsyslog_files_groupownership | bool
- '"kernel-core" in ansible_facts.packages'
- '"rsyslog" in ansible_facts.packages'
tags:
- CCE-83834-2
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.1
- PCI-DSS-Req-10.5.2
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.2
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- rsyslog_files_groupownership
- name: Ensure Log Files Are Owned By Appropriate Group - Get IncludeConfig directive
ansible.builtin.shell: 'set -o pipefail
grep -e ''$IncludeConfig'' {{ rsyslog_etc_config }} | cut -d '' '' -f 2 || true
'
register: rsyslog_old_inc
changed_when: false
when:
- configure_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- rsyslog_files_groupownership | bool
- '"kernel-core" in ansible_facts.packages'
- '"rsyslog" in ansible_facts.packages'
tags:
- CCE-83834-2
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.1
- PCI-DSS-Req-10.5.2
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.2
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- rsyslog_files_groupownership
- name: Ensure Log Files Are Owned By Appropriate Group - Get include files directives
ansible.builtin.shell: 'set -o pipefail
awk ''/)/{f=0} /include\(/{f=1} f{ nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){ print nf }}''
{{ rsyslog_etc_config }} || true
'
register: rsyslog_new_inc
changed_when: false
when:
- configure_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- rsyslog_files_groupownership | bool
- '"kernel-core" in ansible_facts.packages'
- '"rsyslog" in ansible_facts.packages'
tags:
- CCE-83834-2
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.1
- PCI-DSS-Req-10.5.2
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.2
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- rsyslog_files_groupownership
- name: Ensure Log Files Are Owned By Appropriate Group - Aggregate rsyslog includes
ansible.builtin.set_fact:
include_config_output: '{{ rsyslog_old_inc.stdout_lines + rsyslog_new_inc.stdout_lines }}'
when:
- configure_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- rsyslog_files_groupownership | bool
- '"kernel-core" in ansible_facts.packages'
- '"rsyslog" in ansible_facts.packages'
- rsyslog_old_inc is not skipped and rsyslog_new_inc is not skipped
tags:
- CCE-83834-2
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.1
- PCI-DSS-Req-10.5.2
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.2
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- rsyslog_files_groupownership
- name: Ensure Log Files Are Owned By Appropriate Group - List all config files
ansible.builtin.find:
paths: '{{ item | dirname }}'
patterns: '{{ item | basename }}'
hidden: false
follow: true
loop: '{{ include_config_output | list + [rsyslog_etc_config] }}'
when:
- configure_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- rsyslog_files_groupownership | bool
- '"kernel-core" in ansible_facts.packages'
- '"rsyslog" in ansible_facts.packages'
- include_config_output is defined
register: rsyslog_config_files
failed_when: false
changed_when: false
tags:
- CCE-83834-2
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.1
- PCI-DSS-Req-10.5.2
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.2
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- rsyslog_files_groupownership
- name: Ensure Log Files Are Owned By Appropriate Group - Extract log files old format
ansible.builtin.shell: 'set -o pipefail
grep -oP ''^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*\.*$'' {{ item.1.path }} | \
awk ''{print $NF}'' | \
sed -e ''s/^-//'' || true
'
loop: '{{ rsyslog_config_files.results | default([]) | subelements(''files'') }}'
register: log_files_old
changed_when: false
when:
- configure_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- rsyslog_files_groupownership | bool
- '"kernel-core" in ansible_facts.packages'
- '"rsyslog" in ansible_facts.packages'
- rsyslog_config_files is not skipped
tags:
- CCE-83834-2
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.1
- PCI-DSS-Req-10.5.2
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.2
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- rsyslog_files_groupownership
- name: Ensure Log Files Are Owned By Appropriate Group - Extract log files new format
ansible.builtin.shell: 'set -o pipefail
grep -ozP "action\s*\(\s*type\s*=\s*\"omfile\"[^\)]*\)" {{ item.1.path }} | \
grep -aoP "\bFile\s*=\s*\"([/[:alnum:][:punct:]]*)\"\s*\)" | \
grep -oE "\"([/[:alnum:][:punct:]]*)\"" | \
tr -d "\""|| true
'
loop: '{{ rsyslog_config_files.results | default([]) | subelements(''files'') }}'
register: log_files_new
changed_when: false
when:
- configure_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- rsyslog_files_groupownership | bool
- '"kernel-core" in ansible_facts.packages'
- '"rsyslog" in ansible_facts.packages'
- rsyslog_config_files is not skipped
tags:
- CCE-83834-2
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.1
- PCI-DSS-Req-10.5.2
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.2
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- rsyslog_files_groupownership
- name: Ensure Log Files Are Owned By Appropriate Group - Sum all log files found
ansible.builtin.set_fact:
log_files: '{{ log_files_new.results | map(attribute=''stdout_lines'') | list | flatten | unique + log_files_old.results
| map(attribute=''stdout_lines'') | list | flatten | unique }}'
when:
- configure_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- rsyslog_files_groupownership | bool
- '"kernel-core" in ansible_facts.packages'
- '"rsyslog" in ansible_facts.packages'
tags:
- CCE-83834-2
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.1
- PCI-DSS-Req-10.5.2
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.2
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- rsyslog_files_groupownership
- name: Ensure Log Files Are Owned By Appropriate Group -Setup log files attribute
ansible.builtin.file:
path: '{{ item }}'
group: root
state: file
loop: '{{ log_files | list | flatten | unique }}'
failed_when: false
when:
- configure_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- rsyslog_files_groupownership | bool
- '"kernel-core" in ansible_facts.packages'
- '"rsyslog" in ansible_facts.packages'
tags:
- CCE-83834-2
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.1
- PCI-DSS-Req-10.5.2
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.2
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- rsyslog_files_groupownership
- name: Ensure Log Files Are Owned By Appropriate User - Set rsyslog logfile configuration facts
ansible.builtin.set_fact:
rsyslog_etc_config: /etc/rsyslog.conf
when:
- configure_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- rsyslog_files_ownership | bool
- '"kernel-core" in ansible_facts.packages'
- '"rsyslog" in ansible_facts.packages'
tags:
- CCE-83946-4
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.1
- PCI-DSS-Req-10.5.2
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.2
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- rsyslog_files_ownership
- name: Ensure Log Files Are Owned By Appropriate User - Get IncludeConfig directive
ansible.builtin.shell: 'set -o pipefail
grep -e ''$IncludeConfig'' {{ rsyslog_etc_config }} | cut -d '' '' -f 2 || true
'
register: rsyslog_old_inc
changed_when: false
when:
- configure_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- rsyslog_files_ownership | bool
- '"kernel-core" in ansible_facts.packages'
- '"rsyslog" in ansible_facts.packages'
tags:
- CCE-83946-4
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.1
- PCI-DSS-Req-10.5.2
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.2
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- rsyslog_files_ownership
- name: Ensure Log Files Are Owned By Appropriate User - Get include files directives
ansible.builtin.shell: 'set -o pipefail
awk ''/)/{f=0} /include\(/{f=1} f{ nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){ print nf }}''
{{ rsyslog_etc_config }} || true
'
register: rsyslog_new_inc
changed_when: false
when:
- configure_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- rsyslog_files_ownership | bool
- '"kernel-core" in ansible_facts.packages'
- '"rsyslog" in ansible_facts.packages'
tags:
- CCE-83946-4
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.1
- PCI-DSS-Req-10.5.2
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.2
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- rsyslog_files_ownership
- name: Ensure Log Files Are Owned By Appropriate User - Aggregate rsyslog includes
ansible.builtin.set_fact:
include_config_output: '{{ rsyslog_old_inc.stdout_lines + rsyslog_new_inc.stdout_lines }}'
when:
- configure_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- rsyslog_files_ownership | bool
- '"kernel-core" in ansible_facts.packages'
- '"rsyslog" in ansible_facts.packages'
- rsyslog_old_inc is not skipped and rsyslog_new_inc is not skipped
tags:
- CCE-83946-4
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.1
- PCI-DSS-Req-10.5.2
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.2
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- rsyslog_files_ownership
- name: Ensure Log Files Are Owned By Appropriate User - List all config files
ansible.builtin.find:
paths: '{{ item | dirname }}'
patterns: '{{ item | basename }}'
hidden: false
follow: true
loop: '{{ include_config_output | list + [rsyslog_etc_config] }}'
when:
- configure_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- rsyslog_files_ownership | bool
- '"kernel-core" in ansible_facts.packages'
- '"rsyslog" in ansible_facts.packages'
- include_config_output is defined
register: rsyslog_config_files
failed_when: false
changed_when: false
tags:
- CCE-83946-4
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.1
- PCI-DSS-Req-10.5.2
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.2
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- rsyslog_files_ownership
- name: Ensure Log Files Are Owned By Appropriate User - Extract log files old format
ansible.builtin.shell: 'set -o pipefail
grep -oP ''^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*\.*$'' {{ item.1.path }} | \
awk ''{print $NF}'' | \
sed -e ''s/^-//'' || true
'
loop: '{{ rsyslog_config_files.results | default([]) | subelements(''files'') }}'
register: log_files_old
changed_when: false
when:
- configure_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- rsyslog_files_ownership | bool
- '"kernel-core" in ansible_facts.packages'
- '"rsyslog" in ansible_facts.packages'
- rsyslog_config_files is not skipped
tags:
- CCE-83946-4
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.1
- PCI-DSS-Req-10.5.2
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.2
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- rsyslog_files_ownership
- name: Ensure Log Files Are Owned By Appropriate User - Extract log files new format
ansible.builtin.shell: 'set -o pipefail
grep -ozP "action\s*\(\s*type\s*=\s*\"omfile\"[^\)]*\)" {{ item.1.path }} | \
grep -aoP "\bFile\s*=\s*\"([/[:alnum:][:punct:]]*)\"\s*\)" | \
grep -oE "\"([/[:alnum:][:punct:]]*)\"" | \
tr -d "\""|| true
'
loop: '{{ rsyslog_config_files.results | default([]) | subelements(''files'') }}'
register: log_files_new
changed_when: false
when:
- configure_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- rsyslog_files_ownership | bool
- '"kernel-core" in ansible_facts.packages'
- '"rsyslog" in ansible_facts.packages'
- rsyslog_config_files is not skipped
tags:
- CCE-83946-4
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.1
- PCI-DSS-Req-10.5.2
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.2
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- rsyslog_files_ownership
- name: Ensure Log Files Are Owned By Appropriate User - Sum all log files found
ansible.builtin.set_fact:
log_files: '{{ log_files_new.results | map(attribute=''stdout_lines'') | list | flatten | unique + log_files_old.results
| map(attribute=''stdout_lines'') | list | flatten | unique }}'
when:
- configure_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- rsyslog_files_ownership | bool
- '"kernel-core" in ansible_facts.packages'
- '"rsyslog" in ansible_facts.packages'
tags:
- CCE-83946-4
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.1
- PCI-DSS-Req-10.5.2
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.2
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- rsyslog_files_ownership
- name: Ensure Log Files Are Owned By Appropriate User -Setup log files attribute
ansible.builtin.file:
path: '{{ item }}'
owner: root
state: file
loop: '{{ log_files | list | flatten | unique }}'
failed_when: false
when:
- configure_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- rsyslog_files_ownership | bool
- '"kernel-core" in ansible_facts.packages'
- '"rsyslog" in ansible_facts.packages'
tags:
- CCE-83946-4
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.1
- PCI-DSS-Req-10.5.2
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.2
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- rsyslog_files_ownership
- name: Ensure System Log Files Have Correct Permissions - Set rsyslog logfile configuration facts
ansible.builtin.set_fact:
rsyslog_etc_config: /etc/rsyslog.conf
when:
- configure_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- rsyslog_files_permissions | bool
- '"kernel-core" in ansible_facts.packages'
- '"rsyslog" in ansible_facts.packages'
tags:
- CCE-83689-0
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.1
- PCI-DSS-Req-10.5.2
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.1
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- rsyslog_files_permissions
- name: Ensure System Log Files Have Correct Permissions - Get IncludeConfig directive
ansible.builtin.shell: 'set -o pipefail
grep -e ''$IncludeConfig'' {{ rsyslog_etc_config }} | cut -d '' '' -f 2 || true
'
register: rsyslog_old_inc
changed_when: false
when:
- configure_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- rsyslog_files_permissions | bool
- '"kernel-core" in ansible_facts.packages'
- '"rsyslog" in ansible_facts.packages'
tags:
- CCE-83689-0
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.1
- PCI-DSS-Req-10.5.2
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.1
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- rsyslog_files_permissions
- name: Ensure System Log Files Have Correct Permissions - Get include files directives
ansible.builtin.shell: 'set -o pipefail
awk ''/)/{f=0} /include\(/{f=1} f{ nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){ print nf }}''
{{ rsyslog_etc_config }} || true
'
register: rsyslog_new_inc
changed_when: false
when:
- configure_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- rsyslog_files_permissions | bool
- '"kernel-core" in ansible_facts.packages'
- '"rsyslog" in ansible_facts.packages'
tags:
- CCE-83689-0
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.1
- PCI-DSS-Req-10.5.2
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.1
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- rsyslog_files_permissions
- name: Ensure System Log Files Have Correct Permissions - Aggregate rsyslog includes
ansible.builtin.set_fact:
include_config_output: '{{ rsyslog_old_inc.stdout_lines + rsyslog_new_inc.stdout_lines }}'
when:
- configure_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- rsyslog_files_permissions | bool
- '"kernel-core" in ansible_facts.packages'
- '"rsyslog" in ansible_facts.packages'
- rsyslog_old_inc is not skipped and rsyslog_new_inc is not skipped
tags:
- CCE-83689-0
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.1
- PCI-DSS-Req-10.5.2
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.1
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- rsyslog_files_permissions
- name: Ensure System Log Files Have Correct Permissions - List all config files
ansible.builtin.find:
paths: '{{ item | dirname }}'
patterns: '{{ item | basename }}'
hidden: false
follow: true
loop: '{{ include_config_output | list + [rsyslog_etc_config] }}'
when:
- configure_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- rsyslog_files_permissions | bool
- '"kernel-core" in ansible_facts.packages'
- '"rsyslog" in ansible_facts.packages'
- include_config_output is defined
register: rsyslog_config_files
failed_when: false
changed_when: false
tags:
- CCE-83689-0
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.1
- PCI-DSS-Req-10.5.2
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.1
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- rsyslog_files_permissions
- name: Ensure System Log Files Have Correct Permissions - Extract log files old format
ansible.builtin.shell: 'set -o pipefail
grep -oP ''^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*\.*$'' {{ item.1.path }} | \
awk ''{print $NF}'' | \
sed -e ''s/^-//'' || true
'
loop: '{{ rsyslog_config_files.results | default([]) | subelements(''files'') }}'
register: log_files_old
changed_when: false
when:
- configure_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- rsyslog_files_permissions | bool
- '"kernel-core" in ansible_facts.packages'
- '"rsyslog" in ansible_facts.packages'
- rsyslog_config_files is not skipped
tags:
- CCE-83689-0
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.1
- PCI-DSS-Req-10.5.2
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.1
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- rsyslog_files_permissions
- name: Ensure System Log Files Have Correct Permissions - Extract log files new format
ansible.builtin.shell: 'set -o pipefail
grep -ozP "action\s*\(\s*type\s*=\s*\"omfile\"[^\)]*\)" {{ item.1.path }} | \
grep -aoP "\bFile\s*=\s*\"([/[:alnum:][:punct:]]*)\"\s*\)" | \
grep -oE "\"([/[:alnum:][:punct:]]*)\"" | \
tr -d "\""|| true
'
loop: '{{ rsyslog_config_files.results | default([]) | subelements(''files'') }}'
register: log_files_new
changed_when: false
when:
- configure_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- rsyslog_files_permissions | bool
- '"kernel-core" in ansible_facts.packages'
- '"rsyslog" in ansible_facts.packages'
- rsyslog_config_files is not skipped
tags:
- CCE-83689-0
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.1
- PCI-DSS-Req-10.5.2
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.1
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- rsyslog_files_permissions
- name: Ensure System Log Files Have Correct Permissions - Sum all log files found
ansible.builtin.set_fact:
log_files: '{{ log_files_new.results | map(attribute=''stdout_lines'') | list | flatten | unique + log_files_old.results
| map(attribute=''stdout_lines'') | list | flatten | unique }}'
when:
- configure_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- rsyslog_files_permissions | bool
- '"kernel-core" in ansible_facts.packages'
- '"rsyslog" in ansible_facts.packages'
tags:
- CCE-83689-0
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.1
- PCI-DSS-Req-10.5.2
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.1
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- rsyslog_files_permissions
- name: Ensure System Log Files Have Correct Permissions -Setup log files attribute
ansible.builtin.file:
path: '{{ item }}'
mode: '0640'
state: file
loop: '{{ log_files | list | flatten | unique }}'
failed_when: false
when:
- configure_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- rsyslog_files_permissions | bool
- '"kernel-core" in ansible_facts.packages'
- '"rsyslog" in ansible_facts.packages'
tags:
- CCE-83689-0
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.1
- PCI-DSS-Req-10.5.2
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.1
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- rsyslog_files_permissions
- name: Ensure journald is configured to compress large log files - Search for a section in files
ansible.builtin.find:
paths: '{{item.path}}'
patterns: '{{item.pattern}}'
contains: ^\s*\[Journal\]
read_whole_file: true
use_regex: true
register: systemd_dropin_files_with_section
loop:
- path: '{{ ''/etc/systemd/journald.conf'' | dirname }}'
pattern: '{{ ''/etc/systemd/journald.conf'' | basename | regex_escape }}'
- path: /etc/systemd/journald.conf.d
pattern: .*\.conf
when:
- journald_compress | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-85931-4
- journald_compress
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure journald is configured to compress large log files - Count number of files which contain the correct section
ansible.builtin.set_fact:
count_of_systemd_dropin_files_with_section: '{{systemd_dropin_files_with_section.results | map(attribute=''matched'')
| list | map(''int'') | sum}}'
when:
- journald_compress | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-85931-4
- journald_compress
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure journald is configured to compress large log files - Add missing configuration to correct section
community.general.ini_file:
path: '{{item}}'
section: Journal
option: Compress
value: 'yes'
state: present
no_extra_spaces: true
when:
- journald_compress | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- count_of_systemd_dropin_files_with_section | int > 0
loop: '{{systemd_dropin_files_with_section.results | sum(attribute=''files'', start=[]) | map(attribute=''path'') | list
}}'
tags:
- CCE-85931-4
- journald_compress
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure journald is configured to compress large log files - Add configuration to new remediation file
community.general.ini_file:
path: /etc/systemd/journald.conf.d/complianceascode_hardening.conf
section: Journal
option: Compress
value: 'yes'
state: present
no_extra_spaces: true
create: true
when:
- journald_compress | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- count_of_systemd_dropin_files_with_section | int == 0
tags:
- CCE-85931-4
- journald_compress
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure journald is configured to write log files to persistent disk - Search for a section in files
ansible.builtin.find:
paths: '{{item.path}}'
patterns: '{{item.pattern}}'
contains: ^\s*\[Journal\]
read_whole_file: true
use_regex: true
register: systemd_dropin_files_with_section
loop:
- path: '{{ ''/etc/systemd/journald.conf'' | dirname }}'
pattern: '{{ ''/etc/systemd/journald.conf'' | basename | regex_escape }}'
- path: /etc/systemd/journald.conf.d
pattern: .*\.conf
when:
- journald_storage | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86046-0
- journald_storage
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure journald is configured to write log files to persistent disk - Count number of files which contain the correct
section
ansible.builtin.set_fact:
count_of_systemd_dropin_files_with_section: '{{systemd_dropin_files_with_section.results | map(attribute=''matched'')
| list | map(''int'') | sum}}'
when:
- journald_storage | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86046-0
- journald_storage
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure journald is configured to write log files to persistent disk - Add missing configuration to correct section
community.general.ini_file:
path: '{{item}}'
section: Journal
option: Storage
value: persistent
state: present
no_extra_spaces: true
when:
- journald_storage | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- count_of_systemd_dropin_files_with_section | int > 0
loop: '{{systemd_dropin_files_with_section.results | sum(attribute=''files'', start=[]) | map(attribute=''path'') | list
}}'
tags:
- CCE-86046-0
- journald_storage
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure journald is configured to write log files to persistent disk - Add configuration to new remediation file
community.general.ini_file:
path: /etc/systemd/journald.conf.d/complianceascode_hardening.conf
section: Journal
option: Storage
value: persistent
state: present
no_extra_spaces: true
create: true
when:
- journald_storage | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- count_of_systemd_dropin_files_with_section | int == 0
tags:
- CCE-86046-0
- journald_storage
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Disable systemd-journal-remote Socket - Collect systemd Socket Units Present in the System
ansible.builtin.command:
cmd: systemctl -q list-unit-files --type socket
register: result_systemd_unit_files
changed_when: false
check_mode: false
when:
- disable_strategy | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-87606-0
- disable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- socket_systemd-journal-remote_disabled
- name: Disable systemd-journal-remote Socket - Ensure systemd-journal-remote.socket is Masked
ansible.builtin.systemd:
name: systemd-journal-remote.socket
state: stopped
enabled: false
masked: true
when:
- disable_strategy | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
- result_systemd_unit_files.stdout_lines is search("systemd-journal-remote.socket")
tags:
- CCE-87606-0
- disable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- socket_systemd-journal-remote_disabled
- name: Configure Firewalld to Restrict Loopback Traffic - Remediation is Applicable if firewalld Service is Running
block:
- name: Configure Firewalld to Restrict Loopback Traffic - Ensure firewalld trusted Zone Restricts IPv4 Loopback Traffic
ansible.builtin.command:
cmd: firewall-cmd --permanent --zone=trusted --add-rich-rule='rule family=ipv4 source address="127.0.0.1" destination
not address="127.0.0.1" drop'
register: result_trusted_ipv4_restriction
changed_when:
- '''ALREADY_ENABLED'' not in result_trusted_ipv4_restriction.stderr'
- name: Configure Firewalld to Restrict Loopback Traffic - Ensure firewalld trusted Zone Restricts IPv6 Loopback Traffic
ansible.builtin.command:
cmd: firewall-cmd --permanent --zone=trusted --add-rich-rule='rule family=ipv6 source address="::1" destination not
address="::1" drop'
register: result_trusted_ipv6_restriction
changed_when:
- '''ALREADY_ENABLED'' not in result_trusted_ipv6_restriction.stderr'
- name: Configure Firewalld to Restrict Loopback Traffic - Ensure firewalld Changes are Applied
ansible.builtin.service:
name: firewalld
state: reloaded
when:
- result_trusted_ipv4_restriction is changed or result_trusted_ipv6_restriction is changed
when:
- configure_strategy | bool
- firewalld_loopback_traffic_restricted | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
- ansible_facts.services['firewalld.service'].state == 'running'
tags:
- CCE-86137-7
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.1
- configure_strategy
- firewalld_loopback_traffic_restricted
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Configure Firewalld to Restrict Loopback Traffic - Informative Message Based on Service State
ansible.builtin.assert:
that:
- ansible_check_mode or ansible_facts.services['firewalld.service'].state == 'running'
fail_msg:
- firewalld service is not active. Remediation aborted!
- This remediation could not be applied because it depends on firewalld service running.
- The service is not started by this remediation in order to prevent connection issues.
success_msg:
- Configure Firewalld to Restrict Loopback Traffic remediation successfully executed
when:
- configure_strategy | bool
- firewalld_loopback_traffic_restricted | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86137-7
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.1
- configure_strategy
- firewalld_loopback_traffic_restricted
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Configure Firewalld to Trust Loopback Traffic - Remediation is Applicable if firewalld Service is Running
block:
- name: Configure Firewalld to Trust Loopback Traffic - Ensure firewalld trusted Zone Includes lo Interface
ansible.builtin.command:
cmd: firewall-cmd --permanent --zone=trusted --add-interface=lo
register: result_lo_interface_assignment
changed_when:
- '''ALREADY_ENABLED'' not in result_lo_interface_assignment.stderr'
- name: Configure Firewalld to Trust Loopback Traffic - Ensure firewalld Changes are Applied
ansible.builtin.service:
name: firewalld
state: reloaded
when:
- result_lo_interface_assignment is changed
when:
- configure_strategy | bool
- firewalld_loopback_traffic_trusted | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
- ansible_facts.services['firewalld.service'].state == 'running'
tags:
- CCE-86116-1
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.1
- configure_strategy
- firewalld_loopback_traffic_trusted
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Configure Firewalld to Trust Loopback Traffic - Informative Message Based on Service State
ansible.builtin.assert:
that:
- ansible_check_mode or ansible_facts.services['firewalld.service'].state == 'running'
fail_msg:
- firewalld service is not active. Remediation aborted!
- This remediation could not be applied because it depends on firewalld service running.
- The service is not started by this remediation in order to prevent connection issues.
success_msg:
- Configure Firewalld to Trust Loopback Traffic remediation successfully executed
when:
- configure_strategy | bool
- firewalld_loopback_traffic_trusted | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86116-1
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.1
- configure_strategy
- firewalld_loopback_traffic_trusted
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Configure Accepting Router Advertisements on All IPv6 Interfaces - Set fact for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /etc/sysctl.d/
- /run/sysctl.d/
- /usr/local/lib/sysctl.d/
when:
- DISA_STIG_RHEL_09_254010 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv6_conf_all_accept_ra | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84120-5
- DISA-STIG-RHEL-09-254010
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_all_accept_ra
- name: Configure Accepting Router Advertisements on All IPv6 Interfaces - Find all files that contain net.ipv6.conf.all.accept_ra
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv6.conf.all.accept_ra\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when:
- DISA_STIG_RHEL_09_254010 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv6_conf_all_accept_ra | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84120-5
- DISA-STIG-RHEL-09-254010
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_all_accept_ra
- name: Configure Accepting Router Advertisements on All IPv6 Interfaces - Find all files that set net.ipv6.conf.all.accept_ra
to correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv6.conf.all.accept_ra\s*=\s*{{
sysctl_net_ipv6_conf_all_accept_ra_value }}$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when:
- DISA_STIG_RHEL_09_254010 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv6_conf_all_accept_ra | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84120-5
- DISA-STIG-RHEL-09-254010
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_all_accept_ra
- name: Configure Accepting Router Advertisements on All IPv6 Interfaces - Comment out any occurrences of net.ipv6.conf.all.accept_ra
from config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*net.ipv6.conf.all.accept_ra
replace: '#net.ipv6.conf.all.accept_ra'
loop: '{{ find_all_values.stdout_lines }}'
when:
- DISA_STIG_RHEL_09_254010 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv6_conf_all_accept_ra | bool
- '"kernel-core" in ansible_facts.packages'
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines | length > find_correct_value.stdout_lines
| length
tags:
- CCE-84120-5
- DISA-STIG-RHEL-09-254010
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_all_accept_ra
- name: Configure Accepting Router Advertisements on All IPv6 Interfaces - Ensure sysctl net.ipv6.conf.all.accept_ra is set
ansible.posix.sysctl:
name: net.ipv6.conf.all.accept_ra
value: '{{ sysctl_net_ipv6_conf_all_accept_ra_value }}'
sysctl_file: /etc/sysctl.conf
state: present
reload: true
when:
- DISA_STIG_RHEL_09_254010 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv6_conf_all_accept_ra | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84120-5
- DISA-STIG-RHEL-09-254010
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_all_accept_ra
- name: Disable Accepting ICMP Redirects for All IPv6 Interfaces - Set fact for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /etc/sysctl.d/
- /run/sysctl.d/
- /usr/local/lib/sysctl.d/
when:
- DISA_STIG_RHEL_09_254015 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv6_conf_all_accept_redirects | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84125-4
- DISA-STIG-RHEL-09-254015
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-6(b)
- NIST-800-53-CM-6.1(iv)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_all_accept_redirects
- name: Disable Accepting ICMP Redirects for All IPv6 Interfaces - Find all files that contain net.ipv6.conf.all.accept_redirects
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv6.conf.all.accept_redirects\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when:
- DISA_STIG_RHEL_09_254015 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv6_conf_all_accept_redirects | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84125-4
- DISA-STIG-RHEL-09-254015
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-6(b)
- NIST-800-53-CM-6.1(iv)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_all_accept_redirects
- name: Disable Accepting ICMP Redirects for All IPv6 Interfaces - Find all files that set net.ipv6.conf.all.accept_redirects
to correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv6.conf.all.accept_redirects\s*=\s*{{
sysctl_net_ipv6_conf_all_accept_redirects_value }}$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when:
- DISA_STIG_RHEL_09_254015 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv6_conf_all_accept_redirects | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84125-4
- DISA-STIG-RHEL-09-254015
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-6(b)
- NIST-800-53-CM-6.1(iv)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_all_accept_redirects
- name: Disable Accepting ICMP Redirects for All IPv6 Interfaces - Comment out any occurrences of net.ipv6.conf.all.accept_redirects
from config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*net.ipv6.conf.all.accept_redirects
replace: '#net.ipv6.conf.all.accept_redirects'
loop: '{{ find_all_values.stdout_lines }}'
when:
- DISA_STIG_RHEL_09_254015 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv6_conf_all_accept_redirects | bool
- '"kernel-core" in ansible_facts.packages'
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines | length > find_correct_value.stdout_lines
| length
tags:
- CCE-84125-4
- DISA-STIG-RHEL-09-254015
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-6(b)
- NIST-800-53-CM-6.1(iv)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_all_accept_redirects
- name: Disable Accepting ICMP Redirects for All IPv6 Interfaces - Ensure sysctl net.ipv6.conf.all.accept_redirects is set
ansible.posix.sysctl:
name: net.ipv6.conf.all.accept_redirects
value: '{{ sysctl_net_ipv6_conf_all_accept_redirects_value }}'
sysctl_file: /etc/sysctl.conf
state: present
reload: true
when:
- DISA_STIG_RHEL_09_254015 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv6_conf_all_accept_redirects | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84125-4
- DISA-STIG-RHEL-09-254015
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-6(b)
- NIST-800-53-CM-6.1(iv)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_all_accept_redirects
- name: Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces - Set fact for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /etc/sysctl.d/
- /run/sysctl.d/
- /usr/local/lib/sysctl.d/
when:
- DISA_STIG_RHEL_09_254020 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv6_conf_all_accept_source_route | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84131-2
- DISA-STIG-RHEL-09-254020
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_all_accept_source_route
- name: Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces - Find all files that contain
net.ipv6.conf.all.accept_source_route
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv6.conf.all.accept_source_route\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when:
- DISA_STIG_RHEL_09_254020 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv6_conf_all_accept_source_route | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84131-2
- DISA-STIG-RHEL-09-254020
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_all_accept_source_route
- name: Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces - Find all files that set net.ipv6.conf.all.accept_source_route
to correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv6.conf.all.accept_source_route\s*=\s*{{
sysctl_net_ipv6_conf_all_accept_source_route_value }}$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when:
- DISA_STIG_RHEL_09_254020 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv6_conf_all_accept_source_route | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84131-2
- DISA-STIG-RHEL-09-254020
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_all_accept_source_route
- name: Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces - Comment out any occurrences
of net.ipv6.conf.all.accept_source_route from config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*net.ipv6.conf.all.accept_source_route
replace: '#net.ipv6.conf.all.accept_source_route'
loop: '{{ find_all_values.stdout_lines }}'
when:
- DISA_STIG_RHEL_09_254020 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv6_conf_all_accept_source_route | bool
- '"kernel-core" in ansible_facts.packages'
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines | length > find_correct_value.stdout_lines
| length
tags:
- CCE-84131-2
- DISA-STIG-RHEL-09-254020
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_all_accept_source_route
- name: Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces - Ensure sysctl net.ipv6.conf.all.accept_source_route
is set
ansible.posix.sysctl:
name: net.ipv6.conf.all.accept_source_route
value: '{{ sysctl_net_ipv6_conf_all_accept_source_route_value }}'
sysctl_file: /etc/sysctl.conf
state: present
reload: true
when:
- DISA_STIG_RHEL_09_254020 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv6_conf_all_accept_source_route | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84131-2
- DISA-STIG-RHEL-09-254020
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_all_accept_source_route
- name: Disable Kernel Parameter for IPv6 Forwarding - Set fact for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /etc/sysctl.d/
- /run/sysctl.d/
- /usr/local/lib/sysctl.d/
when:
- DISA_STIG_RHEL_09_254025 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv6_conf_all_forwarding | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84114-8
- DISA-STIG-RHEL-09-254025
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-6(b)
- NIST-800-53-CM-6.1(iv)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_all_forwarding
- name: Disable Kernel Parameter for IPv6 Forwarding - Find all files that contain net.ipv6.conf.all.forwarding
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv6.conf.all.forwarding\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when:
- DISA_STIG_RHEL_09_254025 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv6_conf_all_forwarding | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84114-8
- DISA-STIG-RHEL-09-254025
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-6(b)
- NIST-800-53-CM-6.1(iv)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_all_forwarding
- name: Disable Kernel Parameter for IPv6 Forwarding - Find all files that set net.ipv6.conf.all.forwarding to correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv6.conf.all.forwarding\s*=\s*{{
sysctl_net_ipv6_conf_all_forwarding_value }}$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when:
- DISA_STIG_RHEL_09_254025 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv6_conf_all_forwarding | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84114-8
- DISA-STIG-RHEL-09-254025
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-6(b)
- NIST-800-53-CM-6.1(iv)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_all_forwarding
- name: Disable Kernel Parameter for IPv6 Forwarding - Comment out any occurrences of net.ipv6.conf.all.forwarding from config
files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*net.ipv6.conf.all.forwarding
replace: '#net.ipv6.conf.all.forwarding'
loop: '{{ find_all_values.stdout_lines }}'
when:
- DISA_STIG_RHEL_09_254025 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv6_conf_all_forwarding | bool
- '"kernel-core" in ansible_facts.packages'
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines | length > find_correct_value.stdout_lines
| length
tags:
- CCE-84114-8
- DISA-STIG-RHEL-09-254025
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-6(b)
- NIST-800-53-CM-6.1(iv)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_all_forwarding
- name: Disable Kernel Parameter for IPv6 Forwarding - Ensure sysctl net.ipv6.conf.all.forwarding is set
ansible.posix.sysctl:
name: net.ipv6.conf.all.forwarding
value: '{{ sysctl_net_ipv6_conf_all_forwarding_value }}'
sysctl_file: /etc/sysctl.conf
state: present
reload: true
when:
- DISA_STIG_RHEL_09_254025 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv6_conf_all_forwarding | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84114-8
- DISA-STIG-RHEL-09-254025
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-6(b)
- NIST-800-53-CM-6.1(iv)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_all_forwarding
- name: Disable Accepting Router Advertisements on all IPv6 Interfaces by Default - Set fact for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /etc/sysctl.d/
- /run/sysctl.d/
- /usr/local/lib/sysctl.d/
when:
- DISA_STIG_RHEL_09_254030 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv6_conf_default_accept_ra | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84124-7
- DISA-STIG-RHEL-09-254030
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_default_accept_ra
- name: Disable Accepting Router Advertisements on all IPv6 Interfaces by Default - Find all files that contain net.ipv6.conf.default.accept_ra
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv6.conf.default.accept_ra\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when:
- DISA_STIG_RHEL_09_254030 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv6_conf_default_accept_ra | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84124-7
- DISA-STIG-RHEL-09-254030
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_default_accept_ra
- name: Disable Accepting Router Advertisements on all IPv6 Interfaces by Default - Find all files that set net.ipv6.conf.default.accept_ra
to correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv6.conf.default.accept_ra\s*=\s*{{
sysctl_net_ipv6_conf_default_accept_ra_value }}$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when:
- DISA_STIG_RHEL_09_254030 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv6_conf_default_accept_ra | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84124-7
- DISA-STIG-RHEL-09-254030
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_default_accept_ra
- name: Disable Accepting Router Advertisements on all IPv6 Interfaces by Default - Comment out any occurrences of net.ipv6.conf.default.accept_ra
from config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*net.ipv6.conf.default.accept_ra
replace: '#net.ipv6.conf.default.accept_ra'
loop: '{{ find_all_values.stdout_lines }}'
when:
- DISA_STIG_RHEL_09_254030 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv6_conf_default_accept_ra | bool
- '"kernel-core" in ansible_facts.packages'
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines | length > find_correct_value.stdout_lines
| length
tags:
- CCE-84124-7
- DISA-STIG-RHEL-09-254030
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_default_accept_ra
- name: Disable Accepting Router Advertisements on all IPv6 Interfaces by Default - Ensure sysctl net.ipv6.conf.default.accept_ra
is set
ansible.posix.sysctl:
name: net.ipv6.conf.default.accept_ra
value: '{{ sysctl_net_ipv6_conf_default_accept_ra_value }}'
sysctl_file: /etc/sysctl.conf
state: present
reload: true
when:
- DISA_STIG_RHEL_09_254030 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv6_conf_default_accept_ra | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84124-7
- DISA-STIG-RHEL-09-254030
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_default_accept_ra
- name: Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces - Set fact for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /etc/sysctl.d/
- /run/sysctl.d/
- /usr/local/lib/sysctl.d/
when:
- DISA_STIG_RHEL_09_254035 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv6_conf_default_accept_redirects | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84113-0
- DISA-STIG-RHEL-09-254035
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_default_accept_redirects
- name: Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces - Find all files that contain
net.ipv6.conf.default.accept_redirects
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv6.conf.default.accept_redirects\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when:
- DISA_STIG_RHEL_09_254035 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv6_conf_default_accept_redirects | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84113-0
- DISA-STIG-RHEL-09-254035
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_default_accept_redirects
- name: Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces - Find all files that set net.ipv6.conf.default.accept_redirects
to correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv6.conf.default.accept_redirects\s*=\s*{{
sysctl_net_ipv6_conf_default_accept_redirects_value }}$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when:
- DISA_STIG_RHEL_09_254035 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv6_conf_default_accept_redirects | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84113-0
- DISA-STIG-RHEL-09-254035
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_default_accept_redirects
- name: Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces - Comment out any occurrences
of net.ipv6.conf.default.accept_redirects from config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*net.ipv6.conf.default.accept_redirects
replace: '#net.ipv6.conf.default.accept_redirects'
loop: '{{ find_all_values.stdout_lines }}'
when:
- DISA_STIG_RHEL_09_254035 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv6_conf_default_accept_redirects | bool
- '"kernel-core" in ansible_facts.packages'
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines | length > find_correct_value.stdout_lines
| length
tags:
- CCE-84113-0
- DISA-STIG-RHEL-09-254035
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_default_accept_redirects
- name: Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces - Ensure sysctl net.ipv6.conf.default.accept_redirects
is set
ansible.posix.sysctl:
name: net.ipv6.conf.default.accept_redirects
value: '{{ sysctl_net_ipv6_conf_default_accept_redirects_value }}'
sysctl_file: /etc/sysctl.conf
state: present
reload: true
when:
- DISA_STIG_RHEL_09_254035 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv6_conf_default_accept_redirects | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84113-0
- DISA-STIG-RHEL-09-254035
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_default_accept_redirects
- name: Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default - Set fact for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /etc/sysctl.d/
- /run/sysctl.d/
- /usr/local/lib/sysctl.d/
when:
- DISA_STIG_RHEL_09_254040 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv6_conf_default_accept_source_route | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84130-4
- DISA-STIG-RHEL-09-254040
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-6(b)
- NIST-800-53-CM-6.1(iv)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.2
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_default_accept_source_route
- name: Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default - Find all files that contain
net.ipv6.conf.default.accept_source_route
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv6.conf.default.accept_source_route\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when:
- DISA_STIG_RHEL_09_254040 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv6_conf_default_accept_source_route | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84130-4
- DISA-STIG-RHEL-09-254040
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-6(b)
- NIST-800-53-CM-6.1(iv)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.2
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_default_accept_source_route
- name: Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default - Find all files that set
net.ipv6.conf.default.accept_source_route to correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv6.conf.default.accept_source_route\s*=\s*{{
sysctl_net_ipv6_conf_default_accept_source_route_value }}$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when:
- DISA_STIG_RHEL_09_254040 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv6_conf_default_accept_source_route | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84130-4
- DISA-STIG-RHEL-09-254040
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-6(b)
- NIST-800-53-CM-6.1(iv)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.2
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_default_accept_source_route
- name: Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default - Comment out any occurrences
of net.ipv6.conf.default.accept_source_route from config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*net.ipv6.conf.default.accept_source_route
replace: '#net.ipv6.conf.default.accept_source_route'
loop: '{{ find_all_values.stdout_lines }}'
when:
- DISA_STIG_RHEL_09_254040 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv6_conf_default_accept_source_route | bool
- '"kernel-core" in ansible_facts.packages'
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines | length > find_correct_value.stdout_lines
| length
tags:
- CCE-84130-4
- DISA-STIG-RHEL-09-254040
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-6(b)
- NIST-800-53-CM-6.1(iv)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.2
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_default_accept_source_route
- name: Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default - Ensure sysctl net.ipv6.conf.default.accept_source_route
is set
ansible.posix.sysctl:
name: net.ipv6.conf.default.accept_source_route
value: '{{ sysctl_net_ipv6_conf_default_accept_source_route_value }}'
sysctl_file: /etc/sysctl.conf
state: present
reload: true
when:
- DISA_STIG_RHEL_09_254040 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv6_conf_default_accept_source_route | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84130-4
- DISA-STIG-RHEL-09-254040
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-6(b)
- NIST-800-53-CM-6.1(iv)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.2
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_default_accept_source_route
- name: Disable Accepting ICMP Redirects for All IPv4 Interfaces - Set fact for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /etc/sysctl.d/
- /run/sysctl.d/
- /usr/local/lib/sysctl.d/
when:
- DISA_STIG_RHEL_09_253015 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv4_conf_all_accept_redirects | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84011-6
- CJIS-5.10.1.1
- DISA-STIG-RHEL-09-253015
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-7(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_accept_redirects
- name: Disable Accepting ICMP Redirects for All IPv4 Interfaces - Find all files that contain net.ipv4.conf.all.accept_redirects
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv4.conf.all.accept_redirects\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when:
- DISA_STIG_RHEL_09_253015 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv4_conf_all_accept_redirects | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84011-6
- CJIS-5.10.1.1
- DISA-STIG-RHEL-09-253015
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-7(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_accept_redirects
- name: Disable Accepting ICMP Redirects for All IPv4 Interfaces - Find all files that set net.ipv4.conf.all.accept_redirects
to correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv4.conf.all.accept_redirects\s*=\s*{{
sysctl_net_ipv4_conf_all_accept_redirects_value }}$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when:
- DISA_STIG_RHEL_09_253015 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv4_conf_all_accept_redirects | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84011-6
- CJIS-5.10.1.1
- DISA-STIG-RHEL-09-253015
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-7(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_accept_redirects
- name: Disable Accepting ICMP Redirects for All IPv4 Interfaces - Comment out any occurrences of net.ipv4.conf.all.accept_redirects
from config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*net.ipv4.conf.all.accept_redirects
replace: '#net.ipv4.conf.all.accept_redirects'
loop: '{{ find_all_values.stdout_lines }}'
when:
- DISA_STIG_RHEL_09_253015 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv4_conf_all_accept_redirects | bool
- '"kernel-core" in ansible_facts.packages'
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines | length > find_correct_value.stdout_lines
| length
tags:
- CCE-84011-6
- CJIS-5.10.1.1
- DISA-STIG-RHEL-09-253015
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-7(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_accept_redirects
- name: Disable Accepting ICMP Redirects for All IPv4 Interfaces - Ensure sysctl net.ipv4.conf.all.accept_redirects is set
ansible.posix.sysctl:
name: net.ipv4.conf.all.accept_redirects
value: '{{ sysctl_net_ipv4_conf_all_accept_redirects_value }}'
sysctl_file: /etc/sysctl.conf
state: present
reload: true
when:
- DISA_STIG_RHEL_09_253015 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv4_conf_all_accept_redirects | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84011-6
- CJIS-5.10.1.1
- DISA-STIG-RHEL-09-253015
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-7(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_accept_redirects
- name: Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces - Set fact for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /etc/sysctl.d/
- /run/sysctl.d/
- /usr/local/lib/sysctl.d/
when:
- DISA_STIG_RHEL_09_253020 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv4_conf_all_accept_source_route | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84001-7
- DISA-STIG-RHEL-09-253020
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_accept_source_route
- name: Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces - Find all files that contain
net.ipv4.conf.all.accept_source_route
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv4.conf.all.accept_source_route\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when:
- DISA_STIG_RHEL_09_253020 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv4_conf_all_accept_source_route | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84001-7
- DISA-STIG-RHEL-09-253020
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_accept_source_route
- name: Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces - Find all files that set net.ipv4.conf.all.accept_source_route
to correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv4.conf.all.accept_source_route\s*=\s*{{
sysctl_net_ipv4_conf_all_accept_source_route_value }}$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when:
- DISA_STIG_RHEL_09_253020 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv4_conf_all_accept_source_route | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84001-7
- DISA-STIG-RHEL-09-253020
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_accept_source_route
- name: Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces - Comment out any occurrences
of net.ipv4.conf.all.accept_source_route from config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*net.ipv4.conf.all.accept_source_route
replace: '#net.ipv4.conf.all.accept_source_route'
loop: '{{ find_all_values.stdout_lines }}'
when:
- DISA_STIG_RHEL_09_253020 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv4_conf_all_accept_source_route | bool
- '"kernel-core" in ansible_facts.packages'
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines | length > find_correct_value.stdout_lines
| length
tags:
- CCE-84001-7
- DISA-STIG-RHEL-09-253020
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_accept_source_route
- name: Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces - Ensure sysctl net.ipv4.conf.all.accept_source_route
is set
ansible.posix.sysctl:
name: net.ipv4.conf.all.accept_source_route
value: '{{ sysctl_net_ipv4_conf_all_accept_source_route_value }}'
sysctl_file: /etc/sysctl.conf
state: present
reload: true
when:
- DISA_STIG_RHEL_09_253020 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv4_conf_all_accept_source_route | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84001-7
- DISA-STIG-RHEL-09-253020
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_accept_source_route
- name: Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces - Set fact for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /etc/sysctl.d/
- /run/sysctl.d/
- /usr/local/lib/sysctl.d/
when:
- DISA_STIG_RHEL_09_253025 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- reboot_required | bool
- sysctl_net_ipv4_conf_all_log_martians | bool
- unknown_severity | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84000-9
- DISA-STIG-RHEL-09-253025
- NIST-800-171-3.1.20
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5(3)(a)
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv4_conf_all_log_martians
- unknown_severity
- name: Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces - Find all files that contain net.ipv4.conf.all.log_martians
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv4.conf.all.log_martians\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when:
- DISA_STIG_RHEL_09_253025 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- reboot_required | bool
- sysctl_net_ipv4_conf_all_log_martians | bool
- unknown_severity | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84000-9
- DISA-STIG-RHEL-09-253025
- NIST-800-171-3.1.20
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5(3)(a)
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv4_conf_all_log_martians
- unknown_severity
- name: Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces - Find all files that set net.ipv4.conf.all.log_martians
to correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv4.conf.all.log_martians\s*=\s*{{
sysctl_net_ipv4_conf_all_log_martians_value }}$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when:
- DISA_STIG_RHEL_09_253025 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- reboot_required | bool
- sysctl_net_ipv4_conf_all_log_martians | bool
- unknown_severity | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84000-9
- DISA-STIG-RHEL-09-253025
- NIST-800-171-3.1.20
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5(3)(a)
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv4_conf_all_log_martians
- unknown_severity
- name: Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces - Comment out any occurrences of net.ipv4.conf.all.log_martians
from config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*net.ipv4.conf.all.log_martians
replace: '#net.ipv4.conf.all.log_martians'
loop: '{{ find_all_values.stdout_lines }}'
when:
- DISA_STIG_RHEL_09_253025 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- reboot_required | bool
- sysctl_net_ipv4_conf_all_log_martians | bool
- unknown_severity | bool
- '"kernel-core" in ansible_facts.packages'
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines | length > find_correct_value.stdout_lines
| length
tags:
- CCE-84000-9
- DISA-STIG-RHEL-09-253025
- NIST-800-171-3.1.20
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5(3)(a)
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv4_conf_all_log_martians
- unknown_severity
- name: Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces - Ensure sysctl net.ipv4.conf.all.log_martians
is set
ansible.posix.sysctl:
name: net.ipv4.conf.all.log_martians
value: '{{ sysctl_net_ipv4_conf_all_log_martians_value }}'
sysctl_file: /etc/sysctl.conf
state: present
reload: true
when:
- DISA_STIG_RHEL_09_253025 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- reboot_required | bool
- sysctl_net_ipv4_conf_all_log_martians | bool
- unknown_severity | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84000-9
- DISA-STIG-RHEL-09-253025
- NIST-800-171-3.1.20
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5(3)(a)
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv4_conf_all_log_martians
- unknown_severity
- name: Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces - Set fact for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /etc/sysctl.d/
- /run/sysctl.d/
- /usr/local/lib/sysctl.d/
when:
- DISA_STIG_RHEL_09_253035 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv4_conf_all_rp_filter | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84008-2
- DISA-STIG-RHEL-09-253035
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-7(a)
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_rp_filter
- name: Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces - Find all files that contain net.ipv4.conf.all.rp_filter
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv4.conf.all.rp_filter\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when:
- DISA_STIG_RHEL_09_253035 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv4_conf_all_rp_filter | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84008-2
- DISA-STIG-RHEL-09-253035
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-7(a)
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_rp_filter
- name: Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces - Find all files that set net.ipv4.conf.all.rp_filter
to correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv4.conf.all.rp_filter\s*=\s*{{
sysctl_net_ipv4_conf_all_rp_filter_value }}$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when:
- DISA_STIG_RHEL_09_253035 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv4_conf_all_rp_filter | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84008-2
- DISA-STIG-RHEL-09-253035
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-7(a)
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_rp_filter
- name: Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces - Comment out any occurrences of net.ipv4.conf.all.rp_filter
from config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*net.ipv4.conf.all.rp_filter
replace: '#net.ipv4.conf.all.rp_filter'
loop: '{{ find_all_values.stdout_lines }}'
when:
- DISA_STIG_RHEL_09_253035 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv4_conf_all_rp_filter | bool
- '"kernel-core" in ansible_facts.packages'
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines | length > find_correct_value.stdout_lines
| length
tags:
- CCE-84008-2
- DISA-STIG-RHEL-09-253035
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-7(a)
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_rp_filter
- name: Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces - Ensure sysctl net.ipv4.conf.all.rp_filter
is set
ansible.posix.sysctl:
name: net.ipv4.conf.all.rp_filter
value: '{{ sysctl_net_ipv4_conf_all_rp_filter_value }}'
sysctl_file: /etc/sysctl.conf
state: present
reload: true
when:
- DISA_STIG_RHEL_09_253035 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv4_conf_all_rp_filter | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84008-2
- DISA-STIG-RHEL-09-253035
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-7(a)
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_rp_filter
- name: Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces - Set fact for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /etc/sysctl.d/
- /run/sysctl.d/
- /usr/local/lib/sysctl.d/
when:
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv4_conf_all_secure_redirects | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84016-5
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-7(a)
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_secure_redirects
- name: Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces - Find all files that contain
net.ipv4.conf.all.secure_redirects
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv4.conf.all.secure_redirects\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when:
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv4_conf_all_secure_redirects | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84016-5
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-7(a)
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_secure_redirects
- name: Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces - Find all files that set net.ipv4.conf.all.secure_redirects
to correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv4.conf.all.secure_redirects\s*=\s*{{
sysctl_net_ipv4_conf_all_secure_redirects_value }}$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when:
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv4_conf_all_secure_redirects | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84016-5
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-7(a)
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_secure_redirects
- name: Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces - Comment out any occurrences
of net.ipv4.conf.all.secure_redirects from config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*net.ipv4.conf.all.secure_redirects
replace: '#net.ipv4.conf.all.secure_redirects'
loop: '{{ find_all_values.stdout_lines }}'
when:
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv4_conf_all_secure_redirects | bool
- '"kernel-core" in ansible_facts.packages'
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines | length > find_correct_value.stdout_lines
| length
tags:
- CCE-84016-5
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-7(a)
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_secure_redirects
- name: Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces - Ensure sysctl net.ipv4.conf.all.secure_redirects
is set
ansible.posix.sysctl:
name: net.ipv4.conf.all.secure_redirects
value: '{{ sysctl_net_ipv4_conf_all_secure_redirects_value }}'
sysctl_file: /etc/sysctl.conf
state: present
reload: true
when:
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv4_conf_all_secure_redirects | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84016-5
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-7(a)
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_secure_redirects
- name: Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces - Set fact for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /etc/sysctl.d/
- /run/sysctl.d/
- /usr/local/lib/sysctl.d/
when:
- DISA_STIG_RHEL_09_253040 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv4_conf_default_accept_redirects | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84003-3
- CJIS-5.10.1.1
- DISA-STIG-RHEL-09-253040
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-7(a)
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_accept_redirects
- name: Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces - Find all files that contain
net.ipv4.conf.default.accept_redirects
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv4.conf.default.accept_redirects\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when:
- DISA_STIG_RHEL_09_253040 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv4_conf_default_accept_redirects | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84003-3
- CJIS-5.10.1.1
- DISA-STIG-RHEL-09-253040
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-7(a)
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_accept_redirects
- name: Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces - Find all files that set net.ipv4.conf.default.accept_redirects
to correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv4.conf.default.accept_redirects\s*=\s*{{
sysctl_net_ipv4_conf_default_accept_redirects_value }}$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when:
- DISA_STIG_RHEL_09_253040 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv4_conf_default_accept_redirects | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84003-3
- CJIS-5.10.1.1
- DISA-STIG-RHEL-09-253040
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-7(a)
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_accept_redirects
- name: Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces - Comment out any occurrences
of net.ipv4.conf.default.accept_redirects from config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*net.ipv4.conf.default.accept_redirects
replace: '#net.ipv4.conf.default.accept_redirects'
loop: '{{ find_all_values.stdout_lines }}'
when:
- DISA_STIG_RHEL_09_253040 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv4_conf_default_accept_redirects | bool
- '"kernel-core" in ansible_facts.packages'
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines | length > find_correct_value.stdout_lines
| length
tags:
- CCE-84003-3
- CJIS-5.10.1.1
- DISA-STIG-RHEL-09-253040
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-7(a)
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_accept_redirects
- name: Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces - Ensure sysctl net.ipv4.conf.default.accept_redirects
is set
ansible.posix.sysctl:
name: net.ipv4.conf.default.accept_redirects
value: '{{ sysctl_net_ipv4_conf_default_accept_redirects_value }}'
sysctl_file: /etc/sysctl.conf
state: present
reload: true
when:
- DISA_STIG_RHEL_09_253040 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv4_conf_default_accept_redirects | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84003-3
- CJIS-5.10.1.1
- DISA-STIG-RHEL-09-253040
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-7(a)
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_accept_redirects
- name: Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default - Set fact for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /etc/sysctl.d/
- /run/sysctl.d/
- /usr/local/lib/sysctl.d/
when:
- DISA_STIG_RHEL_09_253045 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv4_conf_default_accept_source_route | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84007-4
- CJIS-5.10.1.1
- DISA-STIG-RHEL-09-253045
- NIST-800-171-3.1.20
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_accept_source_route
- name: Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default - Find all files that contain
net.ipv4.conf.default.accept_source_route
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv4.conf.default.accept_source_route\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when:
- DISA_STIG_RHEL_09_253045 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv4_conf_default_accept_source_route | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84007-4
- CJIS-5.10.1.1
- DISA-STIG-RHEL-09-253045
- NIST-800-171-3.1.20
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_accept_source_route
- name: Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default - Find all files that set
net.ipv4.conf.default.accept_source_route to correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv4.conf.default.accept_source_route\s*=\s*{{
sysctl_net_ipv4_conf_default_accept_source_route_value }}$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when:
- DISA_STIG_RHEL_09_253045 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv4_conf_default_accept_source_route | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84007-4
- CJIS-5.10.1.1
- DISA-STIG-RHEL-09-253045
- NIST-800-171-3.1.20
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_accept_source_route
- name: Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default - Comment out any occurrences
of net.ipv4.conf.default.accept_source_route from config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*net.ipv4.conf.default.accept_source_route
replace: '#net.ipv4.conf.default.accept_source_route'
loop: '{{ find_all_values.stdout_lines }}'
when:
- DISA_STIG_RHEL_09_253045 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv4_conf_default_accept_source_route | bool
- '"kernel-core" in ansible_facts.packages'
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines | length > find_correct_value.stdout_lines
| length
tags:
- CCE-84007-4
- CJIS-5.10.1.1
- DISA-STIG-RHEL-09-253045
- NIST-800-171-3.1.20
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_accept_source_route
- name: Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default - Ensure sysctl net.ipv4.conf.default.accept_source_route
is set
ansible.posix.sysctl:
name: net.ipv4.conf.default.accept_source_route
value: '{{ sysctl_net_ipv4_conf_default_accept_source_route_value }}'
sysctl_file: /etc/sysctl.conf
state: present
reload: true
when:
- DISA_STIG_RHEL_09_253045 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv4_conf_default_accept_source_route | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84007-4
- CJIS-5.10.1.1
- DISA-STIG-RHEL-09-253045
- NIST-800-171-3.1.20
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_accept_source_route
- name: Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces by Default - Set fact for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /etc/sysctl.d/
- /run/sysctl.d/
- /usr/local/lib/sysctl.d/
when:
- DISA_STIG_RHEL_09_253030 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- reboot_required | bool
- sysctl_net_ipv4_conf_default_log_martians | bool
- unknown_severity | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84014-0
- DISA-STIG-RHEL-09-253030
- NIST-800-171-3.1.20
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5(3)(a)
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv4_conf_default_log_martians
- unknown_severity
- name: Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces by Default - Find all files that contain net.ipv4.conf.default.log_martians
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv4.conf.default.log_martians\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when:
- DISA_STIG_RHEL_09_253030 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- reboot_required | bool
- sysctl_net_ipv4_conf_default_log_martians | bool
- unknown_severity | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84014-0
- DISA-STIG-RHEL-09-253030
- NIST-800-171-3.1.20
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5(3)(a)
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv4_conf_default_log_martians
- unknown_severity
- name: Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces by Default - Find all files that set net.ipv4.conf.default.log_martians
to correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv4.conf.default.log_martians\s*=\s*{{
sysctl_net_ipv4_conf_default_log_martians_value }}$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when:
- DISA_STIG_RHEL_09_253030 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- reboot_required | bool
- sysctl_net_ipv4_conf_default_log_martians | bool
- unknown_severity | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84014-0
- DISA-STIG-RHEL-09-253030
- NIST-800-171-3.1.20
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5(3)(a)
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv4_conf_default_log_martians
- unknown_severity
- name: Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces by Default - Comment out any occurrences of
net.ipv4.conf.default.log_martians from config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*net.ipv4.conf.default.log_martians
replace: '#net.ipv4.conf.default.log_martians'
loop: '{{ find_all_values.stdout_lines }}'
when:
- DISA_STIG_RHEL_09_253030 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- reboot_required | bool
- sysctl_net_ipv4_conf_default_log_martians | bool
- unknown_severity | bool
- '"kernel-core" in ansible_facts.packages'
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines | length > find_correct_value.stdout_lines
| length
tags:
- CCE-84014-0
- DISA-STIG-RHEL-09-253030
- NIST-800-171-3.1.20
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5(3)(a)
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv4_conf_default_log_martians
- unknown_severity
- name: Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces by Default - Ensure sysctl net.ipv4.conf.default.log_martians
is set
ansible.posix.sysctl:
name: net.ipv4.conf.default.log_martians
value: '{{ sysctl_net_ipv4_conf_default_log_martians_value }}'
sysctl_file: /etc/sysctl.conf
state: present
reload: true
when:
- DISA_STIG_RHEL_09_253030 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- reboot_required | bool
- sysctl_net_ipv4_conf_default_log_martians | bool
- unknown_severity | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84014-0
- DISA-STIG-RHEL-09-253030
- NIST-800-171-3.1.20
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5(3)(a)
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv4_conf_default_log_martians
- unknown_severity
- name: Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default - Set fact for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /etc/sysctl.d/
- /run/sysctl.d/
- /usr/local/lib/sysctl.d/
when:
- DISA_STIG_RHEL_09_253050 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv4_conf_default_rp_filter | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84009-0
- DISA-STIG-RHEL-09-253050
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-7(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_rp_filter
- name: Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default - Find all files that contain
net.ipv4.conf.default.rp_filter
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv4.conf.default.rp_filter\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when:
- DISA_STIG_RHEL_09_253050 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv4_conf_default_rp_filter | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84009-0
- DISA-STIG-RHEL-09-253050
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-7(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_rp_filter
- name: Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default - Find all files that set
net.ipv4.conf.default.rp_filter to correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv4.conf.default.rp_filter\s*=\s*{{
sysctl_net_ipv4_conf_default_rp_filter_value }}$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when:
- DISA_STIG_RHEL_09_253050 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv4_conf_default_rp_filter | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84009-0
- DISA-STIG-RHEL-09-253050
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-7(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_rp_filter
- name: Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default - Comment out any occurrences
of net.ipv4.conf.default.rp_filter from config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*net.ipv4.conf.default.rp_filter
replace: '#net.ipv4.conf.default.rp_filter'
loop: '{{ find_all_values.stdout_lines }}'
when:
- DISA_STIG_RHEL_09_253050 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv4_conf_default_rp_filter | bool
- '"kernel-core" in ansible_facts.packages'
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines | length > find_correct_value.stdout_lines
| length
tags:
- CCE-84009-0
- DISA-STIG-RHEL-09-253050
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-7(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_rp_filter
- name: Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default - Ensure sysctl net.ipv4.conf.default.rp_filter
is set
ansible.posix.sysctl:
name: net.ipv4.conf.default.rp_filter
value: '{{ sysctl_net_ipv4_conf_default_rp_filter_value }}'
sysctl_file: /etc/sysctl.conf
state: present
reload: true
when:
- DISA_STIG_RHEL_09_253050 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv4_conf_default_rp_filter | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84009-0
- DISA-STIG-RHEL-09-253050
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-7(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_rp_filter
- name: Configure Kernel Parameter for Accepting Secure Redirects By Default - Set fact for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /etc/sysctl.d/
- /run/sysctl.d/
- /usr/local/lib/sysctl.d/
when:
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv4_conf_default_secure_redirects | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84019-9
- NIST-800-171-3.1.20
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_secure_redirects
- name: Configure Kernel Parameter for Accepting Secure Redirects By Default - Find all files that contain net.ipv4.conf.default.secure_redirects
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv4.conf.default.secure_redirects\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when:
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv4_conf_default_secure_redirects | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84019-9
- NIST-800-171-3.1.20
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_secure_redirects
- name: Configure Kernel Parameter for Accepting Secure Redirects By Default - Find all files that set net.ipv4.conf.default.secure_redirects
to correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv4.conf.default.secure_redirects\s*=\s*{{
sysctl_net_ipv4_conf_default_secure_redirects_value }}$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when:
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv4_conf_default_secure_redirects | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84019-9
- NIST-800-171-3.1.20
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_secure_redirects
- name: Configure Kernel Parameter for Accepting Secure Redirects By Default - Comment out any occurrences of net.ipv4.conf.default.secure_redirects
from config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*net.ipv4.conf.default.secure_redirects
replace: '#net.ipv4.conf.default.secure_redirects'
loop: '{{ find_all_values.stdout_lines }}'
when:
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv4_conf_default_secure_redirects | bool
- '"kernel-core" in ansible_facts.packages'
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines | length > find_correct_value.stdout_lines
| length
tags:
- CCE-84019-9
- NIST-800-171-3.1.20
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_secure_redirects
- name: Configure Kernel Parameter for Accepting Secure Redirects By Default - Ensure sysctl net.ipv4.conf.default.secure_redirects
is set
ansible.posix.sysctl:
name: net.ipv4.conf.default.secure_redirects
value: '{{ sysctl_net_ipv4_conf_default_secure_redirects_value }}'
sysctl_file: /etc/sysctl.conf
state: present
reload: true
when:
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv4_conf_default_secure_redirects | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84019-9
- NIST-800-171-3.1.20
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_secure_redirects
- name: Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces - Set fact for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /etc/sysctl.d/
- /run/sysctl.d/
- /usr/local/lib/sysctl.d/
when:
- DISA_STIG_RHEL_09_253055 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv4_icmp_echo_ignore_broadcasts | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84004-1
- CJIS-5.10.1.1
- DISA-STIG-RHEL-09-253055
- NIST-800-171-3.1.20
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.2
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_icmp_echo_ignore_broadcasts
- name: Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces - Find all files that contain net.ipv4.icmp_echo_ignore_broadcasts
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when:
- DISA_STIG_RHEL_09_253055 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv4_icmp_echo_ignore_broadcasts | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84004-1
- CJIS-5.10.1.1
- DISA-STIG-RHEL-09-253055
- NIST-800-171-3.1.20
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.2
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_icmp_echo_ignore_broadcasts
- name: Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces - Find all files that set net.ipv4.icmp_echo_ignore_broadcasts
to correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*{{
sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value }}$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when:
- DISA_STIG_RHEL_09_253055 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv4_icmp_echo_ignore_broadcasts | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84004-1
- CJIS-5.10.1.1
- DISA-STIG-RHEL-09-253055
- NIST-800-171-3.1.20
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.2
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_icmp_echo_ignore_broadcasts
- name: Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces - Comment out any occurrences of
net.ipv4.icmp_echo_ignore_broadcasts from config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*net.ipv4.icmp_echo_ignore_broadcasts
replace: '#net.ipv4.icmp_echo_ignore_broadcasts'
loop: '{{ find_all_values.stdout_lines }}'
when:
- DISA_STIG_RHEL_09_253055 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv4_icmp_echo_ignore_broadcasts | bool
- '"kernel-core" in ansible_facts.packages'
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines | length > find_correct_value.stdout_lines
| length
tags:
- CCE-84004-1
- CJIS-5.10.1.1
- DISA-STIG-RHEL-09-253055
- NIST-800-171-3.1.20
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.2
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_icmp_echo_ignore_broadcasts
- name: Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces - Ensure sysctl net.ipv4.icmp_echo_ignore_broadcasts
is set
ansible.posix.sysctl:
name: net.ipv4.icmp_echo_ignore_broadcasts
value: '{{ sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value }}'
sysctl_file: /etc/sysctl.conf
state: present
reload: true
when:
- DISA_STIG_RHEL_09_253055 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv4_icmp_echo_ignore_broadcasts | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84004-1
- CJIS-5.10.1.1
- DISA-STIG-RHEL-09-253055
- NIST-800-171-3.1.20
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.2
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_icmp_echo_ignore_broadcasts
- name: Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces - Set fact for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /etc/sysctl.d/
- /run/sysctl.d/
- /usr/local/lib/sysctl.d/
when:
- DISA_STIG_RHEL_09_253060 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- reboot_required | bool
- sysctl_net_ipv4_icmp_ignore_bogus_error_responses | bool
- unknown_severity | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84015-7
- DISA-STIG-RHEL-09-253060
- NIST-800-171-3.1.20
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.2
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv4_icmp_ignore_bogus_error_responses
- unknown_severity
- name: Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces - Find all files that contain net.ipv4.icmp_ignore_bogus_error_responses
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when:
- DISA_STIG_RHEL_09_253060 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- reboot_required | bool
- sysctl_net_ipv4_icmp_ignore_bogus_error_responses | bool
- unknown_severity | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84015-7
- DISA-STIG-RHEL-09-253060
- NIST-800-171-3.1.20
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.2
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv4_icmp_ignore_bogus_error_responses
- unknown_severity
- name: Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces - Find all files that set net.ipv4.icmp_ignore_bogus_error_responses
to correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*{{
sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value }}$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when:
- DISA_STIG_RHEL_09_253060 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- reboot_required | bool
- sysctl_net_ipv4_icmp_ignore_bogus_error_responses | bool
- unknown_severity | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84015-7
- DISA-STIG-RHEL-09-253060
- NIST-800-171-3.1.20
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.2
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv4_icmp_ignore_bogus_error_responses
- unknown_severity
- name: Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces - Comment out any occurrences of net.ipv4.icmp_ignore_bogus_error_responses
from config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*net.ipv4.icmp_ignore_bogus_error_responses
replace: '#net.ipv4.icmp_ignore_bogus_error_responses'
loop: '{{ find_all_values.stdout_lines }}'
when:
- DISA_STIG_RHEL_09_253060 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- reboot_required | bool
- sysctl_net_ipv4_icmp_ignore_bogus_error_responses | bool
- unknown_severity | bool
- '"kernel-core" in ansible_facts.packages'
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines | length > find_correct_value.stdout_lines
| length
tags:
- CCE-84015-7
- DISA-STIG-RHEL-09-253060
- NIST-800-171-3.1.20
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.2
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv4_icmp_ignore_bogus_error_responses
- unknown_severity
- name: Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces - Ensure sysctl net.ipv4.icmp_ignore_bogus_error_responses
is set
ansible.posix.sysctl:
name: net.ipv4.icmp_ignore_bogus_error_responses
value: '{{ sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value }}'
sysctl_file: /etc/sysctl.conf
state: present
reload: true
when:
- DISA_STIG_RHEL_09_253060 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- reboot_required | bool
- sysctl_net_ipv4_icmp_ignore_bogus_error_responses | bool
- unknown_severity | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84015-7
- DISA-STIG-RHEL-09-253060
- NIST-800-171-3.1.20
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.2
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv4_icmp_ignore_bogus_error_responses
- unknown_severity
- name: Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces - Set fact for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /etc/sysctl.d/
- /run/sysctl.d/
- /usr/local/lib/sysctl.d/
when:
- DISA_STIG_RHEL_09_253010 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv4_tcp_syncookies | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84006-6
- CJIS-5.10.1.1
- DISA-STIG-RHEL-09-253010
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5(1)
- NIST-800-53-SC-5(2)
- NIST-800-53-SC-5(3)(a)
- PCI-DSS-Req-1.4.1
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_tcp_syncookies
- name: Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces - Find all files that contain net.ipv4.tcp_syncookies
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv4.tcp_syncookies\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when:
- DISA_STIG_RHEL_09_253010 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv4_tcp_syncookies | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84006-6
- CJIS-5.10.1.1
- DISA-STIG-RHEL-09-253010
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5(1)
- NIST-800-53-SC-5(2)
- NIST-800-53-SC-5(3)(a)
- PCI-DSS-Req-1.4.1
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_tcp_syncookies
- name: Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces - Find all files that set net.ipv4.tcp_syncookies
to correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv4.tcp_syncookies\s*=\s*{{
sysctl_net_ipv4_tcp_syncookies_value }}$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when:
- DISA_STIG_RHEL_09_253010 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv4_tcp_syncookies | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84006-6
- CJIS-5.10.1.1
- DISA-STIG-RHEL-09-253010
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5(1)
- NIST-800-53-SC-5(2)
- NIST-800-53-SC-5(3)(a)
- PCI-DSS-Req-1.4.1
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_tcp_syncookies
- name: Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces - Comment out any occurrences of net.ipv4.tcp_syncookies
from config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*net.ipv4.tcp_syncookies
replace: '#net.ipv4.tcp_syncookies'
loop: '{{ find_all_values.stdout_lines }}'
when:
- DISA_STIG_RHEL_09_253010 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv4_tcp_syncookies | bool
- '"kernel-core" in ansible_facts.packages'
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines | length > find_correct_value.stdout_lines
| length
tags:
- CCE-84006-6
- CJIS-5.10.1.1
- DISA-STIG-RHEL-09-253010
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5(1)
- NIST-800-53-SC-5(2)
- NIST-800-53-SC-5(3)(a)
- PCI-DSS-Req-1.4.1
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_tcp_syncookies
- name: Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces - Ensure sysctl net.ipv4.tcp_syncookies is set
ansible.posix.sysctl:
name: net.ipv4.tcp_syncookies
value: '{{ sysctl_net_ipv4_tcp_syncookies_value }}'
sysctl_file: /etc/sysctl.conf
state: present
reload: true
when:
- DISA_STIG_RHEL_09_253010 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv4_tcp_syncookies | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84006-6
- CJIS-5.10.1.1
- DISA-STIG-RHEL-09-253010
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5(1)
- NIST-800-53-SC-5(2)
- NIST-800-53-SC-5(3)(a)
- PCI-DSS-Req-1.4.1
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_tcp_syncookies
- name: Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces - Set fact for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /etc/sysctl.d/
- /run/sysctl.d/
- /usr/local/lib/sysctl.d/
when:
- DISA_STIG_RHEL_09_253065 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv4_conf_all_send_redirects | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83997-7
- CJIS-5.10.1.1
- DISA-STIG-RHEL-09-253065
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.5
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_send_redirects
- name: Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces - Find all files that contain net.ipv4.conf.all.send_redirects
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv4.conf.all.send_redirects\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when:
- DISA_STIG_RHEL_09_253065 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv4_conf_all_send_redirects | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83997-7
- CJIS-5.10.1.1
- DISA-STIG-RHEL-09-253065
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.5
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_send_redirects
- name: Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces - Find all files that set net.ipv4.conf.all.send_redirects
to correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv4.conf.all.send_redirects\s*=\s*0$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when:
- DISA_STIG_RHEL_09_253065 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv4_conf_all_send_redirects | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83997-7
- CJIS-5.10.1.1
- DISA-STIG-RHEL-09-253065
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.5
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_send_redirects
- name: Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces - Comment out any occurrences of net.ipv4.conf.all.send_redirects
from config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*net.ipv4.conf.all.send_redirects
replace: '#net.ipv4.conf.all.send_redirects'
loop: '{{ find_all_values.stdout_lines }}'
when:
- DISA_STIG_RHEL_09_253065 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv4_conf_all_send_redirects | bool
- '"kernel-core" in ansible_facts.packages'
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines | length > find_correct_value.stdout_lines
| length
tags:
- CCE-83997-7
- CJIS-5.10.1.1
- DISA-STIG-RHEL-09-253065
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.5
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_send_redirects
- name: Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces - Ensure sysctl net.ipv4.conf.all.send_redirects
is set to 0
ansible.posix.sysctl:
name: net.ipv4.conf.all.send_redirects
value: '0'
sysctl_file: /etc/sysctl.conf
state: present
reload: true
when:
- DISA_STIG_RHEL_09_253065 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv4_conf_all_send_redirects | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83997-7
- CJIS-5.10.1.1
- DISA-STIG-RHEL-09-253065
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.5
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_send_redirects
- name: Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default - Set fact for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /etc/sysctl.d/
- /run/sysctl.d/
- /usr/local/lib/sysctl.d/
when:
- DISA_STIG_RHEL_09_253070 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv4_conf_default_send_redirects | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83999-3
- CJIS-5.10.1.1
- DISA-STIG-RHEL-09-253070
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.5
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_send_redirects
- name: Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default - Find all files that contain
net.ipv4.conf.default.send_redirects
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv4.conf.default.send_redirects\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when:
- DISA_STIG_RHEL_09_253070 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv4_conf_default_send_redirects | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83999-3
- CJIS-5.10.1.1
- DISA-STIG-RHEL-09-253070
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.5
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_send_redirects
- name: Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default - Find all files that set net.ipv4.conf.default.send_redirects
to correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv4.conf.default.send_redirects\s*=\s*0$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when:
- DISA_STIG_RHEL_09_253070 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv4_conf_default_send_redirects | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83999-3
- CJIS-5.10.1.1
- DISA-STIG-RHEL-09-253070
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.5
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_send_redirects
- name: Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default - Comment out any occurrences
of net.ipv4.conf.default.send_redirects from config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*net.ipv4.conf.default.send_redirects
replace: '#net.ipv4.conf.default.send_redirects'
loop: '{{ find_all_values.stdout_lines }}'
when:
- DISA_STIG_RHEL_09_253070 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv4_conf_default_send_redirects | bool
- '"kernel-core" in ansible_facts.packages'
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines | length > find_correct_value.stdout_lines
| length
tags:
- CCE-83999-3
- CJIS-5.10.1.1
- DISA-STIG-RHEL-09-253070
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.5
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_send_redirects
- name: Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default - Ensure sysctl net.ipv4.conf.default.send_redirects
is set to 0
ansible.posix.sysctl:
name: net.ipv4.conf.default.send_redirects
value: '0'
sysctl_file: /etc/sysctl.conf
state: present
reload: true
when:
- DISA_STIG_RHEL_09_253070 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv4_conf_default_send_redirects | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83999-3
- CJIS-5.10.1.1
- DISA-STIG-RHEL-09-253070
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.5
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_send_redirects
- name: Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces - Set fact for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /etc/sysctl.d/
- /run/sysctl.d/
- /usr/local/lib/sysctl.d/
when:
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv4_ip_forward | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83998-5
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- PCI-DSS-Req-1.3.1
- PCI-DSS-Req-1.3.2
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_ip_forward
- name: Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces - Find all files that contain net.ipv4.ip_forward
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv4.ip_forward\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when:
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv4_ip_forward | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83998-5
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- PCI-DSS-Req-1.3.1
- PCI-DSS-Req-1.3.2
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_ip_forward
- name: Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces - Find all files that set net.ipv4.ip_forward to correct
value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*net.ipv4.ip_forward\s*=\s*0$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when:
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv4_ip_forward | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83998-5
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- PCI-DSS-Req-1.3.1
- PCI-DSS-Req-1.3.2
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_ip_forward
- name: Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces - Comment out any occurrences of net.ipv4.ip_forward
from config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*net.ipv4.ip_forward
replace: '#net.ipv4.ip_forward'
loop: '{{ find_all_values.stdout_lines }}'
when:
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv4_ip_forward | bool
- '"kernel-core" in ansible_facts.packages'
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines | length > find_correct_value.stdout_lines
| length
tags:
- CCE-83998-5
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- PCI-DSS-Req-1.3.1
- PCI-DSS-Req-1.3.2
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_ip_forward
- name: Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces - Ensure sysctl net.ipv4.ip_forward is set to 0
ansible.posix.sysctl:
name: net.ipv4.ip_forward
value: '0'
sysctl_file: /etc/sysctl.conf
state: present
reload: true
when:
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_net_ipv4_ip_forward | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83998-5
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- PCI-DSS-Req-1.3.1
- PCI-DSS-Req-1.3.2
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_ip_forward
- name: Ensure kernel module 'dccp' is disabled
ansible.builtin.lineinfile:
create: true
dest: /etc/modprobe.d/dccp.conf
regexp: install\s+dccp
line: install dccp /bin/false
when:
- disable_strategy | bool
- kernel_module_dccp_disabled | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84136-1
- CJIS-5.10.1
- NIST-800-171-3.4.6
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSS-Req-1.4.2
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.2
- disable_strategy
- kernel_module_dccp_disabled
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- name: Ensure kernel module 'dccp' is blacklisted
ansible.builtin.lineinfile:
create: true
dest: /etc/modprobe.d/dccp.conf
regexp: ^blacklist dccp$
line: blacklist dccp
when:
- disable_strategy | bool
- kernel_module_dccp_disabled | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84136-1
- CJIS-5.10.1
- NIST-800-171-3.4.6
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSS-Req-1.4.2
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.2
- disable_strategy
- kernel_module_dccp_disabled
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- name: Ensure kernel module 'rds' is disabled
ansible.builtin.lineinfile:
create: true
dest: /etc/modprobe.d/rds.conf
regexp: install\s+rds
line: install rds /bin/false
when:
- disable_strategy | bool
- kernel_module_rds_disabled | bool
- low_complexity | bool
- low_severity | bool
- medium_disruption | bool
- reboot_required | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84064-5
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- kernel_module_rds_disabled
- low_complexity
- low_severity
- medium_disruption
- reboot_required
- name: Ensure kernel module 'rds' is blacklisted
ansible.builtin.lineinfile:
create: true
dest: /etc/modprobe.d/rds.conf
regexp: ^blacklist rds$
line: blacklist rds
when:
- disable_strategy | bool
- kernel_module_rds_disabled | bool
- low_complexity | bool
- low_severity | bool
- medium_disruption | bool
- reboot_required | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84064-5
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- kernel_module_rds_disabled
- low_complexity
- low_severity
- medium_disruption
- reboot_required
- name: Ensure kernel module 'sctp' is disabled
ansible.builtin.lineinfile:
create: true
dest: /etc/modprobe.d/sctp.conf
regexp: install\s+sctp
line: install sctp /bin/false
when:
- DISA_STIG_RHEL_09_213060 | bool
- disable_strategy | bool
- kernel_module_sctp_disabled | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84139-5
- CJIS-5.10.1
- DISA-STIG-RHEL-09-213060
- NIST-800-171-3.4.6
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSS-Req-1.4.2
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.2
- disable_strategy
- kernel_module_sctp_disabled
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- name: Ensure kernel module 'sctp' is blacklisted
ansible.builtin.lineinfile:
create: true
dest: /etc/modprobe.d/sctp.conf
regexp: ^blacklist sctp$
line: blacklist sctp
when:
- DISA_STIG_RHEL_09_213060 | bool
- disable_strategy | bool
- kernel_module_sctp_disabled | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84139-5
- CJIS-5.10.1
- DISA-STIG-RHEL-09-213060
- NIST-800-171-3.4.6
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSS-Req-1.4.2
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.2
- disable_strategy
- kernel_module_sctp_disabled
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- name: Ensure kernel module 'tipc' is disabled
ansible.builtin.lineinfile:
create: true
dest: /etc/modprobe.d/tipc.conf
regexp: install\s+tipc
line: install tipc /bin/false
when:
- DISA_STIG_RHEL_09_213065 | bool
- disable_strategy | bool
- kernel_module_tipc_disabled | bool
- low_complexity | bool
- low_severity | bool
- medium_disruption | bool
- reboot_required | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84065-2
- DISA-STIG-RHEL-09-213065
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- kernel_module_tipc_disabled
- low_complexity
- low_severity
- medium_disruption
- reboot_required
- name: Ensure kernel module 'tipc' is blacklisted
ansible.builtin.lineinfile:
create: true
dest: /etc/modprobe.d/tipc.conf
regexp: ^blacklist tipc$
line: blacklist tipc
when:
- DISA_STIG_RHEL_09_213065 | bool
- disable_strategy | bool
- kernel_module_tipc_disabled | bool
- low_complexity | bool
- low_severity | bool
- medium_disruption | bool
- reboot_required | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84065-2
- DISA-STIG-RHEL-09-213065
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- kernel_module_tipc_disabled
- low_complexity
- low_severity
- medium_disruption
- reboot_required
- name: NetworkManager Deactivate Wireless Network Interfaces
ansible.builtin.command: nmcli radio wifi off
when:
- DISA_STIG_RHEL_09_291040 | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- unknown_strategy | bool
- wireless_disable_interfaces | bool
- ( not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '''NetworkManager'' in ansible_facts.packages'
- ansible_facts.services['NetworkManager.service'].state == 'running'
tags:
- CCE-84066-0
- DISA-STIG-RHEL-09-291040
- NIST-800-171-3.1.16
- NIST-800-53-AC-18(3)
- NIST-800-53-AC-18(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- PCI-DSS-Req-1.3.3
- PCI-DSSv4-1.3
- PCI-DSSv4-1.3.3
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- unknown_strategy
- wireless_disable_interfaces
- name: Verify that All World-Writable Directories Have Sticky Bits Set - Define Excluded (Non-Local) File Systems and Paths
ansible.builtin.set_fact:
excluded_fstypes:
- afs
- autofs
- ceph
- cifs
- smb3
- smbfs
- sshfs
- ncpfs
- ncp
- nfs
- nfs4
- gfs
- gfs2
- glusterfs
- gpfs
- pvfs2
- ocfs2
- lustre
- davfs
- fuse.sshfs
excluded_paths:
- dev
- proc
- run
- sys
search_paths: []
tags:
- CCE-83895-3
- DISA-STIG-RHEL-09-232245
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- dir_perms_world_writable_sticky_bits
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
when:
- DISA_STIG_RHEL_09_232245 | bool
- dir_perms_world_writable_sticky_bits | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- name: Verify that All World-Writable Directories Have Sticky Bits Set - Find Relevant Root Directories Ignoring Pre-Defined
Excluded Paths
ansible.builtin.find:
paths: /
file_type: directory
excludes: '{{ excluded_paths }}'
hidden: true
recurse: false
register: result_relevant_root_dirs
tags:
- CCE-83895-3
- DISA-STIG-RHEL-09-232245
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- dir_perms_world_writable_sticky_bits
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
when:
- DISA_STIG_RHEL_09_232245 | bool
- dir_perms_world_writable_sticky_bits | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- name: Verify that All World-Writable Directories Have Sticky Bits Set - Include Relevant Root Directories in a List of Paths
to be Searched
ansible.builtin.set_fact:
search_paths: '{{ search_paths | union([item.path]) }}'
loop: '{{ result_relevant_root_dirs.files }}'
tags:
- CCE-83895-3
- DISA-STIG-RHEL-09-232245
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- dir_perms_world_writable_sticky_bits
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
when:
- DISA_STIG_RHEL_09_232245 | bool
- dir_perms_world_writable_sticky_bits | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- name: Verify that All World-Writable Directories Have Sticky Bits Set - Increment Search Paths List with Local Partitions
Mount Points
ansible.builtin.set_fact:
search_paths: '{{ search_paths | union([item.mount]) }}'
loop: '{{ ansible_mounts }}'
when:
- DISA_STIG_RHEL_09_232245 | bool
- dir_perms_world_writable_sticky_bits | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- item.fstype not in excluded_fstypes
- item.mount != '/'
tags:
- CCE-83895-3
- DISA-STIG-RHEL-09-232245
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- dir_perms_world_writable_sticky_bits
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Verify that All World-Writable Directories Have Sticky Bits Set - Increment Search Paths List with Local NFS File
System Targets
ansible.builtin.set_fact:
search_paths: '{{ search_paths | union([item.device.split('':'')[1]]) }}'
loop: '{{ ansible_mounts }}'
when:
- DISA_STIG_RHEL_09_232245 | bool
- dir_perms_world_writable_sticky_bits | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- item.device is search("localhost:")
tags:
- CCE-83895-3
- DISA-STIG-RHEL-09-232245
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- dir_perms_world_writable_sticky_bits
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Verify that All World-Writable Directories Have Sticky Bits Set - Define Rule Specific Facts
ansible.builtin.set_fact:
world_writable_dirs: []
tags:
- CCE-83895-3
- DISA-STIG-RHEL-09-232245
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- dir_perms_world_writable_sticky_bits
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
when:
- DISA_STIG_RHEL_09_232245 | bool
- dir_perms_world_writable_sticky_bits | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- name: Verify that All World-Writable Directories Have Sticky Bits Set - Find All Uncompliant Directories in Local File Systems
ansible.builtin.command:
cmd: find {{ item }} -xdev -type d ( -perm -0002 -a ! -perm -1000 )
loop: '{{ search_paths }}'
changed_when: false
register: result_found_dirs
tags:
- CCE-83895-3
- DISA-STIG-RHEL-09-232245
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- dir_perms_world_writable_sticky_bits
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
when:
- DISA_STIG_RHEL_09_232245 | bool
- dir_perms_world_writable_sticky_bits | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- name: Verify that All World-Writable Directories Have Sticky Bits Set - Create List of World Writable Directories Without
Sticky Bit
ansible.builtin.set_fact:
world_writable_dirs: '{{ world_writable_dirs | union(item.stdout_lines) | list }}'
loop: '{{ result_found_dirs.results }}'
when:
- DISA_STIG_RHEL_09_232245 | bool
- dir_perms_world_writable_sticky_bits | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- result_found_dirs is not skipped and item is not skipped
tags:
- CCE-83895-3
- DISA-STIG-RHEL-09-232245
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- dir_perms_world_writable_sticky_bits
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Verify that All World-Writable Directories Have Sticky Bits Set - Ensure Sticky Bit is Set on Local World Writable
Directories
ansible.builtin.file:
path: '{{ item }}'
mode: a+t
loop: '{{ world_writable_dirs }}'
tags:
- CCE-83895-3
- DISA-STIG-RHEL-09-232245
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- dir_perms_world_writable_sticky_bits
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
when:
- DISA_STIG_RHEL_09_232245 | bool
- dir_perms_world_writable_sticky_bits | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- name: Verify Permissions and Ownership of Old Passwords File
ansible.builtin.file:
path: /etc/security/opasswd
owner: root
group: root
mode: 384
state: touch
modification_time: preserve
access_time: preserve
tags:
- CCE-86762-2
- file_etc_security_opasswd
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
when:
- file_etc_security_opasswd | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- name: Set the file_groupowner_backup_etc_group_newgroup variable if represented by gid
ansible.builtin.set_fact:
file_groupowner_backup_etc_group_newgroup: '0'
tags:
- CCE-83928-2
- DISA-STIG-RHEL-09-232105
- NIST-800-53-AC-6 (1)
- PCI-DSS-Req-8.7
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_groupowner_backup_etc_group
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
when:
- DISA_STIG_RHEL_09_232105 | bool
- configure_strategy | bool
- file_groupowner_backup_etc_group | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- name: Test for existence /etc/group-
ansible.builtin.stat:
path: /etc/group-
register: file_exists
tags:
- CCE-83928-2
- DISA-STIG-RHEL-09-232105
- NIST-800-53-AC-6 (1)
- PCI-DSS-Req-8.7
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_groupowner_backup_etc_group
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
when:
- DISA_STIG_RHEL_09_232105 | bool
- configure_strategy | bool
- file_groupowner_backup_etc_group | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- name: Ensure group owner on /etc/group-
ansible.builtin.file:
path: /etc/group-
follow: false
group: '{{ file_groupowner_backup_etc_group_newgroup }}'
when:
- DISA_STIG_RHEL_09_232105 | bool
- configure_strategy | bool
- file_groupowner_backup_etc_group | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-83928-2
- DISA-STIG-RHEL-09-232105
- NIST-800-53-AC-6 (1)
- PCI-DSS-Req-8.7
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_groupowner_backup_etc_group
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set the file_groupowner_backup_etc_gshadow_newgroup variable if represented by gid
ansible.builtin.set_fact:
file_groupowner_backup_etc_gshadow_newgroup: '0'
tags:
- CCE-83951-4
- DISA-STIG-RHEL-09-232125
- NIST-800-53-AC-6 (1)
- PCI-DSS-Req-8.7
- configure_strategy
- file_groupowner_backup_etc_gshadow
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
when:
- DISA_STIG_RHEL_09_232125 | bool
- configure_strategy | bool
- file_groupowner_backup_etc_gshadow | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- name: Test for existence /etc/gshadow-
ansible.builtin.stat:
path: /etc/gshadow-
register: file_exists
tags:
- CCE-83951-4
- DISA-STIG-RHEL-09-232125
- NIST-800-53-AC-6 (1)
- PCI-DSS-Req-8.7
- configure_strategy
- file_groupowner_backup_etc_gshadow
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
when:
- DISA_STIG_RHEL_09_232125 | bool
- configure_strategy | bool
- file_groupowner_backup_etc_gshadow | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- name: Ensure group owner on /etc/gshadow-
ansible.builtin.file:
path: /etc/gshadow-
follow: false
group: '{{ file_groupowner_backup_etc_gshadow_newgroup }}'
when:
- DISA_STIG_RHEL_09_232125 | bool
- configure_strategy | bool
- file_groupowner_backup_etc_gshadow | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-83951-4
- DISA-STIG-RHEL-09-232125
- NIST-800-53-AC-6 (1)
- PCI-DSS-Req-8.7
- configure_strategy
- file_groupowner_backup_etc_gshadow
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set the file_groupowner_backup_etc_passwd_newgroup variable if represented by gid
ansible.builtin.set_fact:
file_groupowner_backup_etc_passwd_newgroup: '0'
tags:
- CCE-83933-2
- DISA-STIG-RHEL-09-232145
- NIST-800-53-AC-6 (1)
- PCI-DSS-Req-8.7
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_groupowner_backup_etc_passwd
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
when:
- DISA_STIG_RHEL_09_232145 | bool
- configure_strategy | bool
- file_groupowner_backup_etc_passwd | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- name: Test for existence /etc/passwd-
ansible.builtin.stat:
path: /etc/passwd-
register: file_exists
tags:
- CCE-83933-2
- DISA-STIG-RHEL-09-232145
- NIST-800-53-AC-6 (1)
- PCI-DSS-Req-8.7
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_groupowner_backup_etc_passwd
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
when:
- DISA_STIG_RHEL_09_232145 | bool
- configure_strategy | bool
- file_groupowner_backup_etc_passwd | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- name: Ensure group owner on /etc/passwd-
ansible.builtin.file:
path: /etc/passwd-
follow: false
group: '{{ file_groupowner_backup_etc_passwd_newgroup }}'
when:
- DISA_STIG_RHEL_09_232145 | bool
- configure_strategy | bool
- file_groupowner_backup_etc_passwd | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-83933-2
- DISA-STIG-RHEL-09-232145
- NIST-800-53-AC-6 (1)
- PCI-DSS-Req-8.7
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_groupowner_backup_etc_passwd
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set the file_groupowner_backup_etc_shadow_newgroup variable if represented by gid
ansible.builtin.set_fact:
file_groupowner_backup_etc_shadow_newgroup: '0'
tags:
- CCE-83938-1
- DISA-STIG-RHEL-09-232165
- PCI-DSS-Req-8.7
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_groupowner_backup_etc_shadow
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
when:
- DISA_STIG_RHEL_09_232165 | bool
- configure_strategy | bool
- file_groupowner_backup_etc_shadow | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- name: Test for existence /etc/shadow-
ansible.builtin.stat:
path: /etc/shadow-
register: file_exists
tags:
- CCE-83938-1
- DISA-STIG-RHEL-09-232165
- PCI-DSS-Req-8.7
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_groupowner_backup_etc_shadow
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
when:
- DISA_STIG_RHEL_09_232165 | bool
- configure_strategy | bool
- file_groupowner_backup_etc_shadow | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- name: Ensure group owner on /etc/shadow-
ansible.builtin.file:
path: /etc/shadow-
follow: false
group: '{{ file_groupowner_backup_etc_shadow_newgroup }}'
when:
- DISA_STIG_RHEL_09_232165 | bool
- configure_strategy | bool
- file_groupowner_backup_etc_shadow | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-83938-1
- DISA-STIG-RHEL-09-232165
- PCI-DSS-Req-8.7
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_groupowner_backup_etc_shadow
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set the file_groupowner_etc_group_newgroup variable if represented by gid
ansible.builtin.set_fact:
file_groupowner_etc_group_newgroup: '0'
tags:
- CCE-83945-6
- CJIS-5.5.2.2
- DISA-STIG-RHEL-09-232095
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.7.c
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_groupowner_etc_group
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
when:
- DISA_STIG_RHEL_09_232095 | bool
- configure_strategy | bool
- file_groupowner_etc_group | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- name: Test for existence /etc/group
ansible.builtin.stat:
path: /etc/group
register: file_exists
tags:
- CCE-83945-6
- CJIS-5.5.2.2
- DISA-STIG-RHEL-09-232095
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.7.c
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_groupowner_etc_group
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
when:
- DISA_STIG_RHEL_09_232095 | bool
- configure_strategy | bool
- file_groupowner_etc_group | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- name: Ensure group owner on /etc/group
ansible.builtin.file:
path: /etc/group
follow: false
group: '{{ file_groupowner_etc_group_newgroup }}'
when:
- DISA_STIG_RHEL_09_232095 | bool
- configure_strategy | bool
- file_groupowner_etc_group | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-83945-6
- CJIS-5.5.2.2
- DISA-STIG-RHEL-09-232095
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.7.c
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_groupowner_etc_group
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set the file_groupowner_etc_gshadow_newgroup variable if represented by gid
ansible.builtin.set_fact:
file_groupowner_etc_gshadow_newgroup: '0'
tags:
- CCE-83948-0
- DISA-STIG-RHEL-09-232115
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- configure_strategy
- file_groupowner_etc_gshadow
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
when:
- DISA_STIG_RHEL_09_232115 | bool
- configure_strategy | bool
- file_groupowner_etc_gshadow | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- name: Test for existence /etc/gshadow
ansible.builtin.stat:
path: /etc/gshadow
register: file_exists
tags:
- CCE-83948-0
- DISA-STIG-RHEL-09-232115
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- configure_strategy
- file_groupowner_etc_gshadow
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
when:
- DISA_STIG_RHEL_09_232115 | bool
- configure_strategy | bool
- file_groupowner_etc_gshadow | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- name: Ensure group owner on /etc/gshadow
ansible.builtin.file:
path: /etc/gshadow
follow: false
group: '{{ file_groupowner_etc_gshadow_newgroup }}'
when:
- DISA_STIG_RHEL_09_232115 | bool
- configure_strategy | bool
- file_groupowner_etc_gshadow | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-83948-0
- DISA-STIG-RHEL-09-232115
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- configure_strategy
- file_groupowner_etc_gshadow
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set the file_groupowner_etc_passwd_newgroup variable if represented by gid
ansible.builtin.set_fact:
file_groupowner_etc_passwd_newgroup: '0'
tags:
- CCE-83950-6
- CJIS-5.5.2.2
- DISA-STIG-RHEL-09-232135
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.7.c
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_groupowner_etc_passwd
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
when:
- DISA_STIG_RHEL_09_232135 | bool
- configure_strategy | bool
- file_groupowner_etc_passwd | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- name: Test for existence /etc/passwd
ansible.builtin.stat:
path: /etc/passwd
register: file_exists
tags:
- CCE-83950-6
- CJIS-5.5.2.2
- DISA-STIG-RHEL-09-232135
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.7.c
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_groupowner_etc_passwd
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
when:
- DISA_STIG_RHEL_09_232135 | bool
- configure_strategy | bool
- file_groupowner_etc_passwd | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- name: Ensure group owner on /etc/passwd
ansible.builtin.file:
path: /etc/passwd
follow: false
group: '{{ file_groupowner_etc_passwd_newgroup }}'
when:
- DISA_STIG_RHEL_09_232135 | bool
- configure_strategy | bool
- file_groupowner_etc_passwd | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-83950-6
- CJIS-5.5.2.2
- DISA-STIG-RHEL-09-232135
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.7.c
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_groupowner_etc_passwd
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set the file_groupowner_etc_shadow_newgroup variable if represented by gid
ansible.builtin.set_fact:
file_groupowner_etc_shadow_newgroup: '0'
tags:
- CCE-83930-8
- CJIS-5.5.2.2
- DISA-STIG-RHEL-09-232155
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.7.c
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_groupowner_etc_shadow
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
when:
- DISA_STIG_RHEL_09_232155 | bool
- configure_strategy | bool
- file_groupowner_etc_shadow | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- name: Test for existence /etc/shadow
ansible.builtin.stat:
path: /etc/shadow
register: file_exists
tags:
- CCE-83930-8
- CJIS-5.5.2.2
- DISA-STIG-RHEL-09-232155
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.7.c
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_groupowner_etc_shadow
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
when:
- DISA_STIG_RHEL_09_232155 | bool
- configure_strategy | bool
- file_groupowner_etc_shadow | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- name: Ensure group owner on /etc/shadow
ansible.builtin.file:
path: /etc/shadow
follow: false
group: '{{ file_groupowner_etc_shadow_newgroup }}'
when:
- DISA_STIG_RHEL_09_232155 | bool
- configure_strategy | bool
- file_groupowner_etc_shadow | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-83930-8
- CJIS-5.5.2.2
- DISA-STIG-RHEL-09-232155
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.7.c
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_groupowner_etc_shadow
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set the file_groupowner_etc_shells_newgroup variable if represented by gid
ansible.builtin.set_fact:
file_groupowner_etc_shells_newgroup: '0'
tags:
- CCE-90434-2
- NIST-800-53-AC-3
- NIST-800-53-MP-2
- configure_strategy
- file_groupowner_etc_shells
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
when:
- configure_strategy | bool
- file_groupowner_etc_shells | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- name: Test for existence /etc/shells
ansible.builtin.stat:
path: /etc/shells
register: file_exists
tags:
- CCE-90434-2
- NIST-800-53-AC-3
- NIST-800-53-MP-2
- configure_strategy
- file_groupowner_etc_shells
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
when:
- configure_strategy | bool
- file_groupowner_etc_shells | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- name: Ensure group owner on /etc/shells
ansible.builtin.file:
path: /etc/shells
follow: false
group: '{{ file_groupowner_etc_shells_newgroup }}'
when:
- configure_strategy | bool
- file_groupowner_etc_shells | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-90434-2
- NIST-800-53-AC-3
- NIST-800-53-MP-2
- configure_strategy
- file_groupowner_etc_shells
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set the file_owner_backup_etc_group_newown variable if represented by uid
ansible.builtin.set_fact:
file_owner_backup_etc_group_newown: '0'
tags:
- CCE-83944-9
- DISA-STIG-RHEL-09-232100
- NIST-800-53-AC-6 (1)
- PCI-DSS-Req-8.7.c
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_owner_backup_etc_group
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
when:
- DISA_STIG_RHEL_09_232100 | bool
- configure_strategy | bool
- file_owner_backup_etc_group | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- name: Test for existence /etc/group-
ansible.builtin.stat:
path: /etc/group-
register: file_exists
tags:
- CCE-83944-9
- DISA-STIG-RHEL-09-232100
- NIST-800-53-AC-6 (1)
- PCI-DSS-Req-8.7.c
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_owner_backup_etc_group
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
when:
- DISA_STIG_RHEL_09_232100 | bool
- configure_strategy | bool
- file_owner_backup_etc_group | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- name: Ensure owner on /etc/group-
ansible.builtin.file:
path: /etc/group-
follow: false
owner: '{{ file_owner_backup_etc_group_newown }}'
when:
- DISA_STIG_RHEL_09_232100 | bool
- configure_strategy | bool
- file_owner_backup_etc_group | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-83944-9
- DISA-STIG-RHEL-09-232100
- NIST-800-53-AC-6 (1)
- PCI-DSS-Req-8.7.c
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_owner_backup_etc_group
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set the file_owner_backup_etc_gshadow_newown variable if represented by uid
ansible.builtin.set_fact:
file_owner_backup_etc_gshadow_newown: '0'
tags:
- CCE-83929-0
- DISA-STIG-RHEL-09-232120
- NIST-800-53-AC-6 (1)
- PCI-DSS-Req-8.7
- configure_strategy
- file_owner_backup_etc_gshadow
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
when:
- DISA_STIG_RHEL_09_232120 | bool
- configure_strategy | bool
- file_owner_backup_etc_gshadow | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- name: Test for existence /etc/gshadow-
ansible.builtin.stat:
path: /etc/gshadow-
register: file_exists
tags:
- CCE-83929-0
- DISA-STIG-RHEL-09-232120
- NIST-800-53-AC-6 (1)
- PCI-DSS-Req-8.7
- configure_strategy
- file_owner_backup_etc_gshadow
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
when:
- DISA_STIG_RHEL_09_232120 | bool
- configure_strategy | bool
- file_owner_backup_etc_gshadow | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- name: Ensure owner on /etc/gshadow-
ansible.builtin.file:
path: /etc/gshadow-
follow: false
owner: '{{ file_owner_backup_etc_gshadow_newown }}'
when:
- DISA_STIG_RHEL_09_232120 | bool
- configure_strategy | bool
- file_owner_backup_etc_gshadow | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-83929-0
- DISA-STIG-RHEL-09-232120
- NIST-800-53-AC-6 (1)
- PCI-DSS-Req-8.7
- configure_strategy
- file_owner_backup_etc_gshadow
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set the file_owner_backup_etc_passwd_newown variable if represented by uid
ansible.builtin.set_fact:
file_owner_backup_etc_passwd_newown: '0'
tags:
- CCE-83947-2
- DISA-STIG-RHEL-09-232140
- NIST-800-53-AC-6 (1)
- PCI-DSS-Req-8.7.c
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_owner_backup_etc_passwd
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
when:
- DISA_STIG_RHEL_09_232140 | bool
- configure_strategy | bool
- file_owner_backup_etc_passwd | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- name: Test for existence /etc/passwd-
ansible.builtin.stat:
path: /etc/passwd-
register: file_exists
tags:
- CCE-83947-2
- DISA-STIG-RHEL-09-232140
- NIST-800-53-AC-6 (1)
- PCI-DSS-Req-8.7.c
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_owner_backup_etc_passwd
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
when:
- DISA_STIG_RHEL_09_232140 | bool
- configure_strategy | bool
- file_owner_backup_etc_passwd | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- name: Ensure owner on /etc/passwd-
ansible.builtin.file:
path: /etc/passwd-
follow: false
owner: '{{ file_owner_backup_etc_passwd_newown }}'
when:
- DISA_STIG_RHEL_09_232140 | bool
- configure_strategy | bool
- file_owner_backup_etc_passwd | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-83947-2
- DISA-STIG-RHEL-09-232140
- NIST-800-53-AC-6 (1)
- PCI-DSS-Req-8.7.c
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_owner_backup_etc_passwd
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set the file_owner_backup_etc_shadow_newown variable if represented by uid
ansible.builtin.set_fact:
file_owner_backup_etc_shadow_newown: '0'
tags:
- CCE-83949-8
- DISA-STIG-RHEL-09-232160
- NIST-800-53-AC-6 (1)
- PCI-DSS-Req-8.7.c
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_owner_backup_etc_shadow
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
when:
- DISA_STIG_RHEL_09_232160 | bool
- configure_strategy | bool
- file_owner_backup_etc_shadow | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- name: Test for existence /etc/shadow-
ansible.builtin.stat:
path: /etc/shadow-
register: file_exists
tags:
- CCE-83949-8
- DISA-STIG-RHEL-09-232160
- NIST-800-53-AC-6 (1)
- PCI-DSS-Req-8.7.c
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_owner_backup_etc_shadow
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
when:
- DISA_STIG_RHEL_09_232160 | bool
- configure_strategy | bool
- file_owner_backup_etc_shadow | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- name: Ensure owner on /etc/shadow-
ansible.builtin.file:
path: /etc/shadow-
follow: false
owner: '{{ file_owner_backup_etc_shadow_newown }}'
when:
- DISA_STIG_RHEL_09_232160 | bool
- configure_strategy | bool
- file_owner_backup_etc_shadow | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-83949-8
- DISA-STIG-RHEL-09-232160
- NIST-800-53-AC-6 (1)
- PCI-DSS-Req-8.7.c
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_owner_backup_etc_shadow
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set the file_owner_etc_group_newown variable if represented by uid
ansible.builtin.set_fact:
file_owner_etc_group_newown: '0'
tags:
- CCE-83925-8
- CJIS-5.5.2.2
- DISA-STIG-RHEL-09-232090
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.7.c
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_owner_etc_group
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
when:
- DISA_STIG_RHEL_09_232090 | bool
- configure_strategy | bool
- file_owner_etc_group | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- name: Test for existence /etc/group
ansible.builtin.stat:
path: /etc/group
register: file_exists
tags:
- CCE-83925-8
- CJIS-5.5.2.2
- DISA-STIG-RHEL-09-232090
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.7.c
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_owner_etc_group
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
when:
- DISA_STIG_RHEL_09_232090 | bool
- configure_strategy | bool
- file_owner_etc_group | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- name: Ensure owner on /etc/group
ansible.builtin.file:
path: /etc/group
follow: false
owner: '{{ file_owner_etc_group_newown }}'
when:
- DISA_STIG_RHEL_09_232090 | bool
- configure_strategy | bool
- file_owner_etc_group | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-83925-8
- CJIS-5.5.2.2
- DISA-STIG-RHEL-09-232090
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.7.c
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_owner_etc_group
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set the file_owner_etc_gshadow_newown variable if represented by uid
ansible.builtin.set_fact:
file_owner_etc_gshadow_newown: '0'
tags:
- CCE-83924-1
- DISA-STIG-RHEL-09-232110
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- configure_strategy
- file_owner_etc_gshadow
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
when:
- DISA_STIG_RHEL_09_232110 | bool
- configure_strategy | bool
- file_owner_etc_gshadow | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- name: Test for existence /etc/gshadow
ansible.builtin.stat:
path: /etc/gshadow
register: file_exists
tags:
- CCE-83924-1
- DISA-STIG-RHEL-09-232110
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- configure_strategy
- file_owner_etc_gshadow
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
when:
- DISA_STIG_RHEL_09_232110 | bool
- configure_strategy | bool
- file_owner_etc_gshadow | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- name: Ensure owner on /etc/gshadow
ansible.builtin.file:
path: /etc/gshadow
follow: false
owner: '{{ file_owner_etc_gshadow_newown }}'
when:
- DISA_STIG_RHEL_09_232110 | bool
- configure_strategy | bool
- file_owner_etc_gshadow | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-83924-1
- DISA-STIG-RHEL-09-232110
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- configure_strategy
- file_owner_etc_gshadow
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set the file_owner_etc_passwd_newown variable if represented by uid
ansible.builtin.set_fact:
file_owner_etc_passwd_newown: '0'
tags:
- CCE-83943-1
- CJIS-5.5.2.2
- DISA-STIG-RHEL-09-232130
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.7.c
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_owner_etc_passwd
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
when:
- DISA_STIG_RHEL_09_232130 | bool
- configure_strategy | bool
- file_owner_etc_passwd | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- name: Test for existence /etc/passwd
ansible.builtin.stat:
path: /etc/passwd
register: file_exists
tags:
- CCE-83943-1
- CJIS-5.5.2.2
- DISA-STIG-RHEL-09-232130
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.7.c
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_owner_etc_passwd
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
when:
- DISA_STIG_RHEL_09_232130 | bool
- configure_strategy | bool
- file_owner_etc_passwd | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- name: Ensure owner on /etc/passwd
ansible.builtin.file:
path: /etc/passwd
follow: false
owner: '{{ file_owner_etc_passwd_newown }}'
when:
- DISA_STIG_RHEL_09_232130 | bool
- configure_strategy | bool
- file_owner_etc_passwd | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-83943-1
- CJIS-5.5.2.2
- DISA-STIG-RHEL-09-232130
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.7.c
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_owner_etc_passwd
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set the file_owner_etc_shadow_newown variable if represented by uid
ansible.builtin.set_fact:
file_owner_etc_shadow_newown: '0'
tags:
- CCE-83926-6
- CJIS-5.5.2.2
- DISA-STIG-RHEL-09-232150
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.7.c
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_owner_etc_shadow
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
when:
- DISA_STIG_RHEL_09_232150 | bool
- configure_strategy | bool
- file_owner_etc_shadow | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- name: Test for existence /etc/shadow
ansible.builtin.stat:
path: /etc/shadow
register: file_exists
tags:
- CCE-83926-6
- CJIS-5.5.2.2
- DISA-STIG-RHEL-09-232150
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.7.c
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_owner_etc_shadow
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
when:
- DISA_STIG_RHEL_09_232150 | bool
- configure_strategy | bool
- file_owner_etc_shadow | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- name: Ensure owner on /etc/shadow
ansible.builtin.file:
path: /etc/shadow
follow: false
owner: '{{ file_owner_etc_shadow_newown }}'
when:
- DISA_STIG_RHEL_09_232150 | bool
- configure_strategy | bool
- file_owner_etc_shadow | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-83926-6
- CJIS-5.5.2.2
- DISA-STIG-RHEL-09-232150
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.7.c
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_owner_etc_shadow
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set the file_owner_etc_shells_newown variable if represented by uid
ansible.builtin.set_fact:
file_owner_etc_shells_newown: '0'
tags:
- CCE-90435-9
- NIST-800-53-AC-3
- NIST-800-53-MP-2
- configure_strategy
- file_owner_etc_shells
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
when:
- configure_strategy | bool
- file_owner_etc_shells | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- name: Test for existence /etc/shells
ansible.builtin.stat:
path: /etc/shells
register: file_exists
tags:
- CCE-90435-9
- NIST-800-53-AC-3
- NIST-800-53-MP-2
- configure_strategy
- file_owner_etc_shells
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
when:
- configure_strategy | bool
- file_owner_etc_shells | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- name: Ensure owner on /etc/shells
ansible.builtin.file:
path: /etc/shells
follow: false
owner: '{{ file_owner_etc_shells_newown }}'
when:
- configure_strategy | bool
- file_owner_etc_shells | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-90435-9
- NIST-800-53-AC-3
- NIST-800-53-MP-2
- configure_strategy
- file_owner_etc_shells
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Test for existence /etc/group-
ansible.builtin.stat:
path: /etc/group-
register: file_exists
tags:
- CCE-83939-9
- DISA-STIG-RHEL-09-232060
- NIST-800-53-AC-6 (1)
- PCI-DSS-Req-8.7.c
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_permissions_backup_etc_group
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
when:
- DISA_STIG_RHEL_09_232060 | bool
- configure_strategy | bool
- file_permissions_backup_etc_group | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- name: Ensure permission u-xs,g-xws,o-xwt on /etc/group-
ansible.builtin.file:
path: /etc/group-
mode: u-xs,g-xws,o-xwt
when:
- DISA_STIG_RHEL_09_232060 | bool
- configure_strategy | bool
- file_permissions_backup_etc_group | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-83939-9
- DISA-STIG-RHEL-09-232060
- NIST-800-53-AC-6 (1)
- PCI-DSS-Req-8.7.c
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_permissions_backup_etc_group
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Test for existence /etc/gshadow-
ansible.builtin.stat:
path: /etc/gshadow-
register: file_exists
tags:
- CCE-83942-3
- DISA-STIG-RHEL-09-232070
- NIST-800-53-AC-6 (1)
- configure_strategy
- file_permissions_backup_etc_gshadow
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
when:
- DISA_STIG_RHEL_09_232070 | bool
- configure_strategy | bool
- file_permissions_backup_etc_gshadow | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- name: Ensure permission u-xwrs,g-xwrs,o-xwrt on /etc/gshadow-
ansible.builtin.file:
path: /etc/gshadow-
mode: u-xwrs,g-xwrs,o-xwrt
when:
- DISA_STIG_RHEL_09_232070 | bool
- configure_strategy | bool
- file_permissions_backup_etc_gshadow | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-83942-3
- DISA-STIG-RHEL-09-232070
- NIST-800-53-AC-6 (1)
- configure_strategy
- file_permissions_backup_etc_gshadow
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Test for existence /etc/passwd-
ansible.builtin.stat:
path: /etc/passwd-
register: file_exists
tags:
- CCE-83940-7
- DISA-STIG-RHEL-09-232080
- NIST-800-53-AC-6 (1)
- PCI-DSS-Req-8.7.c
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_permissions_backup_etc_passwd
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
when:
- DISA_STIG_RHEL_09_232080 | bool
- configure_strategy | bool
- file_permissions_backup_etc_passwd | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- name: Ensure permission u-xs,g-xws,o-xwt on /etc/passwd-
ansible.builtin.file:
path: /etc/passwd-
mode: u-xs,g-xws,o-xwt
when:
- DISA_STIG_RHEL_09_232080 | bool
- configure_strategy | bool
- file_permissions_backup_etc_passwd | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-83940-7
- DISA-STIG-RHEL-09-232080
- NIST-800-53-AC-6 (1)
- PCI-DSS-Req-8.7.c
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_permissions_backup_etc_passwd
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Test for existence /etc/shadow-
ansible.builtin.stat:
path: /etc/shadow-
register: file_exists
tags:
- CCE-83935-7
- DISA-STIG-RHEL-09-232085
- NIST-800-53-AC-6 (1)
- PCI-DSS-Req-8.7.c
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_permissions_backup_etc_shadow
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
when:
- DISA_STIG_RHEL_09_232085 | bool
- configure_strategy | bool
- file_permissions_backup_etc_shadow | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- name: Ensure permission u-xwrs,g-xwrs,o-xwrt on /etc/shadow-
ansible.builtin.file:
path: /etc/shadow-
mode: u-xwrs,g-xwrs,o-xwrt
when:
- DISA_STIG_RHEL_09_232085 | bool
- configure_strategy | bool
- file_permissions_backup_etc_shadow | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-83935-7
- DISA-STIG-RHEL-09-232085
- NIST-800-53-AC-6 (1)
- PCI-DSS-Req-8.7.c
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_permissions_backup_etc_shadow
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Test for existence /etc/group
ansible.builtin.stat:
path: /etc/group
register: file_exists
tags:
- CCE-83934-0
- CJIS-5.5.2.2
- DISA-STIG-RHEL-09-232055
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.7.c
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_permissions_etc_group
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
when:
- DISA_STIG_RHEL_09_232055 | bool
- configure_strategy | bool
- file_permissions_etc_group | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- name: Ensure permission u-xs,g-xws,o-xwt on /etc/group
ansible.builtin.file:
path: /etc/group
mode: u-xs,g-xws,o-xwt
when:
- DISA_STIG_RHEL_09_232055 | bool
- configure_strategy | bool
- file_permissions_etc_group | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-83934-0
- CJIS-5.5.2.2
- DISA-STIG-RHEL-09-232055
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.7.c
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_permissions_etc_group
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Test for existence /etc/gshadow
ansible.builtin.stat:
path: /etc/gshadow
register: file_exists
tags:
- CCE-83921-7
- DISA-STIG-RHEL-09-232065
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- configure_strategy
- file_permissions_etc_gshadow
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
when:
- DISA_STIG_RHEL_09_232065 | bool
- configure_strategy | bool
- file_permissions_etc_gshadow | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- name: Ensure permission u-xwrs,g-xwrs,o-xwrt on /etc/gshadow
ansible.builtin.file:
path: /etc/gshadow
mode: u-xwrs,g-xwrs,o-xwrt
when:
- DISA_STIG_RHEL_09_232065 | bool
- configure_strategy | bool
- file_permissions_etc_gshadow | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-83921-7
- DISA-STIG-RHEL-09-232065
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- configure_strategy
- file_permissions_etc_gshadow
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Test for existence /etc/passwd
ansible.builtin.stat:
path: /etc/passwd
register: file_exists
tags:
- CCE-83931-6
- CJIS-5.5.2.2
- DISA-STIG-RHEL-09-232075
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.7.c
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_permissions_etc_passwd
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
when:
- DISA_STIG_RHEL_09_232075 | bool
- configure_strategy | bool
- file_permissions_etc_passwd | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- name: Ensure permission u-xs,g-xws,o-xwt on /etc/passwd
ansible.builtin.file:
path: /etc/passwd
mode: u-xs,g-xws,o-xwt
when:
- DISA_STIG_RHEL_09_232075 | bool
- configure_strategy | bool
- file_permissions_etc_passwd | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-83931-6
- CJIS-5.5.2.2
- DISA-STIG-RHEL-09-232075
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.7.c
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_permissions_etc_passwd
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Test for existence /etc/shadow
ansible.builtin.stat:
path: /etc/shadow
register: file_exists
tags:
- CCE-83941-5
- CJIS-5.5.2.2
- DISA-STIG-RHEL-09-232270
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.7.c
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_permissions_etc_shadow
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
when:
- DISA_STIG_RHEL_09_232270 | bool
- configure_strategy | bool
- file_permissions_etc_shadow | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- name: Ensure permission u-xwrs,g-xwrs,o-xwrt on /etc/shadow
ansible.builtin.file:
path: /etc/shadow
mode: u-xwrs,g-xwrs,o-xwrt
when:
- DISA_STIG_RHEL_09_232270 | bool
- configure_strategy | bool
- file_permissions_etc_shadow | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-83941-5
- CJIS-5.5.2.2
- DISA-STIG-RHEL-09-232270
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.7.c
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_permissions_etc_shadow
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Test for existence /etc/shells
ansible.builtin.stat:
path: /etc/shells
register: file_exists
tags:
- CCE-90432-6
- NIST-800-53-AC-3
- NIST-800-53-MP-2
- configure_strategy
- file_permissions_etc_shells
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
when:
- configure_strategy | bool
- file_permissions_etc_shells | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- name: Ensure permission u-xs,g-xws,o-xwt on /etc/shells
ansible.builtin.file:
path: /etc/shells
mode: u-xs,g-xws,o-xwt
when:
- configure_strategy | bool
- file_permissions_etc_shells | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-90432-6
- NIST-800-53-AC-3
- NIST-800-53-MP-2
- configure_strategy
- file_permissions_etc_shells
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure kernel module 'cramfs' is disabled
ansible.builtin.lineinfile:
create: true
dest: /etc/modprobe.d/cramfs.conf
regexp: install\s+cramfs
line: install cramfs /bin/false
when:
- DISA_STIG_RHEL_09_231195 | bool
- disable_strategy | bool
- kernel_module_cramfs_disabled | bool
- low_complexity | bool
- low_severity | bool
- medium_disruption | bool
- reboot_required | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83853-2
- DISA-STIG-RHEL-09-231195
- NIST-800-171-3.4.6
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- kernel_module_cramfs_disabled
- low_complexity
- low_severity
- medium_disruption
- reboot_required
- name: Ensure kernel module 'cramfs' is blacklisted
ansible.builtin.lineinfile:
create: true
dest: /etc/modprobe.d/cramfs.conf
regexp: ^blacklist cramfs$
line: blacklist cramfs
when:
- DISA_STIG_RHEL_09_231195 | bool
- disable_strategy | bool
- kernel_module_cramfs_disabled | bool
- low_complexity | bool
- low_severity | bool
- medium_disruption | bool
- reboot_required | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83853-2
- DISA-STIG-RHEL-09-231195
- NIST-800-171-3.4.6
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- kernel_module_cramfs_disabled
- low_complexity
- low_severity
- medium_disruption
- reboot_required
- name: Ensure kernel module 'freevxfs' is disabled
ansible.builtin.lineinfile:
create: true
dest: /etc/modprobe.d/freevxfs.conf
regexp: install\s+freevxfs
line: install freevxfs /bin/false
when:
- disable_strategy | bool
- kernel_module_freevxfs_disabled | bool
- low_complexity | bool
- low_severity | bool
- medium_disruption | bool
- reboot_required | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86763-0
- NIST-800-171-3.4.6
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- kernel_module_freevxfs_disabled
- low_complexity
- low_severity
- medium_disruption
- reboot_required
- name: Ensure kernel module 'freevxfs' is blacklisted
ansible.builtin.lineinfile:
create: true
dest: /etc/modprobe.d/freevxfs.conf
regexp: ^blacklist freevxfs$
line: blacklist freevxfs
when:
- disable_strategy | bool
- kernel_module_freevxfs_disabled | bool
- low_complexity | bool
- low_severity | bool
- medium_disruption | bool
- reboot_required | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86763-0
- NIST-800-171-3.4.6
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- kernel_module_freevxfs_disabled
- low_complexity
- low_severity
- medium_disruption
- reboot_required
- name: Ensure kernel module 'hfs' is disabled
ansible.builtin.lineinfile:
create: true
dest: /etc/modprobe.d/hfs.conf
regexp: install\s+hfs
line: install hfs /bin/false
when:
- disable_strategy | bool
- kernel_module_hfs_disabled | bool
- low_complexity | bool
- low_severity | bool
- medium_disruption | bool
- reboot_required | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86764-8
- NIST-800-171-3.4.6
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- kernel_module_hfs_disabled
- low_complexity
- low_severity
- medium_disruption
- reboot_required
- name: Ensure kernel module 'hfs' is blacklisted
ansible.builtin.lineinfile:
create: true
dest: /etc/modprobe.d/hfs.conf
regexp: ^blacklist hfs$
line: blacklist hfs
when:
- disable_strategy | bool
- kernel_module_hfs_disabled | bool
- low_complexity | bool
- low_severity | bool
- medium_disruption | bool
- reboot_required | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86764-8
- NIST-800-171-3.4.6
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- kernel_module_hfs_disabled
- low_complexity
- low_severity
- medium_disruption
- reboot_required
- name: Ensure kernel module 'hfsplus' is disabled
ansible.builtin.lineinfile:
create: true
dest: /etc/modprobe.d/hfsplus.conf
regexp: install\s+hfsplus
line: install hfsplus /bin/false
when:
- disable_strategy | bool
- kernel_module_hfsplus_disabled | bool
- low_complexity | bool
- low_severity | bool
- medium_disruption | bool
- reboot_required | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86765-5
- NIST-800-171-3.4.6
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- kernel_module_hfsplus_disabled
- low_complexity
- low_severity
- medium_disruption
- reboot_required
- name: Ensure kernel module 'hfsplus' is blacklisted
ansible.builtin.lineinfile:
create: true
dest: /etc/modprobe.d/hfsplus.conf
regexp: ^blacklist hfsplus$
line: blacklist hfsplus
when:
- disable_strategy | bool
- kernel_module_hfsplus_disabled | bool
- low_complexity | bool
- low_severity | bool
- medium_disruption | bool
- reboot_required | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86765-5
- NIST-800-171-3.4.6
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- kernel_module_hfsplus_disabled
- low_complexity
- low_severity
- medium_disruption
- reboot_required
- name: Ensure kernel module 'jffs2' is disabled
ansible.builtin.lineinfile:
create: true
dest: /etc/modprobe.d/jffs2.conf
regexp: install\s+jffs2
line: install jffs2 /bin/false
when:
- disable_strategy | bool
- kernel_module_jffs2_disabled | bool
- low_complexity | bool
- low_severity | bool
- medium_disruption | bool
- reboot_required | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86766-3
- NIST-800-171-3.4.6
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- kernel_module_jffs2_disabled
- low_complexity
- low_severity
- medium_disruption
- reboot_required
- name: Ensure kernel module 'jffs2' is blacklisted
ansible.builtin.lineinfile:
create: true
dest: /etc/modprobe.d/jffs2.conf
regexp: ^blacklist jffs2$
line: blacklist jffs2
when:
- disable_strategy | bool
- kernel_module_jffs2_disabled | bool
- low_complexity | bool
- low_severity | bool
- medium_disruption | bool
- reboot_required | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86766-3
- NIST-800-171-3.4.6
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- kernel_module_jffs2_disabled
- low_complexity
- low_severity
- medium_disruption
- reboot_required
- name: Ensure kernel module 'squashfs' is disabled
ansible.builtin.lineinfile:
create: true
dest: /etc/modprobe.d/squashfs.conf
regexp: install\s+squashfs
line: install squashfs /bin/false
when:
- disable_strategy | bool
- kernel_module_squashfs_disabled | bool
- low_complexity | bool
- low_severity | bool
- medium_disruption | bool
- reboot_required | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83855-7
- NIST-800-171-3.4.6
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- kernel_module_squashfs_disabled
- low_complexity
- low_severity
- medium_disruption
- reboot_required
- name: Ensure kernel module 'squashfs' is blacklisted
ansible.builtin.lineinfile:
create: true
dest: /etc/modprobe.d/squashfs.conf
regexp: ^blacklist squashfs$
line: blacklist squashfs
when:
- disable_strategy | bool
- kernel_module_squashfs_disabled | bool
- low_complexity | bool
- low_severity | bool
- medium_disruption | bool
- reboot_required | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83855-7
- NIST-800-171-3.4.6
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- kernel_module_squashfs_disabled
- low_complexity
- low_severity
- medium_disruption
- reboot_required
- name: Ensure kernel module 'udf' is disabled
ansible.builtin.lineinfile:
create: true
dest: /etc/modprobe.d/udf.conf
regexp: install\s+udf
line: install udf /bin/false
when:
- disable_strategy | bool
- kernel_module_udf_disabled | bool
- low_complexity | bool
- low_severity | bool
- medium_disruption | bool
- reboot_required | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83852-4
- NIST-800-171-3.4.6
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- kernel_module_udf_disabled
- low_complexity
- low_severity
- medium_disruption
- reboot_required
- name: Ensure kernel module 'udf' is blacklisted
ansible.builtin.lineinfile:
create: true
dest: /etc/modprobe.d/udf.conf
regexp: ^blacklist udf$
line: blacklist udf
when:
- disable_strategy | bool
- kernel_module_udf_disabled | bool
- low_complexity | bool
- low_severity | bool
- medium_disruption | bool
- reboot_required | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83852-4
- NIST-800-171-3.4.6
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- kernel_module_udf_disabled
- low_complexity
- low_severity
- medium_disruption
- reboot_required
- name: Ensure kernel module 'usb-storage' is disabled
ansible.builtin.lineinfile:
create: true
dest: /etc/modprobe.d/usb-storage.conf
regexp: install\s+usb-storage
line: install usb-storage /bin/false
when:
- DISA_STIG_RHEL_09_291010 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83851-6
- DISA-STIG-RHEL-09-291010
- NIST-800-171-3.1.21
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- PCI-DSSv4-3.4
- PCI-DSSv4-3.4.2
- disable_strategy
- kernel_module_usb-storage_disabled
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- name: Ensure kernel module 'usb-storage' is blacklisted
ansible.builtin.lineinfile:
create: true
dest: /etc/modprobe.d/usb-storage.conf
regexp: ^blacklist usb-storage$
line: blacklist usb-storage
when:
- DISA_STIG_RHEL_09_291010 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83851-6
- DISA-STIG-RHEL-09-291010
- NIST-800-171-3.1.21
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- PCI-DSSv4-3.4
- PCI-DSSv4-3.4.2
- disable_strategy
- kernel_module_usb-storage_disabled
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- name: 'Add nodev Option to /dev/shm: Check information associated to mountpoint'
command: findmnt '/dev/shm'
register: device_name
failed_when: device_name.rc > 1
changed_when: false
check_mode: false
when:
- DISA_STIG_RHEL_09_231110 | bool
- configure_strategy | bool
- high_disruption | bool
- low_complexity | bool
- medium_severity | bool
- mount_option_dev_shm_nodev | bool
- no_reboot_needed | bool
- ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
tags:
- CCE-83881-3
- DISA-STIG-RHEL-09-231110
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_dev_shm_nodev
- no_reboot_needed
- name: 'Add nodev Option to /dev/shm: Create mount_info dictionary variable'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- '{{ device_name.stdout_lines[0].split() | list | lower }}'
- '{{ device_name.stdout_lines[1].split() | list }}'
when:
- DISA_STIG_RHEL_09_231110 | bool
- configure_strategy | bool
- high_disruption | bool
- low_complexity | bool
- medium_severity | bool
- mount_option_dev_shm_nodev | bool
- no_reboot_needed | bool
- ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length > 0)
tags:
- CCE-83881-3
- DISA-STIG-RHEL-09-231110
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_dev_shm_nodev
- no_reboot_needed
- name: 'Add nodev Option to /dev/shm: If /dev/shm not mounted, craft mount_info manually'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- - target
- source
- fstype
- options
- - /dev/shm
- tmpfs
- tmpfs
- defaults
when:
- DISA_STIG_RHEL_09_231110 | bool
- configure_strategy | bool
- high_disruption | bool
- low_complexity | bool
- medium_severity | bool
- mount_option_dev_shm_nodev | bool
- no_reboot_needed | bool
- ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- ("" | length == 0)
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length == 0)
tags:
- CCE-83881-3
- DISA-STIG-RHEL-09-231110
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_dev_shm_nodev
- no_reboot_needed
- name: 'Add nodev Option to /dev/shm: Make sure nodev option is part of the to /dev/shm options'
set_fact:
mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nodev'' }) }}'
when:
- DISA_STIG_RHEL_09_231110 | bool
- configure_strategy | bool
- high_disruption | bool
- low_complexity | bool
- medium_severity | bool
- mount_option_dev_shm_nodev | bool
- no_reboot_needed | bool
- ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- mount_info is defined and "nodev" not in mount_info.options
tags:
- CCE-83881-3
- DISA-STIG-RHEL-09-231110
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_dev_shm_nodev
- no_reboot_needed
- name: 'Add nodev Option to /dev/shm: Ensure /dev/shm is mounted with nodev option'
mount:
path: /dev/shm
src: '{{ mount_info.source }}'
opts: '{{ mount_info.options }}'
state: mounted
fstype: '{{ mount_info.fstype }}'
when:
- DISA_STIG_RHEL_09_231110 | bool
- configure_strategy | bool
- high_disruption | bool
- low_complexity | bool
- medium_severity | bool
- mount_option_dev_shm_nodev | bool
- no_reboot_needed | bool
- ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- mount_info is defined
- (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("" | length == 0)
tags:
- CCE-83881-3
- DISA-STIG-RHEL-09-231110
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_dev_shm_nodev
- no_reboot_needed
- name: 'Add noexec Option to /dev/shm: Check information associated to mountpoint'
command: findmnt '/dev/shm'
register: device_name
failed_when: device_name.rc > 1
changed_when: false
check_mode: false
when:
- DISA_STIG_RHEL_09_231115 | bool
- configure_strategy | bool
- high_disruption | bool
- low_complexity | bool
- medium_severity | bool
- mount_option_dev_shm_noexec | bool
- no_reboot_needed | bool
- ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
tags:
- CCE-83857-3
- DISA-STIG-RHEL-09-231115
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_dev_shm_noexec
- no_reboot_needed
- name: 'Add noexec Option to /dev/shm: Create mount_info dictionary variable'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- '{{ device_name.stdout_lines[0].split() | list | lower }}'
- '{{ device_name.stdout_lines[1].split() | list }}'
when:
- DISA_STIG_RHEL_09_231115 | bool
- configure_strategy | bool
- high_disruption | bool
- low_complexity | bool
- medium_severity | bool
- mount_option_dev_shm_noexec | bool
- no_reboot_needed | bool
- ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length > 0)
tags:
- CCE-83857-3
- DISA-STIG-RHEL-09-231115
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_dev_shm_noexec
- no_reboot_needed
- name: 'Add noexec Option to /dev/shm: If /dev/shm not mounted, craft mount_info manually'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- - target
- source
- fstype
- options
- - /dev/shm
- tmpfs
- tmpfs
- defaults
when:
- DISA_STIG_RHEL_09_231115 | bool
- configure_strategy | bool
- high_disruption | bool
- low_complexity | bool
- medium_severity | bool
- mount_option_dev_shm_noexec | bool
- no_reboot_needed | bool
- ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- ("" | length == 0)
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length == 0)
tags:
- CCE-83857-3
- DISA-STIG-RHEL-09-231115
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_dev_shm_noexec
- no_reboot_needed
- name: 'Add noexec Option to /dev/shm: Make sure noexec option is part of the to /dev/shm options'
set_fact:
mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',noexec'' }) }}'
when:
- DISA_STIG_RHEL_09_231115 | bool
- configure_strategy | bool
- high_disruption | bool
- low_complexity | bool
- medium_severity | bool
- mount_option_dev_shm_noexec | bool
- no_reboot_needed | bool
- ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- mount_info is defined and "noexec" not in mount_info.options
tags:
- CCE-83857-3
- DISA-STIG-RHEL-09-231115
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_dev_shm_noexec
- no_reboot_needed
- name: 'Add noexec Option to /dev/shm: Ensure /dev/shm is mounted with noexec option'
mount:
path: /dev/shm
src: '{{ mount_info.source }}'
opts: '{{ mount_info.options }}'
state: mounted
fstype: '{{ mount_info.fstype }}'
when:
- DISA_STIG_RHEL_09_231115 | bool
- configure_strategy | bool
- high_disruption | bool
- low_complexity | bool
- medium_severity | bool
- mount_option_dev_shm_noexec | bool
- no_reboot_needed | bool
- ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- mount_info is defined
- (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("" | length == 0)
tags:
- CCE-83857-3
- DISA-STIG-RHEL-09-231115
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_dev_shm_noexec
- no_reboot_needed
- name: 'Add nosuid Option to /dev/shm: Check information associated to mountpoint'
command: findmnt '/dev/shm'
register: device_name
failed_when: device_name.rc > 1
changed_when: false
check_mode: false
when:
- DISA_STIG_RHEL_09_231120 | bool
- configure_strategy | bool
- high_disruption | bool
- low_complexity | bool
- medium_severity | bool
- mount_option_dev_shm_nosuid | bool
- no_reboot_needed | bool
- ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
tags:
- CCE-83891-2
- DISA-STIG-RHEL-09-231120
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_dev_shm_nosuid
- no_reboot_needed
- name: 'Add nosuid Option to /dev/shm: Create mount_info dictionary variable'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- '{{ device_name.stdout_lines[0].split() | list | lower }}'
- '{{ device_name.stdout_lines[1].split() | list }}'
when:
- DISA_STIG_RHEL_09_231120 | bool
- configure_strategy | bool
- high_disruption | bool
- low_complexity | bool
- medium_severity | bool
- mount_option_dev_shm_nosuid | bool
- no_reboot_needed | bool
- ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length > 0)
tags:
- CCE-83891-2
- DISA-STIG-RHEL-09-231120
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_dev_shm_nosuid
- no_reboot_needed
- name: 'Add nosuid Option to /dev/shm: If /dev/shm not mounted, craft mount_info manually'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- - target
- source
- fstype
- options
- - /dev/shm
- tmpfs
- tmpfs
- defaults
when:
- DISA_STIG_RHEL_09_231120 | bool
- configure_strategy | bool
- high_disruption | bool
- low_complexity | bool
- medium_severity | bool
- mount_option_dev_shm_nosuid | bool
- no_reboot_needed | bool
- ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- ("" | length == 0)
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length == 0)
tags:
- CCE-83891-2
- DISA-STIG-RHEL-09-231120
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_dev_shm_nosuid
- no_reboot_needed
- name: 'Add nosuid Option to /dev/shm: Make sure nosuid option is part of the to /dev/shm options'
set_fact:
mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nosuid'' }) }}'
when:
- DISA_STIG_RHEL_09_231120 | bool
- configure_strategy | bool
- high_disruption | bool
- low_complexity | bool
- medium_severity | bool
- mount_option_dev_shm_nosuid | bool
- no_reboot_needed | bool
- ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- mount_info is defined and "nosuid" not in mount_info.options
tags:
- CCE-83891-2
- DISA-STIG-RHEL-09-231120
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_dev_shm_nosuid
- no_reboot_needed
- name: 'Add nosuid Option to /dev/shm: Ensure /dev/shm is mounted with nosuid option'
mount:
path: /dev/shm
src: '{{ mount_info.source }}'
opts: '{{ mount_info.options }}'
state: mounted
fstype: '{{ mount_info.fstype }}'
when:
- DISA_STIG_RHEL_09_231120 | bool
- configure_strategy | bool
- high_disruption | bool
- low_complexity | bool
- medium_severity | bool
- mount_option_dev_shm_nosuid | bool
- no_reboot_needed | bool
- ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- mount_info is defined
- (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("" | length == 0)
tags:
- CCE-83891-2
- DISA-STIG-RHEL-09-231120
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_dev_shm_nosuid
- no_reboot_needed
- name: 'Add nodev Option to /home: Check information associated to mountpoint'
command: findmnt --fstab '/home'
register: device_name
failed_when: device_name.rc > 1
changed_when: false
check_mode: false
when:
- DISA_STIG_RHEL_09_231045 | bool
- configure_strategy | bool
- high_disruption | bool
- low_complexity | bool
- mount_option_home_nodev | bool
- no_reboot_needed | bool
- unknown_severity | bool
- ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/home" in ansible_mounts | map(attribute="mount") | list'
tags:
- CCE-83871-4
- DISA-STIG-RHEL-09-231045
- configure_strategy
- high_disruption
- low_complexity
- mount_option_home_nodev
- no_reboot_needed
- unknown_severity
- name: 'Add nodev Option to /home: Create mount_info dictionary variable'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- '{{ device_name.stdout_lines[0].split() | list | lower }}'
- '{{ device_name.stdout_lines[1].split() | list }}'
when:
- DISA_STIG_RHEL_09_231045 | bool
- configure_strategy | bool
- high_disruption | bool
- low_complexity | bool
- mount_option_home_nodev | bool
- no_reboot_needed | bool
- unknown_severity | bool
- ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/home" in ansible_mounts | map(attribute="mount") | list'
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length > 0)
tags:
- CCE-83871-4
- DISA-STIG-RHEL-09-231045
- configure_strategy
- high_disruption
- low_complexity
- mount_option_home_nodev
- no_reboot_needed
- unknown_severity
- name: 'Add nodev Option to /home: If /home not mounted, craft mount_info manually'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- - target
- source
- fstype
- options
- - /home
- ''
- ''
- defaults
when:
- DISA_STIG_RHEL_09_231045 | bool
- configure_strategy | bool
- high_disruption | bool
- low_complexity | bool
- mount_option_home_nodev | bool
- no_reboot_needed | bool
- unknown_severity | bool
- ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/home" in ansible_mounts | map(attribute="mount") | list'
- ("--fstab" | length == 0)
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length == 0)
tags:
- CCE-83871-4
- DISA-STIG-RHEL-09-231045
- configure_strategy
- high_disruption
- low_complexity
- mount_option_home_nodev
- no_reboot_needed
- unknown_severity
- name: 'Add nodev Option to /home: Make sure nodev option is part of the to /home options'
set_fact:
mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nodev'' }) }}'
when:
- DISA_STIG_RHEL_09_231045 | bool
- configure_strategy | bool
- high_disruption | bool
- low_complexity | bool
- mount_option_home_nodev | bool
- no_reboot_needed | bool
- unknown_severity | bool
- ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/home" in ansible_mounts | map(attribute="mount") | list'
- mount_info is defined and "nodev" not in mount_info.options
tags:
- CCE-83871-4
- DISA-STIG-RHEL-09-231045
- configure_strategy
- high_disruption
- low_complexity
- mount_option_home_nodev
- no_reboot_needed
- unknown_severity
- name: 'Add nodev Option to /home: Ensure /home is mounted with nodev option'
mount:
path: /home
src: '{{ mount_info.source }}'
opts: '{{ mount_info.options }}'
state: mounted
fstype: '{{ mount_info.fstype }}'
when:
- DISA_STIG_RHEL_09_231045 | bool
- configure_strategy | bool
- high_disruption | bool
- low_complexity | bool
- mount_option_home_nodev | bool
- no_reboot_needed | bool
- unknown_severity | bool
- ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/home" in ansible_mounts | map(attribute="mount") | list'
- mount_info is defined
- (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0)
tags:
- CCE-83871-4
- DISA-STIG-RHEL-09-231045
- configure_strategy
- high_disruption
- low_complexity
- mount_option_home_nodev
- no_reboot_needed
- unknown_severity
- name: 'Add nosuid Option to /home: Check information associated to mountpoint'
command: findmnt --fstab '/home'
register: device_name
failed_when: device_name.rc > 1
changed_when: false
check_mode: false
when:
- DISA_STIG_RHEL_09_231050 | bool
- configure_strategy | bool
- high_disruption | bool
- low_complexity | bool
- medium_severity | bool
- mount_option_home_nosuid | bool
- no_reboot_needed | bool
- ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/home" in ansible_mounts | map(attribute="mount") | list'
tags:
- CCE-83894-6
- DISA-STIG-RHEL-09-231050
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_home_nosuid
- no_reboot_needed
- name: 'Add nosuid Option to /home: Create mount_info dictionary variable'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- '{{ device_name.stdout_lines[0].split() | list | lower }}'
- '{{ device_name.stdout_lines[1].split() | list }}'
when:
- DISA_STIG_RHEL_09_231050 | bool
- configure_strategy | bool
- high_disruption | bool
- low_complexity | bool
- medium_severity | bool
- mount_option_home_nosuid | bool
- no_reboot_needed | bool
- ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/home" in ansible_mounts | map(attribute="mount") | list'
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length > 0)
tags:
- CCE-83894-6
- DISA-STIG-RHEL-09-231050
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_home_nosuid
- no_reboot_needed
- name: 'Add nosuid Option to /home: If /home not mounted, craft mount_info manually'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- - target
- source
- fstype
- options
- - /home
- ''
- ''
- defaults
when:
- DISA_STIG_RHEL_09_231050 | bool
- configure_strategy | bool
- high_disruption | bool
- low_complexity | bool
- medium_severity | bool
- mount_option_home_nosuid | bool
- no_reboot_needed | bool
- ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/home" in ansible_mounts | map(attribute="mount") | list'
- ("--fstab" | length == 0)
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length == 0)
tags:
- CCE-83894-6
- DISA-STIG-RHEL-09-231050
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_home_nosuid
- no_reboot_needed
- name: 'Add nosuid Option to /home: Make sure nosuid option is part of the to /home options'
set_fact:
mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nosuid'' }) }}'
when:
- DISA_STIG_RHEL_09_231050 | bool
- configure_strategy | bool
- high_disruption | bool
- low_complexity | bool
- medium_severity | bool
- mount_option_home_nosuid | bool
- no_reboot_needed | bool
- ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/home" in ansible_mounts | map(attribute="mount") | list'
- mount_info is defined and "nosuid" not in mount_info.options
tags:
- CCE-83894-6
- DISA-STIG-RHEL-09-231050
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_home_nosuid
- no_reboot_needed
- name: 'Add nosuid Option to /home: Ensure /home is mounted with nosuid option'
mount:
path: /home
src: '{{ mount_info.source }}'
opts: '{{ mount_info.options }}'
state: mounted
fstype: '{{ mount_info.fstype }}'
when:
- DISA_STIG_RHEL_09_231050 | bool
- configure_strategy | bool
- high_disruption | bool
- low_complexity | bool
- medium_severity | bool
- mount_option_home_nosuid | bool
- no_reboot_needed | bool
- ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/home" in ansible_mounts | map(attribute="mount") | list'
- mount_info is defined
- (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0)
tags:
- CCE-83894-6
- DISA-STIG-RHEL-09-231050
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_home_nosuid
- no_reboot_needed
- name: 'Add nodev Option to /tmp: Check information associated to mountpoint'
command: findmnt --fstab '/tmp'
register: device_name
failed_when: device_name.rc > 1
changed_when: false
check_mode: false
when:
- DISA_STIG_RHEL_09_231125 | bool
- configure_strategy | bool
- high_disruption | bool
- low_complexity | bool
- medium_severity | bool
- mount_option_tmp_nodev | bool
- no_reboot_needed | bool
- ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/tmp" in ansible_mounts | map(attribute="mount") | list'
tags:
- CCE-83869-8
- DISA-STIG-RHEL-09-231125
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_tmp_nodev
- no_reboot_needed
- name: 'Add nodev Option to /tmp: Create mount_info dictionary variable'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- '{{ device_name.stdout_lines[0].split() | list | lower }}'
- '{{ device_name.stdout_lines[1].split() | list }}'
when:
- DISA_STIG_RHEL_09_231125 | bool
- configure_strategy | bool
- high_disruption | bool
- low_complexity | bool
- medium_severity | bool
- mount_option_tmp_nodev | bool
- no_reboot_needed | bool
- ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/tmp" in ansible_mounts | map(attribute="mount") | list'
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length > 0)
tags:
- CCE-83869-8
- DISA-STIG-RHEL-09-231125
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_tmp_nodev
- no_reboot_needed
- name: 'Add nodev Option to /tmp: If /tmp not mounted, craft mount_info manually'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- - target
- source
- fstype
- options
- - /tmp
- ''
- ''
- defaults
when:
- DISA_STIG_RHEL_09_231125 | bool
- configure_strategy | bool
- high_disruption | bool
- low_complexity | bool
- medium_severity | bool
- mount_option_tmp_nodev | bool
- no_reboot_needed | bool
- ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/tmp" in ansible_mounts | map(attribute="mount") | list'
- ("--fstab" | length == 0)
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length == 0)
tags:
- CCE-83869-8
- DISA-STIG-RHEL-09-231125
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_tmp_nodev
- no_reboot_needed
- name: 'Add nodev Option to /tmp: Make sure nodev option is part of the to /tmp options'
set_fact:
mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nodev'' }) }}'
when:
- DISA_STIG_RHEL_09_231125 | bool
- configure_strategy | bool
- high_disruption | bool
- low_complexity | bool
- medium_severity | bool
- mount_option_tmp_nodev | bool
- no_reboot_needed | bool
- ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/tmp" in ansible_mounts | map(attribute="mount") | list'
- mount_info is defined and "nodev" not in mount_info.options
tags:
- CCE-83869-8
- DISA-STIG-RHEL-09-231125
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_tmp_nodev
- no_reboot_needed
- name: 'Add nodev Option to /tmp: Ensure /tmp is mounted with nodev option'
mount:
path: /tmp
src: '{{ mount_info.source }}'
opts: '{{ mount_info.options }}'
state: mounted
fstype: '{{ mount_info.fstype }}'
when:
- DISA_STIG_RHEL_09_231125 | bool
- configure_strategy | bool
- high_disruption | bool
- low_complexity | bool
- medium_severity | bool
- mount_option_tmp_nodev | bool
- no_reboot_needed | bool
- ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/tmp" in ansible_mounts | map(attribute="mount") | list'
- mount_info is defined
- (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0)
tags:
- CCE-83869-8
- DISA-STIG-RHEL-09-231125
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_tmp_nodev
- no_reboot_needed
- name: 'Add noexec Option to /tmp: Check information associated to mountpoint'
command: findmnt --fstab '/tmp'
register: device_name
failed_when: device_name.rc > 1
changed_when: false
check_mode: false
when:
- DISA_STIG_RHEL_09_231130 | bool
- configure_strategy | bool
- high_disruption | bool
- low_complexity | bool
- medium_severity | bool
- mount_option_tmp_noexec | bool
- no_reboot_needed | bool
- ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/tmp" in ansible_mounts | map(attribute="mount") | list'
tags:
- CCE-83885-4
- DISA-STIG-RHEL-09-231130
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_tmp_noexec
- no_reboot_needed
- name: 'Add noexec Option to /tmp: Create mount_info dictionary variable'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- '{{ device_name.stdout_lines[0].split() | list | lower }}'
- '{{ device_name.stdout_lines[1].split() | list }}'
when:
- DISA_STIG_RHEL_09_231130 | bool
- configure_strategy | bool
- high_disruption | bool
- low_complexity | bool
- medium_severity | bool
- mount_option_tmp_noexec | bool
- no_reboot_needed | bool
- ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/tmp" in ansible_mounts | map(attribute="mount") | list'
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length > 0)
tags:
- CCE-83885-4
- DISA-STIG-RHEL-09-231130
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_tmp_noexec
- no_reboot_needed
- name: 'Add noexec Option to /tmp: If /tmp not mounted, craft mount_info manually'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- - target
- source
- fstype
- options
- - /tmp
- ''
- ''
- defaults
when:
- DISA_STIG_RHEL_09_231130 | bool
- configure_strategy | bool
- high_disruption | bool
- low_complexity | bool
- medium_severity | bool
- mount_option_tmp_noexec | bool
- no_reboot_needed | bool
- ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/tmp" in ansible_mounts | map(attribute="mount") | list'
- ("--fstab" | length == 0)
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length == 0)
tags:
- CCE-83885-4
- DISA-STIG-RHEL-09-231130
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_tmp_noexec
- no_reboot_needed
- name: 'Add noexec Option to /tmp: Make sure noexec option is part of the to /tmp options'
set_fact:
mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',noexec'' }) }}'
when:
- DISA_STIG_RHEL_09_231130 | bool
- configure_strategy | bool
- high_disruption | bool
- low_complexity | bool
- medium_severity | bool
- mount_option_tmp_noexec | bool
- no_reboot_needed | bool
- ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/tmp" in ansible_mounts | map(attribute="mount") | list'
- mount_info is defined and "noexec" not in mount_info.options
tags:
- CCE-83885-4
- DISA-STIG-RHEL-09-231130
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_tmp_noexec
- no_reboot_needed
- name: 'Add noexec Option to /tmp: Ensure /tmp is mounted with noexec option'
mount:
path: /tmp
src: '{{ mount_info.source }}'
opts: '{{ mount_info.options }}'
state: mounted
fstype: '{{ mount_info.fstype }}'
when:
- DISA_STIG_RHEL_09_231130 | bool
- configure_strategy | bool
- high_disruption | bool
- low_complexity | bool
- medium_severity | bool
- mount_option_tmp_noexec | bool
- no_reboot_needed | bool
- ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/tmp" in ansible_mounts | map(attribute="mount") | list'
- mount_info is defined
- (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0)
tags:
- CCE-83885-4
- DISA-STIG-RHEL-09-231130
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_tmp_noexec
- no_reboot_needed
- name: 'Add nosuid Option to /tmp: Check information associated to mountpoint'
command: findmnt --fstab '/tmp'
register: device_name
failed_when: device_name.rc > 1
changed_when: false
check_mode: false
when:
- DISA_STIG_RHEL_09_231135 | bool
- configure_strategy | bool
- high_disruption | bool
- low_complexity | bool
- medium_severity | bool
- mount_option_tmp_nosuid | bool
- no_reboot_needed | bool
- ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/tmp" in ansible_mounts | map(attribute="mount") | list'
tags:
- CCE-83872-2
- DISA-STIG-RHEL-09-231135
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_tmp_nosuid
- no_reboot_needed
- name: 'Add nosuid Option to /tmp: Create mount_info dictionary variable'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- '{{ device_name.stdout_lines[0].split() | list | lower }}'
- '{{ device_name.stdout_lines[1].split() | list }}'
when:
- DISA_STIG_RHEL_09_231135 | bool
- configure_strategy | bool
- high_disruption | bool
- low_complexity | bool
- medium_severity | bool
- mount_option_tmp_nosuid | bool
- no_reboot_needed | bool
- ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/tmp" in ansible_mounts | map(attribute="mount") | list'
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length > 0)
tags:
- CCE-83872-2
- DISA-STIG-RHEL-09-231135
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_tmp_nosuid
- no_reboot_needed
- name: 'Add nosuid Option to /tmp: If /tmp not mounted, craft mount_info manually'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- - target
- source
- fstype
- options
- - /tmp
- ''
- ''
- defaults
when:
- DISA_STIG_RHEL_09_231135 | bool
- configure_strategy | bool
- high_disruption | bool
- low_complexity | bool
- medium_severity | bool
- mount_option_tmp_nosuid | bool
- no_reboot_needed | bool
- ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/tmp" in ansible_mounts | map(attribute="mount") | list'
- ("--fstab" | length == 0)
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length == 0)
tags:
- CCE-83872-2
- DISA-STIG-RHEL-09-231135
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_tmp_nosuid
- no_reboot_needed
- name: 'Add nosuid Option to /tmp: Make sure nosuid option is part of the to /tmp options'
set_fact:
mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nosuid'' }) }}'
when:
- DISA_STIG_RHEL_09_231135 | bool
- configure_strategy | bool
- high_disruption | bool
- low_complexity | bool
- medium_severity | bool
- mount_option_tmp_nosuid | bool
- no_reboot_needed | bool
- ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/tmp" in ansible_mounts | map(attribute="mount") | list'
- mount_info is defined and "nosuid" not in mount_info.options
tags:
- CCE-83872-2
- DISA-STIG-RHEL-09-231135
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_tmp_nosuid
- no_reboot_needed
- name: 'Add nosuid Option to /tmp: Ensure /tmp is mounted with nosuid option'
mount:
path: /tmp
src: '{{ mount_info.source }}'
opts: '{{ mount_info.options }}'
state: mounted
fstype: '{{ mount_info.fstype }}'
when:
- DISA_STIG_RHEL_09_231135 | bool
- configure_strategy | bool
- high_disruption | bool
- low_complexity | bool
- medium_severity | bool
- mount_option_tmp_nosuid | bool
- no_reboot_needed | bool
- ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/tmp" in ansible_mounts | map(attribute="mount") | list'
- mount_info is defined
- (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0)
tags:
- CCE-83872-2
- DISA-STIG-RHEL-09-231135
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_tmp_nosuid
- no_reboot_needed
- name: 'Add nodev Option to /var/log/audit: Check information associated to mountpoint'
command: findmnt --fstab '/var/log/audit'
register: device_name
failed_when: device_name.rc > 1
changed_when: false
check_mode: false
when:
- DISA_STIG_RHEL_09_231160 | bool
- configure_strategy | bool
- high_disruption | bool
- low_complexity | bool
- medium_severity | bool
- mount_option_var_log_audit_nodev | bool
- no_reboot_needed | bool
- ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/log/audit" in ansible_mounts | map(attribute="mount") | list'
tags:
- CCE-83882-1
- DISA-STIG-RHEL-09-231160
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_log_audit_nodev
- no_reboot_needed
- name: 'Add nodev Option to /var/log/audit: Create mount_info dictionary variable'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- '{{ device_name.stdout_lines[0].split() | list | lower }}'
- '{{ device_name.stdout_lines[1].split() | list }}'
when:
- DISA_STIG_RHEL_09_231160 | bool
- configure_strategy | bool
- high_disruption | bool
- low_complexity | bool
- medium_severity | bool
- mount_option_var_log_audit_nodev | bool
- no_reboot_needed | bool
- ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/log/audit" in ansible_mounts | map(attribute="mount") | list'
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length > 0)
tags:
- CCE-83882-1
- DISA-STIG-RHEL-09-231160
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_log_audit_nodev
- no_reboot_needed
- name: 'Add nodev Option to /var/log/audit: If /var/log/audit not mounted, craft mount_info manually'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- - target
- source
- fstype
- options
- - /var/log/audit
- ''
- ''
- defaults
when:
- DISA_STIG_RHEL_09_231160 | bool
- configure_strategy | bool
- high_disruption | bool
- low_complexity | bool
- medium_severity | bool
- mount_option_var_log_audit_nodev | bool
- no_reboot_needed | bool
- ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/log/audit" in ansible_mounts | map(attribute="mount") | list'
- ("--fstab" | length == 0)
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length == 0)
tags:
- CCE-83882-1
- DISA-STIG-RHEL-09-231160
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_log_audit_nodev
- no_reboot_needed
- name: 'Add nodev Option to /var/log/audit: Make sure nodev option is part of the to /var/log/audit options'
set_fact:
mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nodev'' }) }}'
when:
- DISA_STIG_RHEL_09_231160 | bool
- configure_strategy | bool
- high_disruption | bool
- low_complexity | bool
- medium_severity | bool
- mount_option_var_log_audit_nodev | bool
- no_reboot_needed | bool
- ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/log/audit" in ansible_mounts | map(attribute="mount") | list'
- mount_info is defined and "nodev" not in mount_info.options
tags:
- CCE-83882-1
- DISA-STIG-RHEL-09-231160
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_log_audit_nodev
- no_reboot_needed
- name: 'Add nodev Option to /var/log/audit: Ensure /var/log/audit is mounted with nodev option'
mount:
path: /var/log/audit
src: '{{ mount_info.source }}'
opts: '{{ mount_info.options }}'
state: mounted
fstype: '{{ mount_info.fstype }}'
when:
- DISA_STIG_RHEL_09_231160 | bool
- configure_strategy | bool
- high_disruption | bool
- low_complexity | bool
- medium_severity | bool
- mount_option_var_log_audit_nodev | bool
- no_reboot_needed | bool
- ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/log/audit" in ansible_mounts | map(attribute="mount") | list'
- mount_info is defined
- (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0)
tags:
- CCE-83882-1
- DISA-STIG-RHEL-09-231160
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_log_audit_nodev
- no_reboot_needed
- name: 'Add noexec Option to /var/log/audit: Check information associated to mountpoint'
command: findmnt --fstab '/var/log/audit'
register: device_name
failed_when: device_name.rc > 1
changed_when: false
check_mode: false
when:
- DISA_STIG_RHEL_09_231165 | bool
- configure_strategy | bool
- high_disruption | bool
- low_complexity | bool
- medium_severity | bool
- mount_option_var_log_audit_noexec | bool
- no_reboot_needed | bool
- ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/log/audit" in ansible_mounts | map(attribute="mount") | list'
tags:
- CCE-83878-9
- DISA-STIG-RHEL-09-231165
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_log_audit_noexec
- no_reboot_needed
- name: 'Add noexec Option to /var/log/audit: Create mount_info dictionary variable'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- '{{ device_name.stdout_lines[0].split() | list | lower }}'
- '{{ device_name.stdout_lines[1].split() | list }}'
when:
- DISA_STIG_RHEL_09_231165 | bool
- configure_strategy | bool
- high_disruption | bool
- low_complexity | bool
- medium_severity | bool
- mount_option_var_log_audit_noexec | bool
- no_reboot_needed | bool
- ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/log/audit" in ansible_mounts | map(attribute="mount") | list'
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length > 0)
tags:
- CCE-83878-9
- DISA-STIG-RHEL-09-231165
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_log_audit_noexec
- no_reboot_needed
- name: 'Add noexec Option to /var/log/audit: If /var/log/audit not mounted, craft mount_info manually'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- - target
- source
- fstype
- options
- - /var/log/audit
- ''
- ''
- defaults
when:
- DISA_STIG_RHEL_09_231165 | bool
- configure_strategy | bool
- high_disruption | bool
- low_complexity | bool
- medium_severity | bool
- mount_option_var_log_audit_noexec | bool
- no_reboot_needed | bool
- ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/log/audit" in ansible_mounts | map(attribute="mount") | list'
- ("--fstab" | length == 0)
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length == 0)
tags:
- CCE-83878-9
- DISA-STIG-RHEL-09-231165
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_log_audit_noexec
- no_reboot_needed
- name: 'Add noexec Option to /var/log/audit: Make sure noexec option is part of the to /var/log/audit options'
set_fact:
mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',noexec'' }) }}'
when:
- DISA_STIG_RHEL_09_231165 | bool
- configure_strategy | bool
- high_disruption | bool
- low_complexity | bool
- medium_severity | bool
- mount_option_var_log_audit_noexec | bool
- no_reboot_needed | bool
- ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/log/audit" in ansible_mounts | map(attribute="mount") | list'
- mount_info is defined and "noexec" not in mount_info.options
tags:
- CCE-83878-9
- DISA-STIG-RHEL-09-231165
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_log_audit_noexec
- no_reboot_needed
- name: 'Add noexec Option to /var/log/audit: Ensure /var/log/audit is mounted with noexec option'
mount:
path: /var/log/audit
src: '{{ mount_info.source }}'
opts: '{{ mount_info.options }}'
state: mounted
fstype: '{{ mount_info.fstype }}'
when:
- DISA_STIG_RHEL_09_231165 | bool
- configure_strategy | bool
- high_disruption | bool
- low_complexity | bool
- medium_severity | bool
- mount_option_var_log_audit_noexec | bool
- no_reboot_needed | bool
- ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/log/audit" in ansible_mounts | map(attribute="mount") | list'
- mount_info is defined
- (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0)
tags:
- CCE-83878-9
- DISA-STIG-RHEL-09-231165
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_log_audit_noexec
- no_reboot_needed
- name: 'Add nosuid Option to /var/log/audit: Check information associated to mountpoint'
command: findmnt --fstab '/var/log/audit'
register: device_name
failed_when: device_name.rc > 1
changed_when: false
check_mode: false
when:
- DISA_STIG_RHEL_09_231170 | bool
- configure_strategy | bool
- high_disruption | bool
- low_complexity | bool
- medium_severity | bool
- mount_option_var_log_audit_nosuid | bool
- no_reboot_needed | bool
- ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/log/audit" in ansible_mounts | map(attribute="mount") | list'
tags:
- CCE-83893-8
- DISA-STIG-RHEL-09-231170
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_log_audit_nosuid
- no_reboot_needed
- name: 'Add nosuid Option to /var/log/audit: Create mount_info dictionary variable'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- '{{ device_name.stdout_lines[0].split() | list | lower }}'
- '{{ device_name.stdout_lines[1].split() | list }}'
when:
- DISA_STIG_RHEL_09_231170 | bool
- configure_strategy | bool
- high_disruption | bool
- low_complexity | bool
- medium_severity | bool
- mount_option_var_log_audit_nosuid | bool
- no_reboot_needed | bool
- ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/log/audit" in ansible_mounts | map(attribute="mount") | list'
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length > 0)
tags:
- CCE-83893-8
- DISA-STIG-RHEL-09-231170
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_log_audit_nosuid
- no_reboot_needed
- name: 'Add nosuid Option to /var/log/audit: If /var/log/audit not mounted, craft mount_info manually'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- - target
- source
- fstype
- options
- - /var/log/audit
- ''
- ''
- defaults
when:
- DISA_STIG_RHEL_09_231170 | bool
- configure_strategy | bool
- high_disruption | bool
- low_complexity | bool
- medium_severity | bool
- mount_option_var_log_audit_nosuid | bool
- no_reboot_needed | bool
- ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/log/audit" in ansible_mounts | map(attribute="mount") | list'
- ("--fstab" | length == 0)
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length == 0)
tags:
- CCE-83893-8
- DISA-STIG-RHEL-09-231170
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_log_audit_nosuid
- no_reboot_needed
- name: 'Add nosuid Option to /var/log/audit: Make sure nosuid option is part of the to /var/log/audit options'
set_fact:
mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nosuid'' }) }}'
when:
- DISA_STIG_RHEL_09_231170 | bool
- configure_strategy | bool
- high_disruption | bool
- low_complexity | bool
- medium_severity | bool
- mount_option_var_log_audit_nosuid | bool
- no_reboot_needed | bool
- ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/log/audit" in ansible_mounts | map(attribute="mount") | list'
- mount_info is defined and "nosuid" not in mount_info.options
tags:
- CCE-83893-8
- DISA-STIG-RHEL-09-231170
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_log_audit_nosuid
- no_reboot_needed
- name: 'Add nosuid Option to /var/log/audit: Ensure /var/log/audit is mounted with nosuid option'
mount:
path: /var/log/audit
src: '{{ mount_info.source }}'
opts: '{{ mount_info.options }}'
state: mounted
fstype: '{{ mount_info.fstype }}'
when:
- DISA_STIG_RHEL_09_231170 | bool
- configure_strategy | bool
- high_disruption | bool
- low_complexity | bool
- medium_severity | bool
- mount_option_var_log_audit_nosuid | bool
- no_reboot_needed | bool
- ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/log/audit" in ansible_mounts | map(attribute="mount") | list'
- mount_info is defined
- (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0)
tags:
- CCE-83893-8
- DISA-STIG-RHEL-09-231170
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_log_audit_nosuid
- no_reboot_needed
- name: 'Add nodev Option to /var/log: Check information associated to mountpoint'
command: findmnt --fstab '/var/log'
register: device_name
failed_when: device_name.rc > 1
changed_when: false
check_mode: false
when:
- DISA_STIG_RHEL_09_231145 | bool
- configure_strategy | bool
- high_disruption | bool
- low_complexity | bool
- medium_severity | bool
- mount_option_var_log_nodev | bool
- no_reboot_needed | bool
- ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/log" in ansible_mounts | map(attribute="mount") | list'
tags:
- CCE-83886-2
- DISA-STIG-RHEL-09-231145
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_log_nodev
- no_reboot_needed
- name: 'Add nodev Option to /var/log: Create mount_info dictionary variable'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- '{{ device_name.stdout_lines[0].split() | list | lower }}'
- '{{ device_name.stdout_lines[1].split() | list }}'
when:
- DISA_STIG_RHEL_09_231145 | bool
- configure_strategy | bool
- high_disruption | bool
- low_complexity | bool
- medium_severity | bool
- mount_option_var_log_nodev | bool
- no_reboot_needed | bool
- ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/log" in ansible_mounts | map(attribute="mount") | list'
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length > 0)
tags:
- CCE-83886-2
- DISA-STIG-RHEL-09-231145
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_log_nodev
- no_reboot_needed
- name: 'Add nodev Option to /var/log: If /var/log not mounted, craft mount_info manually'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- - target
- source
- fstype
- options
- - /var/log
- ''
- ''
- defaults
when:
- DISA_STIG_RHEL_09_231145 | bool
- configure_strategy | bool
- high_disruption | bool
- low_complexity | bool
- medium_severity | bool
- mount_option_var_log_nodev | bool
- no_reboot_needed | bool
- ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/log" in ansible_mounts | map(attribute="mount") | list'
- ("--fstab" | length == 0)
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length == 0)
tags:
- CCE-83886-2
- DISA-STIG-RHEL-09-231145
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_log_nodev
- no_reboot_needed
- name: 'Add nodev Option to /var/log: Make sure nodev option is part of the to /var/log options'
set_fact:
mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nodev'' }) }}'
when:
- DISA_STIG_RHEL_09_231145 | bool
- configure_strategy | bool
- high_disruption | bool
- low_complexity | bool
- medium_severity | bool
- mount_option_var_log_nodev | bool
- no_reboot_needed | bool
- ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/log" in ansible_mounts | map(attribute="mount") | list'
- mount_info is defined and "nodev" not in mount_info.options
tags:
- CCE-83886-2
- DISA-STIG-RHEL-09-231145
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_log_nodev
- no_reboot_needed
- name: 'Add nodev Option to /var/log: Ensure /var/log is mounted with nodev option'
mount:
path: /var/log
src: '{{ mount_info.source }}'
opts: '{{ mount_info.options }}'
state: mounted
fstype: '{{ mount_info.fstype }}'
when:
- DISA_STIG_RHEL_09_231145 | bool
- configure_strategy | bool
- high_disruption | bool
- low_complexity | bool
- medium_severity | bool
- mount_option_var_log_nodev | bool
- no_reboot_needed | bool
- ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/log" in ansible_mounts | map(attribute="mount") | list'
- mount_info is defined
- (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0)
tags:
- CCE-83886-2
- DISA-STIG-RHEL-09-231145
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_log_nodev
- no_reboot_needed
- name: 'Add noexec Option to /var/log: Check information associated to mountpoint'
command: findmnt --fstab '/var/log'
register: device_name
failed_when: device_name.rc > 1
changed_when: false
check_mode: false
when:
- DISA_STIG_RHEL_09_231150 | bool
- configure_strategy | bool
- high_disruption | bool
- low_complexity | bool
- medium_severity | bool
- mount_option_var_log_noexec | bool
- no_reboot_needed | bool
- ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/log" in ansible_mounts | map(attribute="mount") | list'
tags:
- CCE-83887-0
- DISA-STIG-RHEL-09-231150
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_log_noexec
- no_reboot_needed
- name: 'Add noexec Option to /var/log: Create mount_info dictionary variable'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- '{{ device_name.stdout_lines[0].split() | list | lower }}'
- '{{ device_name.stdout_lines[1].split() | list }}'
when:
- DISA_STIG_RHEL_09_231150 | bool
- configure_strategy | bool
- high_disruption | bool
- low_complexity | bool
- medium_severity | bool
- mount_option_var_log_noexec | bool
- no_reboot_needed | bool
- ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/log" in ansible_mounts | map(attribute="mount") | list'
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length > 0)
tags:
- CCE-83887-0
- DISA-STIG-RHEL-09-231150
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_log_noexec
- no_reboot_needed
- name: 'Add noexec Option to /var/log: If /var/log not mounted, craft mount_info manually'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- - target
- source
- fstype
- options
- - /var/log
- ''
- ''
- defaults
when:
- DISA_STIG_RHEL_09_231150 | bool
- configure_strategy | bool
- high_disruption | bool
- low_complexity | bool
- medium_severity | bool
- mount_option_var_log_noexec | bool
- no_reboot_needed | bool
- ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/log" in ansible_mounts | map(attribute="mount") | list'
- ("--fstab" | length == 0)
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length == 0)
tags:
- CCE-83887-0
- DISA-STIG-RHEL-09-231150
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_log_noexec
- no_reboot_needed
- name: 'Add noexec Option to /var/log: Make sure noexec option is part of the to /var/log options'
set_fact:
mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',noexec'' }) }}'
when:
- DISA_STIG_RHEL_09_231150 | bool
- configure_strategy | bool
- high_disruption | bool
- low_complexity | bool
- medium_severity | bool
- mount_option_var_log_noexec | bool
- no_reboot_needed | bool
- ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/log" in ansible_mounts | map(attribute="mount") | list'
- mount_info is defined and "noexec" not in mount_info.options
tags:
- CCE-83887-0
- DISA-STIG-RHEL-09-231150
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_log_noexec
- no_reboot_needed
- name: 'Add noexec Option to /var/log: Ensure /var/log is mounted with noexec option'
mount:
path: /var/log
src: '{{ mount_info.source }}'
opts: '{{ mount_info.options }}'
state: mounted
fstype: '{{ mount_info.fstype }}'
when:
- DISA_STIG_RHEL_09_231150 | bool
- configure_strategy | bool
- high_disruption | bool
- low_complexity | bool
- medium_severity | bool
- mount_option_var_log_noexec | bool
- no_reboot_needed | bool
- ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/log" in ansible_mounts | map(attribute="mount") | list'
- mount_info is defined
- (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0)
tags:
- CCE-83887-0
- DISA-STIG-RHEL-09-231150
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_log_noexec
- no_reboot_needed
- name: 'Add nosuid Option to /var/log: Check information associated to mountpoint'
command: findmnt --fstab '/var/log'
register: device_name
failed_when: device_name.rc > 1
changed_when: false
check_mode: false
when:
- DISA_STIG_RHEL_09_231155 | bool
- configure_strategy | bool
- high_disruption | bool
- low_complexity | bool
- medium_severity | bool
- mount_option_var_log_nosuid | bool
- no_reboot_needed | bool
- ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/log" in ansible_mounts | map(attribute="mount") | list'
tags:
- CCE-83870-6
- DISA-STIG-RHEL-09-231155
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_log_nosuid
- no_reboot_needed
- name: 'Add nosuid Option to /var/log: Create mount_info dictionary variable'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- '{{ device_name.stdout_lines[0].split() | list | lower }}'
- '{{ device_name.stdout_lines[1].split() | list }}'
when:
- DISA_STIG_RHEL_09_231155 | bool
- configure_strategy | bool
- high_disruption | bool
- low_complexity | bool
- medium_severity | bool
- mount_option_var_log_nosuid | bool
- no_reboot_needed | bool
- ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/log" in ansible_mounts | map(attribute="mount") | list'
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length > 0)
tags:
- CCE-83870-6
- DISA-STIG-RHEL-09-231155
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_log_nosuid
- no_reboot_needed
- name: 'Add nosuid Option to /var/log: If /var/log not mounted, craft mount_info manually'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- - target
- source
- fstype
- options
- - /var/log
- ''
- ''
- defaults
when:
- DISA_STIG_RHEL_09_231155 | bool
- configure_strategy | bool
- high_disruption | bool
- low_complexity | bool
- medium_severity | bool
- mount_option_var_log_nosuid | bool
- no_reboot_needed | bool
- ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/log" in ansible_mounts | map(attribute="mount") | list'
- ("--fstab" | length == 0)
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length == 0)
tags:
- CCE-83870-6
- DISA-STIG-RHEL-09-231155
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_log_nosuid
- no_reboot_needed
- name: 'Add nosuid Option to /var/log: Make sure nosuid option is part of the to /var/log options'
set_fact:
mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nosuid'' }) }}'
when:
- DISA_STIG_RHEL_09_231155 | bool
- configure_strategy | bool
- high_disruption | bool
- low_complexity | bool
- medium_severity | bool
- mount_option_var_log_nosuid | bool
- no_reboot_needed | bool
- ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/log" in ansible_mounts | map(attribute="mount") | list'
- mount_info is defined and "nosuid" not in mount_info.options
tags:
- CCE-83870-6
- DISA-STIG-RHEL-09-231155
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_log_nosuid
- no_reboot_needed
- name: 'Add nosuid Option to /var/log: Ensure /var/log is mounted with nosuid option'
mount:
path: /var/log
src: '{{ mount_info.source }}'
opts: '{{ mount_info.options }}'
state: mounted
fstype: '{{ mount_info.fstype }}'
when:
- DISA_STIG_RHEL_09_231155 | bool
- configure_strategy | bool
- high_disruption | bool
- low_complexity | bool
- medium_severity | bool
- mount_option_var_log_nosuid | bool
- no_reboot_needed | bool
- ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/log" in ansible_mounts | map(attribute="mount") | list'
- mount_info is defined
- (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0)
tags:
- CCE-83870-6
- DISA-STIG-RHEL-09-231155
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_log_nosuid
- no_reboot_needed
- name: 'Add nodev Option to /var: Check information associated to mountpoint'
command: findmnt --fstab '/var'
register: device_name
failed_when: device_name.rc > 1
changed_when: false
check_mode: false
when:
- DISA_STIG_RHEL_09_231140 | bool
- configure_strategy | bool
- high_disruption | bool
- low_complexity | bool
- medium_severity | bool
- mount_option_var_nodev | bool
- no_reboot_needed | bool
- ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var" in ansible_mounts | map(attribute="mount") | list'
tags:
- CCE-83868-0
- DISA-STIG-RHEL-09-231140
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_nodev
- no_reboot_needed
- name: 'Add nodev Option to /var: Create mount_info dictionary variable'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- '{{ device_name.stdout_lines[0].split() | list | lower }}'
- '{{ device_name.stdout_lines[1].split() | list }}'
when:
- DISA_STIG_RHEL_09_231140 | bool
- configure_strategy | bool
- high_disruption | bool
- low_complexity | bool
- medium_severity | bool
- mount_option_var_nodev | bool
- no_reboot_needed | bool
- ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var" in ansible_mounts | map(attribute="mount") | list'
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length > 0)
tags:
- CCE-83868-0
- DISA-STIG-RHEL-09-231140
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_nodev
- no_reboot_needed
- name: 'Add nodev Option to /var: If /var not mounted, craft mount_info manually'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- - target
- source
- fstype
- options
- - /var
- ''
- ''
- defaults
when:
- DISA_STIG_RHEL_09_231140 | bool
- configure_strategy | bool
- high_disruption | bool
- low_complexity | bool
- medium_severity | bool
- mount_option_var_nodev | bool
- no_reboot_needed | bool
- ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var" in ansible_mounts | map(attribute="mount") | list'
- ("--fstab" | length == 0)
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length == 0)
tags:
- CCE-83868-0
- DISA-STIG-RHEL-09-231140
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_nodev
- no_reboot_needed
- name: 'Add nodev Option to /var: Make sure nodev option is part of the to /var options'
set_fact:
mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nodev'' }) }}'
when:
- DISA_STIG_RHEL_09_231140 | bool
- configure_strategy | bool
- high_disruption | bool
- low_complexity | bool
- medium_severity | bool
- mount_option_var_nodev | bool
- no_reboot_needed | bool
- ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var" in ansible_mounts | map(attribute="mount") | list'
- mount_info is defined and "nodev" not in mount_info.options
tags:
- CCE-83868-0
- DISA-STIG-RHEL-09-231140
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_nodev
- no_reboot_needed
- name: 'Add nodev Option to /var: Ensure /var is mounted with nodev option'
mount:
path: /var
src: '{{ mount_info.source }}'
opts: '{{ mount_info.options }}'
state: mounted
fstype: '{{ mount_info.fstype }}'
when:
- DISA_STIG_RHEL_09_231140 | bool
- configure_strategy | bool
- high_disruption | bool
- low_complexity | bool
- medium_severity | bool
- mount_option_var_nodev | bool
- no_reboot_needed | bool
- ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var" in ansible_mounts | map(attribute="mount") | list'
- mount_info is defined
- (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0)
tags:
- CCE-83868-0
- DISA-STIG-RHEL-09-231140
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_nodev
- no_reboot_needed
- name: 'Add nosuid Option to /var: Check information associated to mountpoint'
command: findmnt --fstab '/var'
register: device_name
failed_when: device_name.rc > 1
changed_when: false
check_mode: false
when:
- configure_strategy | bool
- high_disruption | bool
- low_complexity | bool
- medium_severity | bool
- mount_option_var_nosuid | bool
- no_reboot_needed | bool
- ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var" in ansible_mounts | map(attribute="mount") | list'
tags:
- CCE-83867-2
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_nosuid
- no_reboot_needed
- name: 'Add nosuid Option to /var: Create mount_info dictionary variable'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- '{{ device_name.stdout_lines[0].split() | list | lower }}'
- '{{ device_name.stdout_lines[1].split() | list }}'
when:
- configure_strategy | bool
- high_disruption | bool
- low_complexity | bool
- medium_severity | bool
- mount_option_var_nosuid | bool
- no_reboot_needed | bool
- ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var" in ansible_mounts | map(attribute="mount") | list'
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length > 0)
tags:
- CCE-83867-2
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_nosuid
- no_reboot_needed
- name: 'Add nosuid Option to /var: If /var not mounted, craft mount_info manually'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- - target
- source
- fstype
- options
- - /var
- ''
- ''
- defaults
when:
- configure_strategy | bool
- high_disruption | bool
- low_complexity | bool
- medium_severity | bool
- mount_option_var_nosuid | bool
- no_reboot_needed | bool
- ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var" in ansible_mounts | map(attribute="mount") | list'
- ("--fstab" | length == 0)
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length == 0)
tags:
- CCE-83867-2
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_nosuid
- no_reboot_needed
- name: 'Add nosuid Option to /var: Make sure nosuid option is part of the to /var options'
set_fact:
mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nosuid'' }) }}'
when:
- configure_strategy | bool
- high_disruption | bool
- low_complexity | bool
- medium_severity | bool
- mount_option_var_nosuid | bool
- no_reboot_needed | bool
- ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var" in ansible_mounts | map(attribute="mount") | list'
- mount_info is defined and "nosuid" not in mount_info.options
tags:
- CCE-83867-2
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_nosuid
- no_reboot_needed
- name: 'Add nosuid Option to /var: Ensure /var is mounted with nosuid option'
mount:
path: /var
src: '{{ mount_info.source }}'
opts: '{{ mount_info.options }}'
state: mounted
fstype: '{{ mount_info.fstype }}'
when:
- configure_strategy | bool
- high_disruption | bool
- low_complexity | bool
- medium_severity | bool
- mount_option_var_nosuid | bool
- no_reboot_needed | bool
- ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var" in ansible_mounts | map(attribute="mount") | list'
- mount_info is defined
- (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0)
tags:
- CCE-83867-2
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_nosuid
- no_reboot_needed
- name: 'Add nodev Option to /var/tmp: Check information associated to mountpoint'
command: findmnt --fstab '/var/tmp'
register: device_name
failed_when: device_name.rc > 1
changed_when: false
check_mode: false
when:
- DISA_STIG_RHEL_09_231175 | bool
- configure_strategy | bool
- high_disruption | bool
- low_complexity | bool
- medium_severity | bool
- mount_option_var_tmp_nodev | bool
- no_reboot_needed | bool
- ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/tmp" in ansible_mounts | map(attribute="mount") | list'
tags:
- CCE-83864-9
- DISA-STIG-RHEL-09-231175
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_tmp_nodev
- no_reboot_needed
- name: 'Add nodev Option to /var/tmp: Create mount_info dictionary variable'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- '{{ device_name.stdout_lines[0].split() | list | lower }}'
- '{{ device_name.stdout_lines[1].split() | list }}'
when:
- DISA_STIG_RHEL_09_231175 | bool
- configure_strategy | bool
- high_disruption | bool
- low_complexity | bool
- medium_severity | bool
- mount_option_var_tmp_nodev | bool
- no_reboot_needed | bool
- ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/tmp" in ansible_mounts | map(attribute="mount") | list'
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length > 0)
tags:
- CCE-83864-9
- DISA-STIG-RHEL-09-231175
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_tmp_nodev
- no_reboot_needed
- name: 'Add nodev Option to /var/tmp: If /var/tmp not mounted, craft mount_info manually'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- - target
- source
- fstype
- options
- - /var/tmp
- ''
- ''
- defaults
when:
- DISA_STIG_RHEL_09_231175 | bool
- configure_strategy | bool
- high_disruption | bool
- low_complexity | bool
- medium_severity | bool
- mount_option_var_tmp_nodev | bool
- no_reboot_needed | bool
- ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/tmp" in ansible_mounts | map(attribute="mount") | list'
- ("--fstab" | length == 0)
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length == 0)
tags:
- CCE-83864-9
- DISA-STIG-RHEL-09-231175
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_tmp_nodev
- no_reboot_needed
- name: 'Add nodev Option to /var/tmp: Make sure nodev option is part of the to /var/tmp options'
set_fact:
mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nodev'' }) }}'
when:
- DISA_STIG_RHEL_09_231175 | bool
- configure_strategy | bool
- high_disruption | bool
- low_complexity | bool
- medium_severity | bool
- mount_option_var_tmp_nodev | bool
- no_reboot_needed | bool
- ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/tmp" in ansible_mounts | map(attribute="mount") | list'
- mount_info is defined and "nodev" not in mount_info.options
tags:
- CCE-83864-9
- DISA-STIG-RHEL-09-231175
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_tmp_nodev
- no_reboot_needed
- name: 'Add nodev Option to /var/tmp: Ensure /var/tmp is mounted with nodev option'
mount:
path: /var/tmp
src: '{{ mount_info.source }}'
opts: '{{ mount_info.options }}'
state: mounted
fstype: '{{ mount_info.fstype }}'
when:
- DISA_STIG_RHEL_09_231175 | bool
- configure_strategy | bool
- high_disruption | bool
- low_complexity | bool
- medium_severity | bool
- mount_option_var_tmp_nodev | bool
- no_reboot_needed | bool
- ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/tmp" in ansible_mounts | map(attribute="mount") | list'
- mount_info is defined
- (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0)
tags:
- CCE-83864-9
- DISA-STIG-RHEL-09-231175
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_tmp_nodev
- no_reboot_needed
- name: 'Add noexec Option to /var/tmp: Check information associated to mountpoint'
command: findmnt --fstab '/var/tmp'
register: device_name
failed_when: device_name.rc > 1
changed_when: false
check_mode: false
when:
- DISA_STIG_RHEL_09_231180 | bool
- configure_strategy | bool
- high_disruption | bool
- low_complexity | bool
- medium_severity | bool
- mount_option_var_tmp_noexec | bool
- no_reboot_needed | bool
- ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/tmp" in ansible_mounts | map(attribute="mount") | list'
tags:
- CCE-83866-4
- DISA-STIG-RHEL-09-231180
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_tmp_noexec
- no_reboot_needed
- name: 'Add noexec Option to /var/tmp: Create mount_info dictionary variable'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- '{{ device_name.stdout_lines[0].split() | list | lower }}'
- '{{ device_name.stdout_lines[1].split() | list }}'
when:
- DISA_STIG_RHEL_09_231180 | bool
- configure_strategy | bool
- high_disruption | bool
- low_complexity | bool
- medium_severity | bool
- mount_option_var_tmp_noexec | bool
- no_reboot_needed | bool
- ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/tmp" in ansible_mounts | map(attribute="mount") | list'
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length > 0)
tags:
- CCE-83866-4
- DISA-STIG-RHEL-09-231180
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_tmp_noexec
- no_reboot_needed
- name: 'Add noexec Option to /var/tmp: If /var/tmp not mounted, craft mount_info manually'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- - target
- source
- fstype
- options
- - /var/tmp
- ''
- ''
- defaults
when:
- DISA_STIG_RHEL_09_231180 | bool
- configure_strategy | bool
- high_disruption | bool
- low_complexity | bool
- medium_severity | bool
- mount_option_var_tmp_noexec | bool
- no_reboot_needed | bool
- ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/tmp" in ansible_mounts | map(attribute="mount") | list'
- ("--fstab" | length == 0)
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length == 0)
tags:
- CCE-83866-4
- DISA-STIG-RHEL-09-231180
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_tmp_noexec
- no_reboot_needed
- name: 'Add noexec Option to /var/tmp: Make sure noexec option is part of the to /var/tmp options'
set_fact:
mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',noexec'' }) }}'
when:
- DISA_STIG_RHEL_09_231180 | bool
- configure_strategy | bool
- high_disruption | bool
- low_complexity | bool
- medium_severity | bool
- mount_option_var_tmp_noexec | bool
- no_reboot_needed | bool
- ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/tmp" in ansible_mounts | map(attribute="mount") | list'
- mount_info is defined and "noexec" not in mount_info.options
tags:
- CCE-83866-4
- DISA-STIG-RHEL-09-231180
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_tmp_noexec
- no_reboot_needed
- name: 'Add noexec Option to /var/tmp: Ensure /var/tmp is mounted with noexec option'
mount:
path: /var/tmp
src: '{{ mount_info.source }}'
opts: '{{ mount_info.options }}'
state: mounted
fstype: '{{ mount_info.fstype }}'
when:
- DISA_STIG_RHEL_09_231180 | bool
- configure_strategy | bool
- high_disruption | bool
- low_complexity | bool
- medium_severity | bool
- mount_option_var_tmp_noexec | bool
- no_reboot_needed | bool
- ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/tmp" in ansible_mounts | map(attribute="mount") | list'
- mount_info is defined
- (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0)
tags:
- CCE-83866-4
- DISA-STIG-RHEL-09-231180
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_tmp_noexec
- no_reboot_needed
- name: 'Add nosuid Option to /var/tmp: Check information associated to mountpoint'
command: findmnt --fstab '/var/tmp'
register: device_name
failed_when: device_name.rc > 1
changed_when: false
check_mode: false
when:
- DISA_STIG_RHEL_09_231185 | bool
- configure_strategy | bool
- high_disruption | bool
- low_complexity | bool
- medium_severity | bool
- mount_option_var_tmp_nosuid | bool
- no_reboot_needed | bool
- ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/tmp" in ansible_mounts | map(attribute="mount") | list'
tags:
- CCE-83863-1
- DISA-STIG-RHEL-09-231185
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_tmp_nosuid
- no_reboot_needed
- name: 'Add nosuid Option to /var/tmp: Create mount_info dictionary variable'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- '{{ device_name.stdout_lines[0].split() | list | lower }}'
- '{{ device_name.stdout_lines[1].split() | list }}'
when:
- DISA_STIG_RHEL_09_231185 | bool
- configure_strategy | bool
- high_disruption | bool
- low_complexity | bool
- medium_severity | bool
- mount_option_var_tmp_nosuid | bool
- no_reboot_needed | bool
- ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/tmp" in ansible_mounts | map(attribute="mount") | list'
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length > 0)
tags:
- CCE-83863-1
- DISA-STIG-RHEL-09-231185
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_tmp_nosuid
- no_reboot_needed
- name: 'Add nosuid Option to /var/tmp: If /var/tmp not mounted, craft mount_info manually'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- - target
- source
- fstype
- options
- - /var/tmp
- ''
- ''
- defaults
when:
- DISA_STIG_RHEL_09_231185 | bool
- configure_strategy | bool
- high_disruption | bool
- low_complexity | bool
- medium_severity | bool
- mount_option_var_tmp_nosuid | bool
- no_reboot_needed | bool
- ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/tmp" in ansible_mounts | map(attribute="mount") | list'
- ("--fstab" | length == 0)
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length == 0)
tags:
- CCE-83863-1
- DISA-STIG-RHEL-09-231185
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_tmp_nosuid
- no_reboot_needed
- name: 'Add nosuid Option to /var/tmp: Make sure nosuid option is part of the to /var/tmp options'
set_fact:
mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nosuid'' }) }}'
when:
- DISA_STIG_RHEL_09_231185 | bool
- configure_strategy | bool
- high_disruption | bool
- low_complexity | bool
- medium_severity | bool
- mount_option_var_tmp_nosuid | bool
- no_reboot_needed | bool
- ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/tmp" in ansible_mounts | map(attribute="mount") | list'
- mount_info is defined and "nosuid" not in mount_info.options
tags:
- CCE-83863-1
- DISA-STIG-RHEL-09-231185
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_tmp_nosuid
- no_reboot_needed
- name: 'Add nosuid Option to /var/tmp: Ensure /var/tmp is mounted with nosuid option'
mount:
path: /var/tmp
src: '{{ mount_info.source }}'
opts: '{{ mount_info.options }}'
state: mounted
fstype: '{{ mount_info.fstype }}'
when:
- DISA_STIG_RHEL_09_231185 | bool
- configure_strategy | bool
- high_disruption | bool
- low_complexity | bool
- medium_severity | bool
- mount_option_var_tmp_nosuid | bool
- no_reboot_needed | bool
- ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages and "bootc" in ansible_facts.packages
and not "openshift-kubelet" in ansible_facts.packages and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/tmp" in ansible_mounts | map(attribute="mount") | list'
- mount_info is defined
- (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0)
tags:
- CCE-83863-1
- DISA-STIG-RHEL-09-231185
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_tmp_nosuid
- no_reboot_needed
- name: Restrict usage of ptrace to descendant processes - Set fact for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /etc/sysctl.d/
- /run/sysctl.d/
- /usr/local/lib/sysctl.d/
when:
- DISA_STIG_RHEL_09_213080 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_kernel_yama_ptrace_scope | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83965-4
- DISA-STIG-RHEL-09-213080
- NIST-800-53-SC-7(10)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_yama_ptrace_scope
- name: Restrict usage of ptrace to descendant processes - Find all files that contain kernel.yama.ptrace_scope
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*kernel.yama.ptrace_scope\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when:
- DISA_STIG_RHEL_09_213080 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_kernel_yama_ptrace_scope | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83965-4
- DISA-STIG-RHEL-09-213080
- NIST-800-53-SC-7(10)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_yama_ptrace_scope
- name: Restrict usage of ptrace to descendant processes - Find all files that set kernel.yama.ptrace_scope to correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*kernel.yama.ptrace_scope\s*=\s*1$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when:
- DISA_STIG_RHEL_09_213080 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_kernel_yama_ptrace_scope | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83965-4
- DISA-STIG-RHEL-09-213080
- NIST-800-53-SC-7(10)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_yama_ptrace_scope
- name: Restrict usage of ptrace to descendant processes - Comment out any occurrences of kernel.yama.ptrace_scope from config
files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*kernel.yama.ptrace_scope
replace: '#kernel.yama.ptrace_scope'
loop: '{{ find_all_values.stdout_lines }}'
when:
- DISA_STIG_RHEL_09_213080 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_kernel_yama_ptrace_scope | bool
- '"kernel-core" in ansible_facts.packages'
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines | length > find_correct_value.stdout_lines
| length
tags:
- CCE-83965-4
- DISA-STIG-RHEL-09-213080
- NIST-800-53-SC-7(10)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_yama_ptrace_scope
- name: Restrict usage of ptrace to descendant processes - Ensure sysctl kernel.yama.ptrace_scope is set to 1
ansible.posix.sysctl:
name: kernel.yama.ptrace_scope
value: '1'
sysctl_file: /etc/sysctl.conf
state: present
reload: true
when:
- DISA_STIG_RHEL_09_213080 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_kernel_yama_ptrace_scope | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83965-4
- DISA-STIG-RHEL-09-213080
- NIST-800-53-SC-7(10)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_yama_ptrace_scope
- name: Disable core dump backtraces - Search for a section in files
ansible.builtin.find:
paths: '{{item.path}}'
patterns: '{{item.pattern}}'
contains: ^\s*\[Coredump\]
read_whole_file: true
use_regex: true
register: systemd_dropin_files_with_section
loop:
- path: '{{ ''/etc/systemd/coredump.conf'' | dirname }}'
pattern: '{{ ''/etc/systemd/coredump.conf'' | basename | regex_escape }}'
- path: /etc/systemd/coredump.conf.d
pattern: .*\.conf
when:
- DISA_STIG_RHEL_09_213085 | bool
- coredump_disable_backtraces | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- '"systemd" in ansible_facts.packages'
tags:
- CCE-83984-5
- DISA-STIG-RHEL-09-213085
- NIST-800-53-CM-6
- PCI-DSS-Req-3.2
- PCI-DSSv4-3.3
- PCI-DSSv4-3.3.1
- PCI-DSSv4-3.3.1.1
- coredump_disable_backtraces
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Disable core dump backtraces - Count number of files which contain the correct section
ansible.builtin.set_fact:
count_of_systemd_dropin_files_with_section: '{{systemd_dropin_files_with_section.results | map(attribute=''matched'')
| list | map(''int'') | sum}}'
when:
- DISA_STIG_RHEL_09_213085 | bool
- coredump_disable_backtraces | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- '"systemd" in ansible_facts.packages'
tags:
- CCE-83984-5
- DISA-STIG-RHEL-09-213085
- NIST-800-53-CM-6
- PCI-DSS-Req-3.2
- PCI-DSSv4-3.3
- PCI-DSSv4-3.3.1
- PCI-DSSv4-3.3.1.1
- coredump_disable_backtraces
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Disable core dump backtraces - Add missing configuration to correct section
community.general.ini_file:
path: '{{item}}'
section: Coredump
option: ProcessSizeMax
value: '0'
state: present
no_extra_spaces: true
when:
- DISA_STIG_RHEL_09_213085 | bool
- coredump_disable_backtraces | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- '"systemd" in ansible_facts.packages'
- count_of_systemd_dropin_files_with_section | int > 0
loop: '{{systemd_dropin_files_with_section.results | sum(attribute=''files'', start=[]) | map(attribute=''path'') | list
}}'
tags:
- CCE-83984-5
- DISA-STIG-RHEL-09-213085
- NIST-800-53-CM-6
- PCI-DSS-Req-3.2
- PCI-DSSv4-3.3
- PCI-DSSv4-3.3.1
- PCI-DSSv4-3.3.1.1
- coredump_disable_backtraces
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Disable core dump backtraces - Add configuration to new remediation file
community.general.ini_file:
path: /etc/systemd/coredump.conf.d/complianceascode_hardening.conf
section: Coredump
option: ProcessSizeMax
value: '0'
state: present
no_extra_spaces: true
create: true
when:
- DISA_STIG_RHEL_09_213085 | bool
- coredump_disable_backtraces | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- '"systemd" in ansible_facts.packages'
- count_of_systemd_dropin_files_with_section | int == 0
tags:
- CCE-83984-5
- DISA-STIG-RHEL-09-213085
- NIST-800-53-CM-6
- PCI-DSS-Req-3.2
- PCI-DSSv4-3.3
- PCI-DSSv4-3.3.1
- PCI-DSSv4-3.3.1.1
- coredump_disable_backtraces
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Disable storing core dump - Search for a section in files
ansible.builtin.find:
paths: '{{item.path}}'
patterns: '{{item.pattern}}'
contains: ^\s*\[Coredump\]
read_whole_file: true
use_regex: true
register: systemd_dropin_files_with_section
loop:
- path: '{{ ''/etc/systemd/coredump.conf'' | dirname }}'
pattern: '{{ ''/etc/systemd/coredump.conf'' | basename | regex_escape }}'
- path: /etc/systemd/coredump.conf.d
pattern: .*\.conf
when:
- DISA_STIG_RHEL_09_213090 | bool
- coredump_disable_storage | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- '"systemd" in ansible_facts.packages'
tags:
- CCE-83979-5
- DISA-STIG-RHEL-09-213090
- NIST-800-53-CM-6
- PCI-DSS-Req-3.2
- PCI-DSSv4-3.3
- PCI-DSSv4-3.3.1
- PCI-DSSv4-3.3.1.1
- coredump_disable_storage
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Disable storing core dump - Count number of files which contain the correct section
ansible.builtin.set_fact:
count_of_systemd_dropin_files_with_section: '{{systemd_dropin_files_with_section.results | map(attribute=''matched'')
| list | map(''int'') | sum}}'
when:
- DISA_STIG_RHEL_09_213090 | bool
- coredump_disable_storage | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- '"systemd" in ansible_facts.packages'
tags:
- CCE-83979-5
- DISA-STIG-RHEL-09-213090
- NIST-800-53-CM-6
- PCI-DSS-Req-3.2
- PCI-DSSv4-3.3
- PCI-DSSv4-3.3.1
- PCI-DSSv4-3.3.1.1
- coredump_disable_storage
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Disable storing core dump - Add missing configuration to correct section
community.general.ini_file:
path: '{{item}}'
section: Coredump
option: Storage
value: none
state: present
no_extra_spaces: true
when:
- DISA_STIG_RHEL_09_213090 | bool
- coredump_disable_storage | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- '"systemd" in ansible_facts.packages'
- count_of_systemd_dropin_files_with_section | int > 0
loop: '{{systemd_dropin_files_with_section.results | sum(attribute=''files'', start=[]) | map(attribute=''path'') | list
}}'
tags:
- CCE-83979-5
- DISA-STIG-RHEL-09-213090
- NIST-800-53-CM-6
- PCI-DSS-Req-3.2
- PCI-DSSv4-3.3
- PCI-DSSv4-3.3.1
- PCI-DSSv4-3.3.1.1
- coredump_disable_storage
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Disable storing core dump - Add configuration to new remediation file
community.general.ini_file:
path: /etc/systemd/coredump.conf.d/complianceascode_hardening.conf
section: Coredump
option: Storage
value: none
state: present
no_extra_spaces: true
create: true
when:
- DISA_STIG_RHEL_09_213090 | bool
- coredump_disable_storage | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- '"systemd" in ansible_facts.packages'
- count_of_systemd_dropin_files_with_section | int == 0
tags:
- CCE-83979-5
- DISA-STIG-RHEL-09-213090
- NIST-800-53-CM-6
- PCI-DSS-Req-3.2
- PCI-DSSv4-3.3
- PCI-DSSv4-3.3.1
- PCI-DSSv4-3.3.1.1
- coredump_disable_storage
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Enable Randomized Layout of Virtual Address Space - Set fact for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /etc/sysctl.d/
- /run/sysctl.d/
- /usr/local/lib/sysctl.d/
when:
- DISA_STIG_RHEL_09_213070 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_kernel_randomize_va_space | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83971-2
- DISA-STIG-RHEL-09-213070
- NIST-800-171-3.1.7
- NIST-800-53-CM-6(a)
- NIST-800-53-SC-30
- NIST-800-53-SC-30(2)
- PCI-DSS-Req-2.2.1
- PCI-DSSv4-3.3
- PCI-DSSv4-3.3.1
- PCI-DSSv4-3.3.1.1
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_randomize_va_space
- name: Enable Randomized Layout of Virtual Address Space - Find all files that contain kernel.randomize_va_space
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*kernel.randomize_va_space\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when:
- DISA_STIG_RHEL_09_213070 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_kernel_randomize_va_space | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83971-2
- DISA-STIG-RHEL-09-213070
- NIST-800-171-3.1.7
- NIST-800-53-CM-6(a)
- NIST-800-53-SC-30
- NIST-800-53-SC-30(2)
- PCI-DSS-Req-2.2.1
- PCI-DSSv4-3.3
- PCI-DSSv4-3.3.1
- PCI-DSSv4-3.3.1.1
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_randomize_va_space
- name: Enable Randomized Layout of Virtual Address Space - Find all files that set kernel.randomize_va_space to correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*kernel.randomize_va_space\s*=\s*2$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when:
- DISA_STIG_RHEL_09_213070 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_kernel_randomize_va_space | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83971-2
- DISA-STIG-RHEL-09-213070
- NIST-800-171-3.1.7
- NIST-800-53-CM-6(a)
- NIST-800-53-SC-30
- NIST-800-53-SC-30(2)
- PCI-DSS-Req-2.2.1
- PCI-DSSv4-3.3
- PCI-DSSv4-3.3.1
- PCI-DSSv4-3.3.1.1
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_randomize_va_space
- name: Enable Randomized Layout of Virtual Address Space - Comment out any occurrences of kernel.randomize_va_space from
config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*kernel.randomize_va_space
replace: '#kernel.randomize_va_space'
loop: '{{ find_all_values.stdout_lines }}'
when:
- DISA_STIG_RHEL_09_213070 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_kernel_randomize_va_space | bool
- '"kernel-core" in ansible_facts.packages'
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines | length > find_correct_value.stdout_lines
| length
tags:
- CCE-83971-2
- DISA-STIG-RHEL-09-213070
- NIST-800-171-3.1.7
- NIST-800-53-CM-6(a)
- NIST-800-53-SC-30
- NIST-800-53-SC-30(2)
- PCI-DSS-Req-2.2.1
- PCI-DSSv4-3.3
- PCI-DSSv4-3.3.1
- PCI-DSSv4-3.3.1.1
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_randomize_va_space
- name: Enable Randomized Layout of Virtual Address Space - Ensure sysctl kernel.randomize_va_space is set to 2
ansible.posix.sysctl:
name: kernel.randomize_va_space
value: '2'
sysctl_file: /etc/sysctl.conf
state: present
reload: true
when:
- DISA_STIG_RHEL_09_213070 | bool
- disable_strategy | bool
- low_complexity | bool
- medium_disruption | bool
- medium_severity | bool
- reboot_required | bool
- sysctl_kernel_randomize_va_space | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83971-2
- DISA-STIG-RHEL-09-213070
- NIST-800-171-3.1.7
- NIST-800-53-CM-6(a)
- NIST-800-53-SC-30
- NIST-800-53-SC-30(2)
- PCI-DSS-Req-2.2.1
- PCI-DSSv4-3.3
- PCI-DSSv4-3.3.1
- PCI-DSSv4-3.3.1.1
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_randomize_va_space
- name: Ensure SELinux Not Disabled in /etc/default/grub - Find /etc/grub.d/ files
ansible.builtin.find:
paths:
- /etc/grub.d/
follow: true
register: result_grub_d
when:
- grub2_enable_selinux | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- '"grub2-common" in ansible_facts.packages'
tags:
- CCE-84078-5
- NIST-800-171-3.1.2
- NIST-800-171-3.7.2
- NIST-800-53-AC-3
- NIST-800-53-AC-3(3)(a)
- PCI-DSSv4-1.2
- PCI-DSSv4-1.2.6
- grub2_enable_selinux
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure SELinux Not Disabled in /etc/default/grub - Ensure SELinux Not Disabled in /etc/grub.d/ files
ansible.builtin.replace:
dest: '{{ item.path }}'
regexp: (selinux|enforcing)=0
with_items:
- '{{ result_grub_d.files }}'
when:
- grub2_enable_selinux | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- '"grub2-common" in ansible_facts.packages'
tags:
- CCE-84078-5
- NIST-800-171-3.1.2
- NIST-800-171-3.7.2
- NIST-800-53-AC-3
- NIST-800-53-AC-3(3)(a)
- PCI-DSSv4-1.2
- PCI-DSSv4-1.2.6
- grub2_enable_selinux
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure SELinux Not Disabled in /etc/default/grub - Check if /etc/grub2.cfg exists
ansible.builtin.stat:
path: /etc/grub2.cfg
register: result_grub2_cfg_present
when:
- grub2_enable_selinux | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- '"grub2-common" in ansible_facts.packages'
tags:
- CCE-84078-5
- NIST-800-171-3.1.2
- NIST-800-171-3.7.2
- NIST-800-53-AC-3
- NIST-800-53-AC-3(3)(a)
- PCI-DSSv4-1.2
- PCI-DSSv4-1.2.6
- grub2_enable_selinux
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure SELinux Not Disabled in /etc/default/grub - Check if /etc/default/grub exists
ansible.builtin.stat:
path: /etc/default/grub
register: result_default_grub_present
when:
- grub2_enable_selinux | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- '"grub2-common" in ansible_facts.packages'
tags:
- CCE-84078-5
- NIST-800-171-3.1.2
- NIST-800-171-3.7.2
- NIST-800-53-AC-3
- NIST-800-53-AC-3(3)(a)
- PCI-DSSv4-1.2
- PCI-DSSv4-1.2.6
- grub2_enable_selinux
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure SELinux Not Disabled in /etc/default/grub - Ensure SELinux Not Disabled in /etc/grub2.cfg
ansible.builtin.replace:
dest: /etc/grub2.cfg
regexp: (selinux|enforcing)=0
when:
- grub2_enable_selinux | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- '"grub2-common" in ansible_facts.packages'
- result_grub2_cfg_present.stat.exists
tags:
- CCE-84078-5
- NIST-800-171-3.1.2
- NIST-800-171-3.7.2
- NIST-800-53-AC-3
- NIST-800-53-AC-3(3)(a)
- PCI-DSSv4-1.2
- PCI-DSSv4-1.2.6
- grub2_enable_selinux
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure SELinux Not Disabled in /etc/default/grub - Ensure SELinux Not Disabled in /etc/default/grub
ansible.builtin.replace:
dest: /etc/default/grub
regexp: (selinux|enforcing)=0
when:
- grub2_enable_selinux | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- '"grub2-common" in ansible_facts.packages'
- result_default_grub_present.stat.exists
tags:
- CCE-84078-5
- NIST-800-171-3.1.2
- NIST-800-171-3.7.2
- NIST-800-53-AC-3
- NIST-800-53-AC-3(3)(a)
- PCI-DSSv4-1.2
- PCI-DSSv4-1.2.6
- grub2_enable_selinux
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure SELinux is Not Disabled - Check current SELinux state
ansible.builtin.command:
cmd: getenforce
register: selinux_state
check_mode: false
changed_when: false
when:
- high_severity | bool
- low_complexity | bool
- low_disruption | bool
- reboot_required | bool
- restrict_strategy | bool
- selinux_not_disabled | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86152-6
- high_severity
- low_complexity
- low_disruption
- reboot_required
- restrict_strategy
- selinux_not_disabled
- name: Ensure SELinux is Not Disabled
block:
- name: Check for duplicate values
ansible.builtin.lineinfile:
path: /etc/selinux/config
create: true
regexp: (?i)^SELINUX=
state: absent
check_mode: true
changed_when: false
register: dupes
- name: Deduplicate values from /etc/selinux/config
ansible.builtin.lineinfile:
path: /etc/selinux/config
create: true
regexp: (?i)^SELINUX=
state: absent
when: dupes.found is defined and dupes.found > 1
- name: Insert correct line to /etc/selinux/config
ansible.builtin.lineinfile:
path: /etc/selinux/config
create: true
regexp: (?i)^SELINUX=
line: SELINUX=permissive
state: present
when:
- high_severity | bool
- low_complexity | bool
- low_disruption | bool
- reboot_required | bool
- restrict_strategy | bool
- selinux_not_disabled | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86152-6
- high_severity
- low_complexity
- low_disruption
- reboot_required
- restrict_strategy
- selinux_not_disabled
- name: Ensure SELinux is Not Disabled - Mark system to relabel SELinux on next boot
ansible.builtin.file:
path: /.autorelabel
state: touch
access_time: preserve
modification_time: preserve
when:
- high_severity | bool
- low_complexity | bool
- low_disruption | bool
- reboot_required | bool
- restrict_strategy | bool
- selinux_not_disabled | bool
- '"kernel-core" in ansible_facts.packages'
- selinux_state.stdout | lower != "permissive"
tags:
- CCE-86152-6
- high_severity
- low_complexity
- low_disruption
- reboot_required
- restrict_strategy
- selinux_not_disabled
- name: Configure SELinux Policy
block:
- name: Check for duplicate values
ansible.builtin.lineinfile:
path: /etc/selinux/config
create: true
regexp: (?i)^SELINUXTYPE=
state: absent
check_mode: true
changed_when: false
register: dupes
- name: Deduplicate values from /etc/selinux/config
ansible.builtin.lineinfile:
path: /etc/selinux/config
create: true
regexp: (?i)^SELINUXTYPE=
state: absent
when: dupes.found is defined and dupes.found > 1
- name: Insert correct line to /etc/selinux/config
ansible.builtin.lineinfile:
path: /etc/selinux/config
create: true
regexp: (?i)^SELINUXTYPE=
line: SELINUXTYPE={{ var_selinux_policy_name }}
state: present
when:
- DISA_STIG_RHEL_09_431015 | bool
- configure_strategy | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- selinux_policytype | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84074-4
- DISA-STIG-RHEL-09-431015
- NIST-800-171-3.1.2
- NIST-800-171-3.7.2
- NIST-800-53-AC-3
- NIST-800-53-AC-3(3)(a)
- NIST-800-53-AU-9
- NIST-800-53-SC-7(21)
- PCI-DSSv4-1.2
- PCI-DSSv4-1.2.6
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- selinux_policytype
- name: Ensure SELinux State is Enforcing - Check current SELinux state
ansible.builtin.command:
cmd: getenforce
register: selinux_state
check_mode: false
changed_when: false
when:
- DISA_STIG_RHEL_09_431010 | bool
- high_severity | bool
- low_complexity | bool
- low_disruption | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- selinux_state | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84079-3
- DISA-STIG-RHEL-09-431010
- NIST-800-171-3.1.2
- NIST-800-171-3.7.2
- NIST-800-53-AC-3
- NIST-800-53-AC-3(3)(a)
- NIST-800-53-AU-9
- NIST-800-53-SC-7(21)
- PCI-DSSv4-1.2
- PCI-DSSv4-1.2.6
- high_severity
- low_complexity
- low_disruption
- no_reboot_needed
- restrict_strategy
- selinux_state
- name: Ensure SELinux State is Enforcing
block:
- name: Check for duplicate values
ansible.builtin.lineinfile:
path: /etc/selinux/config
create: true
regexp: (?i)^SELINUX=
state: absent
check_mode: true
changed_when: false
register: dupes
- name: Deduplicate values from /etc/selinux/config
ansible.builtin.lineinfile:
path: /etc/selinux/config
create: true
regexp: (?i)^SELINUX=
state: absent
when: dupes.found is defined and dupes.found > 1
- name: Insert correct line to /etc/selinux/config
ansible.builtin.lineinfile:
path: /etc/selinux/config
create: true
regexp: (?i)^SELINUX=
line: SELINUX={{ var_selinux_state }}
state: present
when:
- DISA_STIG_RHEL_09_431010 | bool
- high_severity | bool
- low_complexity | bool
- low_disruption | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- selinux_state | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84079-3
- DISA-STIG-RHEL-09-431010
- NIST-800-171-3.1.2
- NIST-800-171-3.7.2
- NIST-800-53-AC-3
- NIST-800-53-AC-3(3)(a)
- NIST-800-53-AU-9
- NIST-800-53-SC-7(21)
- PCI-DSSv4-1.2
- PCI-DSSv4-1.2.6
- high_severity
- low_complexity
- low_disruption
- no_reboot_needed
- restrict_strategy
- selinux_state
- name: Ensure SELinux State is Enforcing - Mark system to relabel SELinux on next boot
ansible.builtin.file:
path: /.autorelabel
state: touch
access_time: preserve
modification_time: preserve
when:
- DISA_STIG_RHEL_09_431010 | bool
- high_severity | bool
- low_complexity | bool
- low_disruption | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- selinux_state | bool
- '"kernel-core" in ansible_facts.packages'
- selinux_state.stdout | lower != var_selinux_state
tags:
- CCE-84079-3
- DISA-STIG-RHEL-09-431010
- NIST-800-171-3.1.2
- NIST-800-171-3.7.2
- NIST-800-53-AC-3
- NIST-800-53-AC-3(3)(a)
- NIST-800-53-AU-9
- NIST-800-53-SC-7(21)
- PCI-DSSv4-1.2
- PCI-DSSv4-1.2.6
- high_severity
- low_complexity
- low_disruption
- no_reboot_needed
- restrict_strategy
- selinux_state
- name: Set the file_groupowner_cron_d_newgroup variable if represented by gid
ansible.builtin.set_fact:
file_groupowner_cron_d_newgroup: '0'
when:
- DISA_STIG_RHEL_09_232235 | bool
- configure_strategy | bool
- file_groupowner_cron_d | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84177-5
- DISA-STIG-RHEL-09-232235
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_groupowner_cron_d
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure group owner on /etc/cron.d/
ansible.builtin.file:
path: /etc/cron.d/
follow: false
state: directory
group: '{{ file_groupowner_cron_d_newgroup }}'
when:
- DISA_STIG_RHEL_09_232235 | bool
- configure_strategy | bool
- file_groupowner_cron_d | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84177-5
- DISA-STIG-RHEL-09-232235
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_groupowner_cron_d
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set the file_groupowner_cron_daily_newgroup variable if represented by gid
ansible.builtin.set_fact:
file_groupowner_cron_daily_newgroup: '0'
when:
- DISA_STIG_RHEL_09_232235 | bool
- configure_strategy | bool
- file_groupowner_cron_daily | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84170-0
- DISA-STIG-RHEL-09-232235
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_groupowner_cron_daily
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure group owner on /etc/cron.daily/
ansible.builtin.file:
path: /etc/cron.daily/
follow: false
state: directory
group: '{{ file_groupowner_cron_daily_newgroup }}'
when:
- DISA_STIG_RHEL_09_232235 | bool
- configure_strategy | bool
- file_groupowner_cron_daily | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84170-0
- DISA-STIG-RHEL-09-232235
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_groupowner_cron_daily
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set the file_groupowner_cron_hourly_newgroup variable if represented by gid
ansible.builtin.set_fact:
file_groupowner_cron_hourly_newgroup: '0'
when:
- DISA_STIG_RHEL_09_232235 | bool
- configure_strategy | bool
- file_groupowner_cron_hourly | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84186-6
- DISA-STIG-RHEL-09-232235
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_groupowner_cron_hourly
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure group owner on /etc/cron.hourly/
ansible.builtin.file:
path: /etc/cron.hourly/
follow: false
state: directory
group: '{{ file_groupowner_cron_hourly_newgroup }}'
when:
- DISA_STIG_RHEL_09_232235 | bool
- configure_strategy | bool
- file_groupowner_cron_hourly | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84186-6
- DISA-STIG-RHEL-09-232235
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_groupowner_cron_hourly
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set the file_groupowner_cron_monthly_newgroup variable if represented by gid
ansible.builtin.set_fact:
file_groupowner_cron_monthly_newgroup: '0'
when:
- DISA_STIG_RHEL_09_232235 | bool
- configure_strategy | bool
- file_groupowner_cron_monthly | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84189-0
- DISA-STIG-RHEL-09-232235
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_groupowner_cron_monthly
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure group owner on /etc/cron.monthly/
ansible.builtin.file:
path: /etc/cron.monthly/
follow: false
state: directory
group: '{{ file_groupowner_cron_monthly_newgroup }}'
when:
- DISA_STIG_RHEL_09_232235 | bool
- configure_strategy | bool
- file_groupowner_cron_monthly | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84189-0
- DISA-STIG-RHEL-09-232235
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_groupowner_cron_monthly
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set the file_groupowner_cron_weekly_newgroup variable if represented by gid
ansible.builtin.set_fact:
file_groupowner_cron_weekly_newgroup: '0'
when:
- DISA_STIG_RHEL_09_232235 | bool
- configure_strategy | bool
- file_groupowner_cron_weekly | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84174-2
- DISA-STIG-RHEL-09-232235
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_groupowner_cron_weekly
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure group owner on /etc/cron.weekly/
ansible.builtin.file:
path: /etc/cron.weekly/
follow: false
state: directory
group: '{{ file_groupowner_cron_weekly_newgroup }}'
when:
- DISA_STIG_RHEL_09_232235 | bool
- configure_strategy | bool
- file_groupowner_cron_weekly | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84174-2
- DISA-STIG-RHEL-09-232235
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_groupowner_cron_weekly
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set the file_groupowner_crontab_newgroup variable if represented by gid
ansible.builtin.set_fact:
file_groupowner_crontab_newgroup: '0'
when:
- DISA_STIG_RHEL_09_232235 | bool
- configure_strategy | bool
- file_groupowner_crontab | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84171-8
- DISA-STIG-RHEL-09-232235
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_groupowner_crontab
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Test for existence /etc/crontab
ansible.builtin.stat:
path: /etc/crontab
register: file_exists
when:
- DISA_STIG_RHEL_09_232235 | bool
- configure_strategy | bool
- file_groupowner_crontab | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84171-8
- DISA-STIG-RHEL-09-232235
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_groupowner_crontab
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure group owner on /etc/crontab
ansible.builtin.file:
path: /etc/crontab
follow: false
group: '{{ file_groupowner_crontab_newgroup }}'
when:
- DISA_STIG_RHEL_09_232235 | bool
- configure_strategy | bool
- file_groupowner_crontab | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-84171-8
- DISA-STIG-RHEL-09-232235
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_groupowner_crontab
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set the file_owner_cron_d_newown variable if represented by uid
ansible.builtin.set_fact:
file_owner_cron_d_newown: '0'
when:
- DISA_STIG_RHEL_09_232230 | bool
- configure_strategy | bool
- file_owner_cron_d | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84169-2
- DISA-STIG-RHEL-09-232230
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_owner_cron_d
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure owner on directory /etc/cron.d/
ansible.builtin.file:
path: /etc/cron.d/
follow: false
state: directory
owner: '{{ file_owner_cron_d_newown }}'
when:
- DISA_STIG_RHEL_09_232230 | bool
- configure_strategy | bool
- file_owner_cron_d | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84169-2
- DISA-STIG-RHEL-09-232230
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_owner_cron_d
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set the file_owner_cron_daily_newown variable if represented by uid
ansible.builtin.set_fact:
file_owner_cron_daily_newown: '0'
when:
- DISA_STIG_RHEL_09_232230 | bool
- configure_strategy | bool
- file_owner_cron_daily | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84188-2
- DISA-STIG-RHEL-09-232230
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_owner_cron_daily
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure owner on directory /etc/cron.daily/
ansible.builtin.file:
path: /etc/cron.daily/
follow: false
state: directory
owner: '{{ file_owner_cron_daily_newown }}'
when:
- DISA_STIG_RHEL_09_232230 | bool
- configure_strategy | bool
- file_owner_cron_daily | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84188-2
- DISA-STIG-RHEL-09-232230
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_owner_cron_daily
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set the file_owner_cron_hourly_newown variable if represented by uid
ansible.builtin.set_fact:
file_owner_cron_hourly_newown: '0'
when:
- DISA_STIG_RHEL_09_232230 | bool
- configure_strategy | bool
- file_owner_cron_hourly | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84168-4
- DISA-STIG-RHEL-09-232230
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_owner_cron_hourly
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure owner on directory /etc/cron.hourly/
ansible.builtin.file:
path: /etc/cron.hourly/
follow: false
state: directory
owner: '{{ file_owner_cron_hourly_newown }}'
when:
- DISA_STIG_RHEL_09_232230 | bool
- configure_strategy | bool
- file_owner_cron_hourly | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84168-4
- DISA-STIG-RHEL-09-232230
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_owner_cron_hourly
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set the file_owner_cron_monthly_newown variable if represented by uid
ansible.builtin.set_fact:
file_owner_cron_monthly_newown: '0'
when:
- DISA_STIG_RHEL_09_232230 | bool
- configure_strategy | bool
- file_owner_cron_monthly | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84179-1
- DISA-STIG-RHEL-09-232230
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_owner_cron_monthly
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure owner on directory /etc/cron.monthly/
ansible.builtin.file:
path: /etc/cron.monthly/
follow: false
state: directory
owner: '{{ file_owner_cron_monthly_newown }}'
when:
- DISA_STIG_RHEL_09_232230 | bool
- configure_strategy | bool
- file_owner_cron_monthly | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84179-1
- DISA-STIG-RHEL-09-232230
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_owner_cron_monthly
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set the file_owner_cron_weekly_newown variable if represented by uid
ansible.builtin.set_fact:
file_owner_cron_weekly_newown: '0'
when:
- DISA_STIG_RHEL_09_232230 | bool
- configure_strategy | bool
- file_owner_cron_weekly | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84190-8
- DISA-STIG-RHEL-09-232230
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_owner_cron_weekly
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure owner on directory /etc/cron.weekly/
ansible.builtin.file:
path: /etc/cron.weekly/
follow: false
state: directory
owner: '{{ file_owner_cron_weekly_newown }}'
when:
- DISA_STIG_RHEL_09_232230 | bool
- configure_strategy | bool
- file_owner_cron_weekly | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84190-8
- DISA-STIG-RHEL-09-232230
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_owner_cron_weekly
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set the file_owner_crontab_newown variable if represented by uid
ansible.builtin.set_fact:
file_owner_crontab_newown: '0'
when:
- DISA_STIG_RHEL_09_232230 | bool
- configure_strategy | bool
- file_owner_crontab | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84167-6
- DISA-STIG-RHEL-09-232230
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_owner_crontab
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Test for existence /etc/crontab
ansible.builtin.stat:
path: /etc/crontab
register: file_exists
when:
- DISA_STIG_RHEL_09_232230 | bool
- configure_strategy | bool
- file_owner_crontab | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84167-6
- DISA-STIG-RHEL-09-232230
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_owner_crontab
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure owner on /etc/crontab
ansible.builtin.file:
path: /etc/crontab
follow: false
owner: '{{ file_owner_crontab_newown }}'
when:
- DISA_STIG_RHEL_09_232230 | bool
- configure_strategy | bool
- file_owner_crontab | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-84167-6
- DISA-STIG-RHEL-09-232230
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_owner_crontab
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Find /etc/cron.d/ file(s)
ansible.builtin.command: 'find -P /etc/cron.d/ -maxdepth 0 -perm /u+s,g+xwrs,o+xwrt -type d '
register: files_found
changed_when: false
failed_when: false
check_mode: false
when:
- DISA_STIG_RHEL_09_232040 | bool
- configure_strategy | bool
- file_permissions_cron_d | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84183-3
- DISA-STIG-RHEL-09-232040
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_permissions_cron_d
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set permissions for /etc/cron.d/ file(s)
ansible.builtin.file:
path: '{{ item }}'
mode: u-s,g-xwrs,o-xwrt
state: directory
with_items:
- '{{ files_found.stdout_lines }}'
when:
- DISA_STIG_RHEL_09_232040 | bool
- configure_strategy | bool
- file_permissions_cron_d | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84183-3
- DISA-STIG-RHEL-09-232040
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_permissions_cron_d
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Find /etc/cron.daily/ file(s)
ansible.builtin.command: 'find -P /etc/cron.daily/ -maxdepth 0 -perm /u+s,g+xwrs,o+xwrt -type d '
register: files_found
changed_when: false
failed_when: false
check_mode: false
when:
- DISA_STIG_RHEL_09_232040 | bool
- configure_strategy | bool
- file_permissions_cron_daily | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84175-9
- DISA-STIG-RHEL-09-232040
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_permissions_cron_daily
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set permissions for /etc/cron.daily/ file(s)
ansible.builtin.file:
path: '{{ item }}'
mode: u-s,g-xwrs,o-xwrt
state: directory
with_items:
- '{{ files_found.stdout_lines }}'
when:
- DISA_STIG_RHEL_09_232040 | bool
- configure_strategy | bool
- file_permissions_cron_daily | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84175-9
- DISA-STIG-RHEL-09-232040
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_permissions_cron_daily
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Find /etc/cron.hourly/ file(s)
ansible.builtin.command: 'find -P /etc/cron.hourly/ -maxdepth 0 -perm /u+s,g+xwrs,o+xwrt -type d '
register: files_found
changed_when: false
failed_when: false
check_mode: false
when:
- DISA_STIG_RHEL_09_232040 | bool
- configure_strategy | bool
- file_permissions_cron_hourly | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84173-4
- DISA-STIG-RHEL-09-232040
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_permissions_cron_hourly
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set permissions for /etc/cron.hourly/ file(s)
ansible.builtin.file:
path: '{{ item }}'
mode: u-s,g-xwrs,o-xwrt
state: directory
with_items:
- '{{ files_found.stdout_lines }}'
when:
- DISA_STIG_RHEL_09_232040 | bool
- configure_strategy | bool
- file_permissions_cron_hourly | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84173-4
- DISA-STIG-RHEL-09-232040
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_permissions_cron_hourly
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Find /etc/cron.monthly/ file(s)
ansible.builtin.command: 'find -P /etc/cron.monthly/ -maxdepth 0 -perm /u+s,g+xwrs,o+xwrt -type d '
register: files_found
changed_when: false
failed_when: false
check_mode: false
when:
- DISA_STIG_RHEL_09_232040 | bool
- configure_strategy | bool
- file_permissions_cron_monthly | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84181-7
- DISA-STIG-RHEL-09-232040
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_permissions_cron_monthly
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set permissions for /etc/cron.monthly/ file(s)
ansible.builtin.file:
path: '{{ item }}'
mode: u-s,g-xwrs,o-xwrt
state: directory
with_items:
- '{{ files_found.stdout_lines }}'
when:
- DISA_STIG_RHEL_09_232040 | bool
- configure_strategy | bool
- file_permissions_cron_monthly | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84181-7
- DISA-STIG-RHEL-09-232040
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_permissions_cron_monthly
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Find /etc/cron.weekly/ file(s)
ansible.builtin.command: 'find -P /etc/cron.weekly/ -maxdepth 0 -perm /u+s,g+xwrs,o+xwrt -type d '
register: files_found
changed_when: false
failed_when: false
check_mode: false
when:
- DISA_STIG_RHEL_09_232040 | bool
- configure_strategy | bool
- file_permissions_cron_weekly | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84187-4
- DISA-STIG-RHEL-09-232040
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_permissions_cron_weekly
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set permissions for /etc/cron.weekly/ file(s)
ansible.builtin.file:
path: '{{ item }}'
mode: u-s,g-xwrs,o-xwrt
state: directory
with_items:
- '{{ files_found.stdout_lines }}'
when:
- DISA_STIG_RHEL_09_232040 | bool
- configure_strategy | bool
- file_permissions_cron_weekly | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84187-4
- DISA-STIG-RHEL-09-232040
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_permissions_cron_weekly
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Test for existence /etc/crontab
ansible.builtin.stat:
path: /etc/crontab
register: file_exists
when:
- configure_strategy | bool
- file_permissions_crontab | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84176-7
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_permissions_crontab
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure permission u-xs,g-xwrs,o-xwrt on /etc/crontab
ansible.builtin.file:
path: /etc/crontab
mode: u-xs,g-xwrs,o-xwrt
when:
- configure_strategy | bool
- file_permissions_crontab | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-84176-7
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_permissions_crontab
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure that /etc/at.allow exists - Add empty /etc/at.allow
ansible.builtin.file:
path: /etc/at.allow
state: touch
owner: '0'
mode: '0640'
modification_time: preserve
access_time: preserve
when:
- disable_strategy | bool
- file_at_allow_exists | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86856-2
- disable_strategy
- file_at_allow_exists
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure that /etc/at.deny does not exist - Remove /etc/at.deny
ansible.builtin.file:
path: /etc/at.deny
state: absent
when:
- disable_strategy | bool
- file_at_deny_not_exist | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86946-1
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- disable_strategy
- file_at_deny_not_exist
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure that /etc/cron.allow exists - Add empty /etc/cron.allow
ansible.builtin.file:
path: /etc/cron.allow
state: touch
owner: '0'
mode: '0600'
modification_time: preserve
access_time: preserve
when:
- disable_strategy | bool
- file_cron_allow_exists | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86185-6
- disable_strategy
- file_cron_allow_exists
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure that /etc/cron.deny does not exist - Remove /etc/cron.deny
ansible.builtin.file:
path: /etc/cron.deny
state: absent
when:
- disable_strategy | bool
- file_cron_deny_not_exist | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86850-5
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- disable_strategy
- file_cron_deny_not_exist
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set the file_groupowner_at_allow_newgroup variable if represented by gid
ansible.builtin.set_fact:
file_groupowner_at_allow_newgroup: '0'
when:
- configure_strategy | bool
- file_groupowner_at_allow | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-87103-8
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_groupowner_at_allow
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Test for existence /etc/at.allow
ansible.builtin.stat:
path: /etc/at.allow
register: file_exists
when:
- configure_strategy | bool
- file_groupowner_at_allow | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-87103-8
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_groupowner_at_allow
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure group owner on /etc/at.allow
ansible.builtin.file:
path: /etc/at.allow
follow: false
group: '{{ file_groupowner_at_allow_newgroup }}'
when:
- configure_strategy | bool
- file_groupowner_at_allow | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-87103-8
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_groupowner_at_allow
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set the file_groupowner_cron_allow_newgroup variable if represented by gid
ansible.builtin.set_fact:
file_groupowner_cron_allow_newgroup: '0'
when:
- configure_strategy | bool
- file_groupowner_cron_allow | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86830-7
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_groupowner_cron_allow
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Test for existence /etc/cron.allow
ansible.builtin.stat:
path: /etc/cron.allow
register: file_exists
when:
- configure_strategy | bool
- file_groupowner_cron_allow | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86830-7
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_groupowner_cron_allow
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure group owner on /etc/cron.allow
ansible.builtin.file:
path: /etc/cron.allow
follow: false
group: '{{ file_groupowner_cron_allow_newgroup }}'
when:
- configure_strategy | bool
- file_groupowner_cron_allow | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-86830-7
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_groupowner_cron_allow
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set the file_owner_cron_allow_newown variable if represented by uid
ansible.builtin.set_fact:
file_owner_cron_allow_newown: '0'
when:
- configure_strategy | bool
- file_owner_cron_allow | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86844-8
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_owner_cron_allow
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Test for existence /etc/cron.allow
ansible.builtin.stat:
path: /etc/cron.allow
register: file_exists
when:
- configure_strategy | bool
- file_owner_cron_allow | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86844-8
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_owner_cron_allow
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure owner on /etc/cron.allow
ansible.builtin.file:
path: /etc/cron.allow
follow: false
owner: '{{ file_owner_cron_allow_newown }}'
when:
- configure_strategy | bool
- file_owner_cron_allow | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-86844-8
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_owner_cron_allow
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Test for existence /etc/at.allow
ansible.builtin.stat:
path: /etc/at.allow
register: file_exists
when:
- configure_strategy | bool
- file_permissions_at_allow | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86904-0
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_permissions_at_allow
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure permission u-xs,g-xws,o-xwrt on /etc/at.allow
ansible.builtin.file:
path: /etc/at.allow
mode: u-xs,g-xws,o-xwrt
when:
- configure_strategy | bool
- file_permissions_at_allow | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-86904-0
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_permissions_at_allow
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Test for existence /etc/cron.allow
ansible.builtin.stat:
path: /etc/cron.allow
register: file_exists
when:
- configure_strategy | bool
- file_permissions_cron_allow | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86877-8
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_permissions_cron_allow
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure permission u-xs,g-xwrs,o-xwrt on /etc/cron.allow
ansible.builtin.file:
path: /etc/cron.allow
mode: u-xs,g-xwrs,o-xwrt
when:
- configure_strategy | bool
- file_permissions_cron_allow | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-86877-8
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_permissions_cron_allow
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Make changes to Postfix configuration file
ansible.builtin.lineinfile:
path: /etc/postfix/main.cf
create: false
regexp: (?i)^inet_interfaces\s*=\s.*
line: inet_interfaces = {{ var_postfix_inet_interfaces }}
state: present
insertafter: ^inet_interfaces\s*=\s.*
when:
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- postfix_network_listening_disabled | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- '"postfix" in ansible_facts.packages'
- '"postfix" in ansible_facts.packages'
tags:
- CCE-90825-1
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.2
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- postfix_network_listening_disabled
- restrict_strategy
- name: Detect if chrony is already configured with pools or servers
ansible.builtin.find:
path: /etc
patterns: chrony.conf
contains: ^[\s]*(?:server|pool)[\s]+[\w]+
register: chrony_servers
when:
- DISA_STIG_RHEL_09_252020 | bool
- chronyd_specify_remote_server | bool
- configure_strategy | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
- '"chrony" in ansible_facts.packages'
tags:
- CCE-84218-7
- DISA-STIG-RHEL-09-252020
- NIST-800-53-AU-8(1)(a)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.4.3
- PCI-DSSv4-10.6
- PCI-DSSv4-10.6.2
- chronyd_specify_remote_server
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Configure remote time servers
ansible.builtin.lineinfile:
path: /etc/chrony.conf
line: server {{ item }}
state: present
create: true
loop: '{{ var_multiple_time_servers.split(",") }}'
when:
- DISA_STIG_RHEL_09_252020 | bool
- chronyd_specify_remote_server | bool
- configure_strategy | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
- '"chrony" in ansible_facts.packages'
- chrony_servers.matched == 0
tags:
- CCE-84218-7
- DISA-STIG-RHEL-09-252020
- NIST-800-53-AU-8(1)(a)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.4.3
- PCI-DSSv4-10.6
- PCI-DSSv4-10.6.2
- chronyd_specify_remote_server
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Detect if file /etc/sysconfig/chronyd is not empty or missing
ansible.builtin.find:
path: /etc/sysconfig/
patterns: chronyd
contains: ^([\s]*OPTIONS=["]?[^"]*)("?)
register: chronyd_file
when:
- chronyd_run_as_chrony_user | bool
- configure_strategy | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
- '"chrony" in ansible_facts.packages'
tags:
- CCE-84108-0
- PCI-DSSv4-10.6
- PCI-DSSv4-10.6.3
- chronyd_run_as_chrony_user
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Remove any previous configuration of user used to run chronyd process
ansible.builtin.replace:
path: /etc/sysconfig/chronyd
regexp: \s*-u\s*\w+\s*
replace: ' '
when:
- chronyd_run_as_chrony_user | bool
- configure_strategy | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
- '"chrony" in ansible_facts.packages'
- chronyd_file is defined and chronyd_file.matched > 0
tags:
- CCE-84108-0
- PCI-DSSv4-10.6
- PCI-DSSv4-10.6.3
- chronyd_run_as_chrony_user
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Detect .rhosts files in users home directories
ansible.builtin.find:
paths:
- /root
- /home
recurse: true
patterns: .rhosts
hidden: true
file_type: file
check_mode: false
register: rhosts_locations
when:
- high_severity | bool
- low_complexity | bool
- low_disruption | bool
- no_reboot_needed | bool
- no_rsh_trust_files | bool
- restrict_strategy | bool
- '"rsh-server" in ansible_facts.packages'
tags:
- CCE-84145-2
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- high_severity
- low_complexity
- low_disruption
- no_reboot_needed
- no_rsh_trust_files
- restrict_strategy
- name: Remove .rhosts files
ansible.builtin.file:
path: '{{ item }}'
state: absent
with_items: '{{ rhosts_locations.files | map(attribute=''path'') | list }}'
when:
- high_severity | bool
- low_complexity | bool
- low_disruption | bool
- no_reboot_needed | bool
- no_rsh_trust_files | bool
- restrict_strategy | bool
- '"rsh-server" in ansible_facts.packages'
- rhosts_locations is success
tags:
- CCE-84145-2
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- high_severity
- low_complexity
- low_disruption
- no_reboot_needed
- no_rsh_trust_files
- restrict_strategy
- name: Remove /etc/hosts.equiv file
ansible.builtin.file:
path: /etc/hosts.equiv
state: absent
when:
- high_severity | bool
- low_complexity | bool
- low_disruption | bool
- no_reboot_needed | bool
- no_rsh_trust_files | bool
- restrict_strategy | bool
- '"rsh-server" in ansible_facts.packages'
tags:
- CCE-84145-2
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- high_severity
- low_complexity
- low_disruption
- no_reboot_needed
- no_rsh_trust_files
- restrict_strategy
- name: Set the file_groupowner_sshd_config_newgroup variable if represented by gid
ansible.builtin.set_fact:
file_groupowner_sshd_config_newgroup: '0'
when:
- DISA_STIG_RHEL_09_255105 | bool
- configure_strategy | bool
- file_groupowner_sshd_config | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-90817-8
- DISA-STIG-RHEL-09-255105
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- configure_strategy
- file_groupowner_sshd_config
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Test for existence /etc/ssh/sshd_config
ansible.builtin.stat:
path: /etc/ssh/sshd_config
register: file_exists
when:
- DISA_STIG_RHEL_09_255105 | bool
- configure_strategy | bool
- file_groupowner_sshd_config | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-90817-8
- DISA-STIG-RHEL-09-255105
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- configure_strategy
- file_groupowner_sshd_config
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure group owner on /etc/ssh/sshd_config
ansible.builtin.file:
path: /etc/ssh/sshd_config
follow: false
group: '{{ file_groupowner_sshd_config_newgroup }}'
when:
- DISA_STIG_RHEL_09_255105 | bool
- configure_strategy | bool
- file_groupowner_sshd_config | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-90817-8
- DISA-STIG-RHEL-09-255105
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- configure_strategy
- file_groupowner_sshd_config
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Check that the ssh_keys group is defined
ansible.builtin.getent:
database: group
key: ssh_keys
ignore_errors: true
when:
- configure_strategy | bool
- file_groupownership_sshd_private_key | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
- file_groupownership_sshd_private_key_newgroup is undefined
tags:
- CCE-86127-8
- configure_strategy
- file_groupownership_sshd_private_key
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set the file_groupownership_sshd_private_key_newgroup variable if ssh_keys found
ansible.builtin.set_fact:
file_groupownership_sshd_private_key_newgroup: ssh_keys
when:
- configure_strategy | bool
- file_groupownership_sshd_private_key | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
- ansible_facts.getent_group["ssh_keys"] is defined
tags:
- CCE-86127-8
- configure_strategy
- file_groupownership_sshd_private_key
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Find /etc/ssh/ file(s) matching ^.*_key$
ansible.builtin.command: find -P /etc/ssh/ -maxdepth 1 -type f ! -group ssh_keys -regextype posix-extended -regex "^.*_key$"
register: files_found
changed_when: false
failed_when: false
check_mode: false
when:
- configure_strategy | bool
- file_groupownership_sshd_private_key | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86127-8
- configure_strategy
- file_groupownership_sshd_private_key
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure group owner on /etc/ssh/ file(s) matching ^.*_key$
ansible.builtin.file:
path: '{{ item }}'
follow: false
group: '{{ file_groupownership_sshd_private_key_newgroup }}'
state: file
with_items:
- '{{ files_found.stdout_lines }}'
when:
- configure_strategy | bool
- file_groupownership_sshd_private_key | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86127-8
- configure_strategy
- file_groupownership_sshd_private_key
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set the file_groupownership_sshd_pub_key_newgroup variable if represented by gid
ansible.builtin.set_fact:
file_groupownership_sshd_pub_key_newgroup: '0'
when:
- configure_strategy | bool
- file_groupownership_sshd_pub_key | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86136-9
- configure_strategy
- file_groupownership_sshd_pub_key
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Find /etc/ssh/ file(s) matching ^.*\.pub$
ansible.builtin.command: find -P /etc/ssh/ -maxdepth 1 -type f ! -group 0 -regextype posix-extended -regex "^.*\.pub$"
register: files_found
changed_when: false
failed_when: false
check_mode: false
when:
- configure_strategy | bool
- file_groupownership_sshd_pub_key | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86136-9
- configure_strategy
- file_groupownership_sshd_pub_key
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure group owner on /etc/ssh/ file(s) matching ^.*\.pub$
ansible.builtin.file:
path: '{{ item }}'
follow: false
group: '{{ file_groupownership_sshd_pub_key_newgroup }}'
state: file
with_items:
- '{{ files_found.stdout_lines }}'
when:
- configure_strategy | bool
- file_groupownership_sshd_pub_key | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86136-9
- configure_strategy
- file_groupownership_sshd_pub_key
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set the file_owner_sshd_config_newown variable if represented by uid
ansible.builtin.set_fact:
file_owner_sshd_config_newown: '0'
when:
- DISA_STIG_RHEL_09_255110 | bool
- configure_strategy | bool
- file_owner_sshd_config | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-90821-0
- DISA-STIG-RHEL-09-255110
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- configure_strategy
- file_owner_sshd_config
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Test for existence /etc/ssh/sshd_config
ansible.builtin.stat:
path: /etc/ssh/sshd_config
register: file_exists
when:
- DISA_STIG_RHEL_09_255110 | bool
- configure_strategy | bool
- file_owner_sshd_config | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-90821-0
- DISA-STIG-RHEL-09-255110
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- configure_strategy
- file_owner_sshd_config
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure owner on /etc/ssh/sshd_config
ansible.builtin.file:
path: /etc/ssh/sshd_config
follow: false
owner: '{{ file_owner_sshd_config_newown }}'
when:
- DISA_STIG_RHEL_09_255110 | bool
- configure_strategy | bool
- file_owner_sshd_config | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-90821-0
- DISA-STIG-RHEL-09-255110
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- configure_strategy
- file_owner_sshd_config
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set the file_ownership_sshd_private_key_newown variable if represented by uid
ansible.builtin.set_fact:
file_ownership_sshd_private_key_newown: '0'
when:
- configure_strategy | bool
- file_ownership_sshd_private_key | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86119-5
- configure_strategy
- file_ownership_sshd_private_key
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Find /etc/ssh/ file(s) matching ^.*_key$
ansible.builtin.command: find -P /etc/ssh/ -maxdepth 1 -type f ! -user 0 -regextype posix-extended -regex "^.*_key$"
register: files_found
changed_when: false
failed_when: false
check_mode: false
when:
- configure_strategy | bool
- file_ownership_sshd_private_key | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86119-5
- configure_strategy
- file_ownership_sshd_private_key
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure owner on /etc/ssh/ file(s) matching ^.*_key$
ansible.builtin.file:
path: '{{ item }}'
follow: false
owner: '{{ file_ownership_sshd_private_key_newown }}'
state: file
with_items:
- '{{ files_found.stdout_lines }}'
when:
- configure_strategy | bool
- file_ownership_sshd_private_key | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86119-5
- configure_strategy
- file_ownership_sshd_private_key
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set the file_ownership_sshd_pub_key_newown variable if represented by uid
ansible.builtin.set_fact:
file_ownership_sshd_pub_key_newown: '0'
when:
- configure_strategy | bool
- file_ownership_sshd_pub_key | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86130-2
- configure_strategy
- file_ownership_sshd_pub_key
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Find /etc/ssh/ file(s) matching ^.*\.pub$
ansible.builtin.command: find -P /etc/ssh/ -maxdepth 1 -type f ! -user 0 -regextype posix-extended -regex "^.*\.pub$"
register: files_found
changed_when: false
failed_when: false
check_mode: false
when:
- configure_strategy | bool
- file_ownership_sshd_pub_key | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86130-2
- configure_strategy
- file_ownership_sshd_pub_key
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure owner on /etc/ssh/ file(s) matching ^.*\.pub$
ansible.builtin.file:
path: '{{ item }}'
follow: false
owner: '{{ file_ownership_sshd_pub_key_newown }}'
state: file
with_items:
- '{{ files_found.stdout_lines }}'
when:
- configure_strategy | bool
- file_ownership_sshd_pub_key | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86130-2
- configure_strategy
- file_ownership_sshd_pub_key
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Test for existence /etc/ssh/sshd_config
ansible.builtin.stat:
path: /etc/ssh/sshd_config
register: file_exists
when:
- DISA_STIG_RHEL_09_255115 | bool
- configure_strategy | bool
- file_permissions_sshd_config | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-90818-6
- DISA-STIG-RHEL-09-255115
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_permissions_sshd_config
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure permission u-xs,g-xwrs,o-xwrt on /etc/ssh/sshd_config
ansible.builtin.file:
path: /etc/ssh/sshd_config
mode: u-xs,g-xwrs,o-xwrt
when:
- DISA_STIG_RHEL_09_255115 | bool
- configure_strategy | bool
- file_permissions_sshd_config | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-90818-6
- DISA-STIG-RHEL-09-255115
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_permissions_sshd_config
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Find root:root-owned keys
ansible.builtin.command: find -H /etc/ssh/ -maxdepth 1 -user root -regex ".*_key$" -type f -group root -perm /u+xs,g+xwrs,o+xwrt
register: root_owned_keys
changed_when: false
failed_when: false
check_mode: false
when:
- DISA_STIG_RHEL_09_255120 | bool
- configure_strategy | bool
- file_permissions_sshd_private_key | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-90820-2
- DISA-STIG-RHEL-09-255120
- NIST-800-171-3.1.13
- NIST-800-171-3.13.10
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-2.2.4
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_permissions_sshd_private_key
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set permissions for root:root-owned keys
ansible.builtin.file:
path: '{{ item }}'
mode: u-xs,g-xwrs,o-xwrt
state: file
with_items:
- '{{ root_owned_keys.stdout_lines }}'
when:
- DISA_STIG_RHEL_09_255120 | bool
- configure_strategy | bool
- file_permissions_sshd_private_key | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-90820-2
- DISA-STIG-RHEL-09-255120
- NIST-800-171-3.1.13
- NIST-800-171-3.13.10
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-2.2.4
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_permissions_sshd_private_key
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Find root:ssh_keys-owned keys
ansible.builtin.command: find -H /etc/ssh/ -maxdepth 1 -user root -regex ".*_key$" -type f -group ssh_keys -perm /u+xs,g+xws,o+xwrt
register: dedicated_group_owned_keys
changed_when: false
failed_when: false
check_mode: false
when:
- DISA_STIG_RHEL_09_255120 | bool
- configure_strategy | bool
- file_permissions_sshd_private_key | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-90820-2
- DISA-STIG-RHEL-09-255120
- NIST-800-171-3.1.13
- NIST-800-171-3.13.10
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-2.2.4
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_permissions_sshd_private_key
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set permissions for root:ssh_keys-owned keys
ansible.builtin.file:
path: '{{ item }}'
mode: u-xs,g-xws,o-xwrt
state: file
with_items:
- '{{ dedicated_group_owned_keys.stdout_lines }}'
when:
- DISA_STIG_RHEL_09_255120 | bool
- configure_strategy | bool
- file_permissions_sshd_private_key | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-90820-2
- DISA-STIG-RHEL-09-255120
- NIST-800-171-3.1.13
- NIST-800-171-3.13.10
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-2.2.4
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_permissions_sshd_private_key
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Find /etc/ssh/ file(s)
ansible.builtin.command: find -P /etc/ssh/ -maxdepth 1 -perm /u+xs,g+xws,o+xwt -type f -regextype posix-extended -regex
"^.*\.pub$"
register: files_found
changed_when: false
failed_when: false
check_mode: false
when:
- DISA_STIG_RHEL_09_255125 | bool
- configure_strategy | bool
- file_permissions_sshd_pub_key | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-90819-4
- DISA-STIG-RHEL-09-255125
- NIST-800-171-3.1.13
- NIST-800-171-3.13.10
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-2.2.4
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_permissions_sshd_pub_key
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set permissions for /etc/ssh/ file(s)
ansible.builtin.file:
path: '{{ item }}'
mode: u-xs,g-xws,o-xwt
state: file
with_items:
- '{{ files_found.stdout_lines }}'
when:
- DISA_STIG_RHEL_09_255125 | bool
- configure_strategy | bool
- file_permissions_sshd_pub_key | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-90819-4
- DISA-STIG-RHEL-09-255125
- NIST-800-171-3.1.13
- NIST-800-171-3.13.10
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-2.2.4
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- configure_strategy
- file_permissions_sshd_pub_key
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set SSH Client Alive Count Max - Check if the parameter ClientAliveCountMax is configured
ansible.builtin.find:
paths:
- /etc/ssh/sshd_config
- /etc/ssh/sshd_config.d
contains: (?i)^\s*{{ "ClientAliveCountMax"| regex_escape }}\s+
register: _sshd_config_has_parameter
when:
- DISA_STIG_RHEL_09_255095 | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- sshd_set_keepalive | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-90805-3
- CJIS-5.5.6
- DISA-STIG-RHEL-09-255095
- NIST-800-171-3.1.11
- NIST-800-53-AC-12
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-2(5)
- NIST-800-53-CM-6(a)
- NIST-800-53-SC-10
- PCI-DSS-Req-8.1.8
- PCI-DSSv4-8.2
- PCI-DSSv4-8.2.8
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_set_keepalive
- name: Set SSH Client Alive Count Max - Check if the parameter ClientAliveCountMax is configured correctly
ansible.builtin.find:
paths:
- /etc/ssh/sshd_config
- /etc/ssh/sshd_config.d
contains: (?i)^\s*{{ "ClientAliveCountMax"| regex_escape }}\s+{{ var_sshd_set_keepalive }}$
register: _sshd_config_correctly
when:
- DISA_STIG_RHEL_09_255095 | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- sshd_set_keepalive | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-90805-3
- CJIS-5.5.6
- DISA-STIG-RHEL-09-255095
- NIST-800-171-3.1.11
- NIST-800-53-AC-12
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-2(5)
- NIST-800-53-CM-6(a)
- NIST-800-53-SC-10
- PCI-DSS-Req-8.1.8
- PCI-DSSv4-8.2
- PCI-DSSv4-8.2.8
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_set_keepalive
- name: Set SSH Client Alive Count Max
block:
- name: Deduplicate values from /etc/ssh/sshd_config
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
create: false
regexp: (?i)(?i)^\s*{{ "ClientAliveCountMax"| regex_escape }}\s+
state: absent
- name: Check if /etc/ssh/sshd_config.d exists
ansible.builtin.stat:
path: /etc/ssh/sshd_config.d
register: _etc_ssh_sshd_config_d_exists
- name: Check if the parameter ClientAliveCountMax is present in /etc/ssh/sshd_config.d
ansible.builtin.find:
paths: /etc/ssh/sshd_config.d
recurse: 'yes'
follow: 'no'
contains: (?i)^\s*{{ "ClientAliveCountMax"| regex_escape }}\s+
register: _etc_ssh_sshd_config_d_has_parameter
when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir
- name: Remove parameter from files in /etc/ssh/sshd_config.d
ansible.builtin.lineinfile:
path: '{{ item.path }}'
create: false
regexp: (?i)(?i)^\s*{{ "ClientAliveCountMax"| regex_escape }}\s+
state: absent
with_items: '{{ _etc_ssh_sshd_config_d_has_parameter.files }}'
when: _etc_ssh_sshd_config_d_has_parameter.matched
- name: Insert correct line to /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
create: true
regexp: (?i)(?i)^\s*{{ "ClientAliveCountMax"| regex_escape }}\s+
line: ClientAliveCountMax {{ var_sshd_set_keepalive }}
state: present
insertbefore: BOF
validate: /usr/sbin/sshd -t -f %s
when:
- DISA_STIG_RHEL_09_255095 | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- sshd_set_keepalive | bool
- '"kernel-core" in ansible_facts.packages'
- _sshd_config_correctly.matched == 0 or _sshd_config_has_parameter.matched != 1
tags:
- CCE-90805-3
- CJIS-5.5.6
- DISA-STIG-RHEL-09-255095
- NIST-800-171-3.1.11
- NIST-800-53-AC-12
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-2(5)
- NIST-800-53-CM-6(a)
- NIST-800-53-SC-10
- PCI-DSS-Req-8.1.8
- PCI-DSSv4-8.2
- PCI-DSSv4-8.2.8
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_set_keepalive
- name: Set SSH Client Alive Count Max - set file mode for /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
ansible.builtin.file:
path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
mode: '0600'
state: touch
modification_time: preserve
access_time: preserve
when:
- DISA_STIG_RHEL_09_255095 | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- sshd_set_keepalive | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-90805-3
- CJIS-5.5.6
- DISA-STIG-RHEL-09-255095
- NIST-800-171-3.1.11
- NIST-800-53-AC-12
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-2(5)
- NIST-800-53-CM-6(a)
- NIST-800-53-SC-10
- PCI-DSS-Req-8.1.8
- PCI-DSSv4-8.2
- PCI-DSSv4-8.2.8
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_set_keepalive
- name: Set SSH Client Alive Interval - Check if the parameter ClientAliveInterval is configured
ansible.builtin.find:
paths:
- /etc/ssh/sshd_config
- /etc/ssh/sshd_config.d
contains: (?i)^\s*{{ "ClientAliveInterval"| regex_escape }}\s+
register: _sshd_config_has_parameter
when:
- DISA_STIG_RHEL_09_255100 | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- sshd_set_idle_timeout | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-90811-1
- CJIS-5.5.6
- DISA-STIG-RHEL-09-255100
- NIST-800-171-3.1.11
- NIST-800-53-AC-12
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-2(5)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-SC-10
- PCI-DSS-Req-8.1.8
- PCI-DSSv4-8.2
- PCI-DSSv4-8.2.8
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_set_idle_timeout
- name: Set SSH Client Alive Interval - Check if the parameter ClientAliveInterval is configured correctly
ansible.builtin.find:
paths:
- /etc/ssh/sshd_config
- /etc/ssh/sshd_config.d
contains: (?i)^\s*{{ "ClientAliveInterval"| regex_escape }}\s+{{ sshd_idle_timeout_value }}$
register: _sshd_config_correctly
when:
- DISA_STIG_RHEL_09_255100 | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- sshd_set_idle_timeout | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-90811-1
- CJIS-5.5.6
- DISA-STIG-RHEL-09-255100
- NIST-800-171-3.1.11
- NIST-800-53-AC-12
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-2(5)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-SC-10
- PCI-DSS-Req-8.1.8
- PCI-DSSv4-8.2
- PCI-DSSv4-8.2.8
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_set_idle_timeout
- name: Set SSH Client Alive Interval
block:
- name: Deduplicate values from /etc/ssh/sshd_config
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
create: false
regexp: (?i)(?i)^\s*{{ "ClientAliveInterval"| regex_escape }}\s+
state: absent
- name: Check if /etc/ssh/sshd_config.d exists
ansible.builtin.stat:
path: /etc/ssh/sshd_config.d
register: _etc_ssh_sshd_config_d_exists
- name: Check if the parameter ClientAliveInterval is present in /etc/ssh/sshd_config.d
ansible.builtin.find:
paths: /etc/ssh/sshd_config.d
recurse: 'yes'
follow: 'no'
contains: (?i)^\s*{{ "ClientAliveInterval"| regex_escape }}\s+
register: _etc_ssh_sshd_config_d_has_parameter
when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir
- name: Remove parameter from files in /etc/ssh/sshd_config.d
ansible.builtin.lineinfile:
path: '{{ item.path }}'
create: false
regexp: (?i)(?i)^\s*{{ "ClientAliveInterval"| regex_escape }}\s+
state: absent
with_items: '{{ _etc_ssh_sshd_config_d_has_parameter.files }}'
when: _etc_ssh_sshd_config_d_has_parameter.matched
- name: Insert correct line to /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
create: true
regexp: (?i)(?i)^\s*{{ "ClientAliveInterval"| regex_escape }}\s+
line: ClientAliveInterval {{ sshd_idle_timeout_value }}
state: present
insertbefore: BOF
validate: /usr/sbin/sshd -t -f %s
when:
- DISA_STIG_RHEL_09_255100 | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- sshd_set_idle_timeout | bool
- '"kernel-core" in ansible_facts.packages'
- _sshd_config_correctly.matched == 0 or _sshd_config_has_parameter.matched != 1
tags:
- CCE-90811-1
- CJIS-5.5.6
- DISA-STIG-RHEL-09-255100
- NIST-800-171-3.1.11
- NIST-800-53-AC-12
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-2(5)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-SC-10
- PCI-DSS-Req-8.1.8
- PCI-DSSv4-8.2
- PCI-DSSv4-8.2.8
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_set_idle_timeout
- name: Set SSH Client Alive Interval - set file mode for /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
ansible.builtin.file:
path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
mode: '0600'
state: touch
modification_time: preserve
access_time: preserve
when:
- DISA_STIG_RHEL_09_255100 | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- sshd_set_idle_timeout | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-90811-1
- CJIS-5.5.6
- DISA-STIG-RHEL-09-255100
- NIST-800-171-3.1.11
- NIST-800-53-AC-12
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-2(5)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-SC-10
- PCI-DSS-Req-8.1.8
- PCI-DSSv4-8.2
- PCI-DSSv4-8.2.8
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_set_idle_timeout
- name: Disable Host-Based Authentication - Check if the parameter HostbasedAuthentication is configured
ansible.builtin.find:
paths:
- /etc/ssh/sshd_config
- /etc/ssh/sshd_config.d
contains: (?i)^\s*{{ "HostbasedAuthentication"| regex_escape }}\s+
register: _sshd_config_has_parameter
when:
- DISA_STIG_RHEL_09_255080 | bool
- disable_host_auth | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-90816-0
- CJIS-5.5.6
- DISA-STIG-RHEL-09-255080
- NIST-800-171-3.1.12
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-3
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.1
- disable_host_auth
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Disable Host-Based Authentication - Check if the parameter HostbasedAuthentication is configured correctly
ansible.builtin.find:
paths:
- /etc/ssh/sshd_config
- /etc/ssh/sshd_config.d
contains: (?i)^\s*{{ "HostbasedAuthentication"| regex_escape }}\s+no$
register: _sshd_config_correctly
when:
- DISA_STIG_RHEL_09_255080 | bool
- disable_host_auth | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-90816-0
- CJIS-5.5.6
- DISA-STIG-RHEL-09-255080
- NIST-800-171-3.1.12
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-3
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.1
- disable_host_auth
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Disable Host-Based Authentication
block:
- name: Deduplicate values from /etc/ssh/sshd_config
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
create: false
regexp: (?i)(?i)^\s*{{ "HostbasedAuthentication"| regex_escape }}\s+
state: absent
- name: Check if /etc/ssh/sshd_config.d exists
ansible.builtin.stat:
path: /etc/ssh/sshd_config.d
register: _etc_ssh_sshd_config_d_exists
- name: Check if the parameter HostbasedAuthentication is present in /etc/ssh/sshd_config.d
ansible.builtin.find:
paths: /etc/ssh/sshd_config.d
recurse: 'yes'
follow: 'no'
contains: (?i)^\s*{{ "HostbasedAuthentication"| regex_escape }}\s+
register: _etc_ssh_sshd_config_d_has_parameter
when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir
- name: Remove parameter from files in /etc/ssh/sshd_config.d
ansible.builtin.lineinfile:
path: '{{ item.path }}'
create: false
regexp: (?i)(?i)^\s*{{ "HostbasedAuthentication"| regex_escape }}\s+
state: absent
with_items: '{{ _etc_ssh_sshd_config_d_has_parameter.files }}'
when: _etc_ssh_sshd_config_d_has_parameter.matched
- name: Insert correct line to /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
create: true
regexp: (?i)(?i)^\s*{{ "HostbasedAuthentication"| regex_escape }}\s+
line: HostbasedAuthentication no
state: present
insertbefore: BOF
validate: /usr/sbin/sshd -t -f %s
when:
- DISA_STIG_RHEL_09_255080 | bool
- disable_host_auth | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- _sshd_config_correctly.matched == 0 or _sshd_config_has_parameter.matched != 1
tags:
- CCE-90816-0
- CJIS-5.5.6
- DISA-STIG-RHEL-09-255080
- NIST-800-171-3.1.12
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-3
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.1
- disable_host_auth
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Disable Host-Based Authentication - set file mode for /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
ansible.builtin.file:
path: /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
mode: '0600'
state: touch
modification_time: preserve
access_time: preserve
when:
- DISA_STIG_RHEL_09_255080 | bool
- disable_host_auth | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-90816-0
- CJIS-5.5.6
- DISA-STIG-RHEL-09-255080
- NIST-800-171-3.1.12
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-3
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.1
- disable_host_auth
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Disable SSH Access via Empty Passwords - Check if the parameter PermitEmptyPasswords is configured
ansible.builtin.find:
paths:
- /etc/ssh/sshd_config
- /etc/ssh/sshd_config.d
contains: (?i)^\s*{{ "PermitEmptyPasswords"| regex_escape }}\s+
register: _sshd_config_has_parameter
when:
- DISA_STIG_RHEL_09_255040 | bool
- high_severity | bool
- low_complexity | bool
- low_disruption | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- sshd_disable_empty_passwords | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-90799-8
- CJIS-5.5.6
- DISA-STIG-RHEL-09-255040
- NIST-800-171-3.1.1
- NIST-800-171-3.1.5
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSS-Req-2.2.4
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- high_severity
- low_complexity
- low_disruption
- no_reboot_needed
- restrict_strategy
- sshd_disable_empty_passwords
- name: Disable SSH Access via Empty Passwords - Check if the parameter PermitEmptyPasswords is configured correctly
ansible.builtin.find:
paths:
- /etc/ssh/sshd_config
- /etc/ssh/sshd_config.d
contains: (?i)^\s*{{ "PermitEmptyPasswords"| regex_escape }}\s+no$
register: _sshd_config_correctly
when:
- DISA_STIG_RHEL_09_255040 | bool
- high_severity | bool
- low_complexity | bool
- low_disruption | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- sshd_disable_empty_passwords | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-90799-8
- CJIS-5.5.6
- DISA-STIG-RHEL-09-255040
- NIST-800-171-3.1.1
- NIST-800-171-3.1.5
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSS-Req-2.2.4
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- high_severity
- low_complexity
- low_disruption
- no_reboot_needed
- restrict_strategy
- sshd_disable_empty_passwords
- name: Disable SSH Access via Empty Passwords
block:
- name: Deduplicate values from /etc/ssh/sshd_config
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
create: false
regexp: (?i)(?i)^\s*{{ "PermitEmptyPasswords"| regex_escape }}\s+
state: absent
- name: Check if /etc/ssh/sshd_config.d exists
ansible.builtin.stat:
path: /etc/ssh/sshd_config.d
register: _etc_ssh_sshd_config_d_exists
- name: Check if the parameter PermitEmptyPasswords is present in /etc/ssh/sshd_config.d
ansible.builtin.find:
paths: /etc/ssh/sshd_config.d
recurse: 'yes'
follow: 'no'
contains: (?i)^\s*{{ "PermitEmptyPasswords"| regex_escape }}\s+
register: _etc_ssh_sshd_config_d_has_parameter
when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir
- name: Remove parameter from files in /etc/ssh/sshd_config.d
ansible.builtin.lineinfile:
path: '{{ item.path }}'
create: false
regexp: (?i)(?i)^\s*{{ "PermitEmptyPasswords"| regex_escape }}\s+
state: absent
with_items: '{{ _etc_ssh_sshd_config_d_has_parameter.files }}'
when: _etc_ssh_sshd_config_d_has_parameter.matched
- name: Insert correct line to /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
create: true
regexp: (?i)(?i)^\s*{{ "PermitEmptyPasswords"| regex_escape }}\s+
line: PermitEmptyPasswords no
state: present
insertbefore: BOF
validate: /usr/sbin/sshd -t -f %s
when:
- DISA_STIG_RHEL_09_255040 | bool
- high_severity | bool
- low_complexity | bool
- low_disruption | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- sshd_disable_empty_passwords | bool
- '"kernel-core" in ansible_facts.packages'
- _sshd_config_correctly.matched == 0 or _sshd_config_has_parameter.matched != 1
tags:
- CCE-90799-8
- CJIS-5.5.6
- DISA-STIG-RHEL-09-255040
- NIST-800-171-3.1.1
- NIST-800-171-3.1.5
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSS-Req-2.2.4
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- high_severity
- low_complexity
- low_disruption
- no_reboot_needed
- restrict_strategy
- sshd_disable_empty_passwords
- name: Disable SSH Access via Empty Passwords - set file mode for /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
ansible.builtin.file:
path: /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
mode: '0600'
state: touch
modification_time: preserve
access_time: preserve
when:
- DISA_STIG_RHEL_09_255040 | bool
- high_severity | bool
- low_complexity | bool
- low_disruption | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- sshd_disable_empty_passwords | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-90799-8
- CJIS-5.5.6
- DISA-STIG-RHEL-09-255040
- NIST-800-171-3.1.1
- NIST-800-171-3.1.5
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSS-Req-2.2.4
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- high_severity
- low_complexity
- low_disruption
- no_reboot_needed
- restrict_strategy
- sshd_disable_empty_passwords
- name: Disable SSH Forwarding - Check if the parameter DisableForwarding is configured
ansible.builtin.find:
paths:
- /etc/ssh/sshd_config
- /etc/ssh/sshd_config.d
contains: (?i)^\s*{{ "DisableForwarding"| regex_escape }}\s+
register: _sshd_config_has_parameter
when:
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- sshd_disable_forwarding | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-90197-5
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_disable_forwarding
- name: Disable SSH Forwarding - Check if the parameter DisableForwarding is configured correctly
ansible.builtin.find:
paths:
- /etc/ssh/sshd_config
- /etc/ssh/sshd_config.d
contains: (?i)^\s*{{ "DisableForwarding"| regex_escape }}\s+yes$
register: _sshd_config_correctly
when:
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- sshd_disable_forwarding | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-90197-5
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_disable_forwarding
- name: Disable SSH Forwarding
block:
- name: Deduplicate values from /etc/ssh/sshd_config
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
create: false
regexp: (?i)(?i)^\s*{{ "DisableForwarding"| regex_escape }}\s+
state: absent
- name: Check if /etc/ssh/sshd_config.d exists
ansible.builtin.stat:
path: /etc/ssh/sshd_config.d
register: _etc_ssh_sshd_config_d_exists
- name: Check if the parameter DisableForwarding is present in /etc/ssh/sshd_config.d
ansible.builtin.find:
paths: /etc/ssh/sshd_config.d
recurse: 'yes'
follow: 'no'
contains: (?i)^\s*{{ "DisableForwarding"| regex_escape }}\s+
register: _etc_ssh_sshd_config_d_has_parameter
when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir
- name: Remove parameter from files in /etc/ssh/sshd_config.d
ansible.builtin.lineinfile:
path: '{{ item.path }}'
create: false
regexp: (?i)(?i)^\s*{{ "DisableForwarding"| regex_escape }}\s+
state: absent
with_items: '{{ _etc_ssh_sshd_config_d_has_parameter.files }}'
when: _etc_ssh_sshd_config_d_has_parameter.matched
- name: Insert correct line to /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
create: true
regexp: (?i)(?i)^\s*{{ "DisableForwarding"| regex_escape }}\s+
line: DisableForwarding yes
state: present
insertbefore: BOF
validate: /usr/sbin/sshd -t -f %s
when:
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- sshd_disable_forwarding | bool
- '"kernel-core" in ansible_facts.packages'
- _sshd_config_correctly.matched == 0 or _sshd_config_has_parameter.matched != 1
tags:
- CCE-90197-5
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_disable_forwarding
- name: Disable SSH Forwarding - set file mode for /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
ansible.builtin.file:
path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
mode: '0600'
state: touch
modification_time: preserve
access_time: preserve
when:
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- sshd_disable_forwarding | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-90197-5
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_disable_forwarding
- name: Disable GSSAPI Authentication - Check if the parameter GSSAPIAuthentication is configured
ansible.builtin.find:
paths:
- /etc/ssh/sshd_config
- /etc/ssh/sshd_config.d
contains: (?i)^\s*{{ "GSSAPIAuthentication"| regex_escape }}\s+
register: _sshd_config_has_parameter
when:
- DISA_STIG_RHEL_09_255135 | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- sshd_disable_gssapi_auth | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-90808-7
- DISA-STIG-RHEL-09-255135
- NIST-800-171-3.1.12
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_disable_gssapi_auth
- name: Disable GSSAPI Authentication - Check if the parameter GSSAPIAuthentication is configured correctly
ansible.builtin.find:
paths:
- /etc/ssh/sshd_config
- /etc/ssh/sshd_config.d
contains: (?i)^\s*{{ "GSSAPIAuthentication"| regex_escape }}\s+no$
register: _sshd_config_correctly
when:
- DISA_STIG_RHEL_09_255135 | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- sshd_disable_gssapi_auth | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-90808-7
- DISA-STIG-RHEL-09-255135
- NIST-800-171-3.1.12
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_disable_gssapi_auth
- name: Disable GSSAPI Authentication
block:
- name: Deduplicate values from /etc/ssh/sshd_config
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
create: false
regexp: (?i)(?i)^\s*{{ "GSSAPIAuthentication"| regex_escape }}\s+
state: absent
- name: Check if /etc/ssh/sshd_config.d exists
ansible.builtin.stat:
path: /etc/ssh/sshd_config.d
register: _etc_ssh_sshd_config_d_exists
- name: Check if the parameter GSSAPIAuthentication is present in /etc/ssh/sshd_config.d
ansible.builtin.find:
paths: /etc/ssh/sshd_config.d
recurse: 'yes'
follow: 'no'
contains: (?i)^\s*{{ "GSSAPIAuthentication"| regex_escape }}\s+
register: _etc_ssh_sshd_config_d_has_parameter
when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir
- name: Remove parameter from files in /etc/ssh/sshd_config.d
ansible.builtin.lineinfile:
path: '{{ item.path }}'
create: false
regexp: (?i)(?i)^\s*{{ "GSSAPIAuthentication"| regex_escape }}\s+
state: absent
with_items: '{{ _etc_ssh_sshd_config_d_has_parameter.files }}'
when: _etc_ssh_sshd_config_d_has_parameter.matched
- name: Insert correct line to /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
create: true
regexp: (?i)(?i)^\s*{{ "GSSAPIAuthentication"| regex_escape }}\s+
line: GSSAPIAuthentication no
state: present
insertbefore: BOF
validate: /usr/sbin/sshd -t -f %s
when:
- DISA_STIG_RHEL_09_255135 | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- sshd_disable_gssapi_auth | bool
- '"kernel-core" in ansible_facts.packages'
- _sshd_config_correctly.matched == 0 or _sshd_config_has_parameter.matched != 1
tags:
- CCE-90808-7
- DISA-STIG-RHEL-09-255135
- NIST-800-171-3.1.12
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_disable_gssapi_auth
- name: Disable GSSAPI Authentication - set file mode for /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
ansible.builtin.file:
path: /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
mode: '0600'
state: touch
modification_time: preserve
access_time: preserve
when:
- DISA_STIG_RHEL_09_255135 | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- sshd_disable_gssapi_auth | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-90808-7
- DISA-STIG-RHEL-09-255135
- NIST-800-171-3.1.12
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_disable_gssapi_auth
- name: Disable SSH Support for .rhosts Files - Check if the parameter IgnoreRhosts is configured
ansible.builtin.find:
paths:
- /etc/ssh/sshd_config
- /etc/ssh/sshd_config.d
contains: (?i)^\s*{{ "IgnoreRhosts"| regex_escape }}\s+
register: _sshd_config_has_parameter
when:
- DISA_STIG_RHEL_09_255145 | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- sshd_disable_rhosts | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-90797-2
- CJIS-5.5.6
- DISA-STIG-RHEL-09-255145
- NIST-800-171-3.1.12
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_disable_rhosts
- name: Disable SSH Support for .rhosts Files - Check if the parameter IgnoreRhosts is configured correctly
ansible.builtin.find:
paths:
- /etc/ssh/sshd_config
- /etc/ssh/sshd_config.d
contains: (?i)^\s*{{ "IgnoreRhosts"| regex_escape }}\s+yes$
register: _sshd_config_correctly
when:
- DISA_STIG_RHEL_09_255145 | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- sshd_disable_rhosts | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-90797-2
- CJIS-5.5.6
- DISA-STIG-RHEL-09-255145
- NIST-800-171-3.1.12
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_disable_rhosts
- name: Disable SSH Support for .rhosts Files
block:
- name: Deduplicate values from /etc/ssh/sshd_config
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
create: false
regexp: (?i)(?i)^\s*{{ "IgnoreRhosts"| regex_escape }}\s+
state: absent
- name: Check if /etc/ssh/sshd_config.d exists
ansible.builtin.stat:
path: /etc/ssh/sshd_config.d
register: _etc_ssh_sshd_config_d_exists
- name: Check if the parameter IgnoreRhosts is present in /etc/ssh/sshd_config.d
ansible.builtin.find:
paths: /etc/ssh/sshd_config.d
recurse: 'yes'
follow: 'no'
contains: (?i)^\s*{{ "IgnoreRhosts"| regex_escape }}\s+
register: _etc_ssh_sshd_config_d_has_parameter
when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir
- name: Remove parameter from files in /etc/ssh/sshd_config.d
ansible.builtin.lineinfile:
path: '{{ item.path }}'
create: false
regexp: (?i)(?i)^\s*{{ "IgnoreRhosts"| regex_escape }}\s+
state: absent
with_items: '{{ _etc_ssh_sshd_config_d_has_parameter.files }}'
when: _etc_ssh_sshd_config_d_has_parameter.matched
- name: Insert correct line to /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
create: true
regexp: (?i)(?i)^\s*{{ "IgnoreRhosts"| regex_escape }}\s+
line: IgnoreRhosts yes
state: present
insertbefore: BOF
validate: /usr/sbin/sshd -t -f %s
when:
- DISA_STIG_RHEL_09_255145 | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- sshd_disable_rhosts | bool
- '"kernel-core" in ansible_facts.packages'
- _sshd_config_correctly.matched == 0 or _sshd_config_has_parameter.matched != 1
tags:
- CCE-90797-2
- CJIS-5.5.6
- DISA-STIG-RHEL-09-255145
- NIST-800-171-3.1.12
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_disable_rhosts
- name: Disable SSH Support for .rhosts Files - set file mode for /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
ansible.builtin.file:
path: /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
mode: '0600'
state: touch
modification_time: preserve
access_time: preserve
when:
- DISA_STIG_RHEL_09_255145 | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- sshd_disable_rhosts | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-90797-2
- CJIS-5.5.6
- DISA-STIG-RHEL-09-255145
- NIST-800-171-3.1.12
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_disable_rhosts
- name: Disable SSH Root Login - Check if the parameter PermitRootLogin is configured
ansible.builtin.find:
paths:
- /etc/ssh/sshd_config
- /etc/ssh/sshd_config.d
contains: (?i)^\s*{{ "PermitRootLogin"| regex_escape }}\s+
register: _sshd_config_has_parameter
when:
- DISA_STIG_RHEL_09_255045 | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- sshd_disable_root_login | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-90800-4
- CJIS-5.5.6
- DISA-STIG-RHEL-09-255045
- NIST-800-171-3.1.1
- NIST-800-171-3.1.5
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-6(2)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-IA-2
- NIST-800-53-IA-2(5)
- PCI-DSS-Req-2.2.4
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_disable_root_login
- name: Disable SSH Root Login - Check if the parameter PermitRootLogin is configured correctly
ansible.builtin.find:
paths:
- /etc/ssh/sshd_config
- /etc/ssh/sshd_config.d
contains: (?i)^\s*{{ "PermitRootLogin"| regex_escape }}\s+no$
register: _sshd_config_correctly
when:
- DISA_STIG_RHEL_09_255045 | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- sshd_disable_root_login | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-90800-4
- CJIS-5.5.6
- DISA-STIG-RHEL-09-255045
- NIST-800-171-3.1.1
- NIST-800-171-3.1.5
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-6(2)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-IA-2
- NIST-800-53-IA-2(5)
- PCI-DSS-Req-2.2.4
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_disable_root_login
- name: Disable SSH Root Login
block:
- name: Deduplicate values from /etc/ssh/sshd_config
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
create: false
regexp: (?i)(?i)^\s*{{ "PermitRootLogin"| regex_escape }}\s+
state: absent
- name: Check if /etc/ssh/sshd_config.d exists
ansible.builtin.stat:
path: /etc/ssh/sshd_config.d
register: _etc_ssh_sshd_config_d_exists
- name: Check if the parameter PermitRootLogin is present in /etc/ssh/sshd_config.d
ansible.builtin.find:
paths: /etc/ssh/sshd_config.d
recurse: 'yes'
follow: 'no'
contains: (?i)^\s*{{ "PermitRootLogin"| regex_escape }}\s+
register: _etc_ssh_sshd_config_d_has_parameter
when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir
- name: Remove parameter from files in /etc/ssh/sshd_config.d
ansible.builtin.lineinfile:
path: '{{ item.path }}'
create: false
regexp: (?i)(?i)^\s*{{ "PermitRootLogin"| regex_escape }}\s+
state: absent
with_items: '{{ _etc_ssh_sshd_config_d_has_parameter.files }}'
when: _etc_ssh_sshd_config_d_has_parameter.matched
- name: Insert correct line to /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
create: true
regexp: (?i)(?i)^\s*{{ "PermitRootLogin"| regex_escape }}\s+
line: PermitRootLogin no
state: present
insertbefore: BOF
validate: /usr/sbin/sshd -t -f %s
when:
- DISA_STIG_RHEL_09_255045 | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- sshd_disable_root_login | bool
- '"kernel-core" in ansible_facts.packages'
- _sshd_config_correctly.matched == 0 or _sshd_config_has_parameter.matched != 1
tags:
- CCE-90800-4
- CJIS-5.5.6
- DISA-STIG-RHEL-09-255045
- NIST-800-171-3.1.1
- NIST-800-171-3.1.5
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-6(2)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-IA-2
- NIST-800-53-IA-2(5)
- PCI-DSS-Req-2.2.4
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_disable_root_login
- name: Disable SSH Root Login - set file mode for /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
ansible.builtin.file:
path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
mode: '0600'
state: touch
modification_time: preserve
access_time: preserve
when:
- DISA_STIG_RHEL_09_255045 | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- sshd_disable_root_login | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-90800-4
- CJIS-5.5.6
- DISA-STIG-RHEL-09-255045
- NIST-800-171-3.1.1
- NIST-800-171-3.1.5
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-6(2)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-IA-2
- NIST-800-53-IA-2(5)
- PCI-DSS-Req-2.2.4
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_disable_root_login
- name: Do Not Allow SSH Environment Options - Check if the parameter PermitUserEnvironment is configured
ansible.builtin.find:
paths:
- /etc/ssh/sshd_config
- /etc/ssh/sshd_config.d
contains: (?i)^\s*{{ "PermitUserEnvironment"| regex_escape }}\s+
register: _sshd_config_has_parameter
when:
- DISA_STIG_RHEL_09_255085 | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- sshd_do_not_permit_user_env | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-90803-8
- CJIS-5.5.6
- DISA-STIG-RHEL-09-255085
- NIST-800-171-3.1.12
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSS-Req-2.2.4
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_do_not_permit_user_env
- name: Do Not Allow SSH Environment Options - Check if the parameter PermitUserEnvironment is configured correctly
ansible.builtin.find:
paths:
- /etc/ssh/sshd_config
- /etc/ssh/sshd_config.d
contains: (?i)^\s*{{ "PermitUserEnvironment"| regex_escape }}\s+no$
register: _sshd_config_correctly
when:
- DISA_STIG_RHEL_09_255085 | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- sshd_do_not_permit_user_env | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-90803-8
- CJIS-5.5.6
- DISA-STIG-RHEL-09-255085
- NIST-800-171-3.1.12
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSS-Req-2.2.4
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_do_not_permit_user_env
- name: Do Not Allow SSH Environment Options
block:
- name: Deduplicate values from /etc/ssh/sshd_config
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
create: false
regexp: (?i)(?i)^\s*{{ "PermitUserEnvironment"| regex_escape }}\s+
state: absent
- name: Check if /etc/ssh/sshd_config.d exists
ansible.builtin.stat:
path: /etc/ssh/sshd_config.d
register: _etc_ssh_sshd_config_d_exists
- name: Check if the parameter PermitUserEnvironment is present in /etc/ssh/sshd_config.d
ansible.builtin.find:
paths: /etc/ssh/sshd_config.d
recurse: 'yes'
follow: 'no'
contains: (?i)^\s*{{ "PermitUserEnvironment"| regex_escape }}\s+
register: _etc_ssh_sshd_config_d_has_parameter
when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir
- name: Remove parameter from files in /etc/ssh/sshd_config.d
ansible.builtin.lineinfile:
path: '{{ item.path }}'
create: false
regexp: (?i)(?i)^\s*{{ "PermitUserEnvironment"| regex_escape }}\s+
state: absent
with_items: '{{ _etc_ssh_sshd_config_d_has_parameter.files }}'
when: _etc_ssh_sshd_config_d_has_parameter.matched
- name: Insert correct line to /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
create: true
regexp: (?i)(?i)^\s*{{ "PermitUserEnvironment"| regex_escape }}\s+
line: PermitUserEnvironment no
state: present
insertbefore: BOF
validate: /usr/sbin/sshd -t -f %s
when:
- DISA_STIG_RHEL_09_255085 | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- sshd_do_not_permit_user_env | bool
- '"kernel-core" in ansible_facts.packages'
- _sshd_config_correctly.matched == 0 or _sshd_config_has_parameter.matched != 1
tags:
- CCE-90803-8
- CJIS-5.5.6
- DISA-STIG-RHEL-09-255085
- NIST-800-171-3.1.12
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSS-Req-2.2.4
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_do_not_permit_user_env
- name: Do Not Allow SSH Environment Options - set file mode for /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
ansible.builtin.file:
path: /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
mode: '0600'
state: touch
modification_time: preserve
access_time: preserve
when:
- DISA_STIG_RHEL_09_255085 | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- sshd_do_not_permit_user_env | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-90803-8
- CJIS-5.5.6
- DISA-STIG-RHEL-09-255085
- NIST-800-171-3.1.12
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSS-Req-2.2.4
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_do_not_permit_user_env
- name: Enable PAM - Check if the parameter UsePAM is configured
ansible.builtin.find:
paths:
- /etc/ssh/sshd_config
- /etc/ssh/sshd_config.d
contains: (?i)^\s*{{ "UsePAM"| regex_escape }}\s+
register: _sshd_config_has_parameter
when:
- DISA_STIG_RHEL_09_255050 | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- sshd_enable_pam | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86722-6
- DISA-STIG-RHEL-09-255050
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_enable_pam
- name: Enable PAM - Check if the parameter UsePAM is configured correctly
ansible.builtin.find:
paths:
- /etc/ssh/sshd_config
- /etc/ssh/sshd_config.d
contains: (?i)^\s*{{ "UsePAM"| regex_escape }}\s+yes$
register: _sshd_config_correctly
when:
- DISA_STIG_RHEL_09_255050 | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- sshd_enable_pam | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86722-6
- DISA-STIG-RHEL-09-255050
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_enable_pam
- name: Enable PAM
block:
- name: Deduplicate values from /etc/ssh/sshd_config
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
create: false
regexp: (?i)(?i)^\s*{{ "UsePAM"| regex_escape }}\s+
state: absent
- name: Check if /etc/ssh/sshd_config.d exists
ansible.builtin.stat:
path: /etc/ssh/sshd_config.d
register: _etc_ssh_sshd_config_d_exists
- name: Check if the parameter UsePAM is present in /etc/ssh/sshd_config.d
ansible.builtin.find:
paths: /etc/ssh/sshd_config.d
recurse: 'yes'
follow: 'no'
contains: (?i)^\s*{{ "UsePAM"| regex_escape }}\s+
register: _etc_ssh_sshd_config_d_has_parameter
when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir
- name: Remove parameter from files in /etc/ssh/sshd_config.d
ansible.builtin.lineinfile:
path: '{{ item.path }}'
create: false
regexp: (?i)(?i)^\s*{{ "UsePAM"| regex_escape }}\s+
state: absent
with_items: '{{ _etc_ssh_sshd_config_d_has_parameter.files }}'
when: _etc_ssh_sshd_config_d_has_parameter.matched
- name: Insert correct line to /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
create: true
regexp: (?i)(?i)^\s*{{ "UsePAM"| regex_escape }}\s+
line: UsePAM yes
state: present
insertbefore: BOF
validate: /usr/sbin/sshd -t -f %s
when:
- DISA_STIG_RHEL_09_255050 | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- sshd_enable_pam | bool
- '"kernel-core" in ansible_facts.packages'
- _sshd_config_correctly.matched == 0 or _sshd_config_has_parameter.matched != 1
tags:
- CCE-86722-6
- DISA-STIG-RHEL-09-255050
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_enable_pam
- name: Enable PAM - set file mode for /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
ansible.builtin.file:
path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
mode: '0600'
state: touch
modification_time: preserve
access_time: preserve
when:
- DISA_STIG_RHEL_09_255050 | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- sshd_enable_pam | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86722-6
- DISA-STIG-RHEL-09-255050
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_enable_pam
- name: Enable SSH Warning Banner - Check if the parameter Banner is configured
ansible.builtin.find:
paths:
- /etc/ssh/sshd_config
- /etc/ssh/sshd_config.d
contains: (?i)^\s*{{ "Banner"| regex_escape }}\s+
register: _sshd_config_has_parameter
when:
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- sshd_enable_warning_banner_net | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-87979-1
- CJIS-5.5.6
- NIST-800-171-3.1.9
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-8(a)
- NIST-800-53-AC-8(c)
- NIST-800-53-CM-6(a)
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_enable_warning_banner_net
- name: Enable SSH Warning Banner - Check if the parameter Banner is configured correctly
ansible.builtin.find:
paths:
- /etc/ssh/sshd_config
- /etc/ssh/sshd_config.d
contains: (?i)^\s*{{ "Banner"| regex_escape }}\s+/etc/issue.net$
register: _sshd_config_correctly
when:
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- sshd_enable_warning_banner_net | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-87979-1
- CJIS-5.5.6
- NIST-800-171-3.1.9
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-8(a)
- NIST-800-53-AC-8(c)
- NIST-800-53-CM-6(a)
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_enable_warning_banner_net
- name: Enable SSH Warning Banner
block:
- name: Deduplicate values from /etc/ssh/sshd_config
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
create: false
regexp: (?i)(?i)^\s*{{ "Banner"| regex_escape }}\s+
state: absent
- name: Check if /etc/ssh/sshd_config.d exists
ansible.builtin.stat:
path: /etc/ssh/sshd_config.d
register: _etc_ssh_sshd_config_d_exists
- name: Check if the parameter Banner is present in /etc/ssh/sshd_config.d
ansible.builtin.find:
paths: /etc/ssh/sshd_config.d
recurse: 'yes'
follow: 'no'
contains: (?i)^\s*{{ "Banner"| regex_escape }}\s+
register: _etc_ssh_sshd_config_d_has_parameter
when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir
- name: Remove parameter from files in /etc/ssh/sshd_config.d
ansible.builtin.lineinfile:
path: '{{ item.path }}'
create: false
regexp: (?i)(?i)^\s*{{ "Banner"| regex_escape }}\s+
state: absent
with_items: '{{ _etc_ssh_sshd_config_d_has_parameter.files }}'
when: _etc_ssh_sshd_config_d_has_parameter.matched
- name: Insert correct line to /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
create: true
regexp: (?i)(?i)^\s*{{ "Banner"| regex_escape }}\s+
line: Banner /etc/issue.net
state: present
insertbefore: BOF
validate: /usr/sbin/sshd -t -f %s
when:
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- sshd_enable_warning_banner_net | bool
- '"kernel-core" in ansible_facts.packages'
- _sshd_config_correctly.matched == 0 or _sshd_config_has_parameter.matched != 1
tags:
- CCE-87979-1
- CJIS-5.5.6
- NIST-800-171-3.1.9
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-8(a)
- NIST-800-53-AC-8(c)
- NIST-800-53-CM-6(a)
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_enable_warning_banner_net
- name: Enable SSH Warning Banner - set file mode for /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
ansible.builtin.file:
path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
mode: '0600'
state: touch
modification_time: preserve
access_time: preserve
when:
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- sshd_enable_warning_banner_net | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-87979-1
- CJIS-5.5.6
- NIST-800-171-3.1.9
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-8(a)
- NIST-800-53-AC-8(c)
- NIST-800-53-CM-6(a)
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_enable_warning_banner_net
- name: Ensure SSH LoginGraceTime is configured - Check if the parameter LoginGraceTime is configured
ansible.builtin.find:
paths:
- /etc/ssh/sshd_config
- /etc/ssh/sshd_config.d
contains: (?i)^\s*{{ "LoginGraceTime"| regex_escape }}\s+
register: _sshd_config_has_parameter
when:
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- sshd_set_login_grace_time | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86552-7
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_set_login_grace_time
- name: Ensure SSH LoginGraceTime is configured - Check if the parameter LoginGraceTime is configured correctly
ansible.builtin.find:
paths:
- /etc/ssh/sshd_config
- /etc/ssh/sshd_config.d
contains: (?i)^\s*{{ "LoginGraceTime"| regex_escape }}\s+{{ var_sshd_set_login_grace_time }}$
register: _sshd_config_correctly
when:
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- sshd_set_login_grace_time | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86552-7
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_set_login_grace_time
- name: Ensure SSH LoginGraceTime is configured
block:
- name: Deduplicate values from /etc/ssh/sshd_config
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
create: false
regexp: (?i)(?i)^\s*{{ "LoginGraceTime"| regex_escape }}\s+
state: absent
- name: Check if /etc/ssh/sshd_config.d exists
ansible.builtin.stat:
path: /etc/ssh/sshd_config.d
register: _etc_ssh_sshd_config_d_exists
- name: Check if the parameter LoginGraceTime is present in /etc/ssh/sshd_config.d
ansible.builtin.find:
paths: /etc/ssh/sshd_config.d
recurse: 'yes'
follow: 'no'
contains: (?i)^\s*{{ "LoginGraceTime"| regex_escape }}\s+
register: _etc_ssh_sshd_config_d_has_parameter
when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir
- name: Remove parameter from files in /etc/ssh/sshd_config.d
ansible.builtin.lineinfile:
path: '{{ item.path }}'
create: false
regexp: (?i)(?i)^\s*{{ "LoginGraceTime"| regex_escape }}\s+
state: absent
with_items: '{{ _etc_ssh_sshd_config_d_has_parameter.files }}'
when: _etc_ssh_sshd_config_d_has_parameter.matched
- name: Insert correct line to /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
create: true
regexp: (?i)(?i)^\s*{{ "LoginGraceTime"| regex_escape }}\s+
line: LoginGraceTime {{ var_sshd_set_login_grace_time }}
state: present
insertbefore: BOF
validate: /usr/sbin/sshd -t -f %s
when:
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- sshd_set_login_grace_time | bool
- '"kernel-core" in ansible_facts.packages'
- _sshd_config_correctly.matched == 0 or _sshd_config_has_parameter.matched != 1
tags:
- CCE-86552-7
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_set_login_grace_time
- name: Ensure SSH LoginGraceTime is configured - set file mode for /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
ansible.builtin.file:
path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
mode: '0600'
state: touch
modification_time: preserve
access_time: preserve
when:
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- sshd_set_login_grace_time | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86552-7
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_set_login_grace_time
- name: Set SSH Daemon LogLevel to VERBOSE - Check if the parameter LogLevel is configured
ansible.builtin.find:
paths:
- /etc/ssh/sshd_config
- /etc/ssh/sshd_config.d
contains: (?i)^\s*{{ "LogLevel"| regex_escape }}\s+
register: _sshd_config_has_parameter
when:
- DISA_STIG_RHEL_09_255030 | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- sshd_set_loglevel_verbose | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86923-0
- DISA-STIG-RHEL-09-255030
- NIST-800-53-AC-17(1)
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-2.2.4
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_set_loglevel_verbose
- name: Set SSH Daemon LogLevel to VERBOSE - Check if the parameter LogLevel is configured correctly
ansible.builtin.find:
paths:
- /etc/ssh/sshd_config
- /etc/ssh/sshd_config.d
contains: (?i)^\s*{{ "LogLevel"| regex_escape }}\s+VERBOSE$
register: _sshd_config_correctly
when:
- DISA_STIG_RHEL_09_255030 | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- sshd_set_loglevel_verbose | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86923-0
- DISA-STIG-RHEL-09-255030
- NIST-800-53-AC-17(1)
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-2.2.4
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_set_loglevel_verbose
- name: Set SSH Daemon LogLevel to VERBOSE
block:
- name: Deduplicate values from /etc/ssh/sshd_config
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
create: false
regexp: (?i)(?i)^\s*{{ "LogLevel"| regex_escape }}\s+
state: absent
- name: Check if /etc/ssh/sshd_config.d exists
ansible.builtin.stat:
path: /etc/ssh/sshd_config.d
register: _etc_ssh_sshd_config_d_exists
- name: Check if the parameter LogLevel is present in /etc/ssh/sshd_config.d
ansible.builtin.find:
paths: /etc/ssh/sshd_config.d
recurse: 'yes'
follow: 'no'
contains: (?i)^\s*{{ "LogLevel"| regex_escape }}\s+
register: _etc_ssh_sshd_config_d_has_parameter
when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir
- name: Remove parameter from files in /etc/ssh/sshd_config.d
ansible.builtin.lineinfile:
path: '{{ item.path }}'
create: false
regexp: (?i)(?i)^\s*{{ "LogLevel"| regex_escape }}\s+
state: absent
with_items: '{{ _etc_ssh_sshd_config_d_has_parameter.files }}'
when: _etc_ssh_sshd_config_d_has_parameter.matched
- name: Insert correct line to /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
create: true
regexp: (?i)(?i)^\s*{{ "LogLevel"| regex_escape }}\s+
line: LogLevel VERBOSE
state: present
insertbefore: BOF
validate: /usr/sbin/sshd -t -f %s
when:
- DISA_STIG_RHEL_09_255030 | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- sshd_set_loglevel_verbose | bool
- '"kernel-core" in ansible_facts.packages'
- _sshd_config_correctly.matched == 0 or _sshd_config_has_parameter.matched != 1
tags:
- CCE-86923-0
- DISA-STIG-RHEL-09-255030
- NIST-800-53-AC-17(1)
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-2.2.4
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_set_loglevel_verbose
- name: Set SSH Daemon LogLevel to VERBOSE - set file mode for /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
ansible.builtin.file:
path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
mode: '0600'
state: touch
modification_time: preserve
access_time: preserve
when:
- DISA_STIG_RHEL_09_255030 | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- sshd_set_loglevel_verbose | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86923-0
- DISA-STIG-RHEL-09-255030
- NIST-800-53-AC-17(1)
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-2.2.4
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_set_loglevel_verbose
- name: Set SSH authentication attempt limit - Check if the parameter MaxAuthTries is configured
ansible.builtin.find:
paths:
- /etc/ssh/sshd_config
- /etc/ssh/sshd_config.d
contains: (?i)^\s*{{ "MaxAuthTries"| regex_escape }}\s+
register: _sshd_config_has_parameter
when:
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- sshd_set_max_auth_tries | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-90810-3
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_set_max_auth_tries
- name: Set SSH authentication attempt limit - Check if the parameter MaxAuthTries is configured correctly
ansible.builtin.find:
paths:
- /etc/ssh/sshd_config
- /etc/ssh/sshd_config.d
contains: (?i)^\s*{{ "MaxAuthTries"| regex_escape }}\s+{{ sshd_max_auth_tries_value }}$
register: _sshd_config_correctly
when:
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- sshd_set_max_auth_tries | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-90810-3
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_set_max_auth_tries
- name: Set SSH authentication attempt limit
block:
- name: Deduplicate values from /etc/ssh/sshd_config
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
create: false
regexp: (?i)(?i)^\s*{{ "MaxAuthTries"| regex_escape }}\s+
state: absent
- name: Check if /etc/ssh/sshd_config.d exists
ansible.builtin.stat:
path: /etc/ssh/sshd_config.d
register: _etc_ssh_sshd_config_d_exists
- name: Check if the parameter MaxAuthTries is present in /etc/ssh/sshd_config.d
ansible.builtin.find:
paths: /etc/ssh/sshd_config.d
recurse: 'yes'
follow: 'no'
contains: (?i)^\s*{{ "MaxAuthTries"| regex_escape }}\s+
register: _etc_ssh_sshd_config_d_has_parameter
when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir
- name: Remove parameter from files in /etc/ssh/sshd_config.d
ansible.builtin.lineinfile:
path: '{{ item.path }}'
create: false
regexp: (?i)(?i)^\s*{{ "MaxAuthTries"| regex_escape }}\s+
state: absent
with_items: '{{ _etc_ssh_sshd_config_d_has_parameter.files }}'
when: _etc_ssh_sshd_config_d_has_parameter.matched
- name: Insert correct line to /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
create: true
regexp: (?i)(?i)^\s*{{ "MaxAuthTries"| regex_escape }}\s+
line: MaxAuthTries {{ sshd_max_auth_tries_value }}
state: present
insertbefore: BOF
validate: /usr/sbin/sshd -t -f %s
when:
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- sshd_set_max_auth_tries | bool
- '"kernel-core" in ansible_facts.packages'
- _sshd_config_correctly.matched == 0 or _sshd_config_has_parameter.matched != 1
tags:
- CCE-90810-3
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_set_max_auth_tries
- name: Set SSH authentication attempt limit - set file mode for /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
ansible.builtin.file:
path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
mode: '0600'
state: touch
modification_time: preserve
access_time: preserve
when:
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- sshd_set_max_auth_tries | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-90810-3
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_set_max_auth_tries
- name: Set SSH MaxSessions limit - Check if the parameter MaxSessions is configured
ansible.builtin.find:
paths:
- /etc/ssh/sshd_config
- /etc/ssh/sshd_config.d
contains: (?i)^\s*{{ "MaxSessions"| regex_escape }}\s+
register: _sshd_config_has_parameter
when:
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- sshd_set_max_sessions | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84103-1
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_set_max_sessions
- name: Set SSH MaxSessions limit - Check if the parameter MaxSessions is configured correctly
ansible.builtin.find:
paths:
- /etc/ssh/sshd_config
- /etc/ssh/sshd_config.d
contains: (?i)^\s*{{ "MaxSessions"| regex_escape }}\s+{{ var_sshd_max_sessions }}$
register: _sshd_config_correctly
when:
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- sshd_set_max_sessions | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84103-1
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_set_max_sessions
- name: Set SSH MaxSessions limit
block:
- name: Deduplicate values from /etc/ssh/sshd_config
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
create: false
regexp: (?i)(?i)^\s*{{ "MaxSessions"| regex_escape }}\s+
state: absent
- name: Check if /etc/ssh/sshd_config.d exists
ansible.builtin.stat:
path: /etc/ssh/sshd_config.d
register: _etc_ssh_sshd_config_d_exists
- name: Check if the parameter MaxSessions is present in /etc/ssh/sshd_config.d
ansible.builtin.find:
paths: /etc/ssh/sshd_config.d
recurse: 'yes'
follow: 'no'
contains: (?i)^\s*{{ "MaxSessions"| regex_escape }}\s+
register: _etc_ssh_sshd_config_d_has_parameter
when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir
- name: Remove parameter from files in /etc/ssh/sshd_config.d
ansible.builtin.lineinfile:
path: '{{ item.path }}'
create: false
regexp: (?i)(?i)^\s*{{ "MaxSessions"| regex_escape }}\s+
state: absent
with_items: '{{ _etc_ssh_sshd_config_d_has_parameter.files }}'
when: _etc_ssh_sshd_config_d_has_parameter.matched
- name: Insert correct line to /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
create: true
regexp: (?i)(?i)^\s*{{ "MaxSessions"| regex_escape }}\s+
line: MaxSessions {{ var_sshd_max_sessions }}
state: present
insertbefore: BOF
validate: /usr/sbin/sshd -t -f %s
when:
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- sshd_set_max_sessions | bool
- '"kernel-core" in ansible_facts.packages'
- _sshd_config_correctly.matched == 0 or _sshd_config_has_parameter.matched != 1
tags:
- CCE-84103-1
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_set_max_sessions
- name: Set SSH MaxSessions limit - set file mode for /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
ansible.builtin.file:
path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
mode: '0600'
state: touch
modification_time: preserve
access_time: preserve
when:
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- sshd_set_max_sessions | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84103-1
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_set_max_sessions
- name: Ensure SSH MaxStartups is configured - Check if the parameter MaxStartups is configured
ansible.builtin.find:
paths:
- /etc/ssh/sshd_config
- /etc/ssh/sshd_config.d
contains: (?i)^\s*{{ "MaxStartups"| regex_escape }}\s+
register: _sshd_config_has_parameter
when:
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- sshd_set_maxstartups | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-87872-8
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_set_maxstartups
- name: Ensure SSH MaxStartups is configured - Check if the parameter MaxStartups is configured correctly
ansible.builtin.find:
paths:
- /etc/ssh/sshd_config
- /etc/ssh/sshd_config.d
contains: (?i)^\s*{{ "MaxStartups"| regex_escape }}\s+{{ var_sshd_set_maxstartups }}$
register: _sshd_config_correctly
when:
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- sshd_set_maxstartups | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-87872-8
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_set_maxstartups
- name: Ensure SSH MaxStartups is configured
block:
- name: Deduplicate values from /etc/ssh/sshd_config
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
create: false
regexp: (?i)(?i)^\s*{{ "MaxStartups"| regex_escape }}\s+
state: absent
- name: Check if /etc/ssh/sshd_config.d exists
ansible.builtin.stat:
path: /etc/ssh/sshd_config.d
register: _etc_ssh_sshd_config_d_exists
- name: Check if the parameter MaxStartups is present in /etc/ssh/sshd_config.d
ansible.builtin.find:
paths: /etc/ssh/sshd_config.d
recurse: 'yes'
follow: 'no'
contains: (?i)^\s*{{ "MaxStartups"| regex_escape }}\s+
register: _etc_ssh_sshd_config_d_has_parameter
when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir
- name: Remove parameter from files in /etc/ssh/sshd_config.d
ansible.builtin.lineinfile:
path: '{{ item.path }}'
create: false
regexp: (?i)(?i)^\s*{{ "MaxStartups"| regex_escape }}\s+
state: absent
with_items: '{{ _etc_ssh_sshd_config_d_has_parameter.files }}'
when: _etc_ssh_sshd_config_d_has_parameter.matched
- name: Insert correct line to /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
create: true
regexp: (?i)(?i)^\s*{{ "MaxStartups"| regex_escape }}\s+
line: MaxStartups {{ var_sshd_set_maxstartups }}
state: present
insertbefore: BOF
validate: /usr/sbin/sshd -t -f %s
when:
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- sshd_set_maxstartups | bool
- '"kernel-core" in ansible_facts.packages'
- _sshd_config_correctly.matched == 0 or _sshd_config_has_parameter.matched != 1
tags:
- CCE-87872-8
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_set_maxstartups
- name: Ensure SSH MaxStartups is configured - set file mode for /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
ansible.builtin.file:
path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
mode: '0600'
state: touch
modification_time: preserve
access_time: preserve
when:
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- sshd_set_maxstartups | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-87872-8
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_set_maxstartups
- name: Use Only Strong Key Exchange algorithms - Check if the parameter KexAlgorithms is configured
ansible.builtin.find:
paths:
- /etc/ssh/sshd_config
- /etc/ssh/sshd_config.d
contains: (?i)^\s*{{ "KexAlgorithms"| regex_escape }}\s+
register: _sshd_config_has_parameter
when:
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- sshd_use_strong_kex | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86768-9
- PCI-DSS-Req-2.3
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.7
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_use_strong_kex
- name: Use Only Strong Key Exchange algorithms - Check if the parameter KexAlgorithms is configured correctly
ansible.builtin.find:
paths:
- /etc/ssh/sshd_config
- /etc/ssh/sshd_config.d
contains: (?i)^\s*{{ "KexAlgorithms"| regex_escape }}\s+{{ sshd_strong_kex }}$
register: _sshd_config_correctly
when:
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- sshd_use_strong_kex | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86768-9
- PCI-DSS-Req-2.3
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.7
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_use_strong_kex
- name: Use Only Strong Key Exchange algorithms
block:
- name: Deduplicate values from /etc/ssh/sshd_config
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
create: false
regexp: (?i)(?i)^\s*{{ "KexAlgorithms"| regex_escape }}\s+
state: absent
- name: Check if /etc/ssh/sshd_config.d exists
ansible.builtin.stat:
path: /etc/ssh/sshd_config.d
register: _etc_ssh_sshd_config_d_exists
- name: Check if the parameter KexAlgorithms is present in /etc/ssh/sshd_config.d
ansible.builtin.find:
paths: /etc/ssh/sshd_config.d
recurse: 'yes'
follow: 'no'
contains: (?i)^\s*{{ "KexAlgorithms"| regex_escape }}\s+
register: _etc_ssh_sshd_config_d_has_parameter
when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir
- name: Remove parameter from files in /etc/ssh/sshd_config.d
ansible.builtin.lineinfile:
path: '{{ item.path }}'
create: false
regexp: (?i)(?i)^\s*{{ "KexAlgorithms"| regex_escape }}\s+
state: absent
with_items: '{{ _etc_ssh_sshd_config_d_has_parameter.files }}'
when: _etc_ssh_sshd_config_d_has_parameter.matched
- name: Insert correct line to /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
create: true
regexp: (?i)(?i)^\s*{{ "KexAlgorithms"| regex_escape }}\s+
line: KexAlgorithms {{ sshd_strong_kex }}
state: present
insertbefore: BOF
validate: /usr/sbin/sshd -t -f %s
when:
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- sshd_use_strong_kex | bool
- '"kernel-core" in ansible_facts.packages'
- _sshd_config_correctly.matched == 0 or _sshd_config_has_parameter.matched != 1
tags:
- CCE-86768-9
- PCI-DSS-Req-2.3
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.7
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_use_strong_kex
- name: Use Only Strong Key Exchange algorithms - set file mode for /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
ansible.builtin.file:
path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
mode: '0600'
state: touch
modification_time: preserve
access_time: preserve
when:
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- sshd_use_strong_kex | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86768-9
- PCI-DSS-Req-2.3
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.7
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_use_strong_kex
- name: Switch to multi-user runlevel
ansible.builtin.file:
src: /usr/lib/systemd/system/multi-user.target
dest: /etc/systemd/system/default.target
state: link
force: true
when:
- DISA_STIG_RHEL_09_211030 | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- restrict_strategy | bool
- xwindows_runlevel_target | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-84105-6
- DISA-STIG-RHEL-09-211030
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- xwindows_runlevel_target
- name: Check if audit argument is already present in /etc/default/grub
ansible.builtin.slurp:
src: /etc/default/grub
register: etc_default_grub
when:
- DISA_STIG_RHEL_09_212055 | bool
- grub2_audit_argument | bool
- low_disruption | bool
- low_severity | bool
- medium_complexity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- '"grub2-common" in ansible_facts.packages'
tags:
- CCE-83651-0
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-212055
- NIST-800-171-3.3.1
- NIST-800-53-AC-17(1)
- NIST-800-53-AU-10
- NIST-800-53-AU-14(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-IR-5(1)
- PCI-DSS-Req-10.3
- PCI-DSSv4-10.7
- PCI-DSSv4-10.7.2
- grub2_audit_argument
- low_disruption
- low_severity
- medium_complexity
- reboot_required
- restrict_strategy
- name: Check if audit argument is already present
ansible.builtin.command: /sbin/grubby --info=ALL
register: grubby_info
check_mode: false
changed_when: false
failed_when: false
when:
- DISA_STIG_RHEL_09_212055 | bool
- grub2_audit_argument | bool
- low_disruption | bool
- low_severity | bool
- medium_complexity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- '"grub2-common" in ansible_facts.packages'
tags:
- CCE-83651-0
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-212055
- NIST-800-171-3.3.1
- NIST-800-53-AC-17(1)
- NIST-800-53-AU-10
- NIST-800-53-AU-14(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-IR-5(1)
- PCI-DSS-Req-10.3
- PCI-DSSv4-10.7
- PCI-DSSv4-10.7.2
- grub2_audit_argument
- low_disruption
- low_severity
- medium_complexity
- reboot_required
- restrict_strategy
- name: Update grub defaults and the bootloader menu
ansible.builtin.command: /sbin/grubby --update-kernel=ALL --args="audit=1"
when:
- DISA_STIG_RHEL_09_212055 | bool
- grub2_audit_argument | bool
- low_disruption | bool
- low_severity | bool
- medium_complexity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- '"grub2-common" in ansible_facts.packages'
- (grubby_info.stdout is not search('audit=1')) or ((etc_default_grub['content'] | b64decode) is not search('audit=1'))
tags:
- CCE-83651-0
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-212055
- NIST-800-171-3.3.1
- NIST-800-53-AC-17(1)
- NIST-800-53-AU-10
- NIST-800-53-AU-14(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-IR-5(1)
- PCI-DSS-Req-10.3
- PCI-DSSv4-10.7
- PCI-DSSv4-10.7.2
- grub2_audit_argument
- low_disruption
- low_severity
- medium_complexity
- reboot_required
- restrict_strategy
- name: Check if audit_backlog_limit argument is already present in /etc/default/grub
ansible.builtin.slurp:
src: /etc/default/grub
register: etc_default_grub
when:
- DISA_STIG_RHEL_09_653120 | bool
- grub2_audit_backlog_limit_argument | bool
- low_disruption | bool
- low_severity | bool
- medium_complexity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- '"grub2-common" in ansible_facts.packages'
tags:
- CCE-83652-8
- DISA-STIG-RHEL-09-653120
- NIST-800-53-CM-6(a)
- PCI-DSSv4-10.7
- PCI-DSSv4-10.7.2
- grub2_audit_backlog_limit_argument
- low_disruption
- low_severity
- medium_complexity
- reboot_required
- restrict_strategy
- name: Check if audit_backlog_limit argument is already present
ansible.builtin.command: /sbin/grubby --info=ALL
register: grubby_info
check_mode: false
changed_when: false
failed_when: false
when:
- DISA_STIG_RHEL_09_653120 | bool
- grub2_audit_backlog_limit_argument | bool
- low_disruption | bool
- low_severity | bool
- medium_complexity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- '"grub2-common" in ansible_facts.packages'
tags:
- CCE-83652-8
- DISA-STIG-RHEL-09-653120
- NIST-800-53-CM-6(a)
- PCI-DSSv4-10.7
- PCI-DSSv4-10.7.2
- grub2_audit_backlog_limit_argument
- low_disruption
- low_severity
- medium_complexity
- reboot_required
- restrict_strategy
- name: Update grub defaults and the bootloader menu
ansible.builtin.command: /sbin/grubby --update-kernel=ALL --args="audit_backlog_limit={{ var_audit_backlog_limit }}"
when:
- DISA_STIG_RHEL_09_653120 | bool
- grub2_audit_backlog_limit_argument | bool
- low_disruption | bool
- low_severity | bool
- medium_complexity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"kernel-core" in ansible_facts.packages'
- '"grub2-common" in ansible_facts.packages'
- (grubby_info.stdout is not search('audit_backlog_limit=' ~ var_audit_backlog_limit)) or ((etc_default_grub['content']
| b64decode) is not search('audit_backlog_limit=' ~ var_audit_backlog_limit))
tags:
- CCE-83652-8
- DISA-STIG-RHEL-09-653120
- NIST-800-53-CM-6(a)
- PCI-DSSv4-10.7
- PCI-DSSv4-10.7.2
- grub2_audit_backlog_limit_argument
- low_disruption
- low_severity
- medium_complexity
- reboot_required
- restrict_strategy
- name: Make the auditd Configuration Immutable - Collect all files from /etc/audit/rules.d with .rules extension
ansible.builtin.find:
paths: /etc/audit/rules.d/
patterns: '*.rules'
register: find_rules_d
when:
- DISA_STIG_RHEL_09_654275 | bool
- audit_rules_immutable | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83716-1
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654275
- NIST-800-171-3.3.1
- NIST-800-171-3.4.3
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.2
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.2
- audit_rules_immutable
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Make the auditd Configuration Immutable - Check if target files exist and get their content
ansible.builtin.stat:
path: '{{ item }}'
register: audit_files_stat
loop:
- /etc/audit/audit.rules
- /etc/audit/rules.d/immutable.rules
when:
- DISA_STIG_RHEL_09_654275 | bool
- audit_rules_immutable | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83716-1
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654275
- NIST-800-171-3.3.1
- NIST-800-171-3.4.3
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.2
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.2
- audit_rules_immutable
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Make the auditd Configuration Immutable - Read content of existing audit files
ansible.builtin.slurp:
src: '{{ item.item }}'
register: audit_files_content
loop: '{{ audit_files_stat.results }}'
when:
- DISA_STIG_RHEL_09_654275 | bool
- audit_rules_immutable | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- item.stat.exists
tags:
- CCE-83716-1
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654275
- NIST-800-171-3.3.1
- NIST-800-171-3.4.3
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.2
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.2
- audit_rules_immutable
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Make the auditd Configuration Immutable - Check if -e 2 is already correctly set in target files
ansible.builtin.set_fact:
immutable_correctly_set: "{{\n audit_files_content.results\n | selectattr('content', 'defined')\n | map(attribute='content')\n\
\ | map('b64decode')\n | select('search', '^-e 2$', multiline=True)\n | list\n | length == 2\n}}"
when:
- DISA_STIG_RHEL_09_654275 | bool
- audit_rules_immutable | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83716-1
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654275
- NIST-800-171-3.3.1
- NIST-800-171-3.4.3
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.2
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.2
- audit_rules_immutable
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Make the auditd Configuration Immutable - Remove any existing -e option from all Audit config files
ansible.builtin.lineinfile:
path: '{{ item }}'
regexp: ^\s*-e\s+.*$
state: absent
loop: '{{ find_rules_d.files | map(attribute=''path'') | list + [''/etc/audit/audit.rules''] }}'
when:
- DISA_STIG_RHEL_09_654275 | bool
- audit_rules_immutable | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- not immutable_correctly_set
tags:
- CCE-83716-1
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654275
- NIST-800-171-3.3.1
- NIST-800-171-3.4.3
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.2
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.2
- audit_rules_immutable
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Make the auditd Configuration Immutable - Ensure target directories exist
ansible.builtin.file:
path: '{{ item | dirname }}'
state: directory
mode: '0750'
loop:
- /etc/audit/audit.rules
- /etc/audit/rules.d/immutable.rules
when:
- DISA_STIG_RHEL_09_654275 | bool
- audit_rules_immutable | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- not immutable_correctly_set
tags:
- CCE-83716-1
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654275
- NIST-800-171-3.3.1
- NIST-800-171-3.4.3
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.2
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.2
- audit_rules_immutable
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Make the auditd Configuration Immutable - Add Audit -e 2 option to make rules immutable
ansible.builtin.lineinfile:
path: '{{ item }}'
create: true
line: -e 2
regexp: ^\s*-e\s+.*$
mode: g-rwx,o-rwx
loop:
- /etc/audit/audit.rules
- /etc/audit/rules.d/immutable.rules
when:
- DISA_STIG_RHEL_09_654275 | bool
- audit_rules_immutable | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- not immutable_correctly_set
tags:
- CCE-83716-1
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654275
- NIST-800-171-3.3.1
- NIST-800-171-3.4.3
- NIST-800-53-AC-6(9)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.2
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.2
- audit_rules_immutable
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Record Events that Modify the System's Mandatory Access Controls - Check if watch rule for /etc/selinux/ already exists
in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: ^\s*-w\s+/etc/selinux/\s+-p\s+wa(\s|$)+
patterns: '*.rules'
register: find_existing_watch_rules_d
when:
- audit_rules_mac_modification | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83721-1
- CJIS-5.4.1.1
- NIST-800-171-3.1.8
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_mac_modification
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Record Events that Modify the System's Mandatory Access Controls - Search /etc/audit/rules.d for other rules with
specified key MAC-policy
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: ^.*(?:-F key=|-k\s+)MAC-policy$
patterns: '*.rules'
register: find_watch_key
when:
- audit_rules_mac_modification | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
tags:
- CCE-83721-1
- CJIS-5.4.1.1
- NIST-800-171-3.1.8
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_mac_modification
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Record Events that Modify the System's Mandatory Access Controls - Use /etc/audit/rules.d/MAC-policy.rules as the
recipient for the rule
ansible.builtin.set_fact:
all_files:
- /etc/audit/rules.d/MAC-policy.rules
when:
- audit_rules_mac_modification | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and
find_existing_watch_rules_d.matched == 0
tags:
- CCE-83721-1
- CJIS-5.4.1.1
- NIST-800-171-3.1.8
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_mac_modification
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Record Events that Modify the System's Mandatory Access Controls - Use matched file as the recipient for the rule
ansible.builtin.set_fact:
all_files:
- '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
when:
- audit_rules_mac_modification | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and
find_existing_watch_rules_d.matched == 0
tags:
- CCE-83721-1
- CJIS-5.4.1.1
- NIST-800-171-3.1.8
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_mac_modification
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Record Events that Modify the System's Mandatory Access Controls - Add watch rule for /etc/selinux/ in /etc/audit/rules.d/
ansible.builtin.lineinfile:
path: '{{ all_files[0] }}'
line: -w /etc/selinux/ -p wa -k MAC-policy
create: true
mode: '0600'
when:
- audit_rules_mac_modification | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
tags:
- CCE-83721-1
- CJIS-5.4.1.1
- NIST-800-171-3.1.8
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_mac_modification
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Record Events that Modify the System's Mandatory Access Controls - Check if watch rule for /etc/selinux/ already exists
in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit/
contains: ^\s*-w\s+/etc/selinux/\s+-p\s+wa(\s|$)+
patterns: audit.rules
register: find_existing_watch_audit_rules
when:
- audit_rules_mac_modification | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83721-1
- CJIS-5.4.1.1
- NIST-800-171-3.1.8
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_mac_modification
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Record Events that Modify the System's Mandatory Access Controls - Add watch rule for /etc/selinux/ in /etc/audit/audit.rules
ansible.builtin.lineinfile:
line: -w /etc/selinux/ -p wa -k MAC-policy
state: present
dest: /etc/audit/audit.rules
create: true
mode: '0600'
when:
- audit_rules_mac_modification | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0
tags:
- CCE-83721-1
- CJIS-5.4.1.1
- NIST-800-171-3.1.8
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_mac_modification
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Record Events that Modify the System's Mandatory Access Controls in usr/share - Check if watch rule for /usr/share/selinux/
already exists in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: ^\s*-w\s+/usr/share/selinux/\s+-p\s+wa(\s|$)+
patterns: '*.rules'
register: find_existing_watch_rules_d
when:
- audit_rules_mac_modification_usr_share | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86343-1
- NIST-800-171-3.1.8
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- audit_rules_mac_modification_usr_share
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify the System's Mandatory Access Controls in usr/share - Search /etc/audit/rules.d for other
rules with specified key MAC-policy
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: ^.*(?:-F key=|-k\s+)MAC-policy$
patterns: '*.rules'
register: find_watch_key
when:
- audit_rules_mac_modification_usr_share | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
tags:
- CCE-86343-1
- NIST-800-171-3.1.8
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- audit_rules_mac_modification_usr_share
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify the System's Mandatory Access Controls in usr/share - Use /etc/audit/rules.d/MAC-policy.rules
as the recipient for the rule
ansible.builtin.set_fact:
all_files:
- /etc/audit/rules.d/MAC-policy.rules
when:
- audit_rules_mac_modification_usr_share | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and
find_existing_watch_rules_d.matched == 0
tags:
- CCE-86343-1
- NIST-800-171-3.1.8
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- audit_rules_mac_modification_usr_share
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify the System's Mandatory Access Controls in usr/share - Use matched file as the recipient
for the rule
ansible.builtin.set_fact:
all_files:
- '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
when:
- audit_rules_mac_modification_usr_share | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and
find_existing_watch_rules_d.matched == 0
tags:
- CCE-86343-1
- NIST-800-171-3.1.8
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- audit_rules_mac_modification_usr_share
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify the System's Mandatory Access Controls in usr/share - Add watch rule for /usr/share/selinux/
in /etc/audit/rules.d/
ansible.builtin.lineinfile:
path: '{{ all_files[0] }}'
line: -w /usr/share/selinux/ -p wa -k MAC-policy
create: true
mode: '0600'
when:
- audit_rules_mac_modification_usr_share | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
tags:
- CCE-86343-1
- NIST-800-171-3.1.8
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- audit_rules_mac_modification_usr_share
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify the System's Mandatory Access Controls in usr/share - Check if watch rule for /usr/share/selinux/
already exists in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit/
contains: ^\s*-w\s+/usr/share/selinux/\s+-p\s+wa(\s|$)+
patterns: audit.rules
register: find_existing_watch_audit_rules
when:
- audit_rules_mac_modification_usr_share | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86343-1
- NIST-800-171-3.1.8
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- audit_rules_mac_modification_usr_share
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify the System's Mandatory Access Controls in usr/share - Add watch rule for /usr/share/selinux/
in /etc/audit/audit.rules
ansible.builtin.lineinfile:
line: -w /usr/share/selinux/ -p wa -k MAC-policy
state: present
dest: /etc/audit/audit.rules
create: true
mode: '0600'
when:
- audit_rules_mac_modification_usr_share | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0
tags:
- CCE-86343-1
- NIST-800-171-3.1.8
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- audit_rules_mac_modification_usr_share
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set architecture for audit mount tasks
ansible.builtin.set_fact:
audit_arch: b64
when:
- audit_rules_media_export | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture
== "s390x" or ansible_architecture == "x86_64"
tags:
- CCE-83735-1
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.7
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.7
- audit_rules_media_export
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for mount for 32bit platform
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- mount
syscall_grouping: []
- name: Check existence of mount in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path')
| list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/export.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/export.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S
|,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=export
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- mount
syscall_grouping: []
- name: Check existence of mount in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F
auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=export
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- audit_rules_media_export | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83735-1
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.7
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.7
- audit_rules_media_export
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for mount for 64bit platform
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- mount
syscall_grouping: []
- name: Check existence of mount in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path')
| list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/export.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/export.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S
|,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=export
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- mount
syscall_grouping: []
- name: Check existence of mount in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F
auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=export
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- audit_rules_media_export | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- audit_arch == "b64"
tags:
- CCE-83735-1
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.7
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.7
- audit_rules_media_export
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Set architecture for audit tasks
ansible.builtin.set_fact:
audit_arch: b64
when:
- audit_rules_networkconfig_modification | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture
== "s390x" or ansible_architecture == "x86_64"
tags:
- CCE-83706-2
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Remediate audit rules for network configuration for 32bit platform
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- sethostname
- setdomainname
syscall_grouping:
- sethostname
- setdomainname
- name: Check existence of sethostname, setdomainname in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path')
| list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/audit_rules_networkconfig_modification.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S
|,)\w+)+)( (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=audit_rules_networkconfig_modification
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- sethostname
- setdomainname
syscall_grouping:
- sethostname
- setdomainname
- name: Check existence of sethostname, setdomainname in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k
|-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=audit_rules_networkconfig_modification
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- audit_rules_networkconfig_modification | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83706-2
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Remediate audit rules for network configuration for 64bit platform
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- sethostname
- setdomainname
syscall_grouping:
- sethostname
- setdomainname
- name: Check existence of sethostname, setdomainname in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path')
| list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/audit_rules_networkconfig_modification.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S
|,)\w+)+)( (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F key=audit_rules_networkconfig_modification
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- sethostname
- setdomainname
syscall_grouping:
- sethostname
- setdomainname
- name: Check existence of sethostname, setdomainname in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k
|-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F key=audit_rules_networkconfig_modification
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- audit_rules_networkconfig_modification | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- audit_arch == "b64"
tags:
- CCE-83706-2
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify the System's Network Environment - Check if watch rule for /etc/issue already exists in
/etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: ^\s*-w\s+/etc/issue\s+-p\s+wa(\s|$)+
patterns: '*.rules'
register: find_existing_watch_rules_d
when:
- audit_rules_networkconfig_modification | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83706-2
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify the System's Network Environment - Search /etc/audit/rules.d for other rules with specified
key audit_rules_networkconfig_modification
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: ^.*(?:-F key=|-k\s+)audit_rules_networkconfig_modification$
patterns: '*.rules'
register: find_watch_key
when:
- audit_rules_networkconfig_modification | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
tags:
- CCE-83706-2
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify the System's Network Environment - Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
as the recipient for the rule
ansible.builtin.set_fact:
all_files:
- /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
when:
- audit_rules_networkconfig_modification | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and
find_existing_watch_rules_d.matched == 0
tags:
- CCE-83706-2
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify the System's Network Environment - Use matched file as the recipient for the rule
ansible.builtin.set_fact:
all_files:
- '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
when:
- audit_rules_networkconfig_modification | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and
find_existing_watch_rules_d.matched == 0
tags:
- CCE-83706-2
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify the System's Network Environment - Add watch rule for /etc/issue in /etc/audit/rules.d/
ansible.builtin.lineinfile:
path: '{{ all_files[0] }}'
line: -w /etc/issue -p wa -k audit_rules_networkconfig_modification
create: true
mode: '0600'
when:
- audit_rules_networkconfig_modification | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
tags:
- CCE-83706-2
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify the System's Network Environment - Check if watch rule for /etc/issue already exists in
/etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit/
contains: ^\s*-w\s+/etc/issue\s+-p\s+wa(\s|$)+
patterns: audit.rules
register: find_existing_watch_audit_rules
when:
- audit_rules_networkconfig_modification | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83706-2
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify the System's Network Environment - Add watch rule for /etc/issue in /etc/audit/audit.rules
ansible.builtin.lineinfile:
line: -w /etc/issue -p wa -k audit_rules_networkconfig_modification
state: present
dest: /etc/audit/audit.rules
create: true
mode: '0600'
when:
- audit_rules_networkconfig_modification | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0
tags:
- CCE-83706-2
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify the System's Network Environment - Check if watch rule for /etc/issue.net already exists
in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: ^\s*-w\s+/etc/issue.net\s+-p\s+wa(\s|$)+
patterns: '*.rules'
register: find_existing_watch_rules_d
when:
- audit_rules_networkconfig_modification | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83706-2
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify the System's Network Environment - Search /etc/audit/rules.d for other rules with specified
key audit_rules_networkconfig_modification
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: ^.*(?:-F key=|-k\s+)audit_rules_networkconfig_modification$
patterns: '*.rules'
register: find_watch_key
when:
- audit_rules_networkconfig_modification | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
tags:
- CCE-83706-2
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify the System's Network Environment - Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
as the recipient for the rule
ansible.builtin.set_fact:
all_files:
- /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
when:
- audit_rules_networkconfig_modification | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and
find_existing_watch_rules_d.matched == 0
tags:
- CCE-83706-2
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify the System's Network Environment - Use matched file as the recipient for the rule
ansible.builtin.set_fact:
all_files:
- '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
when:
- audit_rules_networkconfig_modification | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and
find_existing_watch_rules_d.matched == 0
tags:
- CCE-83706-2
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify the System's Network Environment - Add watch rule for /etc/issue.net in /etc/audit/rules.d/
ansible.builtin.lineinfile:
path: '{{ all_files[0] }}'
line: -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
create: true
mode: '0600'
when:
- audit_rules_networkconfig_modification | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
tags:
- CCE-83706-2
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify the System's Network Environment - Check if watch rule for /etc/issue.net already exists
in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit/
contains: ^\s*-w\s+/etc/issue.net\s+-p\s+wa(\s|$)+
patterns: audit.rules
register: find_existing_watch_audit_rules
when:
- audit_rules_networkconfig_modification | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83706-2
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify the System's Network Environment - Add watch rule for /etc/issue.net in /etc/audit/audit.rules
ansible.builtin.lineinfile:
line: -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
state: present
dest: /etc/audit/audit.rules
create: true
mode: '0600'
when:
- audit_rules_networkconfig_modification | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0
tags:
- CCE-83706-2
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify the System's Network Environment - Check if watch rule for /etc/hosts already exists in
/etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: ^\s*-w\s+/etc/hosts\s+-p\s+wa(\s|$)+
patterns: '*.rules'
register: find_existing_watch_rules_d
when:
- audit_rules_networkconfig_modification | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83706-2
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify the System's Network Environment - Search /etc/audit/rules.d for other rules with specified
key audit_rules_networkconfig_modification
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: ^.*(?:-F key=|-k\s+)audit_rules_networkconfig_modification$
patterns: '*.rules'
register: find_watch_key
when:
- audit_rules_networkconfig_modification | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
tags:
- CCE-83706-2
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify the System's Network Environment - Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
as the recipient for the rule
ansible.builtin.set_fact:
all_files:
- /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
when:
- audit_rules_networkconfig_modification | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and
find_existing_watch_rules_d.matched == 0
tags:
- CCE-83706-2
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify the System's Network Environment - Use matched file as the recipient for the rule
ansible.builtin.set_fact:
all_files:
- '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
when:
- audit_rules_networkconfig_modification | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and
find_existing_watch_rules_d.matched == 0
tags:
- CCE-83706-2
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify the System's Network Environment - Add watch rule for /etc/hosts in /etc/audit/rules.d/
ansible.builtin.lineinfile:
path: '{{ all_files[0] }}'
line: -w /etc/hosts -p wa -k audit_rules_networkconfig_modification
create: true
mode: '0600'
when:
- audit_rules_networkconfig_modification | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
tags:
- CCE-83706-2
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify the System's Network Environment - Check if watch rule for /etc/hosts already exists in
/etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit/
contains: ^\s*-w\s+/etc/hosts\s+-p\s+wa(\s|$)+
patterns: audit.rules
register: find_existing_watch_audit_rules
when:
- audit_rules_networkconfig_modification | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83706-2
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify the System's Network Environment - Add watch rule for /etc/hosts in /etc/audit/audit.rules
ansible.builtin.lineinfile:
line: -w /etc/hosts -p wa -k audit_rules_networkconfig_modification
state: present
dest: /etc/audit/audit.rules
create: true
mode: '0600'
when:
- audit_rules_networkconfig_modification | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0
tags:
- CCE-83706-2
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify the System's Network Environment - Check if watch rule for /etc/sysconfig/network already
exists in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: ^\s*-w\s+/etc/sysconfig/network\s+-p\s+wa(\s|$)+
patterns: '*.rules'
register: find_existing_watch_rules_d
when:
- audit_rules_networkconfig_modification | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83706-2
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify the System's Network Environment - Search /etc/audit/rules.d for other rules with specified
key audit_rules_networkconfig_modification
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: ^.*(?:-F key=|-k\s+)audit_rules_networkconfig_modification$
patterns: '*.rules'
register: find_watch_key
when:
- audit_rules_networkconfig_modification | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
tags:
- CCE-83706-2
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify the System's Network Environment - Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
as the recipient for the rule
ansible.builtin.set_fact:
all_files:
- /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
when:
- audit_rules_networkconfig_modification | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and
find_existing_watch_rules_d.matched == 0
tags:
- CCE-83706-2
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify the System's Network Environment - Use matched file as the recipient for the rule
ansible.builtin.set_fact:
all_files:
- '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
when:
- audit_rules_networkconfig_modification | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and
find_existing_watch_rules_d.matched == 0
tags:
- CCE-83706-2
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify the System's Network Environment - Add watch rule for /etc/sysconfig/network in /etc/audit/rules.d/
ansible.builtin.lineinfile:
path: '{{ all_files[0] }}'
line: -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification
create: true
mode: '0600'
when:
- audit_rules_networkconfig_modification | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
tags:
- CCE-83706-2
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify the System's Network Environment - Check if watch rule for /etc/sysconfig/network already
exists in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit/
contains: ^\s*-w\s+/etc/sysconfig/network\s+-p\s+wa(\s|$)+
patterns: audit.rules
register: find_existing_watch_audit_rules
when:
- audit_rules_networkconfig_modification | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83706-2
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify the System's Network Environment - Add watch rule for /etc/sysconfig/network in /etc/audit/audit.rules
ansible.builtin.lineinfile:
line: -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification
state: present
dest: /etc/audit/audit.rules
create: true
mode: '0600'
when:
- audit_rules_networkconfig_modification | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0
tags:
- CCE-83706-2
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_networkconfig_modification
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify the System's Network Environment - /etc/hostname - Check if watch rule for /etc/hostname
already exists in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: ^\s*-w\s+/etc/hostname\s+-p\s+wa(\s|$)+
patterns: '*.rules'
register: find_existing_watch_rules_d
when:
- audit_rules_networkconfig_modification_hostname_file | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86603-8
- audit_rules_networkconfig_modification_hostname_file
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify the System's Network Environment - /etc/hostname - Search /etc/audit/rules.d for other rules
with specified key audit_rules_networkconfig_modification_hostname_file
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: ^.*(?:-F key=|-k\s+)audit_rules_networkconfig_modification_hostname_file$
patterns: '*.rules'
register: find_watch_key
when:
- audit_rules_networkconfig_modification_hostname_file | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
tags:
- CCE-86603-8
- audit_rules_networkconfig_modification_hostname_file
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify the System's Network Environment - /etc/hostname - Use /etc/audit/rules.d/audit_rules_networkconfig_modification_hostname_file.rules
as the recipient for the rule
ansible.builtin.set_fact:
all_files:
- /etc/audit/rules.d/audit_rules_networkconfig_modification_hostname_file.rules
when:
- audit_rules_networkconfig_modification_hostname_file | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and
find_existing_watch_rules_d.matched == 0
tags:
- CCE-86603-8
- audit_rules_networkconfig_modification_hostname_file
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify the System's Network Environment - /etc/hostname - Use matched file as the recipient for
the rule
ansible.builtin.set_fact:
all_files:
- '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
when:
- audit_rules_networkconfig_modification_hostname_file | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and
find_existing_watch_rules_d.matched == 0
tags:
- CCE-86603-8
- audit_rules_networkconfig_modification_hostname_file
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify the System's Network Environment - /etc/hostname - Add watch rule for /etc/hostname in /etc/audit/rules.d/
ansible.builtin.lineinfile:
path: '{{ all_files[0] }}'
line: -w /etc/hostname -p wa -k audit_rules_networkconfig_modification_hostname_file
create: true
mode: '0600'
when:
- audit_rules_networkconfig_modification_hostname_file | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
tags:
- CCE-86603-8
- audit_rules_networkconfig_modification_hostname_file
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify the System's Network Environment - /etc/hostname - Check if watch rule for /etc/hostname
already exists in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit/
contains: ^\s*-w\s+/etc/hostname\s+-p\s+wa(\s|$)+
patterns: audit.rules
register: find_existing_watch_audit_rules
when:
- audit_rules_networkconfig_modification_hostname_file | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86603-8
- audit_rules_networkconfig_modification_hostname_file
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify the System's Network Environment - /etc/hostname - Add watch rule for /etc/hostname in /etc/audit/audit.rules
ansible.builtin.lineinfile:
line: -w /etc/hostname -p wa -k audit_rules_networkconfig_modification_hostname_file
state: present
dest: /etc/audit/audit.rules
create: true
mode: '0600'
when:
- audit_rules_networkconfig_modification_hostname_file | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0
tags:
- CCE-86603-8
- audit_rules_networkconfig_modification_hostname_file
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify the System's Network Environment - /etc/sysconfig/network-scripts - Check if watch rule
for /etc/sysconfig/network-scripts already exists in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: ^\s*-w\s+/etc/sysconfig/network-scripts\s+-p\s+wa(\s|$)+
patterns: '*.rules'
register: find_existing_watch_rules_d
when:
- audit_rules_networkconfig_modification_network_scripts | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86940-4
- audit_rules_networkconfig_modification_network_scripts
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify the System's Network Environment - /etc/sysconfig/network-scripts - Search /etc/audit/rules.d
for other rules with specified key audit_rules_networkconfig_modification_network_scripts
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: ^.*(?:-F key=|-k\s+)audit_rules_networkconfig_modification_network_scripts$
patterns: '*.rules'
register: find_watch_key
when:
- audit_rules_networkconfig_modification_network_scripts | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
tags:
- CCE-86940-4
- audit_rules_networkconfig_modification_network_scripts
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify the System's Network Environment - /etc/sysconfig/network-scripts - Use /etc/audit/rules.d/audit_rules_networkconfig_modification_network_scripts.rules
as the recipient for the rule
ansible.builtin.set_fact:
all_files:
- /etc/audit/rules.d/audit_rules_networkconfig_modification_network_scripts.rules
when:
- audit_rules_networkconfig_modification_network_scripts | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and
find_existing_watch_rules_d.matched == 0
tags:
- CCE-86940-4
- audit_rules_networkconfig_modification_network_scripts
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify the System's Network Environment - /etc/sysconfig/network-scripts - Use matched file as
the recipient for the rule
ansible.builtin.set_fact:
all_files:
- '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
when:
- audit_rules_networkconfig_modification_network_scripts | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and
find_existing_watch_rules_d.matched == 0
tags:
- CCE-86940-4
- audit_rules_networkconfig_modification_network_scripts
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify the System's Network Environment - /etc/sysconfig/network-scripts - Add watch rule for /etc/sysconfig/network-scripts
in /etc/audit/rules.d/
ansible.builtin.lineinfile:
path: '{{ all_files[0] }}'
line: -w /etc/sysconfig/network-scripts -p wa -k audit_rules_networkconfig_modification_network_scripts
create: true
mode: '0600'
when:
- audit_rules_networkconfig_modification_network_scripts | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
tags:
- CCE-86940-4
- audit_rules_networkconfig_modification_network_scripts
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify the System's Network Environment - /etc/sysconfig/network-scripts - Check if watch rule
for /etc/sysconfig/network-scripts already exists in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit/
contains: ^\s*-w\s+/etc/sysconfig/network-scripts\s+-p\s+wa(\s|$)+
patterns: audit.rules
register: find_existing_watch_audit_rules
when:
- audit_rules_networkconfig_modification_network_scripts | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86940-4
- audit_rules_networkconfig_modification_network_scripts
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify the System's Network Environment - /etc/sysconfig/network-scripts - Add watch rule for /etc/sysconfig/network-scripts
in /etc/audit/audit.rules
ansible.builtin.lineinfile:
line: -w /etc/sysconfig/network-scripts -p wa -k audit_rules_networkconfig_modification_network_scripts
state: present
dest: /etc/audit/audit.rules
create: true
mode: '0600'
when:
- audit_rules_networkconfig_modification_network_scripts | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0
tags:
- CCE-86940-4
- audit_rules_networkconfig_modification_network_scripts
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify the System's Network Environment - /etc/NetworkManager/ - Check if watch rule for /etc/NetworkManager
already exists in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: ^\s*-w\s+/etc/NetworkManager\s+-p\s+wa(\s|$)+
patterns: '*.rules'
register: find_existing_watch_rules_d
when:
- audit_rules_networkconfig_modification_networkmanager | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86481-9
- audit_rules_networkconfig_modification_networkmanager
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify the System's Network Environment - /etc/NetworkManager/ - Search /etc/audit/rules.d for
other rules with specified key audit_rules_networkconfig_modification_networkmanager
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: ^.*(?:-F key=|-k\s+)audit_rules_networkconfig_modification_networkmanager$
patterns: '*.rules'
register: find_watch_key
when:
- audit_rules_networkconfig_modification_networkmanager | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
tags:
- CCE-86481-9
- audit_rules_networkconfig_modification_networkmanager
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify the System's Network Environment - /etc/NetworkManager/ - Use /etc/audit/rules.d/audit_rules_networkconfig_modification_networkmanager.rules
as the recipient for the rule
ansible.builtin.set_fact:
all_files:
- /etc/audit/rules.d/audit_rules_networkconfig_modification_networkmanager.rules
when:
- audit_rules_networkconfig_modification_networkmanager | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and
find_existing_watch_rules_d.matched == 0
tags:
- CCE-86481-9
- audit_rules_networkconfig_modification_networkmanager
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify the System's Network Environment - /etc/NetworkManager/ - Use matched file as the recipient
for the rule
ansible.builtin.set_fact:
all_files:
- '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
when:
- audit_rules_networkconfig_modification_networkmanager | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and
find_existing_watch_rules_d.matched == 0
tags:
- CCE-86481-9
- audit_rules_networkconfig_modification_networkmanager
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify the System's Network Environment - /etc/NetworkManager/ - Add watch rule for /etc/NetworkManager
in /etc/audit/rules.d/
ansible.builtin.lineinfile:
path: '{{ all_files[0] }}'
line: -w /etc/NetworkManager -p wa -k audit_rules_networkconfig_modification_networkmanager
create: true
mode: '0600'
when:
- audit_rules_networkconfig_modification_networkmanager | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
tags:
- CCE-86481-9
- audit_rules_networkconfig_modification_networkmanager
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify the System's Network Environment - /etc/NetworkManager/ - Check if watch rule for /etc/NetworkManager
already exists in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit/
contains: ^\s*-w\s+/etc/NetworkManager\s+-p\s+wa(\s|$)+
patterns: audit.rules
register: find_existing_watch_audit_rules
when:
- audit_rules_networkconfig_modification_networkmanager | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86481-9
- audit_rules_networkconfig_modification_networkmanager
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify the System's Network Environment - /etc/NetworkManager/ - Add watch rule for /etc/NetworkManager
in /etc/audit/audit.rules
ansible.builtin.lineinfile:
line: -w /etc/NetworkManager -p wa -k audit_rules_networkconfig_modification_networkmanager
state: present
dest: /etc/audit/audit.rules
create: true
mode: '0600'
when:
- audit_rules_networkconfig_modification_networkmanager | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0
tags:
- CCE-86481-9
- audit_rules_networkconfig_modification_networkmanager
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Attempts to Alter Process and Session Initiation Information btmp - Check if watch rule for /var/log/btmp already
exists in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: ^\s*-w\s+/var/log/btmp\s+-p\s+wa(\s|$)+
patterns: '*.rules'
register: find_existing_watch_rules_d
when:
- audit_rules_session_events_btmp | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86198-9
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-12.1(iv)
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.3
- audit_rules_session_events_btmp
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Attempts to Alter Process and Session Initiation Information btmp - Search /etc/audit/rules.d for other rules
with specified key session
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: ^.*(?:-F key=|-k\s+)session$
patterns: '*.rules'
register: find_watch_key
when:
- audit_rules_session_events_btmp | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
tags:
- CCE-86198-9
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-12.1(iv)
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.3
- audit_rules_session_events_btmp
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Attempts to Alter Process and Session Initiation Information btmp - Use /etc/audit/rules.d/session.rules as
the recipient for the rule
ansible.builtin.set_fact:
all_files:
- /etc/audit/rules.d/session.rules
when:
- audit_rules_session_events_btmp | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and
find_existing_watch_rules_d.matched == 0
tags:
- CCE-86198-9
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-12.1(iv)
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.3
- audit_rules_session_events_btmp
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Attempts to Alter Process and Session Initiation Information btmp - Use matched file as the recipient for the
rule
ansible.builtin.set_fact:
all_files:
- '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
when:
- audit_rules_session_events_btmp | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and
find_existing_watch_rules_d.matched == 0
tags:
- CCE-86198-9
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-12.1(iv)
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.3
- audit_rules_session_events_btmp
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Attempts to Alter Process and Session Initiation Information btmp - Add watch rule for /var/log/btmp in /etc/audit/rules.d/
ansible.builtin.lineinfile:
path: '{{ all_files[0] }}'
line: -w /var/log/btmp -p wa -k session
create: true
mode: '0600'
when:
- audit_rules_session_events_btmp | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
tags:
- CCE-86198-9
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-12.1(iv)
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.3
- audit_rules_session_events_btmp
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Attempts to Alter Process and Session Initiation Information btmp - Check if watch rule for /var/log/btmp already
exists in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit/
contains: ^\s*-w\s+/var/log/btmp\s+-p\s+wa(\s|$)+
patterns: audit.rules
register: find_existing_watch_audit_rules
when:
- audit_rules_session_events_btmp | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86198-9
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-12.1(iv)
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.3
- audit_rules_session_events_btmp
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Attempts to Alter Process and Session Initiation Information btmp - Add watch rule for /var/log/btmp in /etc/audit/audit.rules
ansible.builtin.lineinfile:
line: -w /var/log/btmp -p wa -k session
state: present
dest: /etc/audit/audit.rules
create: true
mode: '0600'
when:
- audit_rules_session_events_btmp | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0
tags:
- CCE-86198-9
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-12.1(iv)
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.3
- audit_rules_session_events_btmp
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Attempts to Alter Process and Session Initiation Information utmp - Check if watch rule for /var/run/utmp already
exists in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: ^\s*-w\s+/var/run/utmp\s+-p\s+wa(\s|$)+
patterns: '*.rules'
register: find_existing_watch_rules_d
when:
- audit_rules_session_events_utmp | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86202-9
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-12.1(iv)
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.3
- audit_rules_session_events_utmp
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Attempts to Alter Process and Session Initiation Information utmp - Search /etc/audit/rules.d for other rules
with specified key session
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: ^.*(?:-F key=|-k\s+)session$
patterns: '*.rules'
register: find_watch_key
when:
- audit_rules_session_events_utmp | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
tags:
- CCE-86202-9
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-12.1(iv)
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.3
- audit_rules_session_events_utmp
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Attempts to Alter Process and Session Initiation Information utmp - Use /etc/audit/rules.d/session.rules as
the recipient for the rule
ansible.builtin.set_fact:
all_files:
- /etc/audit/rules.d/session.rules
when:
- audit_rules_session_events_utmp | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and
find_existing_watch_rules_d.matched == 0
tags:
- CCE-86202-9
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-12.1(iv)
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.3
- audit_rules_session_events_utmp
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Attempts to Alter Process and Session Initiation Information utmp - Use matched file as the recipient for the
rule
ansible.builtin.set_fact:
all_files:
- '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
when:
- audit_rules_session_events_utmp | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and
find_existing_watch_rules_d.matched == 0
tags:
- CCE-86202-9
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-12.1(iv)
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.3
- audit_rules_session_events_utmp
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Attempts to Alter Process and Session Initiation Information utmp - Add watch rule for /var/run/utmp in /etc/audit/rules.d/
ansible.builtin.lineinfile:
path: '{{ all_files[0] }}'
line: -w /var/run/utmp -p wa -k session
create: true
mode: '0600'
when:
- audit_rules_session_events_utmp | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
tags:
- CCE-86202-9
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-12.1(iv)
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.3
- audit_rules_session_events_utmp
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Attempts to Alter Process and Session Initiation Information utmp - Check if watch rule for /var/run/utmp already
exists in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit/
contains: ^\s*-w\s+/var/run/utmp\s+-p\s+wa(\s|$)+
patterns: audit.rules
register: find_existing_watch_audit_rules
when:
- audit_rules_session_events_utmp | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86202-9
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-12.1(iv)
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.3
- audit_rules_session_events_utmp
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Attempts to Alter Process and Session Initiation Information utmp - Add watch rule for /var/run/utmp in /etc/audit/audit.rules
ansible.builtin.lineinfile:
line: -w /var/run/utmp -p wa -k session
state: present
dest: /etc/audit/audit.rules
create: true
mode: '0600'
when:
- audit_rules_session_events_utmp | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0
tags:
- CCE-86202-9
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-12.1(iv)
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.3
- audit_rules_session_events_utmp
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Attempts to Alter Process and Session Initiation Information wtmp - Check if watch rule for /var/log/wtmp already
exists in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: ^\s*-w\s+/var/log/wtmp\s+-p\s+wa(\s|$)+
patterns: '*.rules'
register: find_existing_watch_rules_d
when:
- audit_rules_session_events_wtmp | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86203-7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-12.1(iv)
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.3
- audit_rules_session_events_wtmp
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Attempts to Alter Process and Session Initiation Information wtmp - Search /etc/audit/rules.d for other rules
with specified key session
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: ^.*(?:-F key=|-k\s+)session$
patterns: '*.rules'
register: find_watch_key
when:
- audit_rules_session_events_wtmp | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
tags:
- CCE-86203-7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-12.1(iv)
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.3
- audit_rules_session_events_wtmp
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Attempts to Alter Process and Session Initiation Information wtmp - Use /etc/audit/rules.d/session.rules as
the recipient for the rule
ansible.builtin.set_fact:
all_files:
- /etc/audit/rules.d/session.rules
when:
- audit_rules_session_events_wtmp | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and
find_existing_watch_rules_d.matched == 0
tags:
- CCE-86203-7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-12.1(iv)
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.3
- audit_rules_session_events_wtmp
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Attempts to Alter Process and Session Initiation Information wtmp - Use matched file as the recipient for the
rule
ansible.builtin.set_fact:
all_files:
- '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
when:
- audit_rules_session_events_wtmp | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and
find_existing_watch_rules_d.matched == 0
tags:
- CCE-86203-7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-12.1(iv)
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.3
- audit_rules_session_events_wtmp
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Attempts to Alter Process and Session Initiation Information wtmp - Add watch rule for /var/log/wtmp in /etc/audit/rules.d/
ansible.builtin.lineinfile:
path: '{{ all_files[0] }}'
line: -w /var/log/wtmp -p wa -k session
create: true
mode: '0600'
when:
- audit_rules_session_events_wtmp | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
tags:
- CCE-86203-7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-12.1(iv)
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.3
- audit_rules_session_events_wtmp
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Attempts to Alter Process and Session Initiation Information wtmp - Check if watch rule for /var/log/wtmp already
exists in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit/
contains: ^\s*-w\s+/var/log/wtmp\s+-p\s+wa(\s|$)+
patterns: audit.rules
register: find_existing_watch_audit_rules
when:
- audit_rules_session_events_wtmp | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86203-7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-12.1(iv)
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.3
- audit_rules_session_events_wtmp
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Attempts to Alter Process and Session Initiation Information wtmp - Add watch rule for /var/log/wtmp in /etc/audit/audit.rules
ansible.builtin.lineinfile:
line: -w /var/log/wtmp -p wa -k session
state: present
dest: /etc/audit/audit.rules
create: true
mode: '0600'
when:
- audit_rules_session_events_wtmp | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0
tags:
- CCE-86203-7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-12.1(iv)
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.3
- audit_rules_session_events_wtmp
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Check the rules script being used
ansible.builtin.command: grep '^ExecStartPost' /usr/lib/systemd/system/auditd.service
register: check_rules_scripts_result
changed_when: false
failed_when: false
when:
- audit_rules_suid_auid_privilege_function | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86368-8
- audit_rules_suid_auid_privilege_function
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set suid_audit_rules fact
ansible.builtin.set_fact:
suid_audit_rules:
- rule: -a always,exit -F arch=b32 -S execve -C euid!=uid -F auid!=unset -k user_emulation
regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-C[\s]+euid!=uid[\s]+-F[\s]+auid!=unset[\s]+-S[\s]+execve[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
- rule: -a always,exit -F arch=b64 -S execve -C euid!=uid -F auid!=unset -k user_emulation
regex: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-C[\s]+euid!=uid[\s]+-F[\s]+auid!=unset[\s]+-S[\s]+execve[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
when:
- audit_rules_suid_auid_privilege_function | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86368-8
- audit_rules_suid_auid_privilege_function
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Update /etc/audit/rules.d/user_emulation.rules to audit privileged functions
ansible.builtin.lineinfile:
path: /etc/audit/rules.d/user_emulation.rules
line: '{{ item.rule }}'
regexp: '{{ item.regex }}'
create: true
when:
- audit_rules_suid_auid_privilege_function | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- '"auditd.service" in ansible_facts.services'
- '"augenrules" in check_rules_scripts_result.stdout'
register: augenrules_audit_rules_privilege_function_update_result
with_items: '{{ suid_audit_rules }}'
tags:
- CCE-86368-8
- audit_rules_suid_auid_privilege_function
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Update Update /etc/audit/audit.rules to audit privileged functions
ansible.builtin.lineinfile:
path: /etc/audit/audit.rules
line: '{{ item.rule }}'
regexp: '{{ item.regex }}'
create: true
when:
- audit_rules_suid_auid_privilege_function | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- '"auditd.service" in ansible_facts.services'
- '"auditctl" in check_rules_scripts_result.stdout'
register: auditctl_audit_rules_privilege_function_update_result
with_items: '{{ suid_audit_rules }}'
tags:
- CCE-86368-8
- audit_rules_suid_auid_privilege_function
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Restart Auditd
ansible.builtin.command: /usr/sbin/service auditd restart
when:
- audit_rules_suid_auid_privilege_function | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- (augenrules_audit_rules_privilege_function_update_result.changed or auditctl_audit_rules_privilege_function_update_result.changed)
- ansible_facts.services["auditd.service"].state == "running"
tags:
- CCE-86368-8
- audit_rules_suid_auid_privilege_function
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure auditd Collects System Administrator Actions - Check if watch rule for /etc/sudoers already exists in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit/
contains: ^\s*-w\s+/etc/sudoers\s+-p\s+wa(\s|$)+
patterns: audit.rules
register: find_existing_watch_audit_rules
when:
- audit_rules_sysadmin_actions | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83729-4
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(7)(b)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.2
- PCI-DSS-Req-10.2.5.b
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_sysadmin_actions
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure auditd Collects System Administrator Actions - Add watch rule for /etc/sudoers in /etc/audit/audit.rules
ansible.builtin.lineinfile:
line: -w /etc/sudoers -p wa -k actions
state: present
dest: /etc/audit/audit.rules
create: true
mode: '0600'
when:
- audit_rules_sysadmin_actions | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0
tags:
- CCE-83729-4
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(7)(b)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.2
- PCI-DSS-Req-10.2.5.b
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_sysadmin_actions
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure auditd Collects System Administrator Actions - Check if watch rule for /etc/sudoers already exists in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: ^\s*-w\s+/etc/sudoers\s+-p\s+wa(\s|$)+
patterns: '*.rules'
register: find_existing_watch_rules_d
when:
- audit_rules_sysadmin_actions | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83729-4
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(7)(b)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.2
- PCI-DSS-Req-10.2.5.b
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_sysadmin_actions
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure auditd Collects System Administrator Actions - Search /etc/audit/rules.d for other rules with specified key
actions
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: ^.*(?:-F key=|-k\s+)actions$
patterns: '*.rules'
register: find_watch_key
when:
- audit_rules_sysadmin_actions | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
tags:
- CCE-83729-4
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(7)(b)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.2
- PCI-DSS-Req-10.2.5.b
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_sysadmin_actions
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure auditd Collects System Administrator Actions - Use /etc/audit/rules.d/actions.rules as the recipient for the
rule
ansible.builtin.set_fact:
all_files:
- /etc/audit/rules.d/actions.rules
when:
- audit_rules_sysadmin_actions | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and
find_existing_watch_rules_d.matched == 0
tags:
- CCE-83729-4
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(7)(b)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.2
- PCI-DSS-Req-10.2.5.b
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_sysadmin_actions
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure auditd Collects System Administrator Actions - Use matched file as the recipient for the rule
ansible.builtin.set_fact:
all_files:
- '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
when:
- audit_rules_sysadmin_actions | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and
find_existing_watch_rules_d.matched == 0
tags:
- CCE-83729-4
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(7)(b)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.2
- PCI-DSS-Req-10.2.5.b
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_sysadmin_actions
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure auditd Collects System Administrator Actions - Add watch rule for /etc/sudoers in /etc/audit/rules.d/
ansible.builtin.lineinfile:
path: '{{ all_files[0] }}'
line: -w /etc/sudoers -p wa -k actions
create: true
mode: '0600'
when:
- audit_rules_sysadmin_actions | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
tags:
- CCE-83729-4
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(7)(b)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.2
- PCI-DSS-Req-10.2.5.b
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_sysadmin_actions
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure auditd Collects System Administrator Actions - Check if watch rule for /etc/sudoers.d/ already exists in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit/
contains: ^\s*-w\s+/etc/sudoers.d/\s+-p\s+wa(\s|$)+
patterns: audit.rules
register: find_existing_watch_audit_rules
when:
- audit_rules_sysadmin_actions | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83729-4
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(7)(b)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.2
- PCI-DSS-Req-10.2.5.b
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_sysadmin_actions
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure auditd Collects System Administrator Actions - Add watch rule for /etc/sudoers.d/ in /etc/audit/audit.rules
ansible.builtin.lineinfile:
line: -w /etc/sudoers.d/ -p wa -k actions
state: present
dest: /etc/audit/audit.rules
create: true
mode: '0600'
when:
- audit_rules_sysadmin_actions | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0
tags:
- CCE-83729-4
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(7)(b)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.2
- PCI-DSS-Req-10.2.5.b
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_sysadmin_actions
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure auditd Collects System Administrator Actions - Check if watch rule for /etc/sudoers.d/ already exists in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: ^\s*-w\s+/etc/sudoers.d/\s+-p\s+wa(\s|$)+
patterns: '*.rules'
register: find_existing_watch_rules_d
when:
- audit_rules_sysadmin_actions | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83729-4
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(7)(b)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.2
- PCI-DSS-Req-10.2.5.b
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_sysadmin_actions
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure auditd Collects System Administrator Actions - Search /etc/audit/rules.d for other rules with specified key
actions
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: ^.*(?:-F key=|-k\s+)actions$
patterns: '*.rules'
register: find_watch_key
when:
- audit_rules_sysadmin_actions | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
tags:
- CCE-83729-4
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(7)(b)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.2
- PCI-DSS-Req-10.2.5.b
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_sysadmin_actions
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure auditd Collects System Administrator Actions - Use /etc/audit/rules.d/actions.rules as the recipient for the
rule
ansible.builtin.set_fact:
all_files:
- /etc/audit/rules.d/actions.rules
when:
- audit_rules_sysadmin_actions | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and
find_existing_watch_rules_d.matched == 0
tags:
- CCE-83729-4
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(7)(b)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.2
- PCI-DSS-Req-10.2.5.b
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_sysadmin_actions
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure auditd Collects System Administrator Actions - Use matched file as the recipient for the rule
ansible.builtin.set_fact:
all_files:
- '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
when:
- audit_rules_sysadmin_actions | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and
find_existing_watch_rules_d.matched == 0
tags:
- CCE-83729-4
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(7)(b)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.2
- PCI-DSS-Req-10.2.5.b
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_sysadmin_actions
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure auditd Collects System Administrator Actions - Add watch rule for /etc/sudoers.d/ in /etc/audit/rules.d/
ansible.builtin.lineinfile:
path: '{{ all_files[0] }}'
line: -w /etc/sudoers.d/ -p wa -k actions
create: true
mode: '0600'
when:
- audit_rules_sysadmin_actions | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
tags:
- CCE-83729-4
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(7)(b)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.2
- PCI-DSS-Req-10.2.5.b
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_sysadmin_actions
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify User/Group Information - /etc/group - Check if watch rule for /etc/group already exists
in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: ^\s*-w\s+/etc/group\s+-p\s+wa(\s|$)+
patterns: '*.rules'
register: find_existing_watch_rules_d
when:
- DISA_STIG_RHEL_09_654225 | bool
- audit_rules_usergroup_modification_group | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83722-9
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654225
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.5
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_usergroup_modification_group
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify User/Group Information - /etc/group - Search /etc/audit/rules.d for other rules with specified
key audit_rules_usergroup_modification
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: ^.*(?:-F key=|-k\s+)audit_rules_usergroup_modification$
patterns: '*.rules'
register: find_watch_key
when:
- DISA_STIG_RHEL_09_654225 | bool
- audit_rules_usergroup_modification_group | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
tags:
- CCE-83722-9
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654225
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.5
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_usergroup_modification_group
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify User/Group Information - /etc/group - Use /etc/audit/rules.d/audit_rules_usergroup_modification.rules
as the recipient for the rule
ansible.builtin.set_fact:
all_files:
- /etc/audit/rules.d/audit_rules_usergroup_modification.rules
when:
- DISA_STIG_RHEL_09_654225 | bool
- audit_rules_usergroup_modification_group | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and
find_existing_watch_rules_d.matched == 0
tags:
- CCE-83722-9
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654225
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.5
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_usergroup_modification_group
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify User/Group Information - /etc/group - Use matched file as the recipient for the rule
ansible.builtin.set_fact:
all_files:
- '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
when:
- DISA_STIG_RHEL_09_654225 | bool
- audit_rules_usergroup_modification_group | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and
find_existing_watch_rules_d.matched == 0
tags:
- CCE-83722-9
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654225
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.5
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_usergroup_modification_group
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify User/Group Information - /etc/group - Add watch rule for /etc/group in /etc/audit/rules.d/
ansible.builtin.lineinfile:
path: '{{ all_files[0] }}'
line: -w /etc/group -p wa -k audit_rules_usergroup_modification
create: true
mode: '0600'
when:
- DISA_STIG_RHEL_09_654225 | bool
- audit_rules_usergroup_modification_group | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
tags:
- CCE-83722-9
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654225
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.5
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_usergroup_modification_group
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify User/Group Information - /etc/group - Check if watch rule for /etc/group already exists
in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit/
contains: ^\s*-w\s+/etc/group\s+-p\s+wa(\s|$)+
patterns: audit.rules
register: find_existing_watch_audit_rules
when:
- DISA_STIG_RHEL_09_654225 | bool
- audit_rules_usergroup_modification_group | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83722-9
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654225
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.5
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_usergroup_modification_group
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify User/Group Information - /etc/group - Add watch rule for /etc/group in /etc/audit/audit.rules
ansible.builtin.lineinfile:
line: -w /etc/group -p wa -k audit_rules_usergroup_modification
state: present
dest: /etc/audit/audit.rules
create: true
mode: '0600'
when:
- DISA_STIG_RHEL_09_654225 | bool
- audit_rules_usergroup_modification_group | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0
tags:
- CCE-83722-9
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654225
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.5
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_usergroup_modification_group
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify User/Group Information - /etc/gshadow - Check if watch rule for /etc/gshadow already exists
in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: ^\s*-w\s+/etc/gshadow\s+-p\s+wa(\s|$)+
patterns: '*.rules'
register: find_existing_watch_rules_d
when:
- DISA_STIG_RHEL_09_654230 | bool
- audit_rules_usergroup_modification_gshadow | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83723-7
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654230
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.5
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_usergroup_modification_gshadow
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify User/Group Information - /etc/gshadow - Search /etc/audit/rules.d for other rules with specified
key audit_rules_usergroup_modification
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: ^.*(?:-F key=|-k\s+)audit_rules_usergroup_modification$
patterns: '*.rules'
register: find_watch_key
when:
- DISA_STIG_RHEL_09_654230 | bool
- audit_rules_usergroup_modification_gshadow | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
tags:
- CCE-83723-7
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654230
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.5
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_usergroup_modification_gshadow
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify User/Group Information - /etc/gshadow - Use /etc/audit/rules.d/audit_rules_usergroup_modification.rules
as the recipient for the rule
ansible.builtin.set_fact:
all_files:
- /etc/audit/rules.d/audit_rules_usergroup_modification.rules
when:
- DISA_STIG_RHEL_09_654230 | bool
- audit_rules_usergroup_modification_gshadow | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and
find_existing_watch_rules_d.matched == 0
tags:
- CCE-83723-7
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654230
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.5
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_usergroup_modification_gshadow
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify User/Group Information - /etc/gshadow - Use matched file as the recipient for the rule
ansible.builtin.set_fact:
all_files:
- '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
when:
- DISA_STIG_RHEL_09_654230 | bool
- audit_rules_usergroup_modification_gshadow | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and
find_existing_watch_rules_d.matched == 0
tags:
- CCE-83723-7
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654230
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.5
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_usergroup_modification_gshadow
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify User/Group Information - /etc/gshadow - Add watch rule for /etc/gshadow in /etc/audit/rules.d/
ansible.builtin.lineinfile:
path: '{{ all_files[0] }}'
line: -w /etc/gshadow -p wa -k audit_rules_usergroup_modification
create: true
mode: '0600'
when:
- DISA_STIG_RHEL_09_654230 | bool
- audit_rules_usergroup_modification_gshadow | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
tags:
- CCE-83723-7
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654230
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.5
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_usergroup_modification_gshadow
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify User/Group Information - /etc/gshadow - Check if watch rule for /etc/gshadow already exists
in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit/
contains: ^\s*-w\s+/etc/gshadow\s+-p\s+wa(\s|$)+
patterns: audit.rules
register: find_existing_watch_audit_rules
when:
- DISA_STIG_RHEL_09_654230 | bool
- audit_rules_usergroup_modification_gshadow | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83723-7
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654230
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.5
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_usergroup_modification_gshadow
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify User/Group Information - /etc/gshadow - Add watch rule for /etc/gshadow in /etc/audit/audit.rules
ansible.builtin.lineinfile:
line: -w /etc/gshadow -p wa -k audit_rules_usergroup_modification
state: present
dest: /etc/audit/audit.rules
create: true
mode: '0600'
when:
- DISA_STIG_RHEL_09_654230 | bool
- audit_rules_usergroup_modification_gshadow | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0
tags:
- CCE-83723-7
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654230
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.5
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_usergroup_modification_gshadow
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify User/Group Information - /etc/nsswitch.conf - Check if watch rule for /etc/nsswitch.conf
already exists in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: ^\s*-w\s+/etc/nsswitch.conf\s+-p\s+wa(\s|$)+
patterns: '*.rules'
register: find_existing_watch_rules_d
when:
- audit_rules_usergroup_modification_nsswitch_conf | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86213-6
- audit_rules_usergroup_modification_nsswitch_conf
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify User/Group Information - /etc/nsswitch.conf - Search /etc/audit/rules.d for other rules
with specified key audit_rules_usergroup_modification
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: ^.*(?:-F key=|-k\s+)audit_rules_usergroup_modification$
patterns: '*.rules'
register: find_watch_key
when:
- audit_rules_usergroup_modification_nsswitch_conf | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
tags:
- CCE-86213-6
- audit_rules_usergroup_modification_nsswitch_conf
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify User/Group Information - /etc/nsswitch.conf - Use /etc/audit/rules.d/audit_rules_usergroup_modification.rules
as the recipient for the rule
ansible.builtin.set_fact:
all_files:
- /etc/audit/rules.d/audit_rules_usergroup_modification.rules
when:
- audit_rules_usergroup_modification_nsswitch_conf | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and
find_existing_watch_rules_d.matched == 0
tags:
- CCE-86213-6
- audit_rules_usergroup_modification_nsswitch_conf
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify User/Group Information - /etc/nsswitch.conf - Use matched file as the recipient for the
rule
ansible.builtin.set_fact:
all_files:
- '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
when:
- audit_rules_usergroup_modification_nsswitch_conf | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and
find_existing_watch_rules_d.matched == 0
tags:
- CCE-86213-6
- audit_rules_usergroup_modification_nsswitch_conf
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify User/Group Information - /etc/nsswitch.conf - Add watch rule for /etc/nsswitch.conf in /etc/audit/rules.d/
ansible.builtin.lineinfile:
path: '{{ all_files[0] }}'
line: -w /etc/nsswitch.conf -p wa -k audit_rules_usergroup_modification
create: true
mode: '0600'
when:
- audit_rules_usergroup_modification_nsswitch_conf | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
tags:
- CCE-86213-6
- audit_rules_usergroup_modification_nsswitch_conf
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify User/Group Information - /etc/nsswitch.conf - Check if watch rule for /etc/nsswitch.conf
already exists in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit/
contains: ^\s*-w\s+/etc/nsswitch.conf\s+-p\s+wa(\s|$)+
patterns: audit.rules
register: find_existing_watch_audit_rules
when:
- audit_rules_usergroup_modification_nsswitch_conf | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86213-6
- audit_rules_usergroup_modification_nsswitch_conf
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify User/Group Information - /etc/nsswitch.conf - Add watch rule for /etc/nsswitch.conf in /etc/audit/audit.rules
ansible.builtin.lineinfile:
line: -w /etc/nsswitch.conf -p wa -k audit_rules_usergroup_modification
state: present
dest: /etc/audit/audit.rules
create: true
mode: '0600'
when:
- audit_rules_usergroup_modification_nsswitch_conf | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0
tags:
- CCE-86213-6
- audit_rules_usergroup_modification_nsswitch_conf
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify User/Group Information - /etc/security/opasswd - Check if watch rule for /etc/security/opasswd
already exists in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: ^\s*-w\s+/etc/security/opasswd\s+-p\s+wa(\s|$)+
patterns: '*.rules'
register: find_existing_watch_rules_d
when:
- DISA_STIG_RHEL_09_654235 | bool
- audit_rules_usergroup_modification_opasswd | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83712-0
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654235
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.5
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_usergroup_modification_opasswd
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify User/Group Information - /etc/security/opasswd - Search /etc/audit/rules.d for other rules
with specified key audit_rules_usergroup_modification
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: ^.*(?:-F key=|-k\s+)audit_rules_usergroup_modification$
patterns: '*.rules'
register: find_watch_key
when:
- DISA_STIG_RHEL_09_654235 | bool
- audit_rules_usergroup_modification_opasswd | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
tags:
- CCE-83712-0
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654235
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.5
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_usergroup_modification_opasswd
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify User/Group Information - /etc/security/opasswd - Use /etc/audit/rules.d/audit_rules_usergroup_modification.rules
as the recipient for the rule
ansible.builtin.set_fact:
all_files:
- /etc/audit/rules.d/audit_rules_usergroup_modification.rules
when:
- DISA_STIG_RHEL_09_654235 | bool
- audit_rules_usergroup_modification_opasswd | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and
find_existing_watch_rules_d.matched == 0
tags:
- CCE-83712-0
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654235
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.5
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_usergroup_modification_opasswd
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify User/Group Information - /etc/security/opasswd - Use matched file as the recipient for the
rule
ansible.builtin.set_fact:
all_files:
- '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
when:
- DISA_STIG_RHEL_09_654235 | bool
- audit_rules_usergroup_modification_opasswd | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and
find_existing_watch_rules_d.matched == 0
tags:
- CCE-83712-0
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654235
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.5
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_usergroup_modification_opasswd
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify User/Group Information - /etc/security/opasswd - Add watch rule for /etc/security/opasswd
in /etc/audit/rules.d/
ansible.builtin.lineinfile:
path: '{{ all_files[0] }}'
line: -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
create: true
mode: '0600'
when:
- DISA_STIG_RHEL_09_654235 | bool
- audit_rules_usergroup_modification_opasswd | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
tags:
- CCE-83712-0
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654235
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.5
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_usergroup_modification_opasswd
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify User/Group Information - /etc/security/opasswd - Check if watch rule for /etc/security/opasswd
already exists in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit/
contains: ^\s*-w\s+/etc/security/opasswd\s+-p\s+wa(\s|$)+
patterns: audit.rules
register: find_existing_watch_audit_rules
when:
- DISA_STIG_RHEL_09_654235 | bool
- audit_rules_usergroup_modification_opasswd | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83712-0
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654235
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.5
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_usergroup_modification_opasswd
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify User/Group Information - /etc/security/opasswd - Add watch rule for /etc/security/opasswd
in /etc/audit/audit.rules
ansible.builtin.lineinfile:
line: -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
state: present
dest: /etc/audit/audit.rules
create: true
mode: '0600'
when:
- DISA_STIG_RHEL_09_654235 | bool
- audit_rules_usergroup_modification_opasswd | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0
tags:
- CCE-83712-0
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654235
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.5
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_usergroup_modification_opasswd
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify User/Group Information - /etc/pam.conf - Check if watch rule for /etc/pam.conf already exists
in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: ^\s*-w\s+/etc/pam.conf\s+-p\s+wa(\s|$)+
patterns: '*.rules'
register: find_existing_watch_rules_d
when:
- audit_rules_usergroup_modification_pam_conf | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86212-8
- audit_rules_usergroup_modification_pam_conf
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify User/Group Information - /etc/pam.conf - Search /etc/audit/rules.d for other rules with
specified key audit_rules_usergroup_modification
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: ^.*(?:-F key=|-k\s+)audit_rules_usergroup_modification$
patterns: '*.rules'
register: find_watch_key
when:
- audit_rules_usergroup_modification_pam_conf | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
tags:
- CCE-86212-8
- audit_rules_usergroup_modification_pam_conf
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify User/Group Information - /etc/pam.conf - Use /etc/audit/rules.d/audit_rules_usergroup_modification.rules
as the recipient for the rule
ansible.builtin.set_fact:
all_files:
- /etc/audit/rules.d/audit_rules_usergroup_modification.rules
when:
- audit_rules_usergroup_modification_pam_conf | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and
find_existing_watch_rules_d.matched == 0
tags:
- CCE-86212-8
- audit_rules_usergroup_modification_pam_conf
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify User/Group Information - /etc/pam.conf - Use matched file as the recipient for the rule
ansible.builtin.set_fact:
all_files:
- '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
when:
- audit_rules_usergroup_modification_pam_conf | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and
find_existing_watch_rules_d.matched == 0
tags:
- CCE-86212-8
- audit_rules_usergroup_modification_pam_conf
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify User/Group Information - /etc/pam.conf - Add watch rule for /etc/pam.conf in /etc/audit/rules.d/
ansible.builtin.lineinfile:
path: '{{ all_files[0] }}'
line: -w /etc/pam.conf -p wa -k audit_rules_usergroup_modification
create: true
mode: '0600'
when:
- audit_rules_usergroup_modification_pam_conf | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
tags:
- CCE-86212-8
- audit_rules_usergroup_modification_pam_conf
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify User/Group Information - /etc/pam.conf - Check if watch rule for /etc/pam.conf already exists
in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit/
contains: ^\s*-w\s+/etc/pam.conf\s+-p\s+wa(\s|$)+
patterns: audit.rules
register: find_existing_watch_audit_rules
when:
- audit_rules_usergroup_modification_pam_conf | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86212-8
- audit_rules_usergroup_modification_pam_conf
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify User/Group Information - /etc/pam.conf - Add watch rule for /etc/pam.conf in /etc/audit/audit.rules
ansible.builtin.lineinfile:
line: -w /etc/pam.conf -p wa -k audit_rules_usergroup_modification
state: present
dest: /etc/audit/audit.rules
create: true
mode: '0600'
when:
- audit_rules_usergroup_modification_pam_conf | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0
tags:
- CCE-86212-8
- audit_rules_usergroup_modification_pam_conf
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify User/Group Information - /etc/pam.d/ - Check if watch rule for /etc/pam.d/ already exists
in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: ^\s*-w\s+/etc/pam.d/\s+-p\s+wa(\s|$)+
patterns: '*.rules'
register: find_existing_watch_rules_d
when:
- audit_rules_usergroup_modification_pamd | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86211-0
- audit_rules_usergroup_modification_pamd
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify User/Group Information - /etc/pam.d/ - Search /etc/audit/rules.d for other rules with specified
key audit_rules_usergroup_modification
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: ^.*(?:-F key=|-k\s+)audit_rules_usergroup_modification$
patterns: '*.rules'
register: find_watch_key
when:
- audit_rules_usergroup_modification_pamd | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
tags:
- CCE-86211-0
- audit_rules_usergroup_modification_pamd
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify User/Group Information - /etc/pam.d/ - Use /etc/audit/rules.d/audit_rules_usergroup_modification.rules
as the recipient for the rule
ansible.builtin.set_fact:
all_files:
- /etc/audit/rules.d/audit_rules_usergroup_modification.rules
when:
- audit_rules_usergroup_modification_pamd | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and
find_existing_watch_rules_d.matched == 0
tags:
- CCE-86211-0
- audit_rules_usergroup_modification_pamd
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify User/Group Information - /etc/pam.d/ - Use matched file as the recipient for the rule
ansible.builtin.set_fact:
all_files:
- '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
when:
- audit_rules_usergroup_modification_pamd | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and
find_existing_watch_rules_d.matched == 0
tags:
- CCE-86211-0
- audit_rules_usergroup_modification_pamd
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify User/Group Information - /etc/pam.d/ - Add watch rule for /etc/pam.d/ in /etc/audit/rules.d/
ansible.builtin.lineinfile:
path: '{{ all_files[0] }}'
line: -w /etc/pam.d/ -p wa -k audit_rules_usergroup_modification
create: true
mode: '0600'
when:
- audit_rules_usergroup_modification_pamd | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
tags:
- CCE-86211-0
- audit_rules_usergroup_modification_pamd
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify User/Group Information - /etc/pam.d/ - Check if watch rule for /etc/pam.d/ already exists
in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit/
contains: ^\s*-w\s+/etc/pam.d/\s+-p\s+wa(\s|$)+
patterns: audit.rules
register: find_existing_watch_audit_rules
when:
- audit_rules_usergroup_modification_pamd | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86211-0
- audit_rules_usergroup_modification_pamd
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify User/Group Information - /etc/pam.d/ - Add watch rule for /etc/pam.d/ in /etc/audit/audit.rules
ansible.builtin.lineinfile:
line: -w /etc/pam.d/ -p wa -k audit_rules_usergroup_modification
state: present
dest: /etc/audit/audit.rules
create: true
mode: '0600'
when:
- audit_rules_usergroup_modification_pamd | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0
tags:
- CCE-86211-0
- audit_rules_usergroup_modification_pamd
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify User/Group Information - /etc/passwd - Check if watch rule for /etc/passwd already exists
in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: ^\s*-w\s+/etc/passwd\s+-p\s+wa(\s|$)+
patterns: '*.rules'
register: find_existing_watch_rules_d
when:
- DISA_STIG_RHEL_09_654240 | bool
- audit_rules_usergroup_modification_passwd | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83714-6
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654240
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.5
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_usergroup_modification_passwd
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify User/Group Information - /etc/passwd - Search /etc/audit/rules.d for other rules with specified
key audit_rules_usergroup_modification_passwd
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: ^.*(?:-F key=|-k\s+)audit_rules_usergroup_modification_passwd$
patterns: '*.rules'
register: find_watch_key
when:
- DISA_STIG_RHEL_09_654240 | bool
- audit_rules_usergroup_modification_passwd | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
tags:
- CCE-83714-6
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654240
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.5
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_usergroup_modification_passwd
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify User/Group Information - /etc/passwd - Use /etc/audit/rules.d/audit_rules_usergroup_modification_passwd.rules
as the recipient for the rule
ansible.builtin.set_fact:
all_files:
- /etc/audit/rules.d/audit_rules_usergroup_modification_passwd.rules
when:
- DISA_STIG_RHEL_09_654240 | bool
- audit_rules_usergroup_modification_passwd | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and
find_existing_watch_rules_d.matched == 0
tags:
- CCE-83714-6
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654240
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.5
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_usergroup_modification_passwd
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify User/Group Information - /etc/passwd - Use matched file as the recipient for the rule
ansible.builtin.set_fact:
all_files:
- '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
when:
- DISA_STIG_RHEL_09_654240 | bool
- audit_rules_usergroup_modification_passwd | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and
find_existing_watch_rules_d.matched == 0
tags:
- CCE-83714-6
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654240
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.5
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_usergroup_modification_passwd
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify User/Group Information - /etc/passwd - Add watch rule for /etc/passwd in /etc/audit/rules.d/
ansible.builtin.lineinfile:
path: '{{ all_files[0] }}'
line: -w /etc/passwd -p wa -k audit_rules_usergroup_modification_passwd
create: true
mode: '0600'
when:
- DISA_STIG_RHEL_09_654240 | bool
- audit_rules_usergroup_modification_passwd | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
tags:
- CCE-83714-6
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654240
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.5
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_usergroup_modification_passwd
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify User/Group Information - /etc/passwd - Check if watch rule for /etc/passwd already exists
in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit/
contains: ^\s*-w\s+/etc/passwd\s+-p\s+wa(\s|$)+
patterns: audit.rules
register: find_existing_watch_audit_rules
when:
- DISA_STIG_RHEL_09_654240 | bool
- audit_rules_usergroup_modification_passwd | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83714-6
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654240
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.5
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_usergroup_modification_passwd
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify User/Group Information - /etc/passwd - Add watch rule for /etc/passwd in /etc/audit/audit.rules
ansible.builtin.lineinfile:
line: -w /etc/passwd -p wa -k audit_rules_usergroup_modification_passwd
state: present
dest: /etc/audit/audit.rules
create: true
mode: '0600'
when:
- DISA_STIG_RHEL_09_654240 | bool
- audit_rules_usergroup_modification_passwd | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0
tags:
- CCE-83714-6
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654240
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.5
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_usergroup_modification_passwd
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify User/Group Information - /etc/shadow - Check if watch rule for /etc/shadow already exists
in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: ^\s*-w\s+/etc/shadow\s+-p\s+wa(\s|$)+
patterns: '*.rules'
register: find_existing_watch_rules_d
when:
- DISA_STIG_RHEL_09_654245 | bool
- audit_rules_usergroup_modification_shadow | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83725-2
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654245
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.5
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_usergroup_modification_shadow
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify User/Group Information - /etc/shadow - Search /etc/audit/rules.d for other rules with specified
key audit_rules_usergroup_modification
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: ^.*(?:-F key=|-k\s+)audit_rules_usergroup_modification$
patterns: '*.rules'
register: find_watch_key
when:
- DISA_STIG_RHEL_09_654245 | bool
- audit_rules_usergroup_modification_shadow | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
tags:
- CCE-83725-2
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654245
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.5
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_usergroup_modification_shadow
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify User/Group Information - /etc/shadow - Use /etc/audit/rules.d/audit_rules_usergroup_modification.rules
as the recipient for the rule
ansible.builtin.set_fact:
all_files:
- /etc/audit/rules.d/audit_rules_usergroup_modification.rules
when:
- DISA_STIG_RHEL_09_654245 | bool
- audit_rules_usergroup_modification_shadow | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and
find_existing_watch_rules_d.matched == 0
tags:
- CCE-83725-2
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654245
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.5
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_usergroup_modification_shadow
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify User/Group Information - /etc/shadow - Use matched file as the recipient for the rule
ansible.builtin.set_fact:
all_files:
- '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
when:
- DISA_STIG_RHEL_09_654245 | bool
- audit_rules_usergroup_modification_shadow | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and
find_existing_watch_rules_d.matched == 0
tags:
- CCE-83725-2
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654245
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.5
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_usergroup_modification_shadow
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify User/Group Information - /etc/shadow - Add watch rule for /etc/shadow in /etc/audit/rules.d/
ansible.builtin.lineinfile:
path: '{{ all_files[0] }}'
line: -w /etc/shadow -p wa -k audit_rules_usergroup_modification
create: true
mode: '0600'
when:
- DISA_STIG_RHEL_09_654245 | bool
- audit_rules_usergroup_modification_shadow | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
tags:
- CCE-83725-2
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654245
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.5
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_usergroup_modification_shadow
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify User/Group Information - /etc/shadow - Check if watch rule for /etc/shadow already exists
in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit/
contains: ^\s*-w\s+/etc/shadow\s+-p\s+wa(\s|$)+
patterns: audit.rules
register: find_existing_watch_audit_rules
when:
- DISA_STIG_RHEL_09_654245 | bool
- audit_rules_usergroup_modification_shadow | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83725-2
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654245
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.5
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_usergroup_modification_shadow
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Events that Modify User/Group Information - /etc/shadow - Add watch rule for /etc/shadow in /etc/audit/audit.rules
ansible.builtin.lineinfile:
line: -w /etc/shadow -p wa -k audit_rules_usergroup_modification
state: present
dest: /etc/audit/audit.rules
create: true
mode: '0600'
when:
- DISA_STIG_RHEL_09_654245 | bool
- audit_rules_usergroup_modification_shadow | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0
tags:
- CCE-83725-2
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654245
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.5
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.5
- audit_rules_usergroup_modification_shadow
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Attempts to perform maintenance activities - Check if watch rule for /var/log/sudo.log already exists in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: ^\s*-w\s+/var/log/sudo.log\s+-p\s+wa(\s|$)+
patterns: '*.rules'
register: find_existing_watch_rules_d
when:
- audit_sudo_log_events | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86433-0
- PCI-DSS-Req-10.2.2
- PCI-DSS-Req-10.2.5.b
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.3
- audit_sudo_log_events
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Attempts to perform maintenance activities - Search /etc/audit/rules.d for other rules with specified key maintenance
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: ^.*(?:-F key=|-k\s+)maintenance$
patterns: '*.rules'
register: find_watch_key
when:
- audit_sudo_log_events | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
tags:
- CCE-86433-0
- PCI-DSS-Req-10.2.2
- PCI-DSS-Req-10.2.5.b
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.3
- audit_sudo_log_events
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Attempts to perform maintenance activities - Use /etc/audit/rules.d/maintenance.rules as the recipient for
the rule
ansible.builtin.set_fact:
all_files:
- /etc/audit/rules.d/maintenance.rules
when:
- audit_sudo_log_events | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and
find_existing_watch_rules_d.matched == 0
tags:
- CCE-86433-0
- PCI-DSS-Req-10.2.2
- PCI-DSS-Req-10.2.5.b
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.3
- audit_sudo_log_events
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Attempts to perform maintenance activities - Use matched file as the recipient for the rule
ansible.builtin.set_fact:
all_files:
- '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
when:
- audit_sudo_log_events | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and
find_existing_watch_rules_d.matched == 0
tags:
- CCE-86433-0
- PCI-DSS-Req-10.2.2
- PCI-DSS-Req-10.2.5.b
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.3
- audit_sudo_log_events
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Attempts to perform maintenance activities - Add watch rule for /var/log/sudo.log in /etc/audit/rules.d/
ansible.builtin.lineinfile:
path: '{{ all_files[0] }}'
line: -w /var/log/sudo.log -p wa -k maintenance
create: true
mode: '0600'
when:
- audit_sudo_log_events | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
tags:
- CCE-86433-0
- PCI-DSS-Req-10.2.2
- PCI-DSS-Req-10.2.5.b
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.3
- audit_sudo_log_events
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Attempts to perform maintenance activities - Check if watch rule for /var/log/sudo.log already exists in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit/
contains: ^\s*-w\s+/var/log/sudo.log\s+-p\s+wa(\s|$)+
patterns: audit.rules
register: find_existing_watch_audit_rules
when:
- audit_sudo_log_events | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86433-0
- PCI-DSS-Req-10.2.2
- PCI-DSS-Req-10.2.5.b
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.3
- audit_sudo_log_events
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Attempts to perform maintenance activities - Add watch rule for /var/log/sudo.log in /etc/audit/audit.rules
ansible.builtin.lineinfile:
line: -w /var/log/sudo.log -p wa -k maintenance
state: present
dest: /etc/audit/audit.rules
create: true
mode: '0600'
when:
- audit_sudo_log_events | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0
tags:
- CCE-86433-0
- PCI-DSS-Req-10.2.2
- PCI-DSS-Req-10.2.5.b
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.3
- audit_sudo_log_events
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set the file_groupownership_audit_configuration_newgroup variable if represented by gid
ansible.builtin.set_fact:
file_groupownership_audit_configuration_newgroup: '0'
when:
- DISA_STIG_RHEL_09_232104 | bool
- configure_strategy | bool
- file_groupownership_audit_configuration | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86446-2
- DISA-STIG-RHEL-09-232104
- configure_strategy
- file_groupownership_audit_configuration
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Find /etc/audit/ file(s) matching ^.*audit(\.rules|d\.conf)$
ansible.builtin.command: find -P /etc/audit/ -maxdepth 1 -type f ! -group 0 -regextype posix-extended -regex "^.*audit(\.rules|d\.conf)$"
register: files_found
changed_when: false
failed_when: false
check_mode: false
when:
- DISA_STIG_RHEL_09_232104 | bool
- configure_strategy | bool
- file_groupownership_audit_configuration | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86446-2
- DISA-STIG-RHEL-09-232104
- configure_strategy
- file_groupownership_audit_configuration
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure group owner on /etc/audit/ file(s) matching ^.*audit(\.rules|d\.conf)$
ansible.builtin.file:
path: '{{ item }}'
follow: false
group: '{{ file_groupownership_audit_configuration_newgroup }}'
state: file
with_items:
- '{{ files_found.stdout_lines }}'
when:
- DISA_STIG_RHEL_09_232104 | bool
- configure_strategy | bool
- file_groupownership_audit_configuration | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86446-2
- DISA-STIG-RHEL-09-232104
- configure_strategy
- file_groupownership_audit_configuration
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Find /etc/audit/rules.d/ file(s) matching ^.*\.rules$
ansible.builtin.command: find -P /etc/audit/rules.d/ -maxdepth 1 -type f ! -group 0 -regextype posix-extended -regex "^.*\.rules$"
register: files_found
changed_when: false
failed_when: false
check_mode: false
when:
- DISA_STIG_RHEL_09_232104 | bool
- configure_strategy | bool
- file_groupownership_audit_configuration | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86446-2
- DISA-STIG-RHEL-09-232104
- configure_strategy
- file_groupownership_audit_configuration
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure group owner on /etc/audit/rules.d/ file(s) matching ^.*\.rules$
ansible.builtin.file:
path: '{{ item }}'
follow: false
group: '{{ file_groupownership_audit_configuration_newgroup }}'
state: file
with_items:
- '{{ files_found.stdout_lines }}'
when:
- DISA_STIG_RHEL_09_232104 | bool
- configure_strategy | bool
- file_groupownership_audit_configuration | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86446-2
- DISA-STIG-RHEL-09-232104
- configure_strategy
- file_groupownership_audit_configuration
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set the file_ownership_audit_configuration_newown variable if represented by uid
ansible.builtin.set_fact:
file_ownership_audit_configuration_newown: '0'
when:
- DISA_STIG_RHEL_09_232103 | bool
- configure_strategy | bool
- file_ownership_audit_configuration | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86445-4
- DISA-STIG-RHEL-09-232103
- configure_strategy
- file_ownership_audit_configuration
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Find /etc/audit/ file(s) matching ^.*audit(\.rules|d\.conf)$
ansible.builtin.command: find -P /etc/audit/ -maxdepth 1 -type f ! -user 0 -regextype posix-extended -regex "^.*audit(\.rules|d\.conf)$"
register: files_found
changed_when: false
failed_when: false
check_mode: false
when:
- DISA_STIG_RHEL_09_232103 | bool
- configure_strategy | bool
- file_ownership_audit_configuration | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86445-4
- DISA-STIG-RHEL-09-232103
- configure_strategy
- file_ownership_audit_configuration
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure owner on /etc/audit/ file(s) matching ^.*audit(\.rules|d\.conf)$
ansible.builtin.file:
path: '{{ item }}'
follow: false
owner: '{{ file_ownership_audit_configuration_newown }}'
state: file
with_items:
- '{{ files_found.stdout_lines }}'
when:
- DISA_STIG_RHEL_09_232103 | bool
- configure_strategy | bool
- file_ownership_audit_configuration | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86445-4
- DISA-STIG-RHEL-09-232103
- configure_strategy
- file_ownership_audit_configuration
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Find /etc/audit/rules.d/ file(s) matching ^.*\.rules$
ansible.builtin.command: find -P /etc/audit/rules.d/ -maxdepth 1 -type f ! -user 0 -regextype posix-extended -regex "^.*\.rules$"
register: files_found
changed_when: false
failed_when: false
check_mode: false
when:
- DISA_STIG_RHEL_09_232103 | bool
- configure_strategy | bool
- file_ownership_audit_configuration | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86445-4
- DISA-STIG-RHEL-09-232103
- configure_strategy
- file_ownership_audit_configuration
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure owner on /etc/audit/rules.d/ file(s) matching ^.*\.rules$
ansible.builtin.file:
path: '{{ item }}'
follow: false
owner: '{{ file_ownership_audit_configuration_newown }}'
state: file
with_items:
- '{{ files_found.stdout_lines }}'
when:
- DISA_STIG_RHEL_09_232103 | bool
- configure_strategy | bool
- file_ownership_audit_configuration | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86445-4
- DISA-STIG-RHEL-09-232103
- configure_strategy
- file_ownership_audit_configuration
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Find /etc/audit/ file(s)
ansible.builtin.command: find -P /etc/audit/ -maxdepth 1 -perm /u+xs,g+xws,o+xwrt -type f -regextype posix-extended -regex
"^.*audit(\.rules|d\.conf)$"
register: files_found
changed_when: false
failed_when: false
check_mode: false
when:
- DISA_STIG_RHEL_09_653110 | bool
- configure_strategy | bool
- file_permissions_audit_configuration | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-88002-1
- DISA-STIG-RHEL-09-653110
- NIST-800-53-AU-12 b
- configure_strategy
- file_permissions_audit_configuration
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set permissions for /etc/audit/ file(s)
ansible.builtin.file:
path: '{{ item }}'
mode: u-xs,g-xws,o-xwrt
state: file
with_items:
- '{{ files_found.stdout_lines }}'
when:
- DISA_STIG_RHEL_09_653110 | bool
- configure_strategy | bool
- file_permissions_audit_configuration | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-88002-1
- DISA-STIG-RHEL-09-653110
- NIST-800-53-AU-12 b
- configure_strategy
- file_permissions_audit_configuration
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Find /etc/audit/rules.d/ file(s)
ansible.builtin.command: find -P /etc/audit/rules.d/ -maxdepth 1 -perm /u+xs,g+xws,o+xwrt -type f -regextype posix-extended
-regex "^.*\.rules$"
register: files_found
changed_when: false
failed_when: false
check_mode: false
when:
- DISA_STIG_RHEL_09_653110 | bool
- configure_strategy | bool
- file_permissions_audit_configuration | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-88002-1
- DISA-STIG-RHEL-09-653110
- NIST-800-53-AU-12 b
- configure_strategy
- file_permissions_audit_configuration
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set permissions for /etc/audit/rules.d/ file(s)
ansible.builtin.file:
path: '{{ item }}'
mode: u-xs,g-xws,o-xwrt
state: file
with_items:
- '{{ files_found.stdout_lines }}'
when:
- DISA_STIG_RHEL_09_653110 | bool
- configure_strategy | bool
- file_permissions_audit_configuration | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-88002-1
- DISA-STIG-RHEL-09-653110
- NIST-800-53-AU-12 b
- configure_strategy
- file_permissions_audit_configuration
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Get audit log files
ansible.builtin.command: grep -iw ^log_file /etc/audit/auditd.conf
failed_when: false
changed_when: false
check_mode: false
register: log_file_exists
when:
- DISA_STIG_RHEL_09_653090 | bool
- file_permissions_var_log_audit | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83720-3
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-653090
- NIST-800-171-3.3.1
- NIST-800-53-AC-6(1)
- NIST-800-53-AU-9(4)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.1
- file_permissions_var_log_audit
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Parse log file line
ansible.builtin.command: awk -F '=' '/^log_file/ {print $2}' /etc/audit/auditd.conf
register: log_file_line
changed_when: false
check_mode: false
when:
- DISA_STIG_RHEL_09_653090 | bool
- file_permissions_var_log_audit | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- log_file_exists is not skipped and (log_file_exists.stdout | length > 0)
tags:
- CCE-83720-3
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-653090
- NIST-800-171-3.3.1
- NIST-800-53-AC-6(1)
- NIST-800-53-AU-9(4)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.1
- file_permissions_var_log_audit
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set default log_file if not set
ansible.builtin.set_fact:
log_file: /var/log/audit/audit.log
when:
- DISA_STIG_RHEL_09_653090 | bool
- file_permissions_var_log_audit | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- (log_file_exists is skipped) or (log_file_exists is undefined) or (log_file_exists.stdout | length == 0)
tags:
- CCE-83720-3
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-653090
- NIST-800-171-3.3.1
- NIST-800-53-AC-6(1)
- NIST-800-53-AU-9(4)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.1
- file_permissions_var_log_audit
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set log_file from log_file_line if not set already
ansible.builtin.set_fact:
log_file: '{{ log_file_line.stdout | trim }}'
when:
- DISA_STIG_RHEL_09_653090 | bool
- file_permissions_var_log_audit | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- (log_file_exists is not skipped) and (log_file_line.stdout is defined) and (log_file_line.stdout | length > 0)
tags:
- CCE-83720-3
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-653090
- NIST-800-171-3.3.1
- NIST-800-53-AC-6(1)
- NIST-800-53-AU-9(4)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.1
- file_permissions_var_log_audit
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Apply mode to log file
ansible.builtin.file:
path: '{{ log_file }}'
mode: 384
failed_when: false
when:
- DISA_STIG_RHEL_09_653090 | bool
- file_permissions_var_log_audit | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83720-3
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-653090
- NIST-800-171-3.3.1
- NIST-800-53-AC-6(1)
- NIST-800-53-AU-9(4)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.1
- file_permissions_var_log_audit
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set architecture for audit chmod tasks
ansible.builtin.set_fact:
audit_arch: b64
when:
- DISA_STIG_RHEL_09_654015 | bool
- audit_rules_dac_modification_chmod | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- not ( ansible_architecture == "aarch64" )
- ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture
== "s390x" or ansible_architecture == "x86_64"
tags:
- CCE-83830-0
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654015
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_chmod
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for chmod for 32bit platform
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- chmod
syscall_grouping:
- chmod
- fchmod
- fchmodat
- name: Check existence of chmod in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path')
| list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S
|,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- chmod
syscall_grouping:
- chmod
- fchmod
- fchmodat
- name: Check existence of chmod in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F
auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- DISA_STIG_RHEL_09_654015 | bool
- audit_rules_dac_modification_chmod | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- not ( ansible_architecture == "aarch64" )
tags:
- CCE-83830-0
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654015
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_chmod
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for chmod for 64bit platform
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- chmod
syscall_grouping:
- chmod
- fchmod
- fchmodat
- name: Check existence of chmod in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path')
| list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S
|,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- chmod
syscall_grouping:
- chmod
- fchmod
- fchmodat
- name: Check existence of chmod in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F
auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- DISA_STIG_RHEL_09_654015 | bool
- audit_rules_dac_modification_chmod | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- not ( ansible_architecture == "aarch64" )
- audit_arch == "b64"
tags:
- CCE-83830-0
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654015
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_chmod
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Set architecture for audit chown tasks
ansible.builtin.set_fact:
audit_arch: b64
when:
- DISA_STIG_RHEL_09_654020 | bool
- audit_rules_dac_modification_chown | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- not ( ansible_architecture == "aarch64" )
- ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture
== "s390x" or ansible_architecture == "x86_64"
tags:
- CCE-83812-8
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654020
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_chown
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for chown for 32bit platform
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- chown
syscall_grouping:
- chown
- fchown
- fchownat
- lchown
- name: Check existence of chown in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path')
| list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S
|,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- chown
syscall_grouping:
- chown
- fchown
- fchownat
- lchown
- name: Check existence of chown in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F
auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- DISA_STIG_RHEL_09_654020 | bool
- audit_rules_dac_modification_chown | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- not ( ansible_architecture == "aarch64" )
tags:
- CCE-83812-8
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654020
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_chown
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for chown for 64bit platform
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- chown
syscall_grouping:
- chown
- fchown
- fchownat
- lchown
- name: Check existence of chown in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path')
| list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S
|,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- chown
syscall_grouping:
- chown
- fchown
- fchownat
- lchown
- name: Check existence of chown in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F
auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- DISA_STIG_RHEL_09_654020 | bool
- audit_rules_dac_modification_chown | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- not ( ansible_architecture == "aarch64" )
- audit_arch == "b64"
tags:
- CCE-83812-8
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654020
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_chown
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Set architecture for audit fchmod tasks
ansible.builtin.set_fact:
audit_arch: b64
when:
- DISA_STIG_RHEL_09_654015 | bool
- audit_rules_dac_modification_fchmod | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture
== "s390x" or ansible_architecture == "x86_64"
tags:
- CCE-83832-6
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654015
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_fchmod
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for fchmod for 32bit platform
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- fchmod
syscall_grouping:
- chmod
- fchmod
- fchmodat
- name: Check existence of fchmod in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path')
| list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S
|,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- fchmod
syscall_grouping:
- chmod
- fchmod
- fchmodat
- name: Check existence of fchmod in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F
auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- DISA_STIG_RHEL_09_654015 | bool
- audit_rules_dac_modification_fchmod | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83832-6
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654015
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_fchmod
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for fchmod for 64bit platform
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- fchmod
syscall_grouping:
- chmod
- fchmod
- fchmodat
- name: Check existence of fchmod in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path')
| list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S
|,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- fchmod
syscall_grouping:
- chmod
- fchmod
- fchmodat
- name: Check existence of fchmod in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F
auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- DISA_STIG_RHEL_09_654015 | bool
- audit_rules_dac_modification_fchmod | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- audit_arch == "b64"
tags:
- CCE-83832-6
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654015
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_fchmod
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Set architecture for audit fchmodat tasks
ansible.builtin.set_fact:
audit_arch: b64
when:
- DISA_STIG_RHEL_09_654015 | bool
- audit_rules_dac_modification_fchmodat | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture
== "s390x" or ansible_architecture == "x86_64"
tags:
- CCE-83822-7
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654015
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_fchmodat
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for fchmodat for 32bit platform
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- fchmodat
syscall_grouping:
- chmod
- fchmod
- fchmodat
- name: Check existence of fchmodat in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path')
| list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S
|,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- fchmodat
syscall_grouping:
- chmod
- fchmod
- fchmodat
- name: Check existence of fchmodat in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F
auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- DISA_STIG_RHEL_09_654015 | bool
- audit_rules_dac_modification_fchmodat | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83822-7
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654015
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_fchmodat
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for fchmodat for 64bit platform
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- fchmodat
syscall_grouping:
- chmod
- fchmod
- fchmodat
- name: Check existence of fchmodat in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path')
| list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S
|,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- fchmodat
syscall_grouping:
- chmod
- fchmod
- fchmodat
- name: Check existence of fchmodat in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F
auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- DISA_STIG_RHEL_09_654015 | bool
- audit_rules_dac_modification_fchmodat | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- audit_arch == "b64"
tags:
- CCE-83822-7
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654015
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_fchmodat
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Set architecture for audit fchown tasks
ansible.builtin.set_fact:
audit_arch: b64
when:
- DISA_STIG_RHEL_09_654020 | bool
- audit_rules_dac_modification_fchown | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture
== "s390x" or ansible_architecture == "x86_64"
tags:
- CCE-83829-2
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654020
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_fchown
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for fchown for 32bit platform
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- fchown
syscall_grouping:
- chown
- fchown
- fchownat
- lchown
- name: Check existence of fchown in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path')
| list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S
|,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- fchown
syscall_grouping:
- chown
- fchown
- fchownat
- lchown
- name: Check existence of fchown in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F
auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- DISA_STIG_RHEL_09_654020 | bool
- audit_rules_dac_modification_fchown | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83829-2
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654020
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_fchown
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for fchown for 64bit platform
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- fchown
syscall_grouping:
- chown
- fchown
- fchownat
- lchown
- name: Check existence of fchown in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path')
| list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S
|,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- fchown
syscall_grouping:
- chown
- fchown
- fchownat
- lchown
- name: Check existence of fchown in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F
auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- DISA_STIG_RHEL_09_654020 | bool
- audit_rules_dac_modification_fchown | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- audit_arch == "b64"
tags:
- CCE-83829-2
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654020
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_fchown
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Set architecture for audit fchownat tasks
ansible.builtin.set_fact:
audit_arch: b64
when:
- DISA_STIG_RHEL_09_654020 | bool
- audit_rules_dac_modification_fchownat | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture
== "s390x" or ansible_architecture == "x86_64"
tags:
- CCE-83831-8
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654020
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_fchownat
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for fchownat for 32bit platform
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- fchownat
syscall_grouping:
- chown
- fchown
- fchownat
- lchown
- name: Check existence of fchownat in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path')
| list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S
|,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- fchownat
syscall_grouping:
- chown
- fchown
- fchownat
- lchown
- name: Check existence of fchownat in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F
auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- DISA_STIG_RHEL_09_654020 | bool
- audit_rules_dac_modification_fchownat | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83831-8
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654020
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_fchownat
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for fchownat for 64bit platform
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- fchownat
syscall_grouping:
- chown
- fchown
- fchownat
- lchown
- name: Check existence of fchownat in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path')
| list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S
|,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- fchownat
syscall_grouping:
- chown
- fchown
- fchownat
- lchown
- name: Check existence of fchownat in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F
auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- DISA_STIG_RHEL_09_654020 | bool
- audit_rules_dac_modification_fchownat | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- audit_arch == "b64"
tags:
- CCE-83831-8
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654020
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_fchownat
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Set architecture for audit fremovexattr tasks
ansible.builtin.set_fact:
audit_arch: b64
when:
- DISA_STIG_RHEL_09_654025 | bool
- audit_rules_dac_modification_fremovexattr | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture
== "s390x" or ansible_architecture == "x86_64"
tags:
- CCE-83821-9
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654025
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_fremovexattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for fremovexattr for 32bit platform
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- fremovexattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of fremovexattr in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path')
| list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S
|,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- fremovexattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of fremovexattr in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F
auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- fremovexattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of fremovexattr in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path')
| list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S
|,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid=0 -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- fremovexattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of fremovexattr in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F
auid=0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid=0 -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- DISA_STIG_RHEL_09_654025 | bool
- audit_rules_dac_modification_fremovexattr | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83821-9
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654025
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_fremovexattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for fremovexattr for 64bit platform
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- fremovexattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of fremovexattr in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path')
| list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S
|,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- fremovexattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of fremovexattr in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F
auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- fremovexattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of fremovexattr in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path')
| list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S
|,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid=0 -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- fremovexattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of fremovexattr in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F
auid=0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid=0 -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- DISA_STIG_RHEL_09_654025 | bool
- audit_rules_dac_modification_fremovexattr | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- audit_arch == "b64"
tags:
- CCE-83821-9
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654025
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_fremovexattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Set architecture for audit fsetxattr tasks
ansible.builtin.set_fact:
audit_arch: b64
when:
- DISA_STIG_RHEL_09_654025 | bool
- audit_rules_dac_modification_fsetxattr | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture
== "s390x" or ansible_architecture == "x86_64"
tags:
- CCE-83817-7
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654025
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_fsetxattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for fsetxattr for 32bit platform
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- fsetxattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of fsetxattr in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path')
| list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S
|,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- fsetxattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of fsetxattr in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F
auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- fsetxattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of fsetxattr in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path')
| list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S
|,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid=0 -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- fsetxattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of fsetxattr in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F
auid=0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid=0 -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- DISA_STIG_RHEL_09_654025 | bool
- audit_rules_dac_modification_fsetxattr | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83817-7
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654025
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_fsetxattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for fsetxattr for 64bit platform
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- fsetxattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of fsetxattr in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path')
| list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S
|,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- fsetxattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of fsetxattr in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F
auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- fsetxattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of fsetxattr in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path')
| list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S
|,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid=0 -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- fsetxattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of fsetxattr in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F
auid=0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid=0 -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- DISA_STIG_RHEL_09_654025 | bool
- audit_rules_dac_modification_fsetxattr | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- audit_arch == "b64"
tags:
- CCE-83817-7
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654025
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_fsetxattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Set architecture for audit lchown tasks
ansible.builtin.set_fact:
audit_arch: b64
when:
- DISA_STIG_RHEL_09_654020 | bool
- audit_rules_dac_modification_lchown | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- not ( ansible_architecture == "aarch64" )
- ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture
== "s390x" or ansible_architecture == "x86_64"
tags:
- CCE-83833-4
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654020
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_lchown
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for lchown for 32bit platform
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- lchown
syscall_grouping:
- chown
- fchown
- fchownat
- lchown
- name: Check existence of lchown in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path')
| list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S
|,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- lchown
syscall_grouping:
- chown
- fchown
- fchownat
- lchown
- name: Check existence of lchown in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F
auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- DISA_STIG_RHEL_09_654020 | bool
- audit_rules_dac_modification_lchown | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- not ( ansible_architecture == "aarch64" )
tags:
- CCE-83833-4
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654020
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_lchown
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for lchown for 64bit platform
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- lchown
syscall_grouping:
- chown
- fchown
- fchownat
- lchown
- name: Check existence of lchown in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path')
| list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S
|,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- lchown
syscall_grouping:
- chown
- fchown
- fchownat
- lchown
- name: Check existence of lchown in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F
auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- DISA_STIG_RHEL_09_654020 | bool
- audit_rules_dac_modification_lchown | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- not ( ansible_architecture == "aarch64" )
- audit_arch == "b64"
tags:
- CCE-83833-4
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654020
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_lchown
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Set architecture for audit lremovexattr tasks
ansible.builtin.set_fact:
audit_arch: b64
when:
- DISA_STIG_RHEL_09_654025 | bool
- audit_rules_dac_modification_lremovexattr | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture
== "s390x" or ansible_architecture == "x86_64"
tags:
- CCE-83814-4
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654025
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_lremovexattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for lremovexattr for 32bit platform
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- lremovexattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of lremovexattr in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path')
| list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S
|,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- lremovexattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of lremovexattr in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F
auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- lremovexattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of lremovexattr in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path')
| list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S
|,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid=0 -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- lremovexattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of lremovexattr in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F
auid=0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid=0 -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- DISA_STIG_RHEL_09_654025 | bool
- audit_rules_dac_modification_lremovexattr | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83814-4
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654025
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_lremovexattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for lremovexattr for 64bit platform
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- lremovexattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of lremovexattr in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path')
| list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S
|,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- lremovexattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of lremovexattr in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F
auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- lremovexattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of lremovexattr in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path')
| list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S
|,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid=0 -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- lremovexattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of lremovexattr in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F
auid=0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid=0 -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- DISA_STIG_RHEL_09_654025 | bool
- audit_rules_dac_modification_lremovexattr | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- audit_arch == "b64"
tags:
- CCE-83814-4
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654025
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_lremovexattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Set architecture for audit lsetxattr tasks
ansible.builtin.set_fact:
audit_arch: b64
when:
- DISA_STIG_RHEL_09_654025 | bool
- audit_rules_dac_modification_lsetxattr | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture
== "s390x" or ansible_architecture == "x86_64"
tags:
- CCE-83808-6
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654025
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_lsetxattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for lsetxattr for 32bit platform
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- lsetxattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of lsetxattr in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path')
| list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S
|,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- lsetxattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of lsetxattr in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F
auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- lsetxattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of lsetxattr in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path')
| list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S
|,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid=0 -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- lsetxattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of lsetxattr in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F
auid=0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid=0 -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- DISA_STIG_RHEL_09_654025 | bool
- audit_rules_dac_modification_lsetxattr | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83808-6
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654025
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_lsetxattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for lsetxattr for 64bit platform
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- lsetxattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of lsetxattr in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path')
| list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S
|,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- lsetxattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of lsetxattr in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F
auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- lsetxattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of lsetxattr in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path')
| list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S
|,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid=0 -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- lsetxattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of lsetxattr in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F
auid=0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid=0 -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- DISA_STIG_RHEL_09_654025 | bool
- audit_rules_dac_modification_lsetxattr | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- audit_arch == "b64"
tags:
- CCE-83808-6
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654025
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_lsetxattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Set architecture for audit removexattr tasks
ansible.builtin.set_fact:
audit_arch: b64
when:
- DISA_STIG_RHEL_09_654025 | bool
- audit_rules_dac_modification_removexattr | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture
== "s390x" or ansible_architecture == "x86_64"
tags:
- CCE-83807-8
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654025
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_removexattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for removexattr for 32bit platform
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- removexattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of removexattr in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path')
| list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S
|,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- removexattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of removexattr in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F
auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- removexattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of removexattr in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path')
| list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S
|,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid=0 -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- removexattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of removexattr in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F
auid=0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid=0 -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- DISA_STIG_RHEL_09_654025 | bool
- audit_rules_dac_modification_removexattr | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83807-8
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654025
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_removexattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for removexattr for 64bit platform
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- removexattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of removexattr in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path')
| list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S
|,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- removexattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of removexattr in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F
auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- removexattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of removexattr in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path')
| list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S
|,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid=0 -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- removexattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of removexattr in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F
auid=0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid=0 -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- DISA_STIG_RHEL_09_654025 | bool
- audit_rules_dac_modification_removexattr | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- audit_arch == "b64"
tags:
- CCE-83807-8
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654025
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_removexattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Set architecture for audit setxattr tasks
ansible.builtin.set_fact:
audit_arch: b64
when:
- DISA_STIG_RHEL_09_654025 | bool
- audit_rules_dac_modification_setxattr | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture
== "s390x" or ansible_architecture == "x86_64"
tags:
- CCE-83811-0
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654025
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_setxattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for setxattr for 32bit platform
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- setxattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of setxattr in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path')
| list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S
|,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- setxattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of setxattr in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F
auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- setxattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of setxattr in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path')
| list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S
|,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid=0 -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- setxattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of setxattr in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F
auid=0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid=0 -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- DISA_STIG_RHEL_09_654025 | bool
- audit_rules_dac_modification_setxattr | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83811-0
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654025
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_setxattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for setxattr for 64bit platform
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- setxattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of setxattr in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path')
| list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S
|,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- setxattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of setxattr in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F
auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- setxattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of setxattr in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path')
| list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S
|,)\w+)+)( -F auid=0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid=0 -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- setxattr
syscall_grouping:
- fremovexattr
- lremovexattr
- removexattr
- fsetxattr
- lsetxattr
- setxattr
- name: Check existence of setxattr in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid=0 (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F
auid=0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid=0 -F key=perm_mod
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- DISA_STIG_RHEL_09_654025 | bool
- audit_rules_dac_modification_setxattr | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- audit_arch == "b64"
tags:
- CCE-83811-0
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-654025
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.5.5
- PCI-DSSv4-10.3
- PCI-DSSv4-10.3.4
- audit_rules_dac_modification_setxattr
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Record Any Attempts to Run chacl - Perform remediation of Audit rules for /usr/bin/chacl
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls: []
syscall_grouping: []
- name: Check existence of in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F path=/usr/bin/chacl -F perm=x -F auid>=1000
-F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path')
| list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/privileged.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/privileged.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)(
-F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls: []
syscall_grouping: []
- name: Check existence of in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F path=/usr/bin/chacl -F perm=x -F auid>=1000
-F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/chacl
-F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- DISA_STIG_RHEL_09_654035 | bool
- audit_rules_execution_chacl | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-87685-4
- DISA-STIG-RHEL-09-654035
- audit_rules_execution_chacl
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Any Attempts to Run setfacl - Perform remediation of Audit rules for /usr/bin/setfacl
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls: []
syscall_grouping: []
- name: Check existence of in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F path=/usr/bin/setfacl -F perm=x -F auid>=1000
-F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path')
| list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/privileged.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/privileged.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)(
-F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls: []
syscall_grouping: []
- name: Check existence of in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F path=/usr/bin/setfacl -F perm=x -F auid>=1000
-F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/setfacl
-F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- DISA_STIG_RHEL_09_654040 | bool
- audit_rules_execution_setfacl | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-90482-1
- DISA-STIG-RHEL-09-654040
- audit_rules_execution_setfacl
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Any Attempts to Run chcon - Perform remediation of Audit rules for /usr/bin/chcon
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls: []
syscall_grouping: []
- name: Check existence of in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F path=/usr/bin/chcon -F perm=x -F auid>=1000
-F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path')
| list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/privileged.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/privileged.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)(
-F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls: []
syscall_grouping: []
- name: Check existence of in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F path=/usr/bin/chcon -F perm=x -F auid>=1000
-F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/chcon
-F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- DISA_STIG_RHEL_09_654045 | bool
- audit_rules_execution_chcon | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83748-4
- DISA-STIG-RHEL-09-654045
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- audit_rules_execution_chcon
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set architecture for audit rename tasks
ansible.builtin.set_fact:
audit_arch: b64
when:
- DISA_STIG_RHEL_09_654065 | bool
- audit_rules_file_deletion_events_rename | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- not ( ansible_architecture == "aarch64" )
- ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture
== "s390x" or ansible_architecture == "x86_64"
tags:
- CCE-83754-2
- DISA-STIG-RHEL-09-654065
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.7
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.7
- audit_rules_file_deletion_events_rename
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for rename for 32bit platform
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- rename
syscall_grouping:
- unlink
- unlinkat
- rename
- renameat
- renameat2
- rmdir
- name: Check existence of rename in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path')
| list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/delete.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/delete.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S
|,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=delete
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- rename
syscall_grouping:
- unlink
- unlinkat
- rename
- renameat
- renameat2
- rmdir
- name: Check existence of rename in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F
auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=delete
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- DISA_STIG_RHEL_09_654065 | bool
- audit_rules_file_deletion_events_rename | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- not ( ansible_architecture == "aarch64" )
tags:
- CCE-83754-2
- DISA-STIG-RHEL-09-654065
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.7
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.7
- audit_rules_file_deletion_events_rename
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for rename for 64bit platform
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- rename
syscall_grouping:
- unlink
- unlinkat
- rename
- renameat
- renameat2
- rmdir
- name: Check existence of rename in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path')
| list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/delete.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/delete.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S
|,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=delete
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- rename
syscall_grouping:
- unlink
- unlinkat
- rename
- renameat
- renameat2
- rmdir
- name: Check existence of rename in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F
auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=delete
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- DISA_STIG_RHEL_09_654065 | bool
- audit_rules_file_deletion_events_rename | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- not ( ansible_architecture == "aarch64" )
- audit_arch == "b64"
tags:
- CCE-83754-2
- DISA-STIG-RHEL-09-654065
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.7
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.7
- audit_rules_file_deletion_events_rename
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Set architecture for audit renameat tasks
ansible.builtin.set_fact:
audit_arch: b64
when:
- DISA_STIG_RHEL_09_654065 | bool
- audit_rules_file_deletion_events_renameat | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture
== "s390x" or ansible_architecture == "x86_64"
tags:
- CCE-83756-7
- DISA-STIG-RHEL-09-654065
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.7
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.7
- audit_rules_file_deletion_events_renameat
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for renameat for 32bit platform
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- renameat
syscall_grouping:
- unlink
- unlinkat
- rename
- renameat
- renameat2
- rmdir
- name: Check existence of renameat in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path')
| list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/delete.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/delete.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S
|,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=delete
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- renameat
syscall_grouping:
- unlink
- unlinkat
- rename
- renameat
- renameat2
- rmdir
- name: Check existence of renameat in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F
auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=delete
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- DISA_STIG_RHEL_09_654065 | bool
- audit_rules_file_deletion_events_renameat | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83756-7
- DISA-STIG-RHEL-09-654065
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.7
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.7
- audit_rules_file_deletion_events_renameat
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for renameat for 64bit platform
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- renameat
syscall_grouping:
- unlink
- unlinkat
- rename
- renameat
- renameat2
- rmdir
- name: Check existence of renameat in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path')
| list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/delete.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/delete.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S
|,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=delete
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- renameat
syscall_grouping:
- unlink
- unlinkat
- rename
- renameat
- renameat2
- rmdir
- name: Check existence of renameat in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F
auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=delete
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- DISA_STIG_RHEL_09_654065 | bool
- audit_rules_file_deletion_events_renameat | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- audit_arch == "b64"
tags:
- CCE-83756-7
- DISA-STIG-RHEL-09-654065
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.7
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.7
- audit_rules_file_deletion_events_renameat
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Set architecture for audit unlink tasks
ansible.builtin.set_fact:
audit_arch: b64
when:
- DISA_STIG_RHEL_09_654065 | bool
- audit_rules_file_deletion_events_unlink | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- not ( ansible_architecture == "aarch64" )
- ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture
== "s390x" or ansible_architecture == "x86_64"
tags:
- CCE-83757-5
- DISA-STIG-RHEL-09-654065
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.7
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.7
- audit_rules_file_deletion_events_unlink
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for unlink for 32bit platform
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- unlink
syscall_grouping:
- unlink
- unlinkat
- rename
- renameat
- renameat2
- rmdir
- name: Check existence of unlink in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path')
| list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/delete.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/delete.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S
|,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=delete
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- unlink
syscall_grouping:
- unlink
- unlinkat
- rename
- renameat
- renameat2
- rmdir
- name: Check existence of unlink in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F
auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=delete
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- DISA_STIG_RHEL_09_654065 | bool
- audit_rules_file_deletion_events_unlink | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- not ( ansible_architecture == "aarch64" )
tags:
- CCE-83757-5
- DISA-STIG-RHEL-09-654065
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.7
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.7
- audit_rules_file_deletion_events_unlink
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for unlink for 64bit platform
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- unlink
syscall_grouping:
- unlink
- unlinkat
- rename
- renameat
- renameat2
- rmdir
- name: Check existence of unlink in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path')
| list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/delete.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/delete.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S
|,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=delete
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- unlink
syscall_grouping:
- unlink
- unlinkat
- rename
- renameat
- renameat2
- rmdir
- name: Check existence of unlink in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F
auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=delete
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- DISA_STIG_RHEL_09_654065 | bool
- audit_rules_file_deletion_events_unlink | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- not ( ansible_architecture == "aarch64" )
- audit_arch == "b64"
tags:
- CCE-83757-5
- DISA-STIG-RHEL-09-654065
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.7
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.7
- audit_rules_file_deletion_events_unlink
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Set architecture for audit unlinkat tasks
ansible.builtin.set_fact:
audit_arch: b64
when:
- DISA_STIG_RHEL_09_654065 | bool
- audit_rules_file_deletion_events_unlinkat | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture
== "s390x" or ansible_architecture == "x86_64"
tags:
- CCE-83755-9
- DISA-STIG-RHEL-09-654065
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.7
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.7
- audit_rules_file_deletion_events_unlinkat
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for unlinkat for 32bit platform
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- unlinkat
syscall_grouping:
- unlink
- unlinkat
- rename
- renameat
- renameat2
- rmdir
- name: Check existence of unlinkat in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path')
| list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/delete.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/delete.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S
|,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=delete
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- unlinkat
syscall_grouping:
- unlink
- unlinkat
- rename
- renameat
- renameat2
- rmdir
- name: Check existence of unlinkat in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F
auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=delete
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- DISA_STIG_RHEL_09_654065 | bool
- audit_rules_file_deletion_events_unlinkat | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83755-9
- DISA-STIG-RHEL-09-654065
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.7
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.7
- audit_rules_file_deletion_events_unlinkat
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for unlinkat for 64bit platform
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- unlinkat
syscall_grouping:
- unlink
- unlinkat
- rename
- renameat
- renameat2
- rmdir
- name: Check existence of unlinkat in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path')
| list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/delete.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/delete.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S
|,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=delete
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- unlinkat
syscall_grouping:
- unlink
- unlinkat
- rename
- renameat
- renameat2
- rmdir
- name: Check existence of unlinkat in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F
auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=delete
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- DISA_STIG_RHEL_09_654065 | bool
- audit_rules_file_deletion_events_unlinkat | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- audit_arch == "b64"
tags:
- CCE-83755-9
- DISA-STIG-RHEL-09-654065
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.7
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.7
- audit_rules_file_deletion_events_unlinkat
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Set architecture for audit creat tasks
ansible.builtin.set_fact:
audit_arch: b64
when:
- DISA_STIG_RHEL_09_654070 | bool
- audit_rules_unsuccessful_file_modification_creat | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- not ( ansible_architecture == "aarch64" )
- ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture
== "s390x" or ansible_architecture == "x86_64"
tags:
- CCE-83786-4
- DISA-STIG-RHEL-09-654070
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- audit_rules_unsuccessful_file_modification_creat
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for creat EACCES for 32bit platform
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- creat
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of creat in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EACCES -F auid>=1000
-F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path')
| list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/access.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S
|,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- creat
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of creat in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EACCES -F auid>=1000
-F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F
exit=-EACCES -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- DISA_STIG_RHEL_09_654070 | bool
- audit_rules_unsuccessful_file_modification_creat | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- not ( ansible_architecture == "aarch64" )
tags:
- CCE-83786-4
- DISA-STIG-RHEL-09-654070
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- audit_rules_unsuccessful_file_modification_creat
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for creat EACCES for 64bit platform
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- creat
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of creat in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EACCES -F auid>=1000
-F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path')
| list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/access.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S
|,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- creat
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of creat in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EACCES -F auid>=1000
-F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F
exit=-EACCES -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- DISA_STIG_RHEL_09_654070 | bool
- audit_rules_unsuccessful_file_modification_creat | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- not ( ansible_architecture == "aarch64" )
- audit_arch == "b64"
tags:
- CCE-83786-4
- DISA-STIG-RHEL-09-654070
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- audit_rules_unsuccessful_file_modification_creat
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for creat EPERM for 32bit platform
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- creat
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of creat in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EPERM -F auid>=1000 -F
auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path')
| list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/access.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S
|,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- creat
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of creat in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EPERM -F auid>=1000 -F
auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F
exit=-EPERM -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- DISA_STIG_RHEL_09_654070 | bool
- audit_rules_unsuccessful_file_modification_creat | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- not ( ansible_architecture == "aarch64" )
tags:
- CCE-83786-4
- DISA-STIG-RHEL-09-654070
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- audit_rules_unsuccessful_file_modification_creat
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for creat EPERM for 64bit platform
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- creat
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of creat in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EPERM -F auid>=1000 -F
auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path')
| list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/access.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S
|,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- creat
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of creat in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EPERM -F auid>=1000 -F
auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F
exit=-EPERM -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- DISA_STIG_RHEL_09_654070 | bool
- audit_rules_unsuccessful_file_modification_creat | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- not ( ansible_architecture == "aarch64" )
- audit_arch == "b64"
tags:
- CCE-83786-4
- DISA-STIG-RHEL-09-654070
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- audit_rules_unsuccessful_file_modification_creat
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Set architecture for audit ftruncate tasks
ansible.builtin.set_fact:
audit_arch: b64
when:
- DISA_STIG_RHEL_09_654070 | bool
- audit_rules_unsuccessful_file_modification_ftruncate | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture
== "s390x" or ansible_architecture == "x86_64"
tags:
- CCE-83800-3
- DISA-STIG-RHEL-09-654070
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- audit_rules_unsuccessful_file_modification_ftruncate
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for ftruncate EACCES for 32bit platform
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- ftruncate
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of ftruncate in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EACCES -F auid>=1000
-F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path')
| list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/access.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S
|,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- ftruncate
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of ftruncate in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EACCES -F auid>=1000
-F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F
exit=-EACCES -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- DISA_STIG_RHEL_09_654070 | bool
- audit_rules_unsuccessful_file_modification_ftruncate | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83800-3
- DISA-STIG-RHEL-09-654070
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- audit_rules_unsuccessful_file_modification_ftruncate
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for ftruncate EACCES for 64bit platform
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- ftruncate
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of ftruncate in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EACCES -F auid>=1000
-F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path')
| list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/access.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S
|,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- ftruncate
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of ftruncate in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EACCES -F auid>=1000
-F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F
exit=-EACCES -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- DISA_STIG_RHEL_09_654070 | bool
- audit_rules_unsuccessful_file_modification_ftruncate | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- audit_arch == "b64"
tags:
- CCE-83800-3
- DISA-STIG-RHEL-09-654070
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- audit_rules_unsuccessful_file_modification_ftruncate
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for ftruncate EPERM for 32bit platform
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- ftruncate
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of ftruncate in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EPERM -F auid>=1000 -F
auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path')
| list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/access.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S
|,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- ftruncate
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of ftruncate in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EPERM -F auid>=1000 -F
auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F
exit=-EPERM -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- DISA_STIG_RHEL_09_654070 | bool
- audit_rules_unsuccessful_file_modification_ftruncate | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83800-3
- DISA-STIG-RHEL-09-654070
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- audit_rules_unsuccessful_file_modification_ftruncate
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for ftruncate EPERM for 64bit platform
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- ftruncate
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of ftruncate in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EPERM -F auid>=1000 -F
auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path')
| list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/access.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S
|,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- ftruncate
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of ftruncate in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EPERM -F auid>=1000 -F
auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F
exit=-EPERM -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- DISA_STIG_RHEL_09_654070 | bool
- audit_rules_unsuccessful_file_modification_ftruncate | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- audit_arch == "b64"
tags:
- CCE-83800-3
- DISA-STIG-RHEL-09-654070
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- audit_rules_unsuccessful_file_modification_ftruncate
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Set architecture for audit open tasks
ansible.builtin.set_fact:
audit_arch: b64
when:
- DISA_STIG_RHEL_09_654070 | bool
- audit_rules_unsuccessful_file_modification_open | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- not ( ansible_architecture == "aarch64" )
- ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture
== "s390x" or ansible_architecture == "x86_64"
tags:
- CCE-83801-1
- DISA-STIG-RHEL-09-654070
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- audit_rules_unsuccessful_file_modification_open
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for open EACCES for 32bit platform
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- open
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of open in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EACCES -F auid>=1000
-F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path')
| list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/access.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S
|,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- open
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of open in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EACCES -F auid>=1000
-F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F
exit=-EACCES -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- DISA_STIG_RHEL_09_654070 | bool
- audit_rules_unsuccessful_file_modification_open | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- not ( ansible_architecture == "aarch64" )
tags:
- CCE-83801-1
- DISA-STIG-RHEL-09-654070
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- audit_rules_unsuccessful_file_modification_open
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for open EACCES for 64bit platform
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- open
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of open in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EACCES -F auid>=1000
-F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path')
| list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/access.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S
|,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- open
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of open in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EACCES -F auid>=1000
-F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F
exit=-EACCES -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- DISA_STIG_RHEL_09_654070 | bool
- audit_rules_unsuccessful_file_modification_open | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- not ( ansible_architecture == "aarch64" )
- audit_arch == "b64"
tags:
- CCE-83801-1
- DISA-STIG-RHEL-09-654070
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- audit_rules_unsuccessful_file_modification_open
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for open EPERM for 32bit platform
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- open
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of open in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EPERM -F auid>=1000 -F
auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path')
| list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/access.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S
|,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- open
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of open in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EPERM -F auid>=1000 -F
auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F
exit=-EPERM -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- DISA_STIG_RHEL_09_654070 | bool
- audit_rules_unsuccessful_file_modification_open | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- not ( ansible_architecture == "aarch64" )
tags:
- CCE-83801-1
- DISA-STIG-RHEL-09-654070
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- audit_rules_unsuccessful_file_modification_open
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for open EPERM for 64bit platform
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- open
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of open in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EPERM -F auid>=1000 -F
auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path')
| list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/access.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S
|,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- open
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of open in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EPERM -F auid>=1000 -F
auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F
exit=-EPERM -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- DISA_STIG_RHEL_09_654070 | bool
- audit_rules_unsuccessful_file_modification_open | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- not ( ansible_architecture == "aarch64" )
- audit_arch == "b64"
tags:
- CCE-83801-1
- DISA-STIG-RHEL-09-654070
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- audit_rules_unsuccessful_file_modification_open
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Set architecture for audit openat tasks
ansible.builtin.set_fact:
audit_arch: b64
when:
- DISA_STIG_RHEL_09_654070 | bool
- audit_rules_unsuccessful_file_modification_openat | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture
== "s390x" or ansible_architecture == "x86_64"
tags:
- CCE-83794-8
- DISA-STIG-RHEL-09-654070
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- audit_rules_unsuccessful_file_modification_openat
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for openat EACCES for 32bit platform
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- openat
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of openat in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EACCES -F auid>=1000
-F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path')
| list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/access.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S
|,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- openat
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of openat in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EACCES -F auid>=1000
-F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F
exit=-EACCES -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- DISA_STIG_RHEL_09_654070 | bool
- audit_rules_unsuccessful_file_modification_openat | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83794-8
- DISA-STIG-RHEL-09-654070
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- audit_rules_unsuccessful_file_modification_openat
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for openat EACCES for 64bit platform
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- openat
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of openat in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EACCES -F auid>=1000
-F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path')
| list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/access.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S
|,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- openat
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of openat in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EACCES -F auid>=1000
-F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F
exit=-EACCES -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- DISA_STIG_RHEL_09_654070 | bool
- audit_rules_unsuccessful_file_modification_openat | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- audit_arch == "b64"
tags:
- CCE-83794-8
- DISA-STIG-RHEL-09-654070
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- audit_rules_unsuccessful_file_modification_openat
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for openat EPERM for 32bit platform
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- openat
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of openat in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EPERM -F auid>=1000 -F
auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path')
| list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/access.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S
|,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- openat
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of openat in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EPERM -F auid>=1000 -F
auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F
exit=-EPERM -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- DISA_STIG_RHEL_09_654070 | bool
- audit_rules_unsuccessful_file_modification_openat | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83794-8
- DISA-STIG-RHEL-09-654070
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- audit_rules_unsuccessful_file_modification_openat
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for openat EPERM for 64bit platform
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- openat
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of openat in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EPERM -F auid>=1000 -F
auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path')
| list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/access.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S
|,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- openat
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of openat in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EPERM -F auid>=1000 -F
auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F
exit=-EPERM -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- DISA_STIG_RHEL_09_654070 | bool
- audit_rules_unsuccessful_file_modification_openat | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- audit_arch == "b64"
tags:
- CCE-83794-8
- DISA-STIG-RHEL-09-654070
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- audit_rules_unsuccessful_file_modification_openat
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Set architecture for audit truncate tasks
ansible.builtin.set_fact:
audit_arch: b64
when:
- DISA_STIG_RHEL_09_654070 | bool
- audit_rules_unsuccessful_file_modification_truncate | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture
== "s390x" or ansible_architecture == "x86_64"
tags:
- CCE-83792-2
- DISA-STIG-RHEL-09-654070
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- audit_rules_unsuccessful_file_modification_truncate
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for truncate EACCES for 32bit platform
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- truncate
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of truncate in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EACCES -F auid>=1000
-F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path')
| list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/access.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S
|,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- truncate
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of truncate in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EACCES -F auid>=1000
-F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F
exit=-EACCES -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- DISA_STIG_RHEL_09_654070 | bool
- audit_rules_unsuccessful_file_modification_truncate | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83792-2
- DISA-STIG-RHEL-09-654070
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- audit_rules_unsuccessful_file_modification_truncate
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for truncate EACCES for 64bit platform
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- truncate
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of truncate in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EACCES -F auid>=1000
-F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path')
| list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/access.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S
|,)\w+)+)( -F exit=-EACCES -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- truncate
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of truncate in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EACCES -F auid>=1000
-F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F
exit=-EACCES -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- DISA_STIG_RHEL_09_654070 | bool
- audit_rules_unsuccessful_file_modification_truncate | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- audit_arch == "b64"
tags:
- CCE-83792-2
- DISA-STIG-RHEL-09-654070
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- audit_rules_unsuccessful_file_modification_truncate
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for truncate EPERM for 32bit platform
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- truncate
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of truncate in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EPERM -F auid>=1000 -F
auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path')
| list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/access.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S
|,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- truncate
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of truncate in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EPERM -F auid>=1000 -F
auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F
exit=-EPERM -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- DISA_STIG_RHEL_09_654070 | bool
- audit_rules_unsuccessful_file_modification_truncate | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83792-2
- DISA-STIG-RHEL-09-654070
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- audit_rules_unsuccessful_file_modification_truncate
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Perform remediation of Audit rules for truncate EPERM for 64bit platform
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- truncate
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of truncate in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EPERM -F auid>=1000 -F
auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path')
| list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/access.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/access.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S
|,)\w+)+)( -F exit=-EPERM -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- truncate
syscall_grouping:
- creat
- ftruncate
- truncate
- open
- openat
- open_by_handle_at
- name: Check existence of truncate in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F exit=-EPERM -F auid>=1000 -F
auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F
exit=-EPERM -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- DISA_STIG_RHEL_09_654070 | bool
- audit_rules_unsuccessful_file_modification_truncate | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- reboot_required | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- audit_arch == "b64"
tags:
- CCE-83792-2
- DISA-STIG-RHEL-09-654070
- NIST-800-171-3.1.7
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.1
- PCI-DSS-Req-10.2.4
- audit_rules_unsuccessful_file_modification_truncate
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Ensure auditd Collects Information on Kernel Module Unloading - create_module - Set architecture for audit ['create_module']
tasks
ansible.builtin.set_fact:
audit_arch: b64
when:
- audit_rules_kernel_module_loading_create | bool
- configure_strategy | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- not ( ansible_architecture == "aarch64" )
- ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture
== "s390x" or ansible_architecture == "x86_64"
tags:
- CCE-88436-1
- audit_rules_kernel_module_loading_create
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure auditd Collects Information on Kernel Module Unloading - create_module - Perform remediation of Audit rules
for ['create_module'] for 32bit platform
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- create_module
syscall_grouping:
- create_module
- delete_module
- finit_module
- init_module
- query_module
- name: Check existence of create_module in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path')
| list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/modules.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/modules.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S
|,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=modules
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- create_module
syscall_grouping:
- create_module
- delete_module
- finit_module
- init_module
- query_module
- name: Check existence of create_module in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F
auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=modules
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- audit_rules_kernel_module_loading_create | bool
- configure_strategy | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- not ( ansible_architecture == "aarch64" )
tags:
- CCE-88436-1
- audit_rules_kernel_module_loading_create
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure auditd Collects Information on Kernel Module Unloading - create_module - Perform remediation of Audit rules
for ['create_module'] for 64bit platform
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- create_module
syscall_grouping:
- create_module
- delete_module
- finit_module
- init_module
- query_module
- name: Check existence of create_module in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path')
| list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/modules.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/modules.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S
|,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=modules
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- create_module
syscall_grouping:
- create_module
- delete_module
- finit_module
- init_module
- query_module
- name: Check existence of create_module in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F
auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=modules
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- audit_rules_kernel_module_loading_create | bool
- configure_strategy | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- not ( ansible_architecture == "aarch64" )
- audit_arch == "b64"
tags:
- CCE-88436-1
- audit_rules_kernel_module_loading_create
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure auditd Collects Information on Kernel Module Unloading - delete_module - Set architecture for audit ['delete_module']
tasks
ansible.builtin.set_fact:
audit_arch: b64
when:
- DISA_STIG_RHEL_09_654075 | bool
- audit_rules_kernel_module_loading_delete | bool
- configure_strategy | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture
== "s390x" or ansible_architecture == "x86_64"
tags:
- CCE-83802-9
- DISA-STIG-RHEL-09-654075
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.7
- audit_rules_kernel_module_loading_delete
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure auditd Collects Information on Kernel Module Unloading - delete_module - Perform remediation of Audit rules
for ['delete_module'] for 32bit platform
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- delete_module
syscall_grouping:
- create_module
- delete_module
- finit_module
- init_module
- query_module
- name: Check existence of delete_module in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path')
| list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/modules.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/modules.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S
|,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=modules
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- delete_module
syscall_grouping:
- create_module
- delete_module
- finit_module
- init_module
- query_module
- name: Check existence of delete_module in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F
auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=modules
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- DISA_STIG_RHEL_09_654075 | bool
- audit_rules_kernel_module_loading_delete | bool
- configure_strategy | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83802-9
- DISA-STIG-RHEL-09-654075
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.7
- audit_rules_kernel_module_loading_delete
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure auditd Collects Information on Kernel Module Unloading - delete_module - Perform remediation of Audit rules
for ['delete_module'] for 64bit platform
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- delete_module
syscall_grouping:
- create_module
- delete_module
- finit_module
- init_module
- query_module
- name: Check existence of delete_module in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path')
| list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/modules.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/modules.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S
|,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=modules
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- delete_module
syscall_grouping:
- create_module
- delete_module
- finit_module
- init_module
- query_module
- name: Check existence of delete_module in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F
auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=modules
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- DISA_STIG_RHEL_09_654075 | bool
- audit_rules_kernel_module_loading_delete | bool
- configure_strategy | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- audit_arch == "b64"
tags:
- CCE-83802-9
- DISA-STIG-RHEL-09-654075
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.7
- audit_rules_kernel_module_loading_delete
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module - Set architecture for audit
['finit_module'] tasks
ansible.builtin.set_fact:
audit_arch: b64
when:
- DISA_STIG_RHEL_09_654080 | bool
- audit_rules_kernel_module_loading_finit | bool
- configure_strategy | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture
== "s390x" or ansible_architecture == "x86_64"
tags:
- CCE-83803-7
- DISA-STIG-RHEL-09-654080
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.7
- audit_rules_kernel_module_loading_finit
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module - Perform remediation of
Audit rules for ['finit_module'] for 32bit platform
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- finit_module
syscall_grouping:
- create_module
- delete_module
- finit_module
- init_module
- query_module
- name: Check existence of finit_module in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path')
| list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/modules.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/modules.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S
|,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=modules
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- finit_module
syscall_grouping:
- create_module
- delete_module
- finit_module
- init_module
- query_module
- name: Check existence of finit_module in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F
auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=modules
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- DISA_STIG_RHEL_09_654080 | bool
- audit_rules_kernel_module_loading_finit | bool
- configure_strategy | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83803-7
- DISA-STIG-RHEL-09-654080
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.7
- audit_rules_kernel_module_loading_finit
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module - Perform remediation of
Audit rules for ['finit_module'] for 64bit platform
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- finit_module
syscall_grouping:
- create_module
- delete_module
- finit_module
- init_module
- query_module
- name: Check existence of finit_module in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path')
| list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/modules.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/modules.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S
|,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=modules
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- finit_module
syscall_grouping:
- create_module
- delete_module
- finit_module
- init_module
- query_module
- name: Check existence of finit_module in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F
auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=modules
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- DISA_STIG_RHEL_09_654080 | bool
- audit_rules_kernel_module_loading_finit | bool
- configure_strategy | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- audit_arch == "b64"
tags:
- CCE-83803-7
- DISA-STIG-RHEL-09-654080
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.7
- audit_rules_kernel_module_loading_finit
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure auditd Collects Information on Kernel Module Loading - init_module - Set architecture for audit ['init_module']
tasks
ansible.builtin.set_fact:
audit_arch: b64
when:
- DISA_STIG_RHEL_09_654080 | bool
- audit_rules_kernel_module_loading_init | bool
- configure_strategy | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture
== "s390x" or ansible_architecture == "x86_64"
tags:
- CCE-90835-0
- DISA-STIG-RHEL-09-654080
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.7
- audit_rules_kernel_module_loading_init
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure auditd Collects Information on Kernel Module Loading - init_module - Perform remediation of Audit rules for
['init_module'] for 32bit platform
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- init_module
syscall_grouping:
- create_module
- delete_module
- finit_module
- init_module
- query_module
- name: Check existence of init_module in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path')
| list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/modules.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/modules.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S
|,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=modules
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- init_module
syscall_grouping:
- create_module
- delete_module
- finit_module
- init_module
- query_module
- name: Check existence of init_module in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F
auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=modules
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- DISA_STIG_RHEL_09_654080 | bool
- audit_rules_kernel_module_loading_init | bool
- configure_strategy | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-90835-0
- DISA-STIG-RHEL-09-654080
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.7
- audit_rules_kernel_module_loading_init
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure auditd Collects Information on Kernel Module Loading - init_module - Perform remediation of Audit rules for
['init_module'] for 64bit platform
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- init_module
syscall_grouping:
- create_module
- delete_module
- finit_module
- init_module
- query_module
- name: Check existence of init_module in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path')
| list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/modules.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/modules.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S
|,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=modules
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- init_module
syscall_grouping:
- create_module
- delete_module
- finit_module
- init_module
- query_module
- name: Check existence of init_module in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F
auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=modules
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- DISA_STIG_RHEL_09_654080 | bool
- audit_rules_kernel_module_loading_init | bool
- configure_strategy | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- audit_arch == "b64"
tags:
- CCE-90835-0
- DISA-STIG-RHEL-09-654080
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.7
- audit_rules_kernel_module_loading_init
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure auditd Collects Information on Kernel Module Loading and Unloading - query_module - Set architecture for audit
['query_module'] tasks
ansible.builtin.set_fact:
audit_arch: b64
when:
- audit_rules_kernel_module_loading_query | bool
- configure_strategy | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- not ( ansible_architecture == "aarch64" )
- ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture
== "s390x" or ansible_architecture == "x86_64"
tags:
- CCE-88749-7
- audit_rules_kernel_module_loading_query
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure auditd Collects Information on Kernel Module Loading and Unloading - query_module - Perform remediation of
Audit rules for ['query_module'] for 32bit platform
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- query_module
syscall_grouping:
- create_module
- delete_module
- finit_module
- init_module
- query_module
- name: Check existence of query_module in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path')
| list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/modules.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/modules.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S
|,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=modules
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- query_module
syscall_grouping:
- create_module
- delete_module
- finit_module
- init_module
- query_module
- name: Check existence of query_module in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F
auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=modules
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- audit_rules_kernel_module_loading_query | bool
- configure_strategy | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- not ( ansible_architecture == "aarch64" )
tags:
- CCE-88749-7
- audit_rules_kernel_module_loading_query
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure auditd Collects Information on Kernel Module Loading and Unloading - query_module - Perform remediation of
Audit rules for ['query_module'] for 64bit platform
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- query_module
syscall_grouping:
- create_module
- delete_module
- finit_module
- init_module
- query_module
- name: Check existence of query_module in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path')
| list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/modules.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/modules.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S
|,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=modules
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- query_module
syscall_grouping:
- create_module
- delete_module
- finit_module
- init_module
- query_module
- name: Check existence of query_module in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F
auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=modules
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- audit_rules_kernel_module_loading_query | bool
- configure_strategy | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- not ( ansible_architecture == "aarch64" )
- audit_arch == "b64"
tags:
- CCE-88749-7
- audit_rules_kernel_module_loading_query
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Record Attempts to Alter Logon and Logout Events - faillock - Check if watch rule for {{ var_accounts_passwords_pam_faillock_dir
}} already exists in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: ^\s*-w\s+{{ var_accounts_passwords_pam_faillock_dir }}\s+-p\s+wa(\s|$)+
patterns: '*.rules'
register: find_existing_watch_rules_d
when:
- DISA_STIG_RHEL_09_654250 | bool
- audit_rules_login_events_faillock | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83783-1
- DISA-STIG-RHEL-09-654250
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.3
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.3
- audit_rules_login_events_faillock
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Attempts to Alter Logon and Logout Events - faillock - Search /etc/audit/rules.d for other rules with specified
key logins
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: ^.*(?:-F key=|-k\s+)logins$
patterns: '*.rules'
register: find_watch_key
when:
- DISA_STIG_RHEL_09_654250 | bool
- audit_rules_login_events_faillock | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
tags:
- CCE-83783-1
- DISA-STIG-RHEL-09-654250
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.3
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.3
- audit_rules_login_events_faillock
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Attempts to Alter Logon and Logout Events - faillock - Use /etc/audit/rules.d/logins.rules as the recipient
for the rule
ansible.builtin.set_fact:
all_files:
- /etc/audit/rules.d/logins.rules
when:
- DISA_STIG_RHEL_09_654250 | bool
- audit_rules_login_events_faillock | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and
find_existing_watch_rules_d.matched == 0
tags:
- CCE-83783-1
- DISA-STIG-RHEL-09-654250
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.3
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.3
- audit_rules_login_events_faillock
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Attempts to Alter Logon and Logout Events - faillock - Use matched file as the recipient for the rule
ansible.builtin.set_fact:
all_files:
- '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
when:
- DISA_STIG_RHEL_09_654250 | bool
- audit_rules_login_events_faillock | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and
find_existing_watch_rules_d.matched == 0
tags:
- CCE-83783-1
- DISA-STIG-RHEL-09-654250
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.3
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.3
- audit_rules_login_events_faillock
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Attempts to Alter Logon and Logout Events - faillock - Add watch rule for {{ var_accounts_passwords_pam_faillock_dir
}} in /etc/audit/rules.d/
ansible.builtin.lineinfile:
path: '{{ all_files[0] }}'
line: -w {{ var_accounts_passwords_pam_faillock_dir }} -p wa -k logins
create: true
mode: '0600'
when:
- DISA_STIG_RHEL_09_654250 | bool
- audit_rules_login_events_faillock | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
tags:
- CCE-83783-1
- DISA-STIG-RHEL-09-654250
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.3
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.3
- audit_rules_login_events_faillock
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Attempts to Alter Logon and Logout Events - faillock - Check if watch rule for {{ var_accounts_passwords_pam_faillock_dir
}} already exists in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit/
contains: ^\s*-w\s+{{ var_accounts_passwords_pam_faillock_dir }}\s+-p\s+wa(\s|$)+
patterns: audit.rules
register: find_existing_watch_audit_rules
when:
- DISA_STIG_RHEL_09_654250 | bool
- audit_rules_login_events_faillock | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83783-1
- DISA-STIG-RHEL-09-654250
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.3
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.3
- audit_rules_login_events_faillock
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Attempts to Alter Logon and Logout Events - faillock - Add watch rule for {{ var_accounts_passwords_pam_faillock_dir
}} in /etc/audit/audit.rules
ansible.builtin.lineinfile:
line: -w {{ var_accounts_passwords_pam_faillock_dir }} -p wa -k logins
state: present
dest: /etc/audit/audit.rules
create: true
mode: '0600'
when:
- DISA_STIG_RHEL_09_654250 | bool
- audit_rules_login_events_faillock | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0
tags:
- CCE-83783-1
- DISA-STIG-RHEL-09-654250
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.3
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.3
- audit_rules_login_events_faillock
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Attempts to Alter Logon and Logout Events - lastlog - Check if watch rule for /var/log/lastlog already exists
in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: ^\s*-w\s+/var/log/lastlog\s+-p\s+wa(\s|$)+
patterns: '*.rules'
register: find_existing_watch_rules_d
when:
- DISA_STIG_RHEL_09_654255 | bool
- audit_rules_login_events_lastlog | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83785-6
- DISA-STIG-RHEL-09-654255
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.3
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.3
- audit_rules_login_events_lastlog
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Attempts to Alter Logon and Logout Events - lastlog - Search /etc/audit/rules.d for other rules with specified
key logins
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: ^.*(?:-F key=|-k\s+)logins$
patterns: '*.rules'
register: find_watch_key
when:
- DISA_STIG_RHEL_09_654255 | bool
- audit_rules_login_events_lastlog | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
tags:
- CCE-83785-6
- DISA-STIG-RHEL-09-654255
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.3
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.3
- audit_rules_login_events_lastlog
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Attempts to Alter Logon and Logout Events - lastlog - Use /etc/audit/rules.d/logins.rules as the recipient
for the rule
ansible.builtin.set_fact:
all_files:
- /etc/audit/rules.d/logins.rules
when:
- DISA_STIG_RHEL_09_654255 | bool
- audit_rules_login_events_lastlog | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and
find_existing_watch_rules_d.matched == 0
tags:
- CCE-83785-6
- DISA-STIG-RHEL-09-654255
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.3
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.3
- audit_rules_login_events_lastlog
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Attempts to Alter Logon and Logout Events - lastlog - Use matched file as the recipient for the rule
ansible.builtin.set_fact:
all_files:
- '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
when:
- DISA_STIG_RHEL_09_654255 | bool
- audit_rules_login_events_lastlog | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and
find_existing_watch_rules_d.matched == 0
tags:
- CCE-83785-6
- DISA-STIG-RHEL-09-654255
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.3
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.3
- audit_rules_login_events_lastlog
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Attempts to Alter Logon and Logout Events - lastlog - Add watch rule for /var/log/lastlog in /etc/audit/rules.d/
ansible.builtin.lineinfile:
path: '{{ all_files[0] }}'
line: -w /var/log/lastlog -p wa -k logins
create: true
mode: '0600'
when:
- DISA_STIG_RHEL_09_654255 | bool
- audit_rules_login_events_lastlog | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
tags:
- CCE-83785-6
- DISA-STIG-RHEL-09-654255
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.3
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.3
- audit_rules_login_events_lastlog
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Attempts to Alter Logon and Logout Events - lastlog - Check if watch rule for /var/log/lastlog already exists
in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit/
contains: ^\s*-w\s+/var/log/lastlog\s+-p\s+wa(\s|$)+
patterns: audit.rules
register: find_existing_watch_audit_rules
when:
- DISA_STIG_RHEL_09_654255 | bool
- audit_rules_login_events_lastlog | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83785-6
- DISA-STIG-RHEL-09-654255
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.3
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.3
- audit_rules_login_events_lastlog
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Attempts to Alter Logon and Logout Events - lastlog - Add watch rule for /var/log/lastlog in /etc/audit/audit.rules
ansible.builtin.lineinfile:
line: -w /var/log/lastlog -p wa -k logins
state: present
dest: /etc/audit/audit.rules
create: true
mode: '0600'
when:
- DISA_STIG_RHEL_09_654255 | bool
- audit_rules_login_events_lastlog | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0
tags:
- CCE-83785-6
- DISA-STIG-RHEL-09-654255
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.3
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- PCI-DSSv4-10.2.1.3
- audit_rules_login_events_lastlog
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure auditd Collects Information on the Use of Privileged Commands - Set List of Mount Points Which Permits Execution
of Privileged Commands
ansible.builtin.set_fact:
privileged_mount_points: '{{ (ansible_facts.mounts | rejectattr(''options'', ''search'', ''noexec|nosuid'') | rejectattr(''mount'',
''match'', ''/proc($|/.*$)'') | map(attribute=''mount'') | list ) }}'
when:
- audit_rules_privileged_commands | bool
- configure_strategy | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83759-1
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.2
- audit_rules_privileged_commands
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure auditd Collects Information on the Use of Privileged Commands - Search for Privileged Commands in Eligible
Mount Points
ansible.builtin.shell:
cmd: find {{ item }} -xdev -perm /6000 -type f 2>/dev/null
register: result_privileged_commands_search
changed_when: false
failed_when: false
with_items: '{{ privileged_mount_points }}'
when:
- audit_rules_privileged_commands | bool
- configure_strategy | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83759-1
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.2
- audit_rules_privileged_commands
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure auditd Collects Information on the Use of Privileged Commands - Set List of Privileged Commands Found in Eligible
Mount Points
ansible.builtin.set_fact:
privileged_commands: '{{ privileged_commands | default([]) + item.stdout_lines }}'
loop: '{{ result_privileged_commands_search.results }}'
when:
- audit_rules_privileged_commands | bool
- configure_strategy | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- item is not skipped
tags:
- CCE-83759-1
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.2
- audit_rules_privileged_commands
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure auditd Collects Information on the Use of Privileged Commands - Privileged Commands are Present in the System
block:
- name: Ensure auditd Collects Information on the Use of Privileged Commands - Ensure Rules for All Privileged Commands
in augenrules Format
ansible.builtin.lineinfile:
path: /etc/audit/rules.d/privileged.rules
line: -a always,exit -F path={{ item }} -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
regexp: ^.*path={{ item | regex_escape() }} .*$
create: true
with_items:
- '{{ privileged_commands }}'
- name: Ensure auditd Collects Information on the Use of Privileged Commands - Ensure Rules for All Privileged Commands
in auditctl Format
ansible.builtin.lineinfile:
path: /etc/audit/audit.rules
line: -a always,exit -F path={{ item }} -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
regexp: ^.*path={{ item | regex_escape() }} .*$
create: true
with_items:
- '{{ privileged_commands }}'
- name: Ensure auditd Collects Information on the Use of Privileged Commands - Search for Duplicated Rules in Other Files
ansible.builtin.find:
paths: /etc/audit/rules.d
recurse: false
contains: ^-a always,exit -F path={{ item }} .*$
patterns: '*.rules'
with_items:
- '{{ privileged_commands }}'
register: result_augenrules_files
- name: Ensure auditd Collects Information on the Use of Privileged Commands - Ensure Rules for Privileged Commands are
Defined Only in One File
ansible.builtin.lineinfile:
path: '{{ item.1.path }}'
regexp: ^-a always,exit -F path={{ item.0.item }} .*$
state: absent
with_subelements:
- '{{ result_augenrules_files.results }}'
- files
when:
- item.1.path != '/etc/audit/rules.d/privileged.rules'
when:
- audit_rules_privileged_commands | bool
- configure_strategy | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- privileged_commands is defined
tags:
- CCE-83759-1
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-2(4)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.2.2
- audit_rules_privileged_commands
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure auditd Collects Information on the Use of Privileged Commands - kmod - Perform remediation of Audit rules for
/usr/bin/kmod
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls: []
syscall_grouping: []
- name: Check existence of in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F path=/usr/bin/kmod -F perm=x -F auid>=1000
-F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path')
| list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/privileged.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/privileged.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)(
-F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls: []
syscall_grouping: []
- name: Check existence of in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F path=/usr/bin/kmod -F perm=x -F auid>=1000
-F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/kmod
-F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- DISA_STIG_RHEL_09_654105 | bool
- audit_rules_privileged_commands_kmod | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-90262-7
- DISA-STIG-RHEL-09-654105
- NIST-800-53-AU-12(a)
- NIST-800-53-AU-12.1(ii)
- NIST-800-53-AU-12.1(iv)AU-12(c)
- NIST-800-53-AU-3
- NIST-800-53-AU-3.1
- NIST-800-53-MA-4(1)(a)
- audit_rules_privileged_commands_kmod
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure auditd Collects Information on the Use of Privileged Commands - usermod - Perform remediation of Audit rules
for /usr/sbin/usermod
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls: []
syscall_grouping: []
- name: Check existence of in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F path=/usr/sbin/usermod -F perm=x -F auid>=1000
-F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path')
| list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/privileged.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/privileged.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)(
-F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls: []
syscall_grouping: []
- name: Check existence of in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F path=/usr/sbin/usermod -F perm=x -F auid>=1000
-F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/usermod
-F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- DISA_STIG_RHEL_09_654175 | bool
- audit_rules_privileged_commands_usermod | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-87212-7
- DISA-STIG-RHEL-09-654175
- audit_rules_privileged_commands_usermod
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set architecture for audit tasks
ansible.builtin.set_fact:
audit_arch: b64
when:
- audit_rules_time_adjtimex | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture
== "s390x" or ansible_architecture == "x86_64"
tags:
- CCE-83840-9
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.4.2.b
- PCI-DSSv4-10.6
- PCI-DSSv4-10.6.3
- audit_rules_time_adjtimex
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Perform remediation of Audit rules for adjtimex for 32bit platform
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- adjtimex
syscall_grouping:
- adjtimex
- settimeofday
- stime
- name: Check existence of adjtimex in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path')
| list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/audit_time_rules.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/audit_time_rules.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S
|,)\w+)+)( (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=audit_time_rules
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- adjtimex
syscall_grouping:
- adjtimex
- settimeofday
- stime
- name: Check existence of adjtimex in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k
|-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=audit_time_rules
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- audit_rules_time_adjtimex | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83840-9
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.4.2.b
- PCI-DSSv4-10.6
- PCI-DSSv4-10.6.3
- audit_rules_time_adjtimex
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Perform remediation of Audit rules for adjtimex for 64bit platform
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- adjtimex
syscall_grouping:
- adjtimex
- settimeofday
- name: Check existence of adjtimex in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path')
| list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/audit_time_rules.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/audit_time_rules.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S
|,)\w+)+)( (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F key=audit_time_rules
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- adjtimex
syscall_grouping:
- adjtimex
- settimeofday
- stime
- name: Check existence of adjtimex in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k
|-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F key=audit_time_rules
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- audit_rules_time_adjtimex | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- audit_arch == "b64"
tags:
- CCE-83840-9
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.4.2.b
- PCI-DSSv4-10.6
- PCI-DSSv4-10.6.3
- audit_rules_time_adjtimex
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set architecture for audit tasks
ansible.builtin.set_fact:
audit_arch: b64
when:
- audit_rules_time_clock_settime | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture
== "s390x" or ansible_architecture == "x86_64"
tags:
- CCE-83837-5
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.4.2.b
- PCI-DSSv4-10.6
- PCI-DSSv4-10.6.3
- audit_rules_time_clock_settime
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Perform remediation of Audit rules for clock_settime for 32bit platform
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- clock_settime
syscall_grouping: []
- name: Check existence of clock_settime in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F a0=0x0 (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path')
| list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/time-change.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/time-change.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S
|,)\w+)+)( -F a0=0x0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a0=0x0 -F key=time-change
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- clock_settime
syscall_grouping: []
- name: Check existence of clock_settime in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F a0=0x0 (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F
a0=0x0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a0=0x0 -F key=time-change
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- audit_rules_time_clock_settime | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83837-5
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.4.2.b
- PCI-DSSv4-10.6
- PCI-DSSv4-10.6.3
- audit_rules_time_clock_settime
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Perform remediation of Audit rules for clock_settime for 64bit platform
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- clock_settime
syscall_grouping: []
- name: Check existence of clock_settime in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F a0=0x0 (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path')
| list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/time-change.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/time-change.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S
|,)\w+)+)( -F a0=0x0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a0=0x0 -F key=time-change
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- clock_settime
syscall_grouping: []
- name: Check existence of clock_settime in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F a0=0x0 (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F
a0=0x0 (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a0=0x0 -F key=time-change
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- audit_rules_time_clock_settime | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- audit_arch == "b64"
tags:
- CCE-83837-5
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.4.2.b
- PCI-DSSv4-10.6
- PCI-DSSv4-10.6.3
- audit_rules_time_clock_settime
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set architecture for audit tasks
set_fact:
audit_arch: b64
when:
- audit_rules_time_settimeofday | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture
== "s390x" or ansible_architecture == "x86_64"
tags:
- CCE-83836-7
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.4.2.b
- PCI-DSSv4-10.6
- PCI-DSSv4-10.6.3
- audit_rules_time_settimeofday
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Perform remediation of Audit rules for settimeofday for 32bit platform
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- settimeofday
syscall_grouping:
- adjtimex
- settimeofday
- stime
- name: Check existence of settimeofday in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path')
| list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/audit_time_rules.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/audit_time_rules.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S
|,)\w+)+)( (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=audit_time_rules
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- settimeofday
syscall_grouping:
- adjtimex
- settimeofday
- stime
- name: Check existence of settimeofday in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k
|-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=audit_time_rules
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- audit_rules_time_settimeofday | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83836-7
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.4.2.b
- PCI-DSSv4-10.6
- PCI-DSSv4-10.6.3
- audit_rules_time_settimeofday
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Perform remediation of Audit rules for settimeofday for 64bit platform
block:
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- settimeofday
syscall_grouping:
- adjtimex
- settimeofday
- stime
- name: Check existence of settimeofday in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$
patterns: '*.rules'
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Reset syscalls found per file
ansible.builtin.set_fact:
syscalls_per_file: {}
found_paths_dict: {}
- name: Declare syscalls found per file
ansible.builtin.set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path,
[]) } ) }}"
loop: '{{ find_command.results | selectattr(''matched'') | list }}'
- name: Declare files where syscalls were found
ansible.builtin.set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path')
| list }}"
- name: Count occurrences of syscalls in paths
ansible.builtin.set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'
- name: Get path with most syscalls
ansible.builtin.set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
when: found_paths | length >= 1
- name: No file with syscall found, set path to /etc/audit/rules.d/audit_time_rules.rules
ansible.builtin.set_fact: audit_file="/etc/audit/rules.d/audit_time_rules.rules"
when: found_paths | length == 0
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S
|,)\w+)+)( (?:-k |-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F key=audit_time_rules
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
- name: Declare list of syscalls
ansible.builtin.set_fact:
syscalls:
- settimeofday
syscall_grouping:
- adjtimex
- settimeofday
- stime
- name: Check existence of settimeofday in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit
contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$
patterns: audit.rules
register: find_command
loop: '{{ (syscall_grouping + syscalls) | unique }}'
- name: Set path to /etc/audit/audit.rules
ansible.builtin.set_fact: audit_file="/etc/audit/audit.rules"
- name: Declare found syscalls
ansible.builtin.set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list
}}"
- name: Declare missing syscalls
ansible.builtin.set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
- name: Replace the audit rule in {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k
|-F key=)\w+)
line: \1\2\3{{ missing_syscalls | join("\3") }}\4
backrefs: true
state: present
mode: g-rwx,o-rwx
when: syscalls_found | length > 0 and missing_syscalls | length > 0
- name: Add the audit rule to {{ audit_file }}
ansible.builtin.lineinfile:
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F key=audit_time_rules
create: true
mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
- audit_rules_time_settimeofday | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- audit_arch == "b64"
tags:
- CCE-83836-7
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.4.2.b
- PCI-DSSv4-10.6
- PCI-DSSv4-10.6.3
- audit_rules_time_settimeofday
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Attempts to Alter the localtime File - Check if watch rule for /etc/localtime already exists in /etc/audit/rules.d/
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: ^\s*-w\s+/etc/localtime\s+-p\s+wa(\s|$)+
patterns: '*.rules'
register: find_existing_watch_rules_d
when:
- audit_rules_time_watch_localtime | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83839-1
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.4.2.b
- PCI-DSSv4-10.6
- PCI-DSSv4-10.6.3
- audit_rules_time_watch_localtime
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Attempts to Alter the localtime File - Search /etc/audit/rules.d for other rules with specified key audit_time_rules
ansible.builtin.find:
paths: /etc/audit/rules.d
contains: ^.*(?:-F key=|-k\s+)audit_time_rules$
patterns: '*.rules'
register: find_watch_key
when:
- audit_rules_time_watch_localtime | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
tags:
- CCE-83839-1
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.4.2.b
- PCI-DSSv4-10.6
- PCI-DSSv4-10.6.3
- audit_rules_time_watch_localtime
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Attempts to Alter the localtime File - Use /etc/audit/rules.d/audit_time_rules.rules as the recipient for the
rule
ansible.builtin.set_fact:
all_files:
- /etc/audit/rules.d/audit_time_rules.rules
when:
- audit_rules_time_watch_localtime | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and
find_existing_watch_rules_d.matched == 0
tags:
- CCE-83839-1
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.4.2.b
- PCI-DSSv4-10.6
- PCI-DSSv4-10.6.3
- audit_rules_time_watch_localtime
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Attempts to Alter the localtime File - Use matched file as the recipient for the rule
ansible.builtin.set_fact:
all_files:
- '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
when:
- audit_rules_time_watch_localtime | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and
find_existing_watch_rules_d.matched == 0
tags:
- CCE-83839-1
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.4.2.b
- PCI-DSSv4-10.6
- PCI-DSSv4-10.6.3
- audit_rules_time_watch_localtime
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Attempts to Alter the localtime File - Add watch rule for /etc/localtime in /etc/audit/rules.d/
ansible.builtin.lineinfile:
path: '{{ all_files[0] }}'
line: -w /etc/localtime -p wa -k audit_time_rules
create: true
mode: '0600'
when:
- audit_rules_time_watch_localtime | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
tags:
- CCE-83839-1
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.4.2.b
- PCI-DSSv4-10.6
- PCI-DSSv4-10.6.3
- audit_rules_time_watch_localtime
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Attempts to Alter the localtime File - Check if watch rule for /etc/localtime already exists in /etc/audit/audit.rules
ansible.builtin.find:
paths: /etc/audit/
contains: ^\s*-w\s+/etc/localtime\s+-p\s+wa(\s|$)+
patterns: audit.rules
register: find_existing_watch_audit_rules
when:
- audit_rules_time_watch_localtime | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83839-1
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.4.2.b
- PCI-DSSv4-10.6
- PCI-DSSv4-10.6.3
- audit_rules_time_watch_localtime
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Record Attempts to Alter the localtime File - Add watch rule for /etc/localtime in /etc/audit/audit.rules
ansible.builtin.lineinfile:
line: -w /etc/localtime -p wa -k audit_time_rules
state: present
dest: /etc/audit/audit.rules
create: true
mode: '0600'
when:
- audit_rules_time_watch_localtime | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
- find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0
tags:
- CCE-83839-1
- CJIS-5.4.1.1
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.4.2.b
- PCI-DSSv4-10.6
- PCI-DSSv4-10.6.3
- audit_rules_time_watch_localtime
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Configure auditd Disk Error Action on Disk Error
ansible.builtin.lineinfile:
dest: /etc/audit/auditd.conf
line: disk_error_action = {{ var_auditd_disk_error_action.split('|')[0] }}
regexp: ^\s*disk_error_action\s*=\s*.*$
state: present
create: true
when:
- auditd_data_disk_error_action | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83690-8
- NIST-800-53-AU-5(1)
- NIST-800-53-AU-5(2)
- NIST-800-53-AU-5(4)
- NIST-800-53-AU-5(b)
- NIST-800-53-CM-6(a)
- auditd_data_disk_error_action
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Configure auditd Disk Full Action when Disk Space Is Full
ansible.builtin.lineinfile:
dest: /etc/audit/auditd.conf
line: disk_full_action = {{ var_auditd_disk_full_action.split('|')[0] }}
regexp: ^\s*disk_full_action\s*=\s*.*$
state: present
create: true
when:
- auditd_data_disk_full_action | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83684-1
- NIST-800-53-AU-5(1)
- NIST-800-53-AU-5(2)
- NIST-800-53-AU-5(4)
- NIST-800-53-AU-5(b)
- NIST-800-53-CM-6(a)
- auditd_data_disk_full_action
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Configure auditd mail_acct Action on Low Disk Space - Configure auditd mail_acct Action on Low Disk Space
ansible.builtin.lineinfile:
dest: /etc/audit/auditd.conf
regexp: ^action_mail_acct
line: action_mail_acct = {{ var_auditd_action_mail_acct }}
state: present
create: true
when:
- DISA_STIG_RHEL_09_653070 | bool
- auditd_data_retention_action_mail_acct | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83698-1
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-653070
- NIST-800-171-3.3.1
- NIST-800-53-AU-5(2)
- NIST-800-53-AU-5(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)
- PCI-DSS-Req-10.7.a
- auditd_data_retention_action_mail_acct
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Configure auditd admin_space_left Action on Low Disk Space
ansible.builtin.lineinfile:
dest: /etc/audit/auditd.conf
line: admin_space_left_action = {{ var_auditd_admin_space_left_action .split('|')[0] }}
regexp: ^\s*admin_space_left_action\s*=\s*.*$
state: present
create: true
when:
- DISA_STIG_RHEL_09_653050 | bool
- auditd_data_retention_admin_space_left_action | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83700-5
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-653050
- NIST-800-171-3.3.1
- NIST-800-53-AU-5(1)
- NIST-800-53-AU-5(2)
- NIST-800-53-AU-5(4)
- NIST-800-53-AU-5(b)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.7
- PCI-DSSv4-10.5
- PCI-DSSv4-10.5.1
- auditd_data_retention_admin_space_left_action
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Configure auditd Max Log File Size
ansible.builtin.lineinfile:
dest: /etc/audit/auditd.conf
regexp: ^\s*max_log_file\s*=\s*.*$
line: max_log_file = {{ var_auditd_max_log_file }}
state: present
create: true
when:
- auditd_data_retention_max_log_file | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83683-3
- CJIS-5.4.1.1
- NIST-800-53-AU-11
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.7
- auditd_data_retention_max_log_file
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Configure auditd max_log_file_action Upon Reaching Maximum Log Size
ansible.builtin.lineinfile:
dest: /etc/audit/auditd.conf
line: max_log_file_action = {{ var_auditd_max_log_file_action }}
regexp: ^\s*max_log_file_action\s*=\s*.*$
state: present
create: true
when:
- auditd_data_retention_max_log_file_action | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83701-3
- CJIS-5.4.1.1
- NIST-800-53-AU-5(1)
- NIST-800-53-AU-5(2)
- NIST-800-53-AU-5(4)
- NIST-800-53-AU-5(b)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.7
- auditd_data_retention_max_log_file_action
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Configure auditd space_left Action on Low Disk Space
ansible.builtin.lineinfile:
dest: /etc/audit/auditd.conf
line: space_left_action = {{ var_auditd_space_left_action.split('|')[0] }}
regexp: ^\s*space_left_action\s*=\s*.*$
state: present
create: true
when:
- DISA_STIG_RHEL_09_653040 | bool
- auditd_data_retention_space_left_action | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- restrict_strategy | bool
- '"audit" in ansible_facts.packages'
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83703-9
- CJIS-5.4.1.1
- DISA-STIG-RHEL-09-653040
- NIST-800-171-3.3.1
- NIST-800-53-AU-5(1)
- NIST-800-53-AU-5(2)
- NIST-800-53-AU-5(4)
- NIST-800-53-AU-5(b)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.7
- PCI-DSSv4-10.5
- PCI-DSSv4-10.5.1
- auditd_data_retention_space_left_action
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set the file_groupownership_audit_binaries_newgroup variable if represented by gid
ansible.builtin.set_fact:
file_groupownership_audit_binaries_newgroup: '0'
when:
- configure_strategy | bool
- file_groupownership_audit_binaries | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86457-9
- configure_strategy
- file_groupownership_audit_binaries
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Test for existence /sbin/auditctl
ansible.builtin.stat:
path: /sbin/auditctl
register: file_exists
when:
- configure_strategy | bool
- file_groupownership_audit_binaries | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86457-9
- configure_strategy
- file_groupownership_audit_binaries
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure group owner on /sbin/auditctl
ansible.builtin.file:
path: /sbin/auditctl
follow: false
group: '{{ file_groupownership_audit_binaries_newgroup }}'
when:
- configure_strategy | bool
- file_groupownership_audit_binaries | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-86457-9
- configure_strategy
- file_groupownership_audit_binaries
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Test for existence /sbin/aureport
ansible.builtin.stat:
path: /sbin/aureport
register: file_exists
when:
- configure_strategy | bool
- file_groupownership_audit_binaries | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86457-9
- configure_strategy
- file_groupownership_audit_binaries
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure group owner on /sbin/aureport
ansible.builtin.file:
path: /sbin/aureport
follow: false
group: '{{ file_groupownership_audit_binaries_newgroup }}'
when:
- configure_strategy | bool
- file_groupownership_audit_binaries | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-86457-9
- configure_strategy
- file_groupownership_audit_binaries
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Test for existence /sbin/ausearch
ansible.builtin.stat:
path: /sbin/ausearch
register: file_exists
when:
- configure_strategy | bool
- file_groupownership_audit_binaries | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86457-9
- configure_strategy
- file_groupownership_audit_binaries
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure group owner on /sbin/ausearch
ansible.builtin.file:
path: /sbin/ausearch
follow: false
group: '{{ file_groupownership_audit_binaries_newgroup }}'
when:
- configure_strategy | bool
- file_groupownership_audit_binaries | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-86457-9
- configure_strategy
- file_groupownership_audit_binaries
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Test for existence /sbin/autrace
ansible.builtin.stat:
path: /sbin/autrace
register: file_exists
when:
- configure_strategy | bool
- file_groupownership_audit_binaries | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86457-9
- configure_strategy
- file_groupownership_audit_binaries
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure group owner on /sbin/autrace
ansible.builtin.file:
path: /sbin/autrace
follow: false
group: '{{ file_groupownership_audit_binaries_newgroup }}'
when:
- configure_strategy | bool
- file_groupownership_audit_binaries | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-86457-9
- configure_strategy
- file_groupownership_audit_binaries
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Test for existence /sbin/auditd
ansible.builtin.stat:
path: /sbin/auditd
register: file_exists
when:
- configure_strategy | bool
- file_groupownership_audit_binaries | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86457-9
- configure_strategy
- file_groupownership_audit_binaries
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure group owner on /sbin/auditd
ansible.builtin.file:
path: /sbin/auditd
follow: false
group: '{{ file_groupownership_audit_binaries_newgroup }}'
when:
- configure_strategy | bool
- file_groupownership_audit_binaries | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-86457-9
- configure_strategy
- file_groupownership_audit_binaries
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Test for existence /sbin/augenrules
ansible.builtin.stat:
path: /sbin/augenrules
register: file_exists
when:
- configure_strategy | bool
- file_groupownership_audit_binaries | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86457-9
- configure_strategy
- file_groupownership_audit_binaries
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure group owner on /sbin/augenrules
ansible.builtin.file:
path: /sbin/augenrules
follow: false
group: '{{ file_groupownership_audit_binaries_newgroup }}'
when:
- configure_strategy | bool
- file_groupownership_audit_binaries | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-86457-9
- configure_strategy
- file_groupownership_audit_binaries
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Test for existence /sbin/audisp-syslog
ansible.builtin.stat:
path: /sbin/audisp-syslog
register: file_exists
when:
- configure_strategy | bool
- file_groupownership_audit_binaries | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86457-9
- configure_strategy
- file_groupownership_audit_binaries
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure group owner on /sbin/audisp-syslog
ansible.builtin.file:
path: /sbin/audisp-syslog
follow: false
group: '{{ file_groupownership_audit_binaries_newgroup }}'
when:
- configure_strategy | bool
- file_groupownership_audit_binaries | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-86457-9
- configure_strategy
- file_groupownership_audit_binaries
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Set the file_ownership_audit_binaries_newown variable if represented by uid
ansible.builtin.set_fact:
file_ownership_audit_binaries_newown: '0'
when:
- configure_strategy | bool
- file_ownership_audit_binaries | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86454-6
- configure_strategy
- file_ownership_audit_binaries
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Test for existence /sbin/auditctl
ansible.builtin.stat:
path: /sbin/auditctl
register: file_exists
when:
- configure_strategy | bool
- file_ownership_audit_binaries | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86454-6
- configure_strategy
- file_ownership_audit_binaries
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure owner on /sbin/auditctl
ansible.builtin.file:
path: /sbin/auditctl
follow: false
owner: '{{ file_ownership_audit_binaries_newown }}'
when:
- configure_strategy | bool
- file_ownership_audit_binaries | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-86454-6
- configure_strategy
- file_ownership_audit_binaries
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Test for existence /sbin/aureport
ansible.builtin.stat:
path: /sbin/aureport
register: file_exists
when:
- configure_strategy | bool
- file_ownership_audit_binaries | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86454-6
- configure_strategy
- file_ownership_audit_binaries
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure owner on /sbin/aureport
ansible.builtin.file:
path: /sbin/aureport
follow: false
owner: '{{ file_ownership_audit_binaries_newown }}'
when:
- configure_strategy | bool
- file_ownership_audit_binaries | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-86454-6
- configure_strategy
- file_ownership_audit_binaries
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Test for existence /sbin/ausearch
ansible.builtin.stat:
path: /sbin/ausearch
register: file_exists
when:
- configure_strategy | bool
- file_ownership_audit_binaries | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86454-6
- configure_strategy
- file_ownership_audit_binaries
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure owner on /sbin/ausearch
ansible.builtin.file:
path: /sbin/ausearch
follow: false
owner: '{{ file_ownership_audit_binaries_newown }}'
when:
- configure_strategy | bool
- file_ownership_audit_binaries | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-86454-6
- configure_strategy
- file_ownership_audit_binaries
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Test for existence /sbin/autrace
ansible.builtin.stat:
path: /sbin/autrace
register: file_exists
when:
- configure_strategy | bool
- file_ownership_audit_binaries | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86454-6
- configure_strategy
- file_ownership_audit_binaries
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure owner on /sbin/autrace
ansible.builtin.file:
path: /sbin/autrace
follow: false
owner: '{{ file_ownership_audit_binaries_newown }}'
when:
- configure_strategy | bool
- file_ownership_audit_binaries | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-86454-6
- configure_strategy
- file_ownership_audit_binaries
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Test for existence /sbin/auditd
ansible.builtin.stat:
path: /sbin/auditd
register: file_exists
when:
- configure_strategy | bool
- file_ownership_audit_binaries | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86454-6
- configure_strategy
- file_ownership_audit_binaries
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure owner on /sbin/auditd
ansible.builtin.file:
path: /sbin/auditd
follow: false
owner: '{{ file_ownership_audit_binaries_newown }}'
when:
- configure_strategy | bool
- file_ownership_audit_binaries | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-86454-6
- configure_strategy
- file_ownership_audit_binaries
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Test for existence /sbin/augenrules
ansible.builtin.stat:
path: /sbin/augenrules
register: file_exists
when:
- configure_strategy | bool
- file_ownership_audit_binaries | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86454-6
- configure_strategy
- file_ownership_audit_binaries
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure owner on /sbin/augenrules
ansible.builtin.file:
path: /sbin/augenrules
follow: false
owner: '{{ file_ownership_audit_binaries_newown }}'
when:
- configure_strategy | bool
- file_ownership_audit_binaries | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-86454-6
- configure_strategy
- file_ownership_audit_binaries
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Test for existence /sbin/audisp-syslog
ansible.builtin.stat:
path: /sbin/audisp-syslog
register: file_exists
when:
- configure_strategy | bool
- file_ownership_audit_binaries | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86454-6
- configure_strategy
- file_ownership_audit_binaries
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure owner on /sbin/audisp-syslog
ansible.builtin.file:
path: /sbin/audisp-syslog
follow: false
owner: '{{ file_ownership_audit_binaries_newown }}'
when:
- configure_strategy | bool
- file_ownership_audit_binaries | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-86454-6
- configure_strategy
- file_ownership_audit_binaries
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Test for existence /sbin/auditctl
ansible.builtin.stat:
path: /sbin/auditctl
register: file_exists
when:
- configure_strategy | bool
- file_permissions_audit_binaries | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86448-8
- configure_strategy
- file_permissions_audit_binaries
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure permission u-s,g-ws,o-wt on /sbin/auditctl
ansible.builtin.file:
path: /sbin/auditctl
mode: u-s,g-ws,o-wt
when:
- configure_strategy | bool
- file_permissions_audit_binaries | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-86448-8
- configure_strategy
- file_permissions_audit_binaries
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Test for existence /sbin/aureport
ansible.builtin.stat:
path: /sbin/aureport
register: file_exists
when:
- configure_strategy | bool
- file_permissions_audit_binaries | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86448-8
- configure_strategy
- file_permissions_audit_binaries
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure permission u-s,g-ws,o-wt on /sbin/aureport
ansible.builtin.file:
path: /sbin/aureport
mode: u-s,g-ws,o-wt
when:
- configure_strategy | bool
- file_permissions_audit_binaries | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-86448-8
- configure_strategy
- file_permissions_audit_binaries
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Test for existence /sbin/ausearch
ansible.builtin.stat:
path: /sbin/ausearch
register: file_exists
when:
- configure_strategy | bool
- file_permissions_audit_binaries | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86448-8
- configure_strategy
- file_permissions_audit_binaries
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure permission u-s,g-ws,o-wt on /sbin/ausearch
ansible.builtin.file:
path: /sbin/ausearch
mode: u-s,g-ws,o-wt
when:
- configure_strategy | bool
- file_permissions_audit_binaries | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-86448-8
- configure_strategy
- file_permissions_audit_binaries
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Test for existence /sbin/autrace
ansible.builtin.stat:
path: /sbin/autrace
register: file_exists
when:
- configure_strategy | bool
- file_permissions_audit_binaries | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86448-8
- configure_strategy
- file_permissions_audit_binaries
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure permission u-s,g-ws,o-wt on /sbin/autrace
ansible.builtin.file:
path: /sbin/autrace
mode: u-s,g-ws,o-wt
when:
- configure_strategy | bool
- file_permissions_audit_binaries | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-86448-8
- configure_strategy
- file_permissions_audit_binaries
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Test for existence /sbin/auditd
ansible.builtin.stat:
path: /sbin/auditd
register: file_exists
when:
- configure_strategy | bool
- file_permissions_audit_binaries | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86448-8
- configure_strategy
- file_permissions_audit_binaries
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure permission u-s,g-ws,o-wt on /sbin/auditd
ansible.builtin.file:
path: /sbin/auditd
mode: u-s,g-ws,o-wt
when:
- configure_strategy | bool
- file_permissions_audit_binaries | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-86448-8
- configure_strategy
- file_permissions_audit_binaries
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Test for existence /sbin/augenrules
ansible.builtin.stat:
path: /sbin/augenrules
register: file_exists
when:
- configure_strategy | bool
- file_permissions_audit_binaries | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86448-8
- configure_strategy
- file_permissions_audit_binaries
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure permission u-s,g-ws,o-wt on /sbin/augenrules
ansible.builtin.file:
path: /sbin/augenrules
mode: u-s,g-ws,o-wt
when:
- configure_strategy | bool
- file_permissions_audit_binaries | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-86448-8
- configure_strategy
- file_permissions_audit_binaries
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Test for existence /sbin/audisp-syslog
ansible.builtin.stat:
path: /sbin/audisp-syslog
register: file_exists
when:
- configure_strategy | bool
- file_permissions_audit_binaries | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86448-8
- configure_strategy
- file_permissions_audit_binaries
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure permission u-s,g-ws,o-wt on /sbin/audisp-syslog
ansible.builtin.file:
path: /sbin/audisp-syslog
mode: u-s,g-ws,o-wt
when:
- configure_strategy | bool
- file_permissions_audit_binaries | bool
- low_complexity | bool
- low_disruption | bool
- medium_severity | bool
- no_reboot_needed | bool
- '"kernel-core" in ansible_facts.packages'
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-86448-8
- configure_strategy
- file_permissions_audit_binaries
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
Reference in New Issue View Git Blame Copy Permalink