| Server IP : 178.212.43.201 / Your IP : 10.100.0.33 Web Server : Apache/2.4.37 (Oracle Linux Server) OpenSSL/1.1.1k System : Linux spa0007.srv.paxillus.pl 5.4.17-2136.355.3.1.el8uek.x86_64 #3 SMP Sat May 9 17:11:55 PDT 2026 x86_64 User : apache ( 48) PHP Version : 7.4.33 Disable Function : NONE MySQL : OFF | cURL : ON | WGET : ON | Perl : ON | Python : OFF | Sudo : ON | Pkexec : ON Directory : /usr/share/scap-security-guide/ansible/ |
Upload File : |
---
###############################################################################
#
# Ansible Playbook for Protection Profile for General Purpose Operating Systems
#
# Profile Description:
# This profile reflects mandatory configuration controls identified in the
# NIAP Configuration Annex to the Protection Profile for General Purpose
# Operating Systems (Protection Profile Version 4.2.1).
# This configuration profile is consistent with CNSSI-1253, which requires
# U.S. National Security Systems to adhere to certain configuration
# parameters. Accordingly, this configuration profile is suitable for
# use in U.S. National Security Systems.
#
# Profile ID: xccdf_org.ssgproject.content_profile_ospp
# Benchmark ID: xccdf_org.ssgproject.content_benchmark_OL-8
# Benchmark Version: 0.1.80
# XCCDF Version: 1.2
#
# This file can be generated by OpenSCAP using:
# $ oscap xccdf generate fix --profile xccdf_org.ssgproject.content_profile_ospp --fix-type ansible ssg-ol8-ds.xml
#
# This Ansible Playbook is generated from an XCCDF profile without preliminary evaluation.
# It attempts to fix every selected rule, even if the system is already compliant.
#
# How to apply this Ansible Playbook:
# $ ansible-playbook -i "localhost," -c local playbook.yml
# $ ansible-playbook -i "192.168.1.155," playbook.yml
# $ ansible-playbook -i inventory.ini playbook.yml
#
###############################################################################
- name: Ansible Playbook for xccdf_org.ssgproject.content_profile_ospp
hosts: all
vars:
var_system_crypto_policy: FIPS:OSPP
var_authselect_profile: minimal
var_password_pam_unix_remember: '5'
var_accounts_passwords_pam_faillock_deny: '3'
var_accounts_passwords_pam_faillock_fail_interval: '900'
var_accounts_passwords_pam_faillock_unlock_time: '0'
var_password_pam_dcredit: '-1'
var_password_pam_difok: '4'
var_password_pam_lcredit: '-1'
var_password_pam_maxclassrepeat: '4'
var_password_pam_maxrepeat: '3'
var_password_pam_minlen: '12'
var_password_pam_ocredit: '-1'
var_password_pam_ucredit: '-1'
var_accounts_max_concurrent_login_sessions: '10'
var_accounts_user_umask: '027'
sysctl_net_ipv6_conf_all_accept_ra_value: '0'
sysctl_net_ipv6_conf_all_accept_redirects_value: '0'
sysctl_net_ipv6_conf_all_accept_source_route_value: '0'
sysctl_net_ipv6_conf_default_accept_ra_value: '0'
sysctl_net_ipv6_conf_default_accept_redirects_value: '0'
sysctl_net_ipv6_conf_default_accept_source_route_value: '0'
sysctl_net_ipv4_conf_all_accept_redirects_value: '0'
sysctl_net_ipv4_conf_all_accept_source_route_value: '0'
sysctl_net_ipv4_conf_all_log_martians_value: '1'
sysctl_net_ipv4_conf_all_rp_filter_value: '1'
sysctl_net_ipv4_conf_all_secure_redirects_value: '0'
sysctl_net_ipv4_conf_default_accept_redirects_value: '0'
sysctl_net_ipv4_conf_default_accept_source_route_value: '0'
sysctl_net_ipv4_conf_default_log_martians_value: '1'
sysctl_net_ipv4_conf_default_rp_filter_value: '1'
sysctl_net_ipv4_conf_default_secure_redirects_value: '0'
sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value: '1'
sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value: '1'
sysctl_net_ipv4_tcp_syncookies_value: '1'
sysctl_kernel_kptr_restrict_value: '1'
var_slub_debug_options: P
var_selinux_policy_name: targeted
var_selinux_state: enforcing
var_ssh_client_rekey_limit_size: 1G
var_ssh_client_rekey_limit_time: 1h
sshd_idle_timeout_value: '840'
var_rekey_limit_size: 1G
var_rekey_limit_time: 1h
var_audit_backlog_limit: '8192'
var_auditd_flush: incremental_async
var_auditd_freq: '50'
var_auditd_name_format: hostname
tasks:
- name: Gather the package facts
ansible.builtin.package_facts:
manager: auto
tags:
- always
- name: Ensure aide is installed
ansible.builtin.package:
name: aide
state: present
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.10.1.3
- DISA-STIG-OL08-00-010359
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-11.5
- PCI-DSSv4-11.5.2
- enable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- package_aide_installed
- name: Ensure crypto-policies is installed
ansible.builtin.package:
name: crypto-policies
state: present
tags:
- enable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- package_crypto-policies_installed
- name: Ensure sudo is installed
ansible.builtin.package:
name: sudo
state: present
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-53-CM-6(a)
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- enable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- package_sudo_installed
- name: Ensure gnutls-utils is installed
ansible.builtin.package:
name: gnutls-utils
state: present
tags:
- enable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- package_gnutls-utils_installed
- name: Ensure openscap-scanner is installed
ansible.builtin.package:
name: openscap-scanner
state: present
tags:
- enable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- package_openscap-scanner_installed
- name: Ensure scap-security-guide is installed
ansible.builtin.package:
name: scap-security-guide
state: present
tags:
- enable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- package_scap-security-guide_installed
- name: 'Uninstall abrt-addon-ccpp Package: Ensure abrt-addon-ccpp is removed'
ansible.builtin.package:
name: abrt-addon-ccpp
state: absent
tags:
- disable_strategy
- low_complexity
- low_disruption
- low_severity
- no_reboot_needed
- package_abrt-addon-ccpp_removed
- name: 'Uninstall abrt-addon-kerneloops Package: Ensure abrt-addon-kerneloops is
removed'
ansible.builtin.package:
name: abrt-addon-kerneloops
state: absent
tags:
- disable_strategy
- low_complexity
- low_disruption
- low_severity
- no_reboot_needed
- package_abrt-addon-kerneloops_removed
- name: 'Uninstall abrt-cli Package: Ensure abrt-cli is removed'
ansible.builtin.package:
name: abrt-cli
state: absent
tags:
- disable_strategy
- low_complexity
- low_disruption
- low_severity
- no_reboot_needed
- package_abrt-cli_removed
- name: 'Uninstall abrt-plugin-sosreport Package: Ensure abrt-plugin-sosreport is
removed'
ansible.builtin.package:
name: abrt-plugin-sosreport
state: absent
tags:
- disable_strategy
- low_complexity
- low_disruption
- low_severity
- no_reboot_needed
- package_abrt-plugin-sosreport_removed
- name: 'Uninstall gssproxy Package: Ensure gssproxy is removed'
ansible.builtin.package:
name: gssproxy
state: absent
tags:
- DISA-STIG-OL08-00-040370
- disable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- package_gssproxy_removed
- name: 'Uninstall iprutils Package: Ensure iprutils is removed'
ansible.builtin.package:
name: iprutils
state: absent
tags:
- DISA-STIG-OL08-00-040380
- disable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- package_iprutils_removed
- name: 'Uninstall krb5-workstation Package: Ensure krb5-workstation is removed'
ansible.builtin.package:
name: krb5-workstation
state: absent
tags:
- DISA-STIG-OL08-00-010162
- disable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- package_krb5-workstation_removed
- name: 'Uninstall libreport-plugin-logger Package: Ensure libreport-plugin-logger
is removed'
ansible.builtin.package:
name: libreport-plugin-logger
state: absent
tags:
- DISA-STIG-OL08-00-040001
- disable_strategy
- low_complexity
- low_disruption
- low_severity
- no_reboot_needed
- package_libreport-plugin-logger_removed
- name: 'Uninstall python3-abrt-addon Package: Ensure python3-abrt-addon is removed'
ansible.builtin.package:
name: python3-abrt-addon
state: absent
tags:
- disable_strategy
- low_complexity
- low_disruption
- low_severity
- no_reboot_needed
- package_python3-abrt-addon_removed
- name: Ensure dnf-automatic is installed
ansible.builtin.package:
name: dnf-automatic
state: present
when: ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
tags:
- enable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- package_dnf-automatic_installed
- name: Ensure tmux is installed
ansible.builtin.package:
name: tmux
state: present
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-171-3.1.10
- NIST-800-53-CM-6(a)
- enable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- package_tmux_installed
- name: Ensure rsyslog is installed
ansible.builtin.package:
name: rsyslog
state: present
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-030670
- NIST-800-53-CM-6(a)
- enable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- package_rsyslog_installed
- name: Ensure firewalld is installed
ansible.builtin.package:
name: firewalld
state: present
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-040100
- NIST-800-53-CM-6(a)
- PCI-DSSv4-1.2
- PCI-DSSv4-1.2.1
- enable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- package_firewalld_installed
- name: Ensure policycoreutils-python-utils is installed
ansible.builtin.package:
name: policycoreutils-python-utils
state: present
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- enable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- package_policycoreutils-python-utils_installed
- name: Ensure policycoreutils is installed
ansible.builtin.package:
name: policycoreutils
state: present
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-010171
- enable_strategy
- low_complexity
- low_disruption
- low_severity
- no_reboot_needed
- package_policycoreutils_installed
- name: 'Uninstall Automatic Bug Reporting Tool (abrt): Ensure abrt is removed'
ansible.builtin.package:
name: abrt
state: absent
tags:
- DISA-STIG-OL08-00-040001
- disable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- package_abrt_removed
- name: Ensure fapolicyd is installed
ansible.builtin.package:
name: fapolicyd
state: present
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-040135
- NIST-800-53-CM-6(a)
- NIST-800-53-SI-4(22)
- enable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- package_fapolicyd_installed
- name: 'Uninstall Sendmail Package: Ensure sendmail is removed'
ansible.builtin.package:
name: sendmail
state: absent
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-040002
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- package_sendmail_removed
- name: 'Uninstall nfs-utils Package: Ensure nfs-utils is removed'
ansible.builtin.package:
name: nfs-utils
state: absent
tags:
- disable_strategy
- low_complexity
- low_disruption
- low_severity
- no_reboot_needed
- package_nfs-utils_removed
- name: Ensure chrony is installed
ansible.builtin.package:
name: chrony
state: present
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- PCI-DSS-Req-10.4
- PCI-DSSv4-10.6
- PCI-DSSv4-10.6.1
- enable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- package_chrony_installed
- name: Ensure openssh-clients is installed
ansible.builtin.package:
name: openssh-clients
state: present
tags:
- enable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- package_openssh-clients_installed
- name: Ensure openssh-server is installed
ansible.builtin.package:
name: openssh-server
state: present
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-040159
- NIST-800-53-CM-6(a)
- enable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- package_openssh-server_installed
- name: Ensure usbguard is installed
ansible.builtin.package:
name: usbguard
state: present
when: ( ansible_architecture != "s390x" and ("kernel" in ansible_facts.packages
or "kernel-uek" in ansible_facts.packages) )
tags:
- DISA-STIG-OL08-00-040139
- NIST-800-53-CM-8(3)
- NIST-800-53-IA-3
- enable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- package_usbguard_installed
- name: Ensure audit is installed
ansible.builtin.package:
name: audit
state: present
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-030180
- NIST-800-53-AC-7(a)
- NIST-800-53-AU-12(2)
- NIST-800-53-AU-14
- NIST-800-53-AU-2(a)
- NIST-800-53-AU-7(1)
- NIST-800-53-AU-7(2)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-10.1
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- enable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- package_audit_installed
- name: Gather the package facts
ansible.builtin.package_facts:
manager: auto
tags:
- always
- name: Disable debug-shell SystemD Service - Disable service debug-shell
block:
- name: Disable debug-shell SystemD Service - Collect systemd Services Present
in the System
ansible.builtin.command: systemctl -q list-unit-files --type service
register: service_exists
changed_when: false
failed_when: service_exists.rc not in [0, 1]
check_mode: false
- name: Disable debug-shell SystemD Service - Ensure debug-shell.service is Masked
ansible.builtin.systemd:
name: debug-shell.service
state: stopped
enabled: false
masked: true
when: service_exists.stdout_lines is search("debug-shell.service", multiline=True)
- name: Unit Socket Exists - debug-shell.socket
ansible.builtin.command: systemctl -q list-unit-files debug-shell.socket
register: socket_file_exists
changed_when: false
failed_when: socket_file_exists.rc not in [0, 1]
check_mode: false
- name: Disable debug-shell SystemD Service - Disable Socket debug-shell
ansible.builtin.systemd:
name: debug-shell.socket
enabled: false
state: stopped
masked: true
when: socket_file_exists.stdout_lines is search("debug-shell.socket", multiline=True)
tags:
- DISA-STIG-OL08-00-040180
- NIST-800-171-3.4.5
- NIST-800-53-CM-6
- disable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- service_debug-shell_disabled
- special_service_block
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- name: Verify firewalld Enabled - Enable service firewalld
block:
- name: Verify firewalld Enabled - Enable Service firewalld
ansible.builtin.systemd:
name: firewalld
enabled: true
state: started
masked: false
when:
- '"firewalld" in ansible_facts.packages'
tags:
- DISA-STIG-OL08-00-040101
- NIST-800-171-3.1.3
- NIST-800-171-3.4.7
- NIST-800-53-AC-4
- NIST-800-53-CA-3(5)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-7(21)
- PCI-DSSv4-1.2
- PCI-DSSv4-1.2.1
- enable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- service_firewalld_enabled
- special_service_block
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"firewalld" in ansible_facts.packages'
- name: Disable KDump Kernel Crash Analyzer (kdump) - Disable service kdump
block:
- name: Disable KDump Kernel Crash Analyzer (kdump) - Collect systemd Services
Present in the System
ansible.builtin.command: systemctl -q list-unit-files --type service
register: service_exists
changed_when: false
failed_when: service_exists.rc not in [0, 1]
check_mode: false
- name: Disable KDump Kernel Crash Analyzer (kdump) - Ensure kdump.service is
Masked
ansible.builtin.systemd:
name: kdump.service
state: stopped
enabled: false
masked: true
when: service_exists.stdout_lines is search("kdump.service", multiline=True)
- name: Unit Socket Exists - kdump.socket
ansible.builtin.command: systemctl -q list-unit-files kdump.socket
register: socket_file_exists
changed_when: false
failed_when: socket_file_exists.rc not in [0, 1]
check_mode: false
- name: Disable KDump Kernel Crash Analyzer (kdump) - Disable Socket kdump
ansible.builtin.systemd:
name: kdump.socket
enabled: false
state: stopped
masked: true
when: socket_file_exists.stdout_lines is search("kdump.socket", multiline=True)
tags:
- DISA-STIG-OL08-00-010670
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- service_kdump_disabled
- special_service_block
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- name: Enable the File Access Policy Service - Enable service fapolicyd
block:
- name: Enable the File Access Policy Service - Enable Service fapolicyd
ansible.builtin.systemd:
name: fapolicyd
enabled: true
state: started
masked: false
when:
- '"fapolicyd" in ansible_facts.packages'
tags:
- DISA-STIG-OL08-00-040136
- NIST-800-53-CM-6(a)
- NIST-800-53-SI-4(22)
- enable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- service_fapolicyd_enabled
- special_service_block
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- name: Enable the USBGuard Service - Enable service usbguard
block:
- name: Enable the USBGuard Service - Enable Service usbguard
ansible.builtin.systemd:
name: usbguard
enabled: true
state: started
masked: false
when:
- '"usbguard" in ansible_facts.packages'
tags:
- DISA-STIG-OL08-00-040141
- NIST-800-53-CM-8(3)(a)
- NIST-800-53-IA-3
- enable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- service_usbguard_enabled
- special_service_block
when: ( ansible_architecture != "s390x" and ("kernel" in ansible_facts.packages
or "kernel-uek" in ansible_facts.packages) )
- name: Enable auditd Service - Enable service auditd
block:
- name: Enable auditd Service - Enable Service auditd
ansible.builtin.systemd:
name: auditd
enabled: true
state: started
masked: false
when:
- '"audit" in ansible_facts.packages'
tags:
- CJIS-5.4.1.1
- DISA-STIG-OL08-00-030181
- NIST-800-171-3.3.1
- NIST-800-171-3.3.2
- NIST-800-171-3.3.6
- NIST-800-53-AC-2(g)
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-10
- NIST-800-53-AU-12(c)
- NIST-800-53-AU-14(1)
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-3
- NIST-800-53-CM-6(a)
- NIST-800-53-SI-4(23)
- PCI-DSS-Req-10.1
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.1
- enable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- service_auditd_enabled
- special_service_block
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"audit" in ansible_facts.packages'
- name: Gather the service facts
ansible.builtin.service_facts: null
tags:
- always
- name: Check to see the current status of FIPS mode
ansible.builtin.command: /usr/bin/fips-mode-setup --check
register: is_fips_enabled
changed_when: false
failed_when: false
when: ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( lookup("env", "container")
== "bwrap-osbuild" ) and ("kernel" in ansible_facts.packages or "kernel-uek"
in ansible_facts.packages) )
tags:
- DISA-STIG-OL08-00-010020
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-7
- NIST-800-53-SC-12
- NIST-800-53-SC-12(2)
- NIST-800-53-SC-12(3)
- NIST-800-53-SC-13
- enable_dracut_fips_module
- high_severity
- medium_complexity
- medium_disruption
- reboot_required
- restrict_strategy
- name: Enable FIPS mode
ansible.builtin.command: /usr/bin/fips-mode-setup --enable
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( lookup("env", "container")
== "bwrap-osbuild" ) and ("kernel" in ansible_facts.packages or "kernel-uek"
in ansible_facts.packages) )
- is_fips_enabled.stdout.find('FIPS mode is enabled.') == -1
tags:
- DISA-STIG-OL08-00-010020
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-7
- NIST-800-53-SC-12
- NIST-800-53-SC-12(2)
- NIST-800-53-SC-12(3)
- NIST-800-53-SC-13
- enable_dracut_fips_module
- high_severity
- medium_complexity
- medium_disruption
- reboot_required
- restrict_strategy
- name: Enable Dracut FIPS Module
ansible.builtin.lineinfile:
path: /etc/dracut.conf.d/40-fips.conf
line: add_dracutmodules+=" fips "
when: ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( lookup("env", "container")
== "bwrap-osbuild" ) and ("kernel" in ansible_facts.packages or "kernel-uek"
in ansible_facts.packages) )
tags:
- DISA-STIG-OL08-00-010020
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-7
- NIST-800-53-SC-12
- NIST-800-53-SC-12(2)
- NIST-800-53-SC-12(3)
- NIST-800-53-SC-13
- enable_dracut_fips_module
- high_severity
- medium_complexity
- medium_disruption
- reboot_required
- restrict_strategy
- name: Configure BIND to use System Crypto Policy - Check BIND configuration file
exists
ansible.builtin.stat:
path: /etc/named.conf
register: bind_config_file
when: '"bind" in ansible_facts.packages'
tags:
- DISA-STIG-OL08-00-010020
- NIST-800-53-SC-12(2)
- NIST-800-53-SC-12(3)
- NIST-800-53-SC-13
- configure_bind_crypto_policy
- configure_strategy
- high_severity
- low_complexity
- low_disruption
- no_reboot_needed
- name: Configure BIND to use System Crypto Policy - Aborting remediation, file
not found
ansible.builtin.debug:
msg: Aborting remediation as '/etc/named.conf' was not found.
when:
- '"bind" in ansible_facts.packages'
- not bind_config_file.stat.exists
tags:
- DISA-STIG-OL08-00-010020
- NIST-800-53-SC-12(2)
- NIST-800-53-SC-12(3)
- NIST-800-53-SC-13
- configure_bind_crypto_policy
- configure_strategy
- high_severity
- low_complexity
- low_disruption
- no_reboot_needed
- name: Configure BIND to use System Crypto Policy - Insert crypto-policy into BIND
config
ansible.builtin.lineinfile:
path: /etc/named.conf
insertafter: ^\s*options\s*{
line: ' include "/etc/crypto-policies/back-ends/bind.config";'
state: present
when:
- '"bind" in ansible_facts.packages'
- bind_config_file.stat.exists
tags:
- DISA-STIG-OL08-00-010020
- NIST-800-53-SC-12(2)
- NIST-800-53-SC-12(3)
- NIST-800-53-SC-13
- configure_bind_crypto_policy
- configure_strategy
- high_severity
- low_complexity
- low_disruption
- no_reboot_needed
- name: Configure System Cryptography Policy - Check current crypto policy (runtime)
ansible.builtin.command: /usr/bin/update-crypto-policies --show
register: current_crypto_policy
changed_when: false
failed_when: false
check_mode: false
tags:
- DISA-STIG-OL08-00-010020
- NIST-800-53-AC-17(2)
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-MA-4(6)
- NIST-800-53-SC-12(2)
- NIST-800-53-SC-12(3)
- NIST-800-53-SC-13
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.7
- configure_crypto_policy
- high_severity
- low_complexity
- low_disruption
- no_reboot_needed
- restrict_strategy
- name: Configure System Cryptography Policy - Get mtime of /etc/crypto-policies/config
ansible.builtin.stat:
path: /etc/crypto-policies/config
register: config_file_stat
changed_when: false
failed_when: false
check_mode: false
tags:
- DISA-STIG-OL08-00-010020
- NIST-800-53-AC-17(2)
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-MA-4(6)
- NIST-800-53-SC-12(2)
- NIST-800-53-SC-12(3)
- NIST-800-53-SC-13
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.7
- configure_crypto_policy
- high_severity
- low_complexity
- low_disruption
- no_reboot_needed
- restrict_strategy
- name: Configure System Cryptography Policy - Get mtime of /etc/crypto-policies/state/current
ansible.builtin.stat:
path: /etc/crypto-policies/state/current
register: current_file_stat
changed_when: false
failed_when: false
check_mode: false
tags:
- DISA-STIG-OL08-00-010020
- NIST-800-53-AC-17(2)
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-MA-4(6)
- NIST-800-53-SC-12(2)
- NIST-800-53-SC-12(3)
- NIST-800-53-SC-13
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.7
- configure_crypto_policy
- high_severity
- low_complexity
- low_disruption
- no_reboot_needed
- restrict_strategy
- name: Configure System Cryptography Policy - Check existence of /etc/crypto-policies/back-ends/nss.config
ansible.builtin.stat:
path: /etc/crypto-policies/back-ends/nss.config
register: nss_config_stat
changed_when: false
failed_when: false
check_mode: false
tags:
- DISA-STIG-OL08-00-010020
- NIST-800-53-AC-17(2)
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-MA-4(6)
- NIST-800-53-SC-12(2)
- NIST-800-53-SC-12(3)
- NIST-800-53-SC-13
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.7
- configure_crypto_policy
- high_severity
- low_complexity
- low_disruption
- no_reboot_needed
- restrict_strategy
- name: Configure System Cryptography Policy - Verify that Crypto Policy is Set
(runtime)
ansible.builtin.command: /usr/bin/update-crypto-policies --set {{ var_system_crypto_policy
}}
when: (current_crypto_policy.stdout.strip() != var_system_crypto_policy) or (config_file_stat.stat.exists
and current_file_stat.stat.exists and config_file_stat.stat.mtime > current_file_stat.stat.mtime)
or (not nss_config_stat.stat.exists)
tags:
- DISA-STIG-OL08-00-010020
- NIST-800-53-AC-17(2)
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-MA-4(6)
- NIST-800-53-SC-12(2)
- NIST-800-53-SC-12(3)
- NIST-800-53-SC-13
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.7
- configure_crypto_policy
- high_severity
- low_complexity
- low_disruption
- no_reboot_needed
- restrict_strategy
- name: Configure Kerberos to use System Crypto Policy
ansible.builtin.file:
src: /etc/crypto-policies/back-ends/krb5.config
path: /etc/krb5.conf.d/crypto-policies
state: link
tags:
- DISA-STIG-OL08-00-010020
- NIST-800-53-SC-12(2)
- NIST-800-53-SC-12(3)
- NIST-800-53-SC-13
- configure_kerberos_crypto_policy
- configure_strategy
- high_severity
- low_complexity
- low_disruption
- reboot_required
- name: Configure Libreswan to use System Crypto Policy
ansible.builtin.lineinfile:
path: /etc/ipsec.conf
line: include /etc/crypto-policies/back-ends/libreswan.config
create: true
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-010020
- NIST-800-53-CM-6(a)
- NIST-800-53-MA-4(6)
- NIST-800-53-SC-12(2)
- NIST-800-53-SC-12(3)
- NIST-800-53-SC-13
- PCI-DSS-Req-2.2
- configure_libreswan_crypto_policy
- high_severity
- low_complexity
- low_disruption
- no_reboot_needed
- restrict_strategy
- name: Configure OpenSSL library to use System Crypto Policy - Search for crypto_policy
Section
ansible.builtin.find:
paths: /etc/pki/tls
patterns: openssl.cnf
contains: ^\s*\[\s*crypto_policy\s*]
register: test_crypto_policy_group
tags:
- NIST-800-53-AC-17(2)
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-MA-4(6)
- NIST-800-53-SC-12(2)
- NIST-800-53-SC-12(3)
- NIST-800-53-SC-13
- PCI-DSS-Req-2.2
- configure_openssl_crypto_policy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- unknown_strategy
- name: Configure OpenSSL library to use System Crypto Policy - Search for crypto_policy
Section Together With .include Directive
ansible.builtin.find:
paths: /etc/pki/tls
patterns: openssl.cnf
contains: ^\s*\.include\s*(?:=\s*)?/etc/crypto-policies/back-ends/opensslcnf.config$
register: test_crypto_policy_include_directive
tags:
- NIST-800-53-AC-17(2)
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-MA-4(6)
- NIST-800-53-SC-12(2)
- NIST-800-53-SC-12(3)
- NIST-800-53-SC-13
- PCI-DSS-Req-2.2
- configure_openssl_crypto_policy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- unknown_strategy
- name: Configure OpenSSL library to use System Crypto Policy - Add .include Line
for opensslcnf.config File in crypto_policy Section
ansible.builtin.lineinfile:
create: true
insertafter: ^\s*\[\s*crypto_policy\s*]\s*
line: .include /etc/crypto-policies/back-ends/opensslcnf.config
path: /etc/pki/tls/openssl.cnf
when:
- test_crypto_policy_group.matched > 0
- test_crypto_policy_include_directive.matched == 0
tags:
- NIST-800-53-AC-17(2)
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-MA-4(6)
- NIST-800-53-SC-12(2)
- NIST-800-53-SC-12(3)
- NIST-800-53-SC-13
- PCI-DSS-Req-2.2
- configure_openssl_crypto_policy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- unknown_strategy
- name: Configure OpenSSL library to use System Crypto Policy - Add crypto_policy
Section With .include for opensslcnf.config File
ansible.builtin.lineinfile:
create: true
line: |-
[crypto_policy]
.include /etc/crypto-policies/back-ends/opensslcnf.config
path: /etc/pki/tls/openssl.cnf
when: test_crypto_policy_group.matched == 0
tags:
- NIST-800-53-AC-17(2)
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-MA-4(6)
- NIST-800-53-SC-12(2)
- NIST-800-53-SC-12(3)
- NIST-800-53-SC-13
- PCI-DSS-Req-2.2
- configure_openssl_crypto_policy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- unknown_strategy
- name: Configure SSH to use System Crypto Policy
ansible.builtin.lineinfile:
dest: /etc/sysconfig/sshd
state: absent
regexp: (?i)^\s*CRYPTO_POLICY.*$
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-010287
- NIST-800-53-AC-17(2)
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-MA-4(6)
- NIST-800-53-SC-13
- PCI-DSS-Req-2.2
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.7
- configure_ssh_crypto_policy
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- name: Put a file with shell wrapper to configure OpenSSL to always use strong
entropy
copy:
dest: /etc/profile.d/openssl-rand.sh
content: |
# provide a default -rand /dev/random option to openssl commands that
# support it
# written inefficiently for maximum shell compatibility
openssl()
(
openssl_bin=/usr/bin/openssl
case "$*" in
# if user specified -rand, honor it
*\ -rand\ *|*\ -help*) exec $openssl_bin "$@" ;;
esac
cmds=`$openssl_bin list -digest-commands -cipher-commands | tr '\n' ' '`
for i in `$openssl_bin list -commands`; do
if $openssl_bin list -options "$i" | grep -q '^rand '; then
cmds=" $i $cmds"
fi
done
case "$cmds" in
*\ "$1"\ *)
cmd="$1"; shift
exec $openssl_bin "$cmd" -rand /dev/random "$@" ;;
esac
exec $openssl_bin "$@"
)
tags:
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- openssl_use_strong_entropy
- restrict_strategy
- name: Configure dnf-automatic to Install Available Updates Automatically
community.general.ini_file:
dest: /etc/dnf/automatic.conf
section: commands
option: apply_updates
value: 'yes'
create: true
when: ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
tags:
- NIST-800-53-CM-6(a)
- NIST-800-53-SI-2(5)
- NIST-800-53-SI-2(c)
- dnf-automatic_apply_updates
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- unknown_strategy
- name: Configure dnf-automatic to Install Only Security Updates
community.general.ini_file:
dest: /etc/dnf/automatic.conf
section: commands
option: upgrade_type
value: security
create: true
when: ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
tags:
- NIST-800-53-CM-6(a)
- NIST-800-53-SI-2(5)
- NIST-800-53-SI-2(c)
- dnf-automatic_security_updates_only
- low_complexity
- low_severity
- medium_disruption
- no_reboot_needed
- unknown_strategy
- name: Ensure GPG check is globally activated
community.general.ini_file:
dest: /etc/yum.conf
section: main
option: gpgcheck
value: 1
no_extra_spaces: true
create: false
when: '"yum" in ansible_facts.packages'
tags:
- CJIS-5.10.4.1
- NIST-800-171-3.4.8
- NIST-800-53-CM-11(a)
- NIST-800-53-CM-11(b)
- NIST-800-53-CM-5(3)
- NIST-800-53-CM-6(a)
- NIST-800-53-SA-12
- NIST-800-53-SA-12(10)
- NIST-800-53-SC-12
- NIST-800-53-SC-12(3)
- NIST-800-53-SI-7
- PCI-DSS-Req-6.2
- PCI-DSSv4-6.3
- PCI-DSSv4-6.3.3
- configure_strategy
- ensure_gpgcheck_globally_activated
- high_severity
- low_complexity
- medium_disruption
- no_reboot_needed
- name: Ensure GPG check Enabled for Local Packages (yum)
block:
- name: Check stats of yum
ansible.builtin.stat:
path: /etc/yum.conf
register: pkg
- name: Check if config file of yum is a symlink
ansible.builtin.set_fact:
pkg_config_file_symlink: '{{ pkg.stat.lnk_target if pkg.stat.lnk_target is
match("^/.*") else "/etc/yum.conf" | dirname ~ "/" ~ pkg.stat.lnk_target
}}'
when: pkg.stat.lnk_target is defined
- name: Ensure GPG check Enabled for Local Packages (yum)
community.general.ini_file:
dest: '{{ pkg_config_file_symlink | default("/etc/yum.conf") }}'
section: main
option: localpkg_gpgcheck
value: 1
no_extra_spaces: true
create: true
when: '"yum" in ansible_facts.packages'
tags:
- DISA-STIG-OL08-00-010371
- NIST-800-171-3.4.8
- NIST-800-53-CM-11(a)
- NIST-800-53-CM-11(b)
- NIST-800-53-CM-5(3)
- NIST-800-53-CM-6(a)
- NIST-800-53-SA-12
- NIST-800-53-SA-12(10)
- ensure_gpgcheck_local_packages
- high_severity
- low_complexity
- medium_disruption
- no_reboot_needed
- unknown_strategy
- name: Grep for yum repo section names
ansible.builtin.shell: |
set -o pipefail
grep -HEr '^\[.+\]' -r /etc/yum.repos.d/
register: repo_grep_results
failed_when: repo_grep_results.rc not in [0, 1]
changed_when: false
tags:
- CJIS-5.10.4.1
- NIST-800-171-3.4.8
- NIST-800-53-CM-11(a)
- NIST-800-53-CM-11(b)
- NIST-800-53-CM-5(3)
- NIST-800-53-CM-6(a)
- NIST-800-53-SA-12
- NIST-800-53-SA-12(10)
- NIST-800-53-SC-12
- NIST-800-53-SC-12(3)
- NIST-800-53-SI-7
- PCI-DSS-Req-6.2
- PCI-DSSv4-6.3
- PCI-DSSv4-6.3.3
- enable_strategy
- ensure_gpgcheck_never_disabled
- high_severity
- low_complexity
- medium_disruption
- no_reboot_needed
- name: Set gpgcheck=1 for each yum repo
community.general.ini_file:
path: '{{ item[0] }}'
section: '{{ item[1] }}'
option: gpgcheck
value: '1'
no_extra_spaces: true
loop: '{{ repo_grep_results.stdout |regex_findall( ''(.+\.repo):\[(.+)\]\n?''
) if repo_grep_results is not skipped else [] }}'
when: repo_grep_results is not skipped
tags:
- CJIS-5.10.4.1
- NIST-800-171-3.4.8
- NIST-800-53-CM-11(a)
- NIST-800-53-CM-11(b)
- NIST-800-53-CM-5(3)
- NIST-800-53-CM-6(a)
- NIST-800-53-SA-12
- NIST-800-53-SA-12(10)
- NIST-800-53-SC-12
- NIST-800-53-SC-12(3)
- NIST-800-53-SI-7
- PCI-DSS-Req-6.2
- PCI-DSSv4-6.3
- PCI-DSSv4-6.3.3
- enable_strategy
- ensure_gpgcheck_never_disabled
- high_severity
- low_complexity
- medium_disruption
- no_reboot_needed
- name: Ensure Oracle Linux GPG Key Installed - Read GPG key directory permission
ansible.builtin.stat:
path: /etc/pki/rpm-gpg/
register: gpg_key_directory_permission
check_mode: false
tags:
- DISA-STIG-OL08-00-010019
- NIST-800-53-CM-11(a)
- NIST-800-53-CM-11(b)
- NIST-800-53-CM-5(3)
- NIST-800-53-CM-6(a)
- NIST-800-53-SC-12
- NIST-800-53-SC-12(3)
- NIST-800-53-SI-7
- PCI-DSS-Req-6.2
- ensure_oracle_gpgkey_installed
- high_severity
- medium_complexity
- medium_disruption
- no_reboot_needed
- restrict_strategy
- name: Ensure Oracle Linux GPG Key Installed - Retrieve GPG key fingerprints information
ansible.builtin.command: gpg --show-keys --with-fingerprint --with-colons "/etc/pki/rpm-gpg/RPM-GPG-KEY-oracle"
changed_when: false
register: gpg_fingerprints
check_mode: false
tags:
- DISA-STIG-OL08-00-010019
- NIST-800-53-CM-11(a)
- NIST-800-53-CM-11(b)
- NIST-800-53-CM-5(3)
- NIST-800-53-CM-6(a)
- NIST-800-53-SC-12
- NIST-800-53-SC-12(3)
- NIST-800-53-SI-7
- PCI-DSS-Req-6.2
- ensure_oracle_gpgkey_installed
- high_severity
- medium_complexity
- medium_disruption
- no_reboot_needed
- restrict_strategy
- name: Ensure Oracle Linux GPG Key Installed - Set fact for installed fingerprints
ansible.builtin.set_fact:
gpg_installed_fingerprints: |-
{{ gpg_fingerprints.stdout | regex_findall('^pub.*
(?:^fpr[:]*)([0-9A-Fa-f]*)', '\1') | list }}
tags:
- DISA-STIG-OL08-00-010019
- NIST-800-53-CM-11(a)
- NIST-800-53-CM-11(b)
- NIST-800-53-CM-5(3)
- NIST-800-53-CM-6(a)
- NIST-800-53-SC-12
- NIST-800-53-SC-12(3)
- NIST-800-53-SI-7
- PCI-DSS-Req-6.2
- ensure_oracle_gpgkey_installed
- high_severity
- medium_complexity
- medium_disruption
- no_reboot_needed
- restrict_strategy
- name: Ensure Oracle Linux GPG Key Installed - Set fact for valid fingerprints
ansible.builtin.set_fact:
gpg_valid_fingerprints:
- 76FD3DB13AB67410B89DB10E82562EA9AD986DA3
- ''
tags:
- DISA-STIG-OL08-00-010019
- NIST-800-53-CM-11(a)
- NIST-800-53-CM-11(b)
- NIST-800-53-CM-5(3)
- NIST-800-53-CM-6(a)
- NIST-800-53-SC-12
- NIST-800-53-SC-12(3)
- NIST-800-53-SI-7
- PCI-DSS-Req-6.2
- ensure_oracle_gpgkey_installed
- high_severity
- medium_complexity
- medium_disruption
- no_reboot_needed
- restrict_strategy
- name: Ensure Oracle Linux GPG Key Installed - Import Oracle GPG key securely
ansible.builtin.rpm_key:
state: present
key: /etc/pki/rpm-gpg/RPM-GPG-KEY-oracle
when:
- gpg_key_directory_permission.stat.mode <= '0755'
- (gpg_installed_fingerprints | difference(gpg_valid_fingerprints)) | length ==
0
- gpg_installed_fingerprints | length > 0
tags:
- DISA-STIG-OL08-00-010019
- NIST-800-53-CM-11(a)
- NIST-800-53-CM-11(b)
- NIST-800-53-CM-5(3)
- NIST-800-53-CM-6(a)
- NIST-800-53-SC-12
- NIST-800-53-SC-12(3)
- NIST-800-53-SI-7
- PCI-DSS-Req-6.2
- ensure_oracle_gpgkey_installed
- high_severity
- medium_complexity
- medium_disruption
- no_reboot_needed
- restrict_strategy
- name: Enable timer dnf-automatic
block:
- name: Enable timer dnf-automatic
ansible.builtin.systemd:
name: dnf-automatic.timer
enabled: 'yes'
state: started
when:
- '"dnf-automatic" in ansible_facts.packages'
when: ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
tags:
- NIST-800-53-CM-6(a)
- NIST-800-53-SI-2(5)
- NIST-800-53-SI-2(c)
- enable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- timer_dnf-automatic_enabled
- name: Enable authselect - Check Current authselect Profile
ansible.builtin.command:
cmd: authselect current
register: result_authselect_current
changed_when: false
failed_when: false
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-53-AC-3
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.4
- configure_strategy
- enable_authselect
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- name: Enable authselect - Try to Select an authselect Profile
ansible.builtin.command:
cmd: authselect select "{{ var_authselect_profile }}"
register: result_authselect_select
changed_when: result_authselect_select.rc == 0
failed_when: false
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- result_authselect_current.rc != 0
tags:
- NIST-800-53-AC-3
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.4
- configure_strategy
- enable_authselect
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- name: Enable authselect - Verify If pam Has Been Altered
ansible.builtin.command:
cmd: rpm -qV pam
register: result_altered_authselect
changed_when: false
failed_when: false
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- result_authselect_select is not skipped
- result_authselect_select.rc != 0
tags:
- NIST-800-53-AC-3
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.4
- configure_strategy
- enable_authselect
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- name: Enable authselect - Informative Message Based on authselect Integrity Check
ansible.builtin.assert:
that:
- result_authselect_current.rc == 0 or result_altered_authselect is skipped
or result_altered_authselect.rc == 0
fail_msg:
- authselect is not used but files from the 'pam' package have been altered,
so the authselect configuration won't be forced.
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-53-AC-3
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.4
- configure_strategy
- enable_authselect
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- name: Enable authselect - Force authselect Profile Selection
ansible.builtin.command:
cmd: authselect select --force "{{ var_authselect_profile }}"
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- result_authselect_current.rc != 0
- result_authselect_select.rc != 0
- result_altered_authselect.rc == 0
tags:
- NIST-800-53-AC-3
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.4
- configure_strategy
- enable_authselect
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- name: Limit Password Reuse - Check if system relies on authselect tool
ansible.builtin.stat:
path: /usr/bin/authselect
register: result_authselect_present
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"libpwquality" in ansible_facts.packages'
tags:
- CJIS-5.6.2.1.1
- NIST-800-171-3.5.8
- NIST-800-53-IA-5(1)(e)
- NIST-800-53-IA-5(f)
- PCI-DSS-Req-8.2.5
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.7
- accounts_password_pam_unix_remember
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- name: Limit Password Reuse - Collect the available authselect features
ansible.builtin.command:
cmd: authselect list-features sssd
register: result_authselect_available_features
changed_when: false
check_mode: false
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"libpwquality" in ansible_facts.packages'
- result_authselect_present.stat.exists
tags:
- CJIS-5.6.2.1.1
- NIST-800-171-3.5.8
- NIST-800-53-IA-5(1)(e)
- NIST-800-53-IA-5(f)
- PCI-DSS-Req-8.2.5
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.7
- accounts_password_pam_unix_remember
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- name: Limit Password Reuse - Enable pam_pwhistory.so using authselect feature
block:
- name: Limit Password Reuse - Check integrity of authselect current profile
ansible.builtin.command:
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
check_mode: false
failed_when: false
- name: Limit Password Reuse - Informative message based on the authselect integrity
check result
ansible.builtin.assert:
that:
- ansible_check_mode or result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was
not selected or the selected profile is not intact.
- It is not recommended to manually edit the PAM files when authselect tool
is available.
- In cases where the default authselect profile does not cover a specific
demand, a custom authselect profile is recommended.
success_msg:
- authselect integrity check passed
- name: Limit Password Reuse - Get authselect current features
ansible.builtin.shell:
cmd: authselect current | tail -n+3 | awk '{ print $2 }'
register: result_authselect_features
changed_when: false
check_mode: false
when:
- result_authselect_check_cmd is success
- name: Limit Password Reuse - Ensure "with-pwhistory" feature is enabled using
authselect tool
ansible.builtin.command:
cmd: authselect enable-feature with-pwhistory
register: result_authselect_enable_feature_cmd
when:
- result_authselect_check_cmd is success
- result_authselect_features.stdout is not search("with-pwhistory")
- name: Limit Password Reuse - Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_enable_feature_cmd is not skipped
- result_authselect_enable_feature_cmd is success
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"libpwquality" in ansible_facts.packages'
- result_authselect_present.stat.exists
- result_authselect_available_features.stdout is search("with-pwhistory")
tags:
- CJIS-5.6.2.1.1
- NIST-800-171-3.5.8
- NIST-800-53-IA-5(1)(e)
- NIST-800-53-IA-5(f)
- PCI-DSS-Req-8.2.5
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.7
- accounts_password_pam_unix_remember
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- name: Limit Password Reuse - Enable pam_pwhistory.so in appropriate PAM files
block:
- name: Limit Password Reuse - Define the PAM file to be edited as a local fact
ansible.builtin.set_fact:
pam_file_path: /etc/pam.d/system-auth
- name: Limit Password Reuse - Check if system relies on authselect tool
ansible.builtin.stat:
path: /usr/bin/authselect
register: result_authselect_present
- name: Limit Password Reuse - Ensure authselect custom profile is used if authselect
is present
block:
- name: Limit Password Reuse - Check integrity of authselect current profile
ansible.builtin.command:
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
check_mode: false
failed_when: false
- name: Limit Password Reuse - Informative message based on the authselect integrity
check result
ansible.builtin.assert:
that:
- ansible_check_mode or result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was
not selected or the selected profile is not intact.
- It is not recommended to manually edit the PAM files when authselect tool
is available.
- In cases where the default authselect profile does not cover a specific
demand, a custom authselect profile is recommended.
success_msg:
- authselect integrity check passed
- name: Limit Password Reuse - Get authselect current profile
ansible.builtin.shell:
cmd: authselect current -r | awk '{ print $1 }'
register: result_authselect_profile
changed_when: false
when:
- result_authselect_check_cmd is success
- name: Limit Password Reuse - Define the current authselect profile as a local
fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: '{{ result_authselect_profile.stdout }}'
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is match("custom/")
- name: Limit Password Reuse - Define the new authselect custom profile as a
local fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: custom/hardening
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is not match("custom/")
- name: Limit Password Reuse - Get authselect current features to also enable
them in the custom profile
ansible.builtin.shell:
cmd: authselect current | tail -n+3 | awk '{ print $2 }'
register: result_authselect_features
changed_when: false
check_mode: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Limit Password Reuse - Check if any custom profile with the same name
was already created
ansible.builtin.stat:
path: /etc/authselect/{{ authselect_custom_profile }}
register: result_authselect_custom_profile_present
changed_when: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Limit Password Reuse - Create an authselect custom profile based on
the current profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b {{ authselect_current_profile
}}
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is not match("^(custom/|local)")
- not result_authselect_custom_profile_present.stat.exists
- name: Limit Password Reuse - Create an authselect custom profile based on
sssd profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b sssd
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is match("local")
- not result_authselect_custom_profile_present.stat.exists
- name: Limit Password Reuse - Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Limit Password Reuse - Ensure the authselect custom profile is selected
ansible.builtin.command:
cmd: authselect select {{ authselect_custom_profile }}
register: result_pam_authselect_select_profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Limit Password Reuse - Restore the authselect features in the custom
profile
ansible.builtin.command:
cmd: authselect enable-feature {{ item }}
loop: '{{ result_authselect_features.stdout_lines }}'
register: result_pam_authselect_restore_features
when:
- result_authselect_profile is not skipped
- result_authselect_features is not skipped
- result_pam_authselect_select_profile is not skipped
- name: Limit Password Reuse - Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- result_pam_authselect_restore_features is not skipped
- name: Limit Password Reuse - Change the PAM file to be edited according to
the custom authselect profile
ansible.builtin.set_fact:
pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path
| basename }}
when:
- authselect_custom_profile is defined
when:
- result_authselect_present.stat.exists
- name: Limit Password Reuse - Define a fact for control already filtered in case
filters are used
ansible.builtin.set_fact:
pam_module_control: requisite
- name: Limit Password Reuse - Check if expected PAM module line is present in
{{ pam_file_path }}
ansible.builtin.lineinfile:
path: '{{ pam_file_path }}'
regexp: ^\s*password\s+{{ pam_module_control | regex_escape() }}\s+pam_pwhistory.so\s*.*
state: absent
check_mode: true
changed_when: false
register: result_pam_line_present
- name: Limit Password Reuse - Include or update the PAM module line in {{ pam_file_path
}}
block:
- name: Limit Password Reuse - Check if required PAM module line is present
in {{ pam_file_path }} with different control
ansible.builtin.lineinfile:
path: '{{ pam_file_path }}'
regexp: ^\s*password\s+.*\s+pam_pwhistory.so\s*
state: absent
check_mode: true
changed_when: false
register: result_pam_line_other_control_present
- name: Limit Password Reuse - Ensure the correct control for the required PAM
module line in {{ pam_file_path }}
ansible.builtin.replace:
dest: '{{ pam_file_path }}'
regexp: ^(\s*password\s+).*(\bpam_pwhistory.so.*)
replace: \1{{ pam_module_control }} \2
register: result_pam_module_edit
when:
- result_pam_line_other_control_present.found == 1
- name: Limit Password Reuse - Ensure the required PAM module line is included
in {{ pam_file_path }}
ansible.builtin.lineinfile:
dest: '{{ pam_file_path }}'
insertafter: ^password.*requisite.*pam_pwquality\.so
line: password {{ pam_module_control }} pam_pwhistory.so
register: result_pam_module_add
when:
- result_pam_line_other_control_present.found == 0 or result_pam_line_other_control_present.found
> 1
- name: Limit Password Reuse - Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_present is defined
- result_authselect_present.stat.exists
- |-
(result_pam_module_add is defined and result_pam_module_add.changed)
or (result_pam_module_edit is defined and result_pam_module_edit.changed)
when:
- result_pam_line_present.found is defined
- result_pam_line_present.found == 0
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"libpwquality" in ansible_facts.packages'
- |
(result_authselect_available_features.stdout is defined and result_authselect_available_features.stdout is not search("with-pwhistory")) or result_authselect_available_features is not defined
tags:
- CJIS-5.6.2.1.1
- NIST-800-171-3.5.8
- NIST-800-53-IA-5(1)(e)
- NIST-800-53-IA-5(f)
- PCI-DSS-Req-8.2.5
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.7
- accounts_password_pam_unix_remember
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- name: Limit Password Reuse - Check the presence of /etc/security/pwhistory.conf
file
ansible.builtin.stat:
path: /etc/security/pwhistory.conf
register: result_pwhistory_conf_check
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"libpwquality" in ansible_facts.packages'
tags:
- CJIS-5.6.2.1.1
- NIST-800-171-3.5.8
- NIST-800-53-IA-5(1)(e)
- NIST-800-53-IA-5(f)
- PCI-DSS-Req-8.2.5
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.7
- accounts_password_pam_unix_remember
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- name: Limit Password Reuse - pam_pwhistory.so parameters are configured in /etc/security/pwhistory.conf
file
block:
- name: Limit Password Reuse - Ensure the pam_pwhistory.so remember parameter
in /etc/security/pwhistory.conf
ansible.builtin.lineinfile:
path: /etc/security/pwhistory.conf
regexp: ^\s*remember\s*=
line: remember = {{ var_password_pam_unix_remember }}
state: present
- name: Limit Password Reuse - Ensure the pam_pwhistory.so remember parameter
is removed from PAM files
block:
- name: Limit Password Reuse - Check if /etc/pam.d/system-auth file is present
ansible.builtin.stat:
path: /etc/pam.d/system-auth
register: result_pam_auth_file_present
- name: Limit Password Reuse - Check the proper remediation for the system
block:
- name: Limit Password Reuse - Define the PAM file to be edited as a local
fact
ansible.builtin.set_fact:
pam_file_path: /etc/pam.d/system-auth
- name: Limit Password Reuse - Check if system relies on authselect tool
ansible.builtin.stat:
path: /usr/bin/authselect
register: result_authselect_present
- name: Limit Password Reuse - Ensure authselect custom profile is used if
authselect is present
block:
- name: Limit Password Reuse - Check integrity of authselect current profile
ansible.builtin.command:
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
check_mode: false
failed_when: false
- name: Limit Password Reuse - Informative message based on the authselect
integrity check result
ansible.builtin.assert:
that:
- ansible_check_mode or result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile
was not selected or the selected profile is not intact.
- It is not recommended to manually edit the PAM files when authselect
tool is available.
- In cases where the default authselect profile does not cover a specific
demand, a custom authselect profile is recommended.
success_msg:
- authselect integrity check passed
- name: Limit Password Reuse - Get authselect current profile
ansible.builtin.shell:
cmd: authselect current -r | awk '{ print $1 }'
register: result_authselect_profile
changed_when: false
when:
- result_authselect_check_cmd is success
- name: Limit Password Reuse - Define the current authselect profile as
a local fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: '{{ result_authselect_profile.stdout }}'
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is match("custom/")
- name: Limit Password Reuse - Define the new authselect custom profile
as a local fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: custom/hardening
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is not match("custom/")
- name: Limit Password Reuse - Get authselect current features to also enable
them in the custom profile
ansible.builtin.shell:
cmd: authselect current | tail -n+3 | awk '{ print $2 }'
register: result_authselect_features
changed_when: false
check_mode: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Limit Password Reuse - Check if any custom profile with the same
name was already created
ansible.builtin.stat:
path: /etc/authselect/{{ authselect_custom_profile }}
register: result_authselect_custom_profile_present
changed_when: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Limit Password Reuse - Create an authselect custom profile based
on the current profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b {{ authselect_current_profile
}}
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is not match("^(custom/|local)")
- not result_authselect_custom_profile_present.stat.exists
- name: Limit Password Reuse - Create an authselect custom profile based
on sssd profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b sssd
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is match("local")
- not result_authselect_custom_profile_present.stat.exists
- name: Limit Password Reuse - Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Limit Password Reuse - Ensure the authselect custom profile is selected
ansible.builtin.command:
cmd: authselect select {{ authselect_custom_profile }}
register: result_pam_authselect_select_profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Limit Password Reuse - Restore the authselect features in the custom
profile
ansible.builtin.command:
cmd: authselect enable-feature {{ item }}
loop: '{{ result_authselect_features.stdout_lines }}'
register: result_pam_authselect_restore_features
when:
- result_authselect_profile is not skipped
- result_authselect_features is not skipped
- result_pam_authselect_select_profile is not skipped
- name: Limit Password Reuse - Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- result_pam_authselect_restore_features is not skipped
- name: Limit Password Reuse - Change the PAM file to be edited according
to the custom authselect profile
ansible.builtin.set_fact:
pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path
| basename }}
when:
- authselect_custom_profile is defined
when:
- result_authselect_present.stat.exists
- name: Limit Password Reuse - Define a fact for control already filtered
in case filters are used
ansible.builtin.set_fact:
pam_module_control: ''
- name: Limit Password Reuse - Check if {{ pam_file_path }} file is present
ansible.builtin.stat:
path: '{{ pam_file_path }}'
register: result_pam_file_present
- name: Limit Password Reuse - Ensure the "remember" option from "pam_pwhistory.so"
is not present in {{ pam_file_path }}
ansible.builtin.replace:
dest: '{{ pam_file_path }}'
regexp: (.*password.*pam_pwhistory.so.*)\bremember\b=?[0-9a-zA-Z]*(.*)
replace: \1\2
register: result_pam_option_removal
when:
- result_pam_file_present.stat.exists
- name: Limit Password Reuse - Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_present.stat.exists
- result_pam_option_removal is changed
when:
- result_pam_auth_file_present.stat.exists
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"libpwquality" in ansible_facts.packages'
- result_pwhistory_conf_check.stat.exists
tags:
- CJIS-5.6.2.1.1
- NIST-800-171-3.5.8
- NIST-800-53-IA-5(1)(e)
- NIST-800-53-IA-5(f)
- PCI-DSS-Req-8.2.5
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.7
- accounts_password_pam_unix_remember
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- name: Limit Password Reuse - pam_pwhistory.so parameters are configured in PAM
files
block:
- name: Limit Password Reuse - Define the PAM file to be edited as a local fact
ansible.builtin.set_fact:
pam_file_path: /etc/pam.d/system-auth
- name: Limit Password Reuse - Check if system relies on authselect tool
ansible.builtin.stat:
path: /usr/bin/authselect
register: result_authselect_present
- name: Limit Password Reuse - Ensure authselect custom profile is used if authselect
is present
block:
- name: Limit Password Reuse - Check integrity of authselect current profile
ansible.builtin.command:
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
check_mode: false
failed_when: false
- name: Limit Password Reuse - Informative message based on the authselect integrity
check result
ansible.builtin.assert:
that:
- ansible_check_mode or result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was
not selected or the selected profile is not intact.
- It is not recommended to manually edit the PAM files when authselect tool
is available.
- In cases where the default authselect profile does not cover a specific
demand, a custom authselect profile is recommended.
success_msg:
- authselect integrity check passed
- name: Limit Password Reuse - Get authselect current profile
ansible.builtin.shell:
cmd: authselect current -r | awk '{ print $1 }'
register: result_authselect_profile
changed_when: false
when:
- result_authselect_check_cmd is success
- name: Limit Password Reuse - Define the current authselect profile as a local
fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: '{{ result_authselect_profile.stdout }}'
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is match("custom/")
- name: Limit Password Reuse - Define the new authselect custom profile as a
local fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: custom/hardening
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is not match("custom/")
- name: Limit Password Reuse - Get authselect current features to also enable
them in the custom profile
ansible.builtin.shell:
cmd: authselect current | tail -n+3 | awk '{ print $2 }'
register: result_authselect_features
changed_when: false
check_mode: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Limit Password Reuse - Check if any custom profile with the same name
was already created
ansible.builtin.stat:
path: /etc/authselect/{{ authselect_custom_profile }}
register: result_authselect_custom_profile_present
changed_when: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Limit Password Reuse - Create an authselect custom profile based on
the current profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b {{ authselect_current_profile
}}
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is not match("^(custom/|local)")
- not result_authselect_custom_profile_present.stat.exists
- name: Limit Password Reuse - Create an authselect custom profile based on
sssd profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b sssd
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is match("local")
- not result_authselect_custom_profile_present.stat.exists
- name: Limit Password Reuse - Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Limit Password Reuse - Ensure the authselect custom profile is selected
ansible.builtin.command:
cmd: authselect select {{ authselect_custom_profile }}
register: result_pam_authselect_select_profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Limit Password Reuse - Restore the authselect features in the custom
profile
ansible.builtin.command:
cmd: authselect enable-feature {{ item }}
loop: '{{ result_authselect_features.stdout_lines }}'
register: result_pam_authselect_restore_features
when:
- result_authselect_profile is not skipped
- result_authselect_features is not skipped
- result_pam_authselect_select_profile is not skipped
- name: Limit Password Reuse - Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- result_pam_authselect_restore_features is not skipped
- name: Limit Password Reuse - Change the PAM file to be edited according to
the custom authselect profile
ansible.builtin.set_fact:
pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path
| basename }}
when:
- authselect_custom_profile is defined
when:
- result_authselect_present.stat.exists
- name: Limit Password Reuse - Define a fact for control already filtered in case
filters are used
ansible.builtin.set_fact:
pam_module_control: requisite
- name: Limit Password Reuse - Check if expected PAM module line is present in
{{ pam_file_path }}
ansible.builtin.lineinfile:
path: '{{ pam_file_path }}'
regexp: ^\s*password\s+{{ pam_module_control | regex_escape() }}\s+pam_pwhistory.so\s*.*
state: absent
check_mode: true
changed_when: false
register: result_pam_line_present
- name: Limit Password Reuse - Include or update the PAM module line in {{ pam_file_path
}}
block:
- name: Limit Password Reuse - Check if required PAM module line is present
in {{ pam_file_path }} with different control
ansible.builtin.lineinfile:
path: '{{ pam_file_path }}'
regexp: ^\s*password\s+.*\s+pam_pwhistory.so\s*
state: absent
check_mode: true
changed_when: false
register: result_pam_line_other_control_present
- name: Limit Password Reuse - Ensure the correct control for the required PAM
module line in {{ pam_file_path }}
ansible.builtin.replace:
dest: '{{ pam_file_path }}'
regexp: ^(\s*password\s+).*(\bpam_pwhistory.so.*)
replace: \1{{ pam_module_control }} \2
register: result_pam_module_edit
when:
- result_pam_line_other_control_present.found == 1
- name: Limit Password Reuse - Ensure the required PAM module line is included
in {{ pam_file_path }}
ansible.builtin.lineinfile:
dest: '{{ pam_file_path }}'
line: password {{ pam_module_control }} pam_pwhistory.so
register: result_pam_module_add
when:
- result_pam_line_other_control_present.found == 0 or result_pam_line_other_control_present.found
> 1
- name: Limit Password Reuse - Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_present is defined
- result_authselect_present.stat.exists
- |-
(result_pam_module_add is defined and result_pam_module_add.changed)
or (result_pam_module_edit is defined and result_pam_module_edit.changed)
when:
- result_pam_line_present.found is defined
- result_pam_line_present.found == 0
- name: Limit Password Reuse - Define a fact for control already filtered in case
filters are used
ansible.builtin.set_fact:
pam_module_control: requisite
- name: Limit Password Reuse - Check if the required PAM module option is present
in {{ pam_file_path }}
ansible.builtin.lineinfile:
path: '{{ pam_file_path }}'
regexp: ^\s*password\s+{{ pam_module_control | regex_escape() }}\s+pam_pwhistory.so\s*.*\sremember\b
state: absent
check_mode: true
changed_when: false
register: result_pam_module_accounts_password_pam_unix_remember_option_present
- name: Limit Password Reuse - Ensure the "remember" PAM option for "pam_pwhistory.so"
is included in {{ pam_file_path }}
ansible.builtin.lineinfile:
path: '{{ pam_file_path }}'
backrefs: true
regexp: ^(\s*password\s+{{ pam_module_control | regex_escape() }}\s+pam_pwhistory.so.*)
line: \1 remember={{ var_password_pam_unix_remember }}
state: present
register: result_pam_accounts_password_pam_unix_remember_add
when:
- result_pam_module_accounts_password_pam_unix_remember_option_present.found
is defined
- result_pam_module_accounts_password_pam_unix_remember_option_present.found
== 0
- name: Limit Password Reuse - Ensure the required value for "remember" PAM option
from "pam_pwhistory.so" in {{ pam_file_path }}
ansible.builtin.lineinfile:
path: '{{ pam_file_path }}'
backrefs: true
regexp: ^(\s*password\s+{{ pam_module_control | regex_escape() }}\s+pam_pwhistory.so\s+.*)(remember)=[0-9a-zA-Z]*\s*(.*)
line: \1\2={{ var_password_pam_unix_remember }} \3
register: result_pam_accounts_password_pam_unix_remember_edit
when:
- result_pam_module_accounts_password_pam_unix_remember_option_present.found
> 0
- name: Limit Password Reuse - Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_present.stat.exists
- (result_pam_remember_add is defined and result_pam_remember_add.changed) or
(result_pam_remember_edit is defined and result_pam_remember_edit.changed)
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"libpwquality" in ansible_facts.packages'
- not result_pwhistory_conf_check.stat.exists
tags:
- CJIS-5.6.2.1.1
- NIST-800-171-3.5.8
- NIST-800-53-IA-5(1)(e)
- NIST-800-53-IA-5(f)
- PCI-DSS-Req-8.2.5
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.7
- accounts_password_pam_unix_remember
- configure_strategy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- name: Lock Accounts After Failed Password Attempts - Check if system relies on
authselect tool
ansible.builtin.stat:
path: /usr/bin/authselect
register: result_authselect_present
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- ( ansible_distribution == 'OracleLinux' and ansible_distribution_version is
version('8.2', '>=') and "pam" in ansible_facts.packages )
tags:
- CJIS-5.5.3
- DISA-STIG-OL08-00-020011
- NIST-800-171-3.1.8
- NIST-800-53-AC-7(a)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.1.6
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_faillock_deny
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Lock Accounts After Failed Password Attempts - Remediation where authselect
tool is present
block:
- name: Lock Accounts After Failed Password Attempts - Check integrity of authselect
current profile
ansible.builtin.command:
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
check_mode: false
failed_when: false
- name: Lock Accounts After Failed Password Attempts - Informative message based
on the authselect integrity check result
ansible.builtin.assert:
that:
- ansible_check_mode or result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was
not selected or the selected profile is not intact.
- It is not recommended to manually edit the PAM files when authselect tool
is available.
- In cases where the default authselect profile does not cover a specific
demand, a custom authselect profile is recommended.
success_msg:
- authselect integrity check passed
- name: Lock Accounts After Failed Password Attempts - Get authselect current
features
ansible.builtin.shell:
cmd: authselect current | tail -n+3 | awk '{ print $2 }'
register: result_authselect_features
changed_when: false
check_mode: false
when:
- result_authselect_check_cmd is success
- name: Lock Accounts After Failed Password Attempts - Ensure "with-faillock"
feature is enabled using authselect tool
ansible.builtin.command:
cmd: authselect enable-feature with-faillock
register: result_authselect_enable_feature_cmd
when:
- result_authselect_check_cmd is success
- result_authselect_features.stdout is not search("with-faillock")
- name: Lock Accounts After Failed Password Attempts - Ensure authselect changes
are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_enable_feature_cmd is not skipped
- result_authselect_enable_feature_cmd is success
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- ( ansible_distribution == 'OracleLinux' and ansible_distribution_version is
version('8.2', '>=') and "pam" in ansible_facts.packages )
- result_authselect_present.stat.exists
tags:
- CJIS-5.5.3
- DISA-STIG-OL08-00-020011
- NIST-800-171-3.1.8
- NIST-800-53-AC-7(a)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.1.6
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_faillock_deny
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Lock Accounts After Failed Password Attempts - Remediation where authselect
tool is not present
block:
- name: Lock Accounts After Failed Password Attempts - Check if pam_faillock.so
is already enabled
ansible.builtin.lineinfile:
path: /etc/pam.d/system-auth
regexp: .*auth.*pam_faillock\.so (preauth|authfail)
state: absent
check_mode: true
changed_when: false
register: result_pam_faillock_is_enabled
- name: Lock Accounts After Failed Password Attempts - Enable pam_faillock.so
preauth editing PAM files
ansible.builtin.lineinfile:
path: '{{ item }}'
line: auth required pam_faillock.so preauth
insertbefore: ^auth.*sufficient.*pam_unix\.so.*
state: present
loop:
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
when:
- result_pam_faillock_is_enabled.found == 0
- name: Lock Accounts After Failed Password Attempts - Enable pam_faillock.so
authfail editing PAM files
ansible.builtin.lineinfile:
path: '{{ item }}'
line: auth required pam_faillock.so authfail
insertbefore: ^auth.*required.*pam_deny\.so.*
state: present
loop:
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
when:
- result_pam_faillock_is_enabled.found == 0
- name: Lock Accounts After Failed Password Attempts - Enable pam_faillock.so
account section editing PAM files
ansible.builtin.lineinfile:
path: '{{ item }}'
line: account required pam_faillock.so
insertbefore: ^account.*required.*pam_unix\.so.*
state: present
loop:
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
when:
- result_pam_faillock_is_enabled.found == 0
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- ( ansible_distribution == 'OracleLinux' and ansible_distribution_version is
version('8.2', '>=') and "pam" in ansible_facts.packages )
- not result_authselect_present.stat.exists
tags:
- CJIS-5.5.3
- DISA-STIG-OL08-00-020011
- NIST-800-171-3.1.8
- NIST-800-53-AC-7(a)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.1.6
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_faillock_deny
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Lock Accounts After Failed Password Attempts - Check the presence of /etc/security/faillock.conf
file
ansible.builtin.stat:
path: /etc/security/faillock.conf
register: result_faillock_conf_check
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- ( ansible_distribution == 'OracleLinux' and ansible_distribution_version is
version('8.2', '>=') and "pam" in ansible_facts.packages )
tags:
- CJIS-5.5.3
- DISA-STIG-OL08-00-020011
- NIST-800-171-3.1.8
- NIST-800-53-AC-7(a)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.1.6
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_faillock_deny
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Lock Accounts After Failed Password Attempts - Ensure the pam_faillock.so
deny parameter in /etc/security/faillock.conf
ansible.builtin.lineinfile:
path: /etc/security/faillock.conf
regexp: ^\s*deny\s*=
line: deny = {{ var_accounts_passwords_pam_faillock_deny }}
state: present
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- ( ansible_distribution == 'OracleLinux' and ansible_distribution_version is
version('8.2', '>=') and "pam" in ansible_facts.packages )
- result_faillock_conf_check.stat.exists
tags:
- CJIS-5.5.3
- DISA-STIG-OL08-00-020011
- NIST-800-171-3.1.8
- NIST-800-53-AC-7(a)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.1.6
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_faillock_deny
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Lock Accounts After Failed Password Attempts - Ensure the pam_faillock.so
deny parameter not in PAM files
block:
- name: Lock Accounts After Failed Password Attempts - Check if /etc/pam.d/system-auth
file is present
ansible.builtin.stat:
path: /etc/pam.d/system-auth
register: result_pam_auth_file_present
- name: Lock Accounts After Failed Password Attempts - Check the proper remediation
for the system
block:
- name: Lock Accounts After Failed Password Attempts - Define the PAM file to
be edited as a local fact
ansible.builtin.set_fact:
pam_file_path: /etc/pam.d/system-auth
- name: Lock Accounts After Failed Password Attempts - Check if system relies
on authselect tool
ansible.builtin.stat:
path: /usr/bin/authselect
register: result_authselect_present
- name: Lock Accounts After Failed Password Attempts - Ensure authselect custom
profile is used if authselect is present
block:
- name: Lock Accounts After Failed Password Attempts - Check integrity of
authselect current profile
ansible.builtin.command:
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
check_mode: false
failed_when: false
- name: Lock Accounts After Failed Password Attempts - Informative message
based on the authselect integrity check result
ansible.builtin.assert:
that:
- ansible_check_mode or result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile
was not selected or the selected profile is not intact.
- It is not recommended to manually edit the PAM files when authselect
tool is available.
- In cases where the default authselect profile does not cover a specific
demand, a custom authselect profile is recommended.
success_msg:
- authselect integrity check passed
- name: Lock Accounts After Failed Password Attempts - Get authselect current
profile
ansible.builtin.shell:
cmd: authselect current -r | awk '{ print $1 }'
register: result_authselect_profile
changed_when: false
when:
- result_authselect_check_cmd is success
- name: Lock Accounts After Failed Password Attempts - Define the current
authselect profile as a local fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: '{{ result_authselect_profile.stdout }}'
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is match("custom/")
- name: Lock Accounts After Failed Password Attempts - Define the new authselect
custom profile as a local fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: custom/hardening
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is not match("custom/")
- name: Lock Accounts After Failed Password Attempts - Get authselect current
features to also enable them in the custom profile
ansible.builtin.shell:
cmd: authselect current | tail -n+3 | awk '{ print $2 }'
register: result_authselect_features
changed_when: false
check_mode: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Lock Accounts After Failed Password Attempts - Check if any custom
profile with the same name was already created
ansible.builtin.stat:
path: /etc/authselect/{{ authselect_custom_profile }}
register: result_authselect_custom_profile_present
changed_when: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Lock Accounts After Failed Password Attempts - Create an authselect
custom profile based on the current profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b {{ authselect_current_profile
}}
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is not match("^(custom/|local)")
- not result_authselect_custom_profile_present.stat.exists
- name: Lock Accounts After Failed Password Attempts - Create an authselect
custom profile based on sssd profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b sssd
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is match("local")
- not result_authselect_custom_profile_present.stat.exists
- name: Lock Accounts After Failed Password Attempts - Ensure authselect changes
are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Lock Accounts After Failed Password Attempts - Ensure the authselect
custom profile is selected
ansible.builtin.command:
cmd: authselect select {{ authselect_custom_profile }}
register: result_pam_authselect_select_profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Lock Accounts After Failed Password Attempts - Restore the authselect
features in the custom profile
ansible.builtin.command:
cmd: authselect enable-feature {{ item }}
loop: '{{ result_authselect_features.stdout_lines }}'
register: result_pam_authselect_restore_features
when:
- result_authselect_profile is not skipped
- result_authselect_features is not skipped
- result_pam_authselect_select_profile is not skipped
- name: Lock Accounts After Failed Password Attempts - Ensure authselect changes
are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- result_pam_authselect_restore_features is not skipped
- name: Lock Accounts After Failed Password Attempts - Change the PAM file
to be edited according to the custom authselect profile
ansible.builtin.set_fact:
pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path
| basename }}
when:
- authselect_custom_profile is defined
when:
- result_authselect_present.stat.exists
- name: Lock Accounts After Failed Password Attempts - Define a fact for control
already filtered in case filters are used
ansible.builtin.set_fact:
pam_module_control: ''
- name: Lock Accounts After Failed Password Attempts - Check if {{ pam_file_path
}} file is present
ansible.builtin.stat:
path: '{{ pam_file_path }}'
register: result_pam_file_present
- name: Lock Accounts After Failed Password Attempts - Ensure the "deny" option
from "pam_faillock.so" is not present in {{ pam_file_path }}
ansible.builtin.replace:
dest: '{{ pam_file_path }}'
regexp: (.*auth.*pam_faillock.so.*)\bdeny\b=?[0-9a-zA-Z]*(.*)
replace: \1\2
register: result_pam_option_removal
when:
- result_pam_file_present.stat.exists
- name: Lock Accounts After Failed Password Attempts - Ensure authselect changes
are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_present.stat.exists
- result_pam_option_removal is changed
when:
- result_pam_auth_file_present.stat.exists
- name: Lock Accounts After Failed Password Attempts - Check if /etc/pam.d/password-auth
file is present
ansible.builtin.stat:
path: /etc/pam.d/password-auth
register: result_pam_password_auth_file_present
- name: Lock Accounts After Failed Password Attempts - Check the proper remediation
for the system
block:
- name: Lock Accounts After Failed Password Attempts - Define the PAM file to
be edited as a local fact
ansible.builtin.set_fact:
pam_file_path: /etc/pam.d/password-auth
- name: Lock Accounts After Failed Password Attempts - Check if system relies
on authselect tool
ansible.builtin.stat:
path: /usr/bin/authselect
register: result_authselect_present
- name: Lock Accounts After Failed Password Attempts - Ensure authselect custom
profile is used if authselect is present
block:
- name: Lock Accounts After Failed Password Attempts - Check integrity of
authselect current profile
ansible.builtin.command:
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
check_mode: false
failed_when: false
- name: Lock Accounts After Failed Password Attempts - Informative message
based on the authselect integrity check result
ansible.builtin.assert:
that:
- ansible_check_mode or result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile
was not selected or the selected profile is not intact.
- It is not recommended to manually edit the PAM files when authselect
tool is available.
- In cases where the default authselect profile does not cover a specific
demand, a custom authselect profile is recommended.
success_msg:
- authselect integrity check passed
- name: Lock Accounts After Failed Password Attempts - Get authselect current
profile
ansible.builtin.shell:
cmd: authselect current -r | awk '{ print $1 }'
register: result_authselect_profile
changed_when: false
when:
- result_authselect_check_cmd is success
- name: Lock Accounts After Failed Password Attempts - Define the current
authselect profile as a local fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: '{{ result_authselect_profile.stdout }}'
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is match("custom/")
- name: Lock Accounts After Failed Password Attempts - Define the new authselect
custom profile as a local fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: custom/hardening
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is not match("custom/")
- name: Lock Accounts After Failed Password Attempts - Get authselect current
features to also enable them in the custom profile
ansible.builtin.shell:
cmd: authselect current | tail -n+3 | awk '{ print $2 }'
register: result_authselect_features
changed_when: false
check_mode: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Lock Accounts After Failed Password Attempts - Check if any custom
profile with the same name was already created
ansible.builtin.stat:
path: /etc/authselect/{{ authselect_custom_profile }}
register: result_authselect_custom_profile_present
changed_when: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Lock Accounts After Failed Password Attempts - Create an authselect
custom profile based on the current profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b {{ authselect_current_profile
}}
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is not match("^(custom/|local)")
- not result_authselect_custom_profile_present.stat.exists
- name: Lock Accounts After Failed Password Attempts - Create an authselect
custom profile based on sssd profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b sssd
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is match("local")
- not result_authselect_custom_profile_present.stat.exists
- name: Lock Accounts After Failed Password Attempts - Ensure authselect changes
are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Lock Accounts After Failed Password Attempts - Ensure the authselect
custom profile is selected
ansible.builtin.command:
cmd: authselect select {{ authselect_custom_profile }}
register: result_pam_authselect_select_profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Lock Accounts After Failed Password Attempts - Restore the authselect
features in the custom profile
ansible.builtin.command:
cmd: authselect enable-feature {{ item }}
loop: '{{ result_authselect_features.stdout_lines }}'
register: result_pam_authselect_restore_features
when:
- result_authselect_profile is not skipped
- result_authselect_features is not skipped
- result_pam_authselect_select_profile is not skipped
- name: Lock Accounts After Failed Password Attempts - Ensure authselect changes
are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- result_pam_authselect_restore_features is not skipped
- name: Lock Accounts After Failed Password Attempts - Change the PAM file
to be edited according to the custom authselect profile
ansible.builtin.set_fact:
pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path
| basename }}
when:
- authselect_custom_profile is defined
when:
- result_authselect_present.stat.exists
- name: Lock Accounts After Failed Password Attempts - Define a fact for control
already filtered in case filters are used
ansible.builtin.set_fact:
pam_module_control: ''
- name: Lock Accounts After Failed Password Attempts - Check if {{ pam_file_path
}} file is present
ansible.builtin.stat:
path: '{{ pam_file_path }}'
register: result_pam_file_present
- name: Lock Accounts After Failed Password Attempts - Ensure the "deny" option
from "pam_faillock.so" is not present in {{ pam_file_path }}
ansible.builtin.replace:
dest: '{{ pam_file_path }}'
regexp: (.*auth.*pam_faillock.so.*)\bdeny\b=?[0-9a-zA-Z]*(.*)
replace: \1\2
register: result_pam_option_removal
when:
- result_pam_file_present.stat.exists
- name: Lock Accounts After Failed Password Attempts - Ensure authselect changes
are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_present.stat.exists
- result_pam_option_removal is changed
when:
- result_pam_password_auth_file_present.stat.exists
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- ( ansible_distribution == 'OracleLinux' and ansible_distribution_version is
version('8.2', '>=') and "pam" in ansible_facts.packages )
- result_faillock_conf_check.stat.exists
tags:
- CJIS-5.5.3
- DISA-STIG-OL08-00-020011
- NIST-800-171-3.1.8
- NIST-800-53-AC-7(a)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.1.6
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_faillock_deny
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Lock Accounts After Failed Password Attempts - Ensure the pam_faillock.so
deny parameter in PAM files
block:
- name: Lock Accounts After Failed Password Attempts - Check if pam_faillock.so
deny parameter is already enabled in pam files
ansible.builtin.lineinfile:
path: /etc/pam.d/system-auth
regexp: .*auth.*pam_faillock\.so (preauth|authfail).*deny
state: absent
check_mode: true
changed_when: false
register: result_pam_faillock_deny_parameter_is_present
- name: Lock Accounts After Failed Password Attempts - Ensure the inclusion of
pam_faillock.so preauth deny parameter in auth section
ansible.builtin.lineinfile:
path: '{{ item }}'
backrefs: true
regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so preauth.*)
line: \1required\3 deny={{ var_accounts_passwords_pam_faillock_deny }}
state: present
loop:
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
when:
- result_pam_faillock_deny_parameter_is_present.found == 0
- name: Lock Accounts After Failed Password Attempts - Ensure the inclusion of
pam_faillock.so authfail deny parameter in auth section
ansible.builtin.lineinfile:
path: '{{ item }}'
backrefs: true
regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so authfail.*)
line: \1required\3 deny={{ var_accounts_passwords_pam_faillock_deny }}
state: present
loop:
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
when:
- result_pam_faillock_deny_parameter_is_present.found == 0
- name: Lock Accounts After Failed Password Attempts - Ensure the desired value
for pam_faillock.so preauth deny parameter in auth section
ansible.builtin.lineinfile:
path: '{{ item }}'
backrefs: true
regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so preauth.*)(deny)=[0-9]+(.*)
line: \1required\3\4={{ var_accounts_passwords_pam_faillock_deny }}\5
state: present
loop:
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
when:
- result_pam_faillock_deny_parameter_is_present.found > 0
- name: Lock Accounts After Failed Password Attempts - Ensure the desired value
for pam_faillock.so authfail deny parameter in auth section
ansible.builtin.lineinfile:
path: '{{ item }}'
backrefs: true
regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so authfail.*)(deny)=[0-9]+(.*)
line: \1required\3\4={{ var_accounts_passwords_pam_faillock_deny }}\5
state: present
loop:
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
when:
- result_pam_faillock_deny_parameter_is_present.found > 0
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- ( ansible_distribution == 'OracleLinux' and ansible_distribution_version is
version('8.2', '>=') and "pam" in ansible_facts.packages )
- not result_faillock_conf_check.stat.exists
tags:
- CJIS-5.5.3
- DISA-STIG-OL08-00-020011
- NIST-800-171-3.1.8
- NIST-800-53-AC-7(a)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.1.6
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_faillock_deny
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set Interval For Counting Failed Password Attempts - Check if system relies
on authselect tool
ansible.builtin.stat:
path: /usr/bin/authselect
register: result_authselect_present
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- ( ansible_distribution == 'OracleLinux' and ansible_distribution_version is
version('8.2', '>=') and "pam" in ansible_facts.packages )
tags:
- DISA-STIG-OL08-00-020013
- NIST-800-53-AC-7(a)
- NIST-800-53-CM-6(a)
- accounts_passwords_pam_faillock_interval
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set Interval For Counting Failed Password Attempts - Remediation where authselect
tool is present
block:
- name: Set Interval For Counting Failed Password Attempts - Check integrity of
authselect current profile
ansible.builtin.command:
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
check_mode: false
failed_when: false
- name: Set Interval For Counting Failed Password Attempts - Informative message
based on the authselect integrity check result
ansible.builtin.assert:
that:
- ansible_check_mode or result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was
not selected or the selected profile is not intact.
- It is not recommended to manually edit the PAM files when authselect tool
is available.
- In cases where the default authselect profile does not cover a specific
demand, a custom authselect profile is recommended.
success_msg:
- authselect integrity check passed
- name: Set Interval For Counting Failed Password Attempts - Get authselect current
features
ansible.builtin.shell:
cmd: authselect current | tail -n+3 | awk '{ print $2 }'
register: result_authselect_features
changed_when: false
check_mode: false
when:
- result_authselect_check_cmd is success
- name: Set Interval For Counting Failed Password Attempts - Ensure "with-faillock"
feature is enabled using authselect tool
ansible.builtin.command:
cmd: authselect enable-feature with-faillock
register: result_authselect_enable_feature_cmd
when:
- result_authselect_check_cmd is success
- result_authselect_features.stdout is not search("with-faillock")
- name: Set Interval For Counting Failed Password Attempts - Ensure authselect
changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_enable_feature_cmd is not skipped
- result_authselect_enable_feature_cmd is success
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- ( ansible_distribution == 'OracleLinux' and ansible_distribution_version is
version('8.2', '>=') and "pam" in ansible_facts.packages )
- result_authselect_present.stat.exists
tags:
- DISA-STIG-OL08-00-020013
- NIST-800-53-AC-7(a)
- NIST-800-53-CM-6(a)
- accounts_passwords_pam_faillock_interval
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set Interval For Counting Failed Password Attempts - Remediation where authselect
tool is not present
block:
- name: Set Interval For Counting Failed Password Attempts - Check if pam_faillock.so
is already enabled
ansible.builtin.lineinfile:
path: /etc/pam.d/system-auth
regexp: .*auth.*pam_faillock\.so (preauth|authfail)
state: absent
check_mode: true
changed_when: false
register: result_pam_faillock_is_enabled
- name: Set Interval For Counting Failed Password Attempts - Enable pam_faillock.so
preauth editing PAM files
ansible.builtin.lineinfile:
path: '{{ item }}'
line: auth required pam_faillock.so preauth
insertbefore: ^auth.*sufficient.*pam_unix\.so.*
state: present
loop:
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
when:
- result_pam_faillock_is_enabled.found == 0
- name: Set Interval For Counting Failed Password Attempts - Enable pam_faillock.so
authfail editing PAM files
ansible.builtin.lineinfile:
path: '{{ item }}'
line: auth required pam_faillock.so authfail
insertbefore: ^auth.*required.*pam_deny\.so.*
state: present
loop:
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
when:
- result_pam_faillock_is_enabled.found == 0
- name: Set Interval For Counting Failed Password Attempts - Enable pam_faillock.so
account section editing PAM files
ansible.builtin.lineinfile:
path: '{{ item }}'
line: account required pam_faillock.so
insertbefore: ^account.*required.*pam_unix\.so.*
state: present
loop:
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
when:
- result_pam_faillock_is_enabled.found == 0
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- ( ansible_distribution == 'OracleLinux' and ansible_distribution_version is
version('8.2', '>=') and "pam" in ansible_facts.packages )
- not result_authselect_present.stat.exists
tags:
- DISA-STIG-OL08-00-020013
- NIST-800-53-AC-7(a)
- NIST-800-53-CM-6(a)
- accounts_passwords_pam_faillock_interval
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set Interval For Counting Failed Password Attempts - Check the presence
of /etc/security/faillock.conf file
ansible.builtin.stat:
path: /etc/security/faillock.conf
register: result_faillock_conf_check
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- ( ansible_distribution == 'OracleLinux' and ansible_distribution_version is
version('8.2', '>=') and "pam" in ansible_facts.packages )
tags:
- DISA-STIG-OL08-00-020013
- NIST-800-53-AC-7(a)
- NIST-800-53-CM-6(a)
- accounts_passwords_pam_faillock_interval
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set Interval For Counting Failed Password Attempts - Ensure the pam_faillock.so
fail_interval parameter in /etc/security/faillock.conf
ansible.builtin.lineinfile:
path: /etc/security/faillock.conf
regexp: ^\s*fail_interval\s*=
line: fail_interval = {{ var_accounts_passwords_pam_faillock_fail_interval }}
state: present
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- ( ansible_distribution == 'OracleLinux' and ansible_distribution_version is
version('8.2', '>=') and "pam" in ansible_facts.packages )
- result_faillock_conf_check.stat.exists
tags:
- DISA-STIG-OL08-00-020013
- NIST-800-53-AC-7(a)
- NIST-800-53-CM-6(a)
- accounts_passwords_pam_faillock_interval
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set Interval For Counting Failed Password Attempts - Ensure the pam_faillock.so
fail_interval parameter not in PAM files
block:
- name: Set Interval For Counting Failed Password Attempts - Check if /etc/pam.d/system-auth
file is present
ansible.builtin.stat:
path: /etc/pam.d/system-auth
register: result_pam_auth_file_present
- name: Set Interval For Counting Failed Password Attempts - Check the proper
remediation for the system
block:
- name: Set Interval For Counting Failed Password Attempts - Define the PAM
file to be edited as a local fact
ansible.builtin.set_fact:
pam_file_path: /etc/pam.d/system-auth
- name: Set Interval For Counting Failed Password Attempts - Check if system
relies on authselect tool
ansible.builtin.stat:
path: /usr/bin/authselect
register: result_authselect_present
- name: Set Interval For Counting Failed Password Attempts - Ensure authselect
custom profile is used if authselect is present
block:
- name: Set Interval For Counting Failed Password Attempts - Check integrity
of authselect current profile
ansible.builtin.command:
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
check_mode: false
failed_when: false
- name: Set Interval For Counting Failed Password Attempts - Informative message
based on the authselect integrity check result
ansible.builtin.assert:
that:
- ansible_check_mode or result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile
was not selected or the selected profile is not intact.
- It is not recommended to manually edit the PAM files when authselect
tool is available.
- In cases where the default authselect profile does not cover a specific
demand, a custom authselect profile is recommended.
success_msg:
- authselect integrity check passed
- name: Set Interval For Counting Failed Password Attempts - Get authselect
current profile
ansible.builtin.shell:
cmd: authselect current -r | awk '{ print $1 }'
register: result_authselect_profile
changed_when: false
when:
- result_authselect_check_cmd is success
- name: Set Interval For Counting Failed Password Attempts - Define the current
authselect profile as a local fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: '{{ result_authselect_profile.stdout }}'
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is match("custom/")
- name: Set Interval For Counting Failed Password Attempts - Define the new
authselect custom profile as a local fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: custom/hardening
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is not match("custom/")
- name: Set Interval For Counting Failed Password Attempts - Get authselect
current features to also enable them in the custom profile
ansible.builtin.shell:
cmd: authselect current | tail -n+3 | awk '{ print $2 }'
register: result_authselect_features
changed_when: false
check_mode: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Set Interval For Counting Failed Password Attempts - Check if any
custom profile with the same name was already created
ansible.builtin.stat:
path: /etc/authselect/{{ authselect_custom_profile }}
register: result_authselect_custom_profile_present
changed_when: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Set Interval For Counting Failed Password Attempts - Create an authselect
custom profile based on the current profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b {{ authselect_current_profile
}}
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is not match("^(custom/|local)")
- not result_authselect_custom_profile_present.stat.exists
- name: Set Interval For Counting Failed Password Attempts - Create an authselect
custom profile based on sssd profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b sssd
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is match("local")
- not result_authselect_custom_profile_present.stat.exists
- name: Set Interval For Counting Failed Password Attempts - Ensure authselect
changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Set Interval For Counting Failed Password Attempts - Ensure the authselect
custom profile is selected
ansible.builtin.command:
cmd: authselect select {{ authselect_custom_profile }}
register: result_pam_authselect_select_profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Set Interval For Counting Failed Password Attempts - Restore the authselect
features in the custom profile
ansible.builtin.command:
cmd: authselect enable-feature {{ item }}
loop: '{{ result_authselect_features.stdout_lines }}'
register: result_pam_authselect_restore_features
when:
- result_authselect_profile is not skipped
- result_authselect_features is not skipped
- result_pam_authselect_select_profile is not skipped
- name: Set Interval For Counting Failed Password Attempts - Ensure authselect
changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- result_pam_authselect_restore_features is not skipped
- name: Set Interval For Counting Failed Password Attempts - Change the PAM
file to be edited according to the custom authselect profile
ansible.builtin.set_fact:
pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path
| basename }}
when:
- authselect_custom_profile is defined
when:
- result_authselect_present.stat.exists
- name: Set Interval For Counting Failed Password Attempts - Define a fact for
control already filtered in case filters are used
ansible.builtin.set_fact:
pam_module_control: ''
- name: Set Interval For Counting Failed Password Attempts - Check if {{ pam_file_path
}} file is present
ansible.builtin.stat:
path: '{{ pam_file_path }}'
register: result_pam_file_present
- name: Set Interval For Counting Failed Password Attempts - Ensure the "fail_interval"
option from "pam_faillock.so" is not present in {{ pam_file_path }}
ansible.builtin.replace:
dest: '{{ pam_file_path }}'
regexp: (.*auth.*pam_faillock.so.*)\bfail_interval\b=?[0-9a-zA-Z]*(.*)
replace: \1\2
register: result_pam_option_removal
when:
- result_pam_file_present.stat.exists
- name: Set Interval For Counting Failed Password Attempts - Ensure authselect
changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_present.stat.exists
- result_pam_option_removal is changed
when:
- result_pam_auth_file_present.stat.exists
- name: Set Interval For Counting Failed Password Attempts - Check if /etc/pam.d/password-auth
file is present
ansible.builtin.stat:
path: /etc/pam.d/password-auth
register: result_pam_password_auth_file_present
- name: Set Interval For Counting Failed Password Attempts - Check the proper
remediation for the system
block:
- name: Set Interval For Counting Failed Password Attempts - Define the PAM
file to be edited as a local fact
ansible.builtin.set_fact:
pam_file_path: /etc/pam.d/password-auth
- name: Set Interval For Counting Failed Password Attempts - Check if system
relies on authselect tool
ansible.builtin.stat:
path: /usr/bin/authselect
register: result_authselect_present
- name: Set Interval For Counting Failed Password Attempts - Ensure authselect
custom profile is used if authselect is present
block:
- name: Set Interval For Counting Failed Password Attempts - Check integrity
of authselect current profile
ansible.builtin.command:
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
check_mode: false
failed_when: false
- name: Set Interval For Counting Failed Password Attempts - Informative message
based on the authselect integrity check result
ansible.builtin.assert:
that:
- ansible_check_mode or result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile
was not selected or the selected profile is not intact.
- It is not recommended to manually edit the PAM files when authselect
tool is available.
- In cases where the default authselect profile does not cover a specific
demand, a custom authselect profile is recommended.
success_msg:
- authselect integrity check passed
- name: Set Interval For Counting Failed Password Attempts - Get authselect
current profile
ansible.builtin.shell:
cmd: authselect current -r | awk '{ print $1 }'
register: result_authselect_profile
changed_when: false
when:
- result_authselect_check_cmd is success
- name: Set Interval For Counting Failed Password Attempts - Define the current
authselect profile as a local fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: '{{ result_authselect_profile.stdout }}'
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is match("custom/")
- name: Set Interval For Counting Failed Password Attempts - Define the new
authselect custom profile as a local fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: custom/hardening
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is not match("custom/")
- name: Set Interval For Counting Failed Password Attempts - Get authselect
current features to also enable them in the custom profile
ansible.builtin.shell:
cmd: authselect current | tail -n+3 | awk '{ print $2 }'
register: result_authselect_features
changed_when: false
check_mode: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Set Interval For Counting Failed Password Attempts - Check if any
custom profile with the same name was already created
ansible.builtin.stat:
path: /etc/authselect/{{ authselect_custom_profile }}
register: result_authselect_custom_profile_present
changed_when: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Set Interval For Counting Failed Password Attempts - Create an authselect
custom profile based on the current profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b {{ authselect_current_profile
}}
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is not match("^(custom/|local)")
- not result_authselect_custom_profile_present.stat.exists
- name: Set Interval For Counting Failed Password Attempts - Create an authselect
custom profile based on sssd profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b sssd
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is match("local")
- not result_authselect_custom_profile_present.stat.exists
- name: Set Interval For Counting Failed Password Attempts - Ensure authselect
changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Set Interval For Counting Failed Password Attempts - Ensure the authselect
custom profile is selected
ansible.builtin.command:
cmd: authselect select {{ authselect_custom_profile }}
register: result_pam_authselect_select_profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Set Interval For Counting Failed Password Attempts - Restore the authselect
features in the custom profile
ansible.builtin.command:
cmd: authselect enable-feature {{ item }}
loop: '{{ result_authselect_features.stdout_lines }}'
register: result_pam_authselect_restore_features
when:
- result_authselect_profile is not skipped
- result_authselect_features is not skipped
- result_pam_authselect_select_profile is not skipped
- name: Set Interval For Counting Failed Password Attempts - Ensure authselect
changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- result_pam_authselect_restore_features is not skipped
- name: Set Interval For Counting Failed Password Attempts - Change the PAM
file to be edited according to the custom authselect profile
ansible.builtin.set_fact:
pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path
| basename }}
when:
- authselect_custom_profile is defined
when:
- result_authselect_present.stat.exists
- name: Set Interval For Counting Failed Password Attempts - Define a fact for
control already filtered in case filters are used
ansible.builtin.set_fact:
pam_module_control: ''
- name: Set Interval For Counting Failed Password Attempts - Check if {{ pam_file_path
}} file is present
ansible.builtin.stat:
path: '{{ pam_file_path }}'
register: result_pam_file_present
- name: Set Interval For Counting Failed Password Attempts - Ensure the "fail_interval"
option from "pam_faillock.so" is not present in {{ pam_file_path }}
ansible.builtin.replace:
dest: '{{ pam_file_path }}'
regexp: (.*auth.*pam_faillock.so.*)\bfail_interval\b=?[0-9a-zA-Z]*(.*)
replace: \1\2
register: result_pam_option_removal
when:
- result_pam_file_present.stat.exists
- name: Set Interval For Counting Failed Password Attempts - Ensure authselect
changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_present.stat.exists
- result_pam_option_removal is changed
when:
- result_pam_password_auth_file_present.stat.exists
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- ( ansible_distribution == 'OracleLinux' and ansible_distribution_version is
version('8.2', '>=') and "pam" in ansible_facts.packages )
- result_faillock_conf_check.stat.exists
tags:
- DISA-STIG-OL08-00-020013
- NIST-800-53-AC-7(a)
- NIST-800-53-CM-6(a)
- accounts_passwords_pam_faillock_interval
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set Interval For Counting Failed Password Attempts - Ensure the pam_faillock.so
fail_interval parameter in PAM files
block:
- name: Set Interval For Counting Failed Password Attempts - Check if pam_faillock.so
fail_interval parameter is already enabled in pam files
ansible.builtin.lineinfile:
path: /etc/pam.d/system-auth
regexp: .*auth.*pam_faillock\.so (preauth|authfail).*fail_interval
state: absent
check_mode: true
changed_when: false
register: result_pam_faillock_fail_interval_parameter_is_present
- name: Set Interval For Counting Failed Password Attempts - Ensure the inclusion
of pam_faillock.so preauth fail_interval parameter in auth section
ansible.builtin.lineinfile:
path: '{{ item }}'
backrefs: true
regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so preauth.*)
line: \1required\3 fail_interval={{ var_accounts_passwords_pam_faillock_fail_interval
}}
state: present
loop:
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
when:
- result_pam_faillock_fail_interval_parameter_is_present.found == 0
- name: Set Interval For Counting Failed Password Attempts - Ensure the inclusion
of pam_faillock.so authfail fail_interval parameter in auth section
ansible.builtin.lineinfile:
path: '{{ item }}'
backrefs: true
regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so authfail.*)
line: \1required\3 fail_interval={{ var_accounts_passwords_pam_faillock_fail_interval
}}
state: present
loop:
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
when:
- result_pam_faillock_fail_interval_parameter_is_present.found == 0
- name: Set Interval For Counting Failed Password Attempts - Ensure the desired
value for pam_faillock.so preauth fail_interval parameter in auth section
ansible.builtin.lineinfile:
path: '{{ item }}'
backrefs: true
regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so preauth.*)(fail_interval)=[0-9]+(.*)
line: \1required\3\4={{ var_accounts_passwords_pam_faillock_fail_interval
}}\5
state: present
loop:
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
when:
- result_pam_faillock_fail_interval_parameter_is_present.found > 0
- name: Set Interval For Counting Failed Password Attempts - Ensure the desired
value for pam_faillock.so authfail fail_interval parameter in auth section
ansible.builtin.lineinfile:
path: '{{ item }}'
backrefs: true
regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so authfail.*)(fail_interval)=[0-9]+(.*)
line: \1required\3\4={{ var_accounts_passwords_pam_faillock_fail_interval
}}\5
state: present
loop:
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
when:
- result_pam_faillock_fail_interval_parameter_is_present.found > 0
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- ( ansible_distribution == 'OracleLinux' and ansible_distribution_version is
version('8.2', '>=') and "pam" in ansible_facts.packages )
- not result_faillock_conf_check.stat.exists
tags:
- DISA-STIG-OL08-00-020013
- NIST-800-53-AC-7(a)
- NIST-800-53-CM-6(a)
- accounts_passwords_pam_faillock_interval
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set Lockout Time for Failed Password Attempts - Check if system relies on
authselect tool
ansible.builtin.stat:
path: /usr/bin/authselect
register: result_authselect_present
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- ( ansible_distribution == 'OracleLinux' and ansible_distribution_version is
version('8.2', '>=') and "pam" in ansible_facts.packages )
tags:
- CJIS-5.5.3
- DISA-STIG-OL08-00-020015
- NIST-800-171-3.1.8
- NIST-800-53-AC-7(b)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.1.7
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_faillock_unlock_time
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set Lockout Time for Failed Password Attempts - Remediation where authselect
tool is present
block:
- name: Set Lockout Time for Failed Password Attempts - Check integrity of authselect
current profile
ansible.builtin.command:
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
check_mode: false
failed_when: false
- name: Set Lockout Time for Failed Password Attempts - Informative message based
on the authselect integrity check result
ansible.builtin.assert:
that:
- ansible_check_mode or result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was
not selected or the selected profile is not intact.
- It is not recommended to manually edit the PAM files when authselect tool
is available.
- In cases where the default authselect profile does not cover a specific
demand, a custom authselect profile is recommended.
success_msg:
- authselect integrity check passed
- name: Set Lockout Time for Failed Password Attempts - Get authselect current
features
ansible.builtin.shell:
cmd: authselect current | tail -n+3 | awk '{ print $2 }'
register: result_authselect_features
changed_when: false
check_mode: false
when:
- result_authselect_check_cmd is success
- name: Set Lockout Time for Failed Password Attempts - Ensure "with-faillock"
feature is enabled using authselect tool
ansible.builtin.command:
cmd: authselect enable-feature with-faillock
register: result_authselect_enable_feature_cmd
when:
- result_authselect_check_cmd is success
- result_authselect_features.stdout is not search("with-faillock")
- name: Set Lockout Time for Failed Password Attempts - Ensure authselect changes
are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_enable_feature_cmd is not skipped
- result_authselect_enable_feature_cmd is success
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- ( ansible_distribution == 'OracleLinux' and ansible_distribution_version is
version('8.2', '>=') and "pam" in ansible_facts.packages )
- result_authselect_present.stat.exists
tags:
- CJIS-5.5.3
- DISA-STIG-OL08-00-020015
- NIST-800-171-3.1.8
- NIST-800-53-AC-7(b)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.1.7
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_faillock_unlock_time
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set Lockout Time for Failed Password Attempts - Remediation where authselect
tool is not present
block:
- name: Set Lockout Time for Failed Password Attempts - Check if pam_faillock.so
is already enabled
ansible.builtin.lineinfile:
path: /etc/pam.d/system-auth
regexp: .*auth.*pam_faillock\.so (preauth|authfail)
state: absent
check_mode: true
changed_when: false
register: result_pam_faillock_is_enabled
- name: Set Lockout Time for Failed Password Attempts - Enable pam_faillock.so
preauth editing PAM files
ansible.builtin.lineinfile:
path: '{{ item }}'
line: auth required pam_faillock.so preauth
insertbefore: ^auth.*sufficient.*pam_unix\.so.*
state: present
loop:
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
when:
- result_pam_faillock_is_enabled.found == 0
- name: Set Lockout Time for Failed Password Attempts - Enable pam_faillock.so
authfail editing PAM files
ansible.builtin.lineinfile:
path: '{{ item }}'
line: auth required pam_faillock.so authfail
insertbefore: ^auth.*required.*pam_deny\.so.*
state: present
loop:
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
when:
- result_pam_faillock_is_enabled.found == 0
- name: Set Lockout Time for Failed Password Attempts - Enable pam_faillock.so
account section editing PAM files
ansible.builtin.lineinfile:
path: '{{ item }}'
line: account required pam_faillock.so
insertbefore: ^account.*required.*pam_unix\.so.*
state: present
loop:
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
when:
- result_pam_faillock_is_enabled.found == 0
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- ( ansible_distribution == 'OracleLinux' and ansible_distribution_version is
version('8.2', '>=') and "pam" in ansible_facts.packages )
- not result_authselect_present.stat.exists
tags:
- CJIS-5.5.3
- DISA-STIG-OL08-00-020015
- NIST-800-171-3.1.8
- NIST-800-53-AC-7(b)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.1.7
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_faillock_unlock_time
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set Lockout Time for Failed Password Attempts - Check the presence of /etc/security/faillock.conf
file
ansible.builtin.stat:
path: /etc/security/faillock.conf
register: result_faillock_conf_check
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- ( ansible_distribution == 'OracleLinux' and ansible_distribution_version is
version('8.2', '>=') and "pam" in ansible_facts.packages )
tags:
- CJIS-5.5.3
- DISA-STIG-OL08-00-020015
- NIST-800-171-3.1.8
- NIST-800-53-AC-7(b)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.1.7
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_faillock_unlock_time
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set Lockout Time for Failed Password Attempts - Ensure the pam_faillock.so
unlock_time parameter in /etc/security/faillock.conf
ansible.builtin.lineinfile:
path: /etc/security/faillock.conf
regexp: ^\s*unlock_time\s*=
line: unlock_time = {{ var_accounts_passwords_pam_faillock_unlock_time }}
state: present
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- ( ansible_distribution == 'OracleLinux' and ansible_distribution_version is
version('8.2', '>=') and "pam" in ansible_facts.packages )
- result_faillock_conf_check.stat.exists
tags:
- CJIS-5.5.3
- DISA-STIG-OL08-00-020015
- NIST-800-171-3.1.8
- NIST-800-53-AC-7(b)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.1.7
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_faillock_unlock_time
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set Lockout Time for Failed Password Attempts - Ensure the pam_faillock.so
unlock_time parameter not in PAM files
block:
- name: Set Lockout Time for Failed Password Attempts - Check if /etc/pam.d/system-auth
file is present
ansible.builtin.stat:
path: /etc/pam.d/system-auth
register: result_pam_auth_file_present
- name: Set Lockout Time for Failed Password Attempts - Check the proper remediation
for the system
block:
- name: Set Lockout Time for Failed Password Attempts - Define the PAM file
to be edited as a local fact
ansible.builtin.set_fact:
pam_file_path: /etc/pam.d/system-auth
- name: Set Lockout Time for Failed Password Attempts - Check if system relies
on authselect tool
ansible.builtin.stat:
path: /usr/bin/authselect
register: result_authselect_present
- name: Set Lockout Time for Failed Password Attempts - Ensure authselect custom
profile is used if authselect is present
block:
- name: Set Lockout Time for Failed Password Attempts - Check integrity of
authselect current profile
ansible.builtin.command:
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
check_mode: false
failed_when: false
- name: Set Lockout Time for Failed Password Attempts - Informative message
based on the authselect integrity check result
ansible.builtin.assert:
that:
- ansible_check_mode or result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile
was not selected or the selected profile is not intact.
- It is not recommended to manually edit the PAM files when authselect
tool is available.
- In cases where the default authselect profile does not cover a specific
demand, a custom authselect profile is recommended.
success_msg:
- authselect integrity check passed
- name: Set Lockout Time for Failed Password Attempts - Get authselect current
profile
ansible.builtin.shell:
cmd: authselect current -r | awk '{ print $1 }'
register: result_authselect_profile
changed_when: false
when:
- result_authselect_check_cmd is success
- name: Set Lockout Time for Failed Password Attempts - Define the current
authselect profile as a local fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: '{{ result_authselect_profile.stdout }}'
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is match("custom/")
- name: Set Lockout Time for Failed Password Attempts - Define the new authselect
custom profile as a local fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: custom/hardening
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is not match("custom/")
- name: Set Lockout Time for Failed Password Attempts - Get authselect current
features to also enable them in the custom profile
ansible.builtin.shell:
cmd: authselect current | tail -n+3 | awk '{ print $2 }'
register: result_authselect_features
changed_when: false
check_mode: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Set Lockout Time for Failed Password Attempts - Check if any custom
profile with the same name was already created
ansible.builtin.stat:
path: /etc/authselect/{{ authselect_custom_profile }}
register: result_authselect_custom_profile_present
changed_when: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Set Lockout Time for Failed Password Attempts - Create an authselect
custom profile based on the current profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b {{ authselect_current_profile
}}
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is not match("^(custom/|local)")
- not result_authselect_custom_profile_present.stat.exists
- name: Set Lockout Time for Failed Password Attempts - Create an authselect
custom profile based on sssd profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b sssd
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is match("local")
- not result_authselect_custom_profile_present.stat.exists
- name: Set Lockout Time for Failed Password Attempts - Ensure authselect
changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Set Lockout Time for Failed Password Attempts - Ensure the authselect
custom profile is selected
ansible.builtin.command:
cmd: authselect select {{ authselect_custom_profile }}
register: result_pam_authselect_select_profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Set Lockout Time for Failed Password Attempts - Restore the authselect
features in the custom profile
ansible.builtin.command:
cmd: authselect enable-feature {{ item }}
loop: '{{ result_authselect_features.stdout_lines }}'
register: result_pam_authselect_restore_features
when:
- result_authselect_profile is not skipped
- result_authselect_features is not skipped
- result_pam_authselect_select_profile is not skipped
- name: Set Lockout Time for Failed Password Attempts - Ensure authselect
changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- result_pam_authselect_restore_features is not skipped
- name: Set Lockout Time for Failed Password Attempts - Change the PAM file
to be edited according to the custom authselect profile
ansible.builtin.set_fact:
pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path
| basename }}
when:
- authselect_custom_profile is defined
when:
- result_authselect_present.stat.exists
- name: Set Lockout Time for Failed Password Attempts - Define a fact for control
already filtered in case filters are used
ansible.builtin.set_fact:
pam_module_control: ''
- name: Set Lockout Time for Failed Password Attempts - Check if {{ pam_file_path
}} file is present
ansible.builtin.stat:
path: '{{ pam_file_path }}'
register: result_pam_file_present
- name: Set Lockout Time for Failed Password Attempts - Ensure the "unlock_time"
option from "pam_faillock.so" is not present in {{ pam_file_path }}
ansible.builtin.replace:
dest: '{{ pam_file_path }}'
regexp: (.*auth.*pam_faillock.so.*)\bunlock_time\b=?[0-9a-zA-Z]*(.*)
replace: \1\2
register: result_pam_option_removal
when:
- result_pam_file_present.stat.exists
- name: Set Lockout Time for Failed Password Attempts - Ensure authselect changes
are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_present.stat.exists
- result_pam_option_removal is changed
when:
- result_pam_auth_file_present.stat.exists
- name: Set Lockout Time for Failed Password Attempts - Check if /etc/pam.d/password-auth
file is present
ansible.builtin.stat:
path: /etc/pam.d/password-auth
register: result_pam_password_auth_file_present
- name: Set Lockout Time for Failed Password Attempts - Check the proper remediation
for the system
block:
- name: Set Lockout Time for Failed Password Attempts - Define the PAM file
to be edited as a local fact
ansible.builtin.set_fact:
pam_file_path: /etc/pam.d/password-auth
- name: Set Lockout Time for Failed Password Attempts - Check if system relies
on authselect tool
ansible.builtin.stat:
path: /usr/bin/authselect
register: result_authselect_present
- name: Set Lockout Time for Failed Password Attempts - Ensure authselect custom
profile is used if authselect is present
block:
- name: Set Lockout Time for Failed Password Attempts - Check integrity of
authselect current profile
ansible.builtin.command:
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
check_mode: false
failed_when: false
- name: Set Lockout Time for Failed Password Attempts - Informative message
based on the authselect integrity check result
ansible.builtin.assert:
that:
- ansible_check_mode or result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile
was not selected or the selected profile is not intact.
- It is not recommended to manually edit the PAM files when authselect
tool is available.
- In cases where the default authselect profile does not cover a specific
demand, a custom authselect profile is recommended.
success_msg:
- authselect integrity check passed
- name: Set Lockout Time for Failed Password Attempts - Get authselect current
profile
ansible.builtin.shell:
cmd: authselect current -r | awk '{ print $1 }'
register: result_authselect_profile
changed_when: false
when:
- result_authselect_check_cmd is success
- name: Set Lockout Time for Failed Password Attempts - Define the current
authselect profile as a local fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: '{{ result_authselect_profile.stdout }}'
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is match("custom/")
- name: Set Lockout Time for Failed Password Attempts - Define the new authselect
custom profile as a local fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: custom/hardening
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is not match("custom/")
- name: Set Lockout Time for Failed Password Attempts - Get authselect current
features to also enable them in the custom profile
ansible.builtin.shell:
cmd: authselect current | tail -n+3 | awk '{ print $2 }'
register: result_authselect_features
changed_when: false
check_mode: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Set Lockout Time for Failed Password Attempts - Check if any custom
profile with the same name was already created
ansible.builtin.stat:
path: /etc/authselect/{{ authselect_custom_profile }}
register: result_authselect_custom_profile_present
changed_when: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Set Lockout Time for Failed Password Attempts - Create an authselect
custom profile based on the current profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b {{ authselect_current_profile
}}
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is not match("^(custom/|local)")
- not result_authselect_custom_profile_present.stat.exists
- name: Set Lockout Time for Failed Password Attempts - Create an authselect
custom profile based on sssd profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b sssd
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is match("local")
- not result_authselect_custom_profile_present.stat.exists
- name: Set Lockout Time for Failed Password Attempts - Ensure authselect
changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Set Lockout Time for Failed Password Attempts - Ensure the authselect
custom profile is selected
ansible.builtin.command:
cmd: authselect select {{ authselect_custom_profile }}
register: result_pam_authselect_select_profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Set Lockout Time for Failed Password Attempts - Restore the authselect
features in the custom profile
ansible.builtin.command:
cmd: authselect enable-feature {{ item }}
loop: '{{ result_authselect_features.stdout_lines }}'
register: result_pam_authselect_restore_features
when:
- result_authselect_profile is not skipped
- result_authselect_features is not skipped
- result_pam_authselect_select_profile is not skipped
- name: Set Lockout Time for Failed Password Attempts - Ensure authselect
changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- result_pam_authselect_restore_features is not skipped
- name: Set Lockout Time for Failed Password Attempts - Change the PAM file
to be edited according to the custom authselect profile
ansible.builtin.set_fact:
pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path
| basename }}
when:
- authselect_custom_profile is defined
when:
- result_authselect_present.stat.exists
- name: Set Lockout Time for Failed Password Attempts - Define a fact for control
already filtered in case filters are used
ansible.builtin.set_fact:
pam_module_control: ''
- name: Set Lockout Time for Failed Password Attempts - Check if {{ pam_file_path
}} file is present
ansible.builtin.stat:
path: '{{ pam_file_path }}'
register: result_pam_file_present
- name: Set Lockout Time for Failed Password Attempts - Ensure the "unlock_time"
option from "pam_faillock.so" is not present in {{ pam_file_path }}
ansible.builtin.replace:
dest: '{{ pam_file_path }}'
regexp: (.*auth.*pam_faillock.so.*)\bunlock_time\b=?[0-9a-zA-Z]*(.*)
replace: \1\2
register: result_pam_option_removal
when:
- result_pam_file_present.stat.exists
- name: Set Lockout Time for Failed Password Attempts - Ensure authselect changes
are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_present.stat.exists
- result_pam_option_removal is changed
when:
- result_pam_password_auth_file_present.stat.exists
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- ( ansible_distribution == 'OracleLinux' and ansible_distribution_version is
version('8.2', '>=') and "pam" in ansible_facts.packages )
- result_faillock_conf_check.stat.exists
tags:
- CJIS-5.5.3
- DISA-STIG-OL08-00-020015
- NIST-800-171-3.1.8
- NIST-800-53-AC-7(b)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.1.7
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_faillock_unlock_time
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set Lockout Time for Failed Password Attempts - Ensure the pam_faillock.so
unlock_time parameter in PAM files
block:
- name: Set Lockout Time for Failed Password Attempts - Check if pam_faillock.so
unlock_time parameter is already enabled in pam files
ansible.builtin.lineinfile:
path: /etc/pam.d/system-auth
regexp: .*auth.*pam_faillock\.so (preauth|authfail).*unlock_time
state: absent
check_mode: true
changed_when: false
register: result_pam_faillock_unlock_time_parameter_is_present
- name: Set Lockout Time for Failed Password Attempts - Ensure the inclusion of
pam_faillock.so preauth unlock_time parameter in auth section
ansible.builtin.lineinfile:
path: '{{ item }}'
backrefs: true
regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so preauth.*)
line: \1required\3 unlock_time={{ var_accounts_passwords_pam_faillock_unlock_time
}}
state: present
loop:
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
when:
- result_pam_faillock_unlock_time_parameter_is_present.found == 0
- name: Set Lockout Time for Failed Password Attempts - Ensure the inclusion of
pam_faillock.so authfail unlock_time parameter in auth section
ansible.builtin.lineinfile:
path: '{{ item }}'
backrefs: true
regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so authfail.*)
line: \1required\3 unlock_time={{ var_accounts_passwords_pam_faillock_unlock_time
}}
state: present
loop:
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
when:
- result_pam_faillock_unlock_time_parameter_is_present.found == 0
- name: Set Lockout Time for Failed Password Attempts - Ensure the desired value
for pam_faillock.so preauth unlock_time parameter in auth section
ansible.builtin.lineinfile:
path: '{{ item }}'
backrefs: true
regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so preauth.*)(unlock_time)=[0-9]+(.*)
line: \1required\3\4={{ var_accounts_passwords_pam_faillock_unlock_time }}\5
state: present
loop:
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
when:
- result_pam_faillock_unlock_time_parameter_is_present.found > 0
- name: Set Lockout Time for Failed Password Attempts - Ensure the desired value
for pam_faillock.so authfail unlock_time parameter in auth section
ansible.builtin.lineinfile:
path: '{{ item }}'
backrefs: true
regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so authfail.*)(unlock_time)=[0-9]+(.*)
line: \1required\3\4={{ var_accounts_passwords_pam_faillock_unlock_time }}\5
state: present
loop:
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
when:
- result_pam_faillock_unlock_time_parameter_is_present.found > 0
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- ( ansible_distribution == 'OracleLinux' and ansible_distribution_version is
version('8.2', '>=') and "pam" in ansible_facts.packages )
- not result_faillock_conf_check.stat.exists
tags:
- CJIS-5.5.3
- DISA-STIG-OL08-00-020015
- NIST-800-171-3.1.8
- NIST-800-53-AC-7(b)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-8.1.7
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.4
- accounts_passwords_pam_faillock_unlock_time
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure PAM Enforces Password Requirements - Minimum Digit Characters - Find
pwquality.conf.d files
ansible.builtin.find:
paths: /etc/security/pwquality.conf.d/
patterns: '*.conf'
register: pwquality_conf_d_files
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"libpwquality" in ansible_facts.packages'
tags:
- DISA-STIG-OL08-00-020130
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(4)
- NIST-800-53-IA-5(c)
- PCI-DSS-Req-8.2.3
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.6
- accounts_password_pam_dcredit
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure PAM Enforces Password Requirements - Minimum Digit Characters - Ensure
dcredit is not set in pwquality.conf.d
ansible.builtin.lineinfile:
path: '{{ item.path }}'
regexp: ^\s*\bdcredit\b.*
state: absent
with_items: '{{ pwquality_conf_d_files.files }}'
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"libpwquality" in ansible_facts.packages'
tags:
- DISA-STIG-OL08-00-020130
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(4)
- NIST-800-53-IA-5(c)
- PCI-DSS-Req-8.2.3
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.6
- accounts_password_pam_dcredit
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure PAM Enforces Password Requirements - Minimum Digit Characters - Check
if /etc/pam.d/system-auth file is present
ansible.builtin.stat:
path: /etc/pam.d/system-auth
register: result_pam_auth_file_present
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"libpwquality" in ansible_facts.packages'
tags:
- DISA-STIG-OL08-00-020130
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(4)
- NIST-800-53-IA-5(c)
- PCI-DSS-Req-8.2.3
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.6
- accounts_password_pam_dcredit
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure PAM Enforces Password Requirements - Minimum Digit Characters - Check
the proper remediation for the system
block:
- name: Ensure PAM Enforces Password Requirements - Minimum Digit Characters -
Define the PAM file to be edited as a local fact
ansible.builtin.set_fact:
pam_file_path: /etc/pam.d/system-auth
- name: Ensure PAM Enforces Password Requirements - Minimum Digit Characters -
Check if system relies on authselect tool
ansible.builtin.stat:
path: /usr/bin/authselect
register: result_authselect_present
- name: Ensure PAM Enforces Password Requirements - Minimum Digit Characters -
Ensure authselect custom profile is used if authselect is present
block:
- name: Ensure PAM Enforces Password Requirements - Minimum Digit Characters
- Check integrity of authselect current profile
ansible.builtin.command:
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
check_mode: false
failed_when: false
- name: Ensure PAM Enforces Password Requirements - Minimum Digit Characters
- Informative message based on the authselect integrity check result
ansible.builtin.assert:
that:
- ansible_check_mode or result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was
not selected or the selected profile is not intact.
- It is not recommended to manually edit the PAM files when authselect tool
is available.
- In cases where the default authselect profile does not cover a specific
demand, a custom authselect profile is recommended.
success_msg:
- authselect integrity check passed
- name: Ensure PAM Enforces Password Requirements - Minimum Digit Characters
- Get authselect current profile
ansible.builtin.shell:
cmd: authselect current -r | awk '{ print $1 }'
register: result_authselect_profile
changed_when: false
when:
- result_authselect_check_cmd is success
- name: Ensure PAM Enforces Password Requirements - Minimum Digit Characters
- Define the current authselect profile as a local fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: '{{ result_authselect_profile.stdout }}'
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is match("custom/")
- name: Ensure PAM Enforces Password Requirements - Minimum Digit Characters
- Define the new authselect custom profile as a local fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: custom/hardening
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is not match("custom/")
- name: Ensure PAM Enforces Password Requirements - Minimum Digit Characters
- Get authselect current features to also enable them in the custom profile
ansible.builtin.shell:
cmd: authselect current | tail -n+3 | awk '{ print $2 }'
register: result_authselect_features
changed_when: false
check_mode: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Ensure PAM Enforces Password Requirements - Minimum Digit Characters
- Check if any custom profile with the same name was already created
ansible.builtin.stat:
path: /etc/authselect/{{ authselect_custom_profile }}
register: result_authselect_custom_profile_present
changed_when: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Ensure PAM Enforces Password Requirements - Minimum Digit Characters
- Create an authselect custom profile based on the current profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b {{ authselect_current_profile
}}
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is not match("^(custom/|local)")
- not result_authselect_custom_profile_present.stat.exists
- name: Ensure PAM Enforces Password Requirements - Minimum Digit Characters
- Create an authselect custom profile based on sssd profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b sssd
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is match("local")
- not result_authselect_custom_profile_present.stat.exists
- name: Ensure PAM Enforces Password Requirements - Minimum Digit Characters
- Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Ensure PAM Enforces Password Requirements - Minimum Digit Characters
- Ensure the authselect custom profile is selected
ansible.builtin.command:
cmd: authselect select {{ authselect_custom_profile }}
register: result_pam_authselect_select_profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Ensure PAM Enforces Password Requirements - Minimum Digit Characters
- Restore the authselect features in the custom profile
ansible.builtin.command:
cmd: authselect enable-feature {{ item }}
loop: '{{ result_authselect_features.stdout_lines }}'
register: result_pam_authselect_restore_features
when:
- result_authselect_profile is not skipped
- result_authselect_features is not skipped
- result_pam_authselect_select_profile is not skipped
- name: Ensure PAM Enforces Password Requirements - Minimum Digit Characters
- Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- result_pam_authselect_restore_features is not skipped
- name: Ensure PAM Enforces Password Requirements - Minimum Digit Characters
- Change the PAM file to be edited according to the custom authselect profile
ansible.builtin.set_fact:
pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path
| basename }}
when:
- authselect_custom_profile is defined
when:
- result_authselect_present.stat.exists
- name: Ensure PAM Enforces Password Requirements - Minimum Digit Characters -
Define a fact for control already filtered in case filters are used
ansible.builtin.set_fact:
pam_module_control: ''
- name: Ensure PAM Enforces Password Requirements - Minimum Digit Characters -
Check if {{ pam_file_path }} file is present
ansible.builtin.stat:
path: '{{ pam_file_path }}'
register: result_pam_file_present
- name: Ensure PAM Enforces Password Requirements - Minimum Digit Characters -
Ensure the "dcredit" option from "pam_pwquality.so" is not present in {{ pam_file_path
}}
ansible.builtin.replace:
dest: '{{ pam_file_path }}'
regexp: (.*password.*pam_pwquality.so.*)\bdcredit\b=?[0-9a-zA-Z]*(.*)
replace: \1\2
register: result_pam_option_removal
when:
- result_pam_file_present.stat.exists
- name: Ensure PAM Enforces Password Requirements - Minimum Digit Characters -
Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_present.stat.exists
- result_pam_option_removal is changed
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"libpwquality" in ansible_facts.packages'
- result_pam_auth_file_present.stat.exists
tags:
- DISA-STIG-OL08-00-020130
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(4)
- NIST-800-53-IA-5(c)
- PCI-DSS-Req-8.2.3
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.6
- accounts_password_pam_dcredit
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure PAM Enforces Password Requirements - Minimum Digit Characters - Check
if /etc/pam.d/password-auth file is present
ansible.builtin.stat:
path: /etc/pam.d/password-auth
register: result_pam_password_auth_file_present
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"libpwquality" in ansible_facts.packages'
tags:
- DISA-STIG-OL08-00-020130
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(4)
- NIST-800-53-IA-5(c)
- PCI-DSS-Req-8.2.3
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.6
- accounts_password_pam_dcredit
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure PAM Enforces Password Requirements - Minimum Digit Characters - Check
the proper remediation for the system
block:
- name: Ensure PAM Enforces Password Requirements - Minimum Digit Characters -
Define the PAM file to be edited as a local fact
ansible.builtin.set_fact:
pam_file_path: /etc/pam.d/password-auth
- name: Ensure PAM Enforces Password Requirements - Minimum Digit Characters -
Check if system relies on authselect tool
ansible.builtin.stat:
path: /usr/bin/authselect
register: result_authselect_present
- name: Ensure PAM Enforces Password Requirements - Minimum Digit Characters -
Ensure authselect custom profile is used if authselect is present
block:
- name: Ensure PAM Enforces Password Requirements - Minimum Digit Characters
- Check integrity of authselect current profile
ansible.builtin.command:
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
check_mode: false
failed_when: false
- name: Ensure PAM Enforces Password Requirements - Minimum Digit Characters
- Informative message based on the authselect integrity check result
ansible.builtin.assert:
that:
- ansible_check_mode or result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was
not selected or the selected profile is not intact.
- It is not recommended to manually edit the PAM files when authselect tool
is available.
- In cases where the default authselect profile does not cover a specific
demand, a custom authselect profile is recommended.
success_msg:
- authselect integrity check passed
- name: Ensure PAM Enforces Password Requirements - Minimum Digit Characters
- Get authselect current profile
ansible.builtin.shell:
cmd: authselect current -r | awk '{ print $1 }'
register: result_authselect_profile
changed_when: false
when:
- result_authselect_check_cmd is success
- name: Ensure PAM Enforces Password Requirements - Minimum Digit Characters
- Define the current authselect profile as a local fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: '{{ result_authselect_profile.stdout }}'
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is match("custom/")
- name: Ensure PAM Enforces Password Requirements - Minimum Digit Characters
- Define the new authselect custom profile as a local fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: custom/hardening
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is not match("custom/")
- name: Ensure PAM Enforces Password Requirements - Minimum Digit Characters
- Get authselect current features to also enable them in the custom profile
ansible.builtin.shell:
cmd: authselect current | tail -n+3 | awk '{ print $2 }'
register: result_authselect_features
changed_when: false
check_mode: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Ensure PAM Enforces Password Requirements - Minimum Digit Characters
- Check if any custom profile with the same name was already created
ansible.builtin.stat:
path: /etc/authselect/{{ authselect_custom_profile }}
register: result_authselect_custom_profile_present
changed_when: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Ensure PAM Enforces Password Requirements - Minimum Digit Characters
- Create an authselect custom profile based on the current profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b {{ authselect_current_profile
}}
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is not match("^(custom/|local)")
- not result_authselect_custom_profile_present.stat.exists
- name: Ensure PAM Enforces Password Requirements - Minimum Digit Characters
- Create an authselect custom profile based on sssd profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b sssd
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is match("local")
- not result_authselect_custom_profile_present.stat.exists
- name: Ensure PAM Enforces Password Requirements - Minimum Digit Characters
- Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Ensure PAM Enforces Password Requirements - Minimum Digit Characters
- Ensure the authselect custom profile is selected
ansible.builtin.command:
cmd: authselect select {{ authselect_custom_profile }}
register: result_pam_authselect_select_profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Ensure PAM Enforces Password Requirements - Minimum Digit Characters
- Restore the authselect features in the custom profile
ansible.builtin.command:
cmd: authselect enable-feature {{ item }}
loop: '{{ result_authselect_features.stdout_lines }}'
register: result_pam_authselect_restore_features
when:
- result_authselect_profile is not skipped
- result_authselect_features is not skipped
- result_pam_authselect_select_profile is not skipped
- name: Ensure PAM Enforces Password Requirements - Minimum Digit Characters
- Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- result_pam_authselect_restore_features is not skipped
- name: Ensure PAM Enforces Password Requirements - Minimum Digit Characters
- Change the PAM file to be edited according to the custom authselect profile
ansible.builtin.set_fact:
pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path
| basename }}
when:
- authselect_custom_profile is defined
when:
- result_authselect_present.stat.exists
- name: Ensure PAM Enforces Password Requirements - Minimum Digit Characters -
Define a fact for control already filtered in case filters are used
ansible.builtin.set_fact:
pam_module_control: ''
- name: Ensure PAM Enforces Password Requirements - Minimum Digit Characters -
Check if {{ pam_file_path }} file is present
ansible.builtin.stat:
path: '{{ pam_file_path }}'
register: result_pam_file_present
- name: Ensure PAM Enforces Password Requirements - Minimum Digit Characters -
Ensure the "dcredit" option from "pam_pwquality.so" is not present in {{ pam_file_path
}}
ansible.builtin.replace:
dest: '{{ pam_file_path }}'
regexp: (.*password.*pam_pwquality.so.*)\bdcredit\b=?[0-9a-zA-Z]*(.*)
replace: \1\2
register: result_pam_option_removal
when:
- result_pam_file_present.stat.exists
- name: Ensure PAM Enforces Password Requirements - Minimum Digit Characters -
Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_present.stat.exists
- result_pam_option_removal is changed
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"libpwquality" in ansible_facts.packages'
- result_pam_password_auth_file_present.stat.exists
tags:
- DISA-STIG-OL08-00-020130
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(4)
- NIST-800-53-IA-5(c)
- PCI-DSS-Req-8.2.3
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.6
- accounts_password_pam_dcredit
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure PAM Enforces Password Requirements - Minimum Digit Characters - Ensure
PAM variable dcredit is set accordingly
ansible.builtin.lineinfile:
create: true
dest: /etc/security/pwquality.conf
regexp: ^#?\s*dcredit
line: dcredit = {{ var_password_pam_dcredit }}
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"libpwquality" in ansible_facts.packages'
tags:
- DISA-STIG-OL08-00-020130
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(4)
- NIST-800-53-IA-5(c)
- PCI-DSS-Req-8.2.3
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.6
- accounts_password_pam_dcredit
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure PAM Enforces Password Requirements - Minimum Different Characters
- Find pwquality.conf.d files
ansible.builtin.find:
paths: /etc/security/pwquality.conf.d/
patterns: '*.conf'
register: pwquality_conf_d_files
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"libpwquality" in ansible_facts.packages'
tags:
- CJIS-5.6.2.1.1
- DISA-STIG-OL08-00-020170
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(b)
- NIST-800-53-IA-5(4)
- NIST-800-53-IA-5(c)
- accounts_password_pam_difok
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure PAM Enforces Password Requirements - Minimum Different Characters
- Ensure difok is not set in pwquality.conf.d
ansible.builtin.lineinfile:
path: '{{ item.path }}'
regexp: ^\s*\bdifok\b.*
state: absent
with_items: '{{ pwquality_conf_d_files.files }}'
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"libpwquality" in ansible_facts.packages'
tags:
- CJIS-5.6.2.1.1
- DISA-STIG-OL08-00-020170
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(b)
- NIST-800-53-IA-5(4)
- NIST-800-53-IA-5(c)
- accounts_password_pam_difok
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure PAM Enforces Password Requirements - Minimum Different Characters
- Check if /etc/pam.d/system-auth file is present
ansible.builtin.stat:
path: /etc/pam.d/system-auth
register: result_pam_auth_file_present
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"libpwquality" in ansible_facts.packages'
tags:
- CJIS-5.6.2.1.1
- DISA-STIG-OL08-00-020170
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(b)
- NIST-800-53-IA-5(4)
- NIST-800-53-IA-5(c)
- accounts_password_pam_difok
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure PAM Enforces Password Requirements - Minimum Different Characters
- Check the proper remediation for the system
block:
- name: Ensure PAM Enforces Password Requirements - Minimum Different Characters
- Define the PAM file to be edited as a local fact
ansible.builtin.set_fact:
pam_file_path: /etc/pam.d/system-auth
- name: Ensure PAM Enforces Password Requirements - Minimum Different Characters
- Check if system relies on authselect tool
ansible.builtin.stat:
path: /usr/bin/authselect
register: result_authselect_present
- name: Ensure PAM Enforces Password Requirements - Minimum Different Characters
- Ensure authselect custom profile is used if authselect is present
block:
- name: Ensure PAM Enforces Password Requirements - Minimum Different Characters
- Check integrity of authselect current profile
ansible.builtin.command:
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
check_mode: false
failed_when: false
- name: Ensure PAM Enforces Password Requirements - Minimum Different Characters
- Informative message based on the authselect integrity check result
ansible.builtin.assert:
that:
- ansible_check_mode or result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was
not selected or the selected profile is not intact.
- It is not recommended to manually edit the PAM files when authselect tool
is available.
- In cases where the default authselect profile does not cover a specific
demand, a custom authselect profile is recommended.
success_msg:
- authselect integrity check passed
- name: Ensure PAM Enforces Password Requirements - Minimum Different Characters
- Get authselect current profile
ansible.builtin.shell:
cmd: authselect current -r | awk '{ print $1 }'
register: result_authselect_profile
changed_when: false
when:
- result_authselect_check_cmd is success
- name: Ensure PAM Enforces Password Requirements - Minimum Different Characters
- Define the current authselect profile as a local fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: '{{ result_authselect_profile.stdout }}'
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is match("custom/")
- name: Ensure PAM Enforces Password Requirements - Minimum Different Characters
- Define the new authselect custom profile as a local fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: custom/hardening
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is not match("custom/")
- name: Ensure PAM Enforces Password Requirements - Minimum Different Characters
- Get authselect current features to also enable them in the custom profile
ansible.builtin.shell:
cmd: authselect current | tail -n+3 | awk '{ print $2 }'
register: result_authselect_features
changed_when: false
check_mode: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Ensure PAM Enforces Password Requirements - Minimum Different Characters
- Check if any custom profile with the same name was already created
ansible.builtin.stat:
path: /etc/authselect/{{ authselect_custom_profile }}
register: result_authselect_custom_profile_present
changed_when: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Ensure PAM Enforces Password Requirements - Minimum Different Characters
- Create an authselect custom profile based on the current profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b {{ authselect_current_profile
}}
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is not match("^(custom/|local)")
- not result_authselect_custom_profile_present.stat.exists
- name: Ensure PAM Enforces Password Requirements - Minimum Different Characters
- Create an authselect custom profile based on sssd profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b sssd
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is match("local")
- not result_authselect_custom_profile_present.stat.exists
- name: Ensure PAM Enforces Password Requirements - Minimum Different Characters
- Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Ensure PAM Enforces Password Requirements - Minimum Different Characters
- Ensure the authselect custom profile is selected
ansible.builtin.command:
cmd: authselect select {{ authselect_custom_profile }}
register: result_pam_authselect_select_profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Ensure PAM Enforces Password Requirements - Minimum Different Characters
- Restore the authselect features in the custom profile
ansible.builtin.command:
cmd: authselect enable-feature {{ item }}
loop: '{{ result_authselect_features.stdout_lines }}'
register: result_pam_authselect_restore_features
when:
- result_authselect_profile is not skipped
- result_authselect_features is not skipped
- result_pam_authselect_select_profile is not skipped
- name: Ensure PAM Enforces Password Requirements - Minimum Different Characters
- Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- result_pam_authselect_restore_features is not skipped
- name: Ensure PAM Enforces Password Requirements - Minimum Different Characters
- Change the PAM file to be edited according to the custom authselect profile
ansible.builtin.set_fact:
pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path
| basename }}
when:
- authselect_custom_profile is defined
when:
- result_authselect_present.stat.exists
- name: Ensure PAM Enforces Password Requirements - Minimum Different Characters
- Define a fact for control already filtered in case filters are used
ansible.builtin.set_fact:
pam_module_control: ''
- name: Ensure PAM Enforces Password Requirements - Minimum Different Characters
- Check if {{ pam_file_path }} file is present
ansible.builtin.stat:
path: '{{ pam_file_path }}'
register: result_pam_file_present
- name: Ensure PAM Enforces Password Requirements - Minimum Different Characters
- Ensure the "difok" option from "pam_pwquality.so" is not present in {{ pam_file_path
}}
ansible.builtin.replace:
dest: '{{ pam_file_path }}'
regexp: (.*password.*pam_pwquality.so.*)\bdifok\b=?[0-9a-zA-Z]*(.*)
replace: \1\2
register: result_pam_option_removal
when:
- result_pam_file_present.stat.exists
- name: Ensure PAM Enforces Password Requirements - Minimum Different Characters
- Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_present.stat.exists
- result_pam_option_removal is changed
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"libpwquality" in ansible_facts.packages'
- result_pam_auth_file_present.stat.exists
tags:
- CJIS-5.6.2.1.1
- DISA-STIG-OL08-00-020170
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(b)
- NIST-800-53-IA-5(4)
- NIST-800-53-IA-5(c)
- accounts_password_pam_difok
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure PAM Enforces Password Requirements - Minimum Different Characters
- Check if /etc/pam.d/password-auth file is present
ansible.builtin.stat:
path: /etc/pam.d/password-auth
register: result_pam_password_auth_file_present
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"libpwquality" in ansible_facts.packages'
tags:
- CJIS-5.6.2.1.1
- DISA-STIG-OL08-00-020170
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(b)
- NIST-800-53-IA-5(4)
- NIST-800-53-IA-5(c)
- accounts_password_pam_difok
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure PAM Enforces Password Requirements - Minimum Different Characters
- Check the proper remediation for the system
block:
- name: Ensure PAM Enforces Password Requirements - Minimum Different Characters
- Define the PAM file to be edited as a local fact
ansible.builtin.set_fact:
pam_file_path: /etc/pam.d/password-auth
- name: Ensure PAM Enforces Password Requirements - Minimum Different Characters
- Check if system relies on authselect tool
ansible.builtin.stat:
path: /usr/bin/authselect
register: result_authselect_present
- name: Ensure PAM Enforces Password Requirements - Minimum Different Characters
- Ensure authselect custom profile is used if authselect is present
block:
- name: Ensure PAM Enforces Password Requirements - Minimum Different Characters
- Check integrity of authselect current profile
ansible.builtin.command:
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
check_mode: false
failed_when: false
- name: Ensure PAM Enforces Password Requirements - Minimum Different Characters
- Informative message based on the authselect integrity check result
ansible.builtin.assert:
that:
- ansible_check_mode or result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was
not selected or the selected profile is not intact.
- It is not recommended to manually edit the PAM files when authselect tool
is available.
- In cases where the default authselect profile does not cover a specific
demand, a custom authselect profile is recommended.
success_msg:
- authselect integrity check passed
- name: Ensure PAM Enforces Password Requirements - Minimum Different Characters
- Get authselect current profile
ansible.builtin.shell:
cmd: authselect current -r | awk '{ print $1 }'
register: result_authselect_profile
changed_when: false
when:
- result_authselect_check_cmd is success
- name: Ensure PAM Enforces Password Requirements - Minimum Different Characters
- Define the current authselect profile as a local fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: '{{ result_authselect_profile.stdout }}'
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is match("custom/")
- name: Ensure PAM Enforces Password Requirements - Minimum Different Characters
- Define the new authselect custom profile as a local fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: custom/hardening
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is not match("custom/")
- name: Ensure PAM Enforces Password Requirements - Minimum Different Characters
- Get authselect current features to also enable them in the custom profile
ansible.builtin.shell:
cmd: authselect current | tail -n+3 | awk '{ print $2 }'
register: result_authselect_features
changed_when: false
check_mode: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Ensure PAM Enforces Password Requirements - Minimum Different Characters
- Check if any custom profile with the same name was already created
ansible.builtin.stat:
path: /etc/authselect/{{ authselect_custom_profile }}
register: result_authselect_custom_profile_present
changed_when: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Ensure PAM Enforces Password Requirements - Minimum Different Characters
- Create an authselect custom profile based on the current profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b {{ authselect_current_profile
}}
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is not match("^(custom/|local)")
- not result_authselect_custom_profile_present.stat.exists
- name: Ensure PAM Enforces Password Requirements - Minimum Different Characters
- Create an authselect custom profile based on sssd profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b sssd
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is match("local")
- not result_authselect_custom_profile_present.stat.exists
- name: Ensure PAM Enforces Password Requirements - Minimum Different Characters
- Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Ensure PAM Enforces Password Requirements - Minimum Different Characters
- Ensure the authselect custom profile is selected
ansible.builtin.command:
cmd: authselect select {{ authselect_custom_profile }}
register: result_pam_authselect_select_profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Ensure PAM Enforces Password Requirements - Minimum Different Characters
- Restore the authselect features in the custom profile
ansible.builtin.command:
cmd: authselect enable-feature {{ item }}
loop: '{{ result_authselect_features.stdout_lines }}'
register: result_pam_authselect_restore_features
when:
- result_authselect_profile is not skipped
- result_authselect_features is not skipped
- result_pam_authselect_select_profile is not skipped
- name: Ensure PAM Enforces Password Requirements - Minimum Different Characters
- Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- result_pam_authselect_restore_features is not skipped
- name: Ensure PAM Enforces Password Requirements - Minimum Different Characters
- Change the PAM file to be edited according to the custom authselect profile
ansible.builtin.set_fact:
pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path
| basename }}
when:
- authselect_custom_profile is defined
when:
- result_authselect_present.stat.exists
- name: Ensure PAM Enforces Password Requirements - Minimum Different Characters
- Define a fact for control already filtered in case filters are used
ansible.builtin.set_fact:
pam_module_control: ''
- name: Ensure PAM Enforces Password Requirements - Minimum Different Characters
- Check if {{ pam_file_path }} file is present
ansible.builtin.stat:
path: '{{ pam_file_path }}'
register: result_pam_file_present
- name: Ensure PAM Enforces Password Requirements - Minimum Different Characters
- Ensure the "difok" option from "pam_pwquality.so" is not present in {{ pam_file_path
}}
ansible.builtin.replace:
dest: '{{ pam_file_path }}'
regexp: (.*password.*pam_pwquality.so.*)\bdifok\b=?[0-9a-zA-Z]*(.*)
replace: \1\2
register: result_pam_option_removal
when:
- result_pam_file_present.stat.exists
- name: Ensure PAM Enforces Password Requirements - Minimum Different Characters
- Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_present.stat.exists
- result_pam_option_removal is changed
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"libpwquality" in ansible_facts.packages'
- result_pam_password_auth_file_present.stat.exists
tags:
- CJIS-5.6.2.1.1
- DISA-STIG-OL08-00-020170
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(b)
- NIST-800-53-IA-5(4)
- NIST-800-53-IA-5(c)
- accounts_password_pam_difok
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure PAM Enforces Password Requirements - Minimum Different Characters
- Ensure PAM variable difok is set accordingly
ansible.builtin.lineinfile:
create: true
dest: /etc/security/pwquality.conf
regexp: ^#?\s*difok
line: difok = {{ var_password_pam_difok }}
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"libpwquality" in ansible_facts.packages'
tags:
- CJIS-5.6.2.1.1
- DISA-STIG-OL08-00-020170
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(b)
- NIST-800-53-IA-5(4)
- NIST-800-53-IA-5(c)
- accounts_password_pam_difok
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
- Find pwquality.conf.d files
ansible.builtin.find:
paths: /etc/security/pwquality.conf.d/
patterns: '*.conf'
register: pwquality_conf_d_files
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"libpwquality" in ansible_facts.packages'
tags:
- DISA-STIG-OL08-00-020120
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(4)
- NIST-800-53-IA-5(c)
- PCI-DSS-Req-8.2.3
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.6
- accounts_password_pam_lcredit
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
- Ensure lcredit is not set in pwquality.conf.d
ansible.builtin.lineinfile:
path: '{{ item.path }}'
regexp: ^\s*\blcredit\b.*
state: absent
with_items: '{{ pwquality_conf_d_files.files }}'
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"libpwquality" in ansible_facts.packages'
tags:
- DISA-STIG-OL08-00-020120
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(4)
- NIST-800-53-IA-5(c)
- PCI-DSS-Req-8.2.3
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.6
- accounts_password_pam_lcredit
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
- Check if /etc/pam.d/system-auth file is present
ansible.builtin.stat:
path: /etc/pam.d/system-auth
register: result_pam_auth_file_present
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"libpwquality" in ansible_facts.packages'
tags:
- DISA-STIG-OL08-00-020120
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(4)
- NIST-800-53-IA-5(c)
- PCI-DSS-Req-8.2.3
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.6
- accounts_password_pam_lcredit
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
- Check the proper remediation for the system
block:
- name: Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
- Define the PAM file to be edited as a local fact
ansible.builtin.set_fact:
pam_file_path: /etc/pam.d/system-auth
- name: Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
- Check if system relies on authselect tool
ansible.builtin.stat:
path: /usr/bin/authselect
register: result_authselect_present
- name: Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
- Ensure authselect custom profile is used if authselect is present
block:
- name: Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
- Check integrity of authselect current profile
ansible.builtin.command:
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
check_mode: false
failed_when: false
- name: Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
- Informative message based on the authselect integrity check result
ansible.builtin.assert:
that:
- ansible_check_mode or result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was
not selected or the selected profile is not intact.
- It is not recommended to manually edit the PAM files when authselect tool
is available.
- In cases where the default authselect profile does not cover a specific
demand, a custom authselect profile is recommended.
success_msg:
- authselect integrity check passed
- name: Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
- Get authselect current profile
ansible.builtin.shell:
cmd: authselect current -r | awk '{ print $1 }'
register: result_authselect_profile
changed_when: false
when:
- result_authselect_check_cmd is success
- name: Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
- Define the current authselect profile as a local fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: '{{ result_authselect_profile.stdout }}'
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is match("custom/")
- name: Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
- Define the new authselect custom profile as a local fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: custom/hardening
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is not match("custom/")
- name: Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
- Get authselect current features to also enable them in the custom profile
ansible.builtin.shell:
cmd: authselect current | tail -n+3 | awk '{ print $2 }'
register: result_authselect_features
changed_when: false
check_mode: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
- Check if any custom profile with the same name was already created
ansible.builtin.stat:
path: /etc/authselect/{{ authselect_custom_profile }}
register: result_authselect_custom_profile_present
changed_when: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
- Create an authselect custom profile based on the current profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b {{ authselect_current_profile
}}
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is not match("^(custom/|local)")
- not result_authselect_custom_profile_present.stat.exists
- name: Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
- Create an authselect custom profile based on sssd profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b sssd
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is match("local")
- not result_authselect_custom_profile_present.stat.exists
- name: Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
- Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
- Ensure the authselect custom profile is selected
ansible.builtin.command:
cmd: authselect select {{ authselect_custom_profile }}
register: result_pam_authselect_select_profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
- Restore the authselect features in the custom profile
ansible.builtin.command:
cmd: authselect enable-feature {{ item }}
loop: '{{ result_authselect_features.stdout_lines }}'
register: result_pam_authselect_restore_features
when:
- result_authselect_profile is not skipped
- result_authselect_features is not skipped
- result_pam_authselect_select_profile is not skipped
- name: Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
- Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- result_pam_authselect_restore_features is not skipped
- name: Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
- Change the PAM file to be edited according to the custom authselect profile
ansible.builtin.set_fact:
pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path
| basename }}
when:
- authselect_custom_profile is defined
when:
- result_authselect_present.stat.exists
- name: Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
- Define a fact for control already filtered in case filters are used
ansible.builtin.set_fact:
pam_module_control: ''
- name: Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
- Check if {{ pam_file_path }} file is present
ansible.builtin.stat:
path: '{{ pam_file_path }}'
register: result_pam_file_present
- name: Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
- Ensure the "lcredit" option from "pam_pwquality.so" is not present in {{
pam_file_path }}
ansible.builtin.replace:
dest: '{{ pam_file_path }}'
regexp: (.*password.*pam_pwquality.so.*)\blcredit\b=?[0-9a-zA-Z]*(.*)
replace: \1\2
register: result_pam_option_removal
when:
- result_pam_file_present.stat.exists
- name: Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
- Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_present.stat.exists
- result_pam_option_removal is changed
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"libpwquality" in ansible_facts.packages'
- result_pam_auth_file_present.stat.exists
tags:
- DISA-STIG-OL08-00-020120
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(4)
- NIST-800-53-IA-5(c)
- PCI-DSS-Req-8.2.3
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.6
- accounts_password_pam_lcredit
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
- Check if /etc/pam.d/password-auth file is present
ansible.builtin.stat:
path: /etc/pam.d/password-auth
register: result_pam_password_auth_file_present
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"libpwquality" in ansible_facts.packages'
tags:
- DISA-STIG-OL08-00-020120
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(4)
- NIST-800-53-IA-5(c)
- PCI-DSS-Req-8.2.3
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.6
- accounts_password_pam_lcredit
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
- Check the proper remediation for the system
block:
- name: Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
- Define the PAM file to be edited as a local fact
ansible.builtin.set_fact:
pam_file_path: /etc/pam.d/password-auth
- name: Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
- Check if system relies on authselect tool
ansible.builtin.stat:
path: /usr/bin/authselect
register: result_authselect_present
- name: Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
- Ensure authselect custom profile is used if authselect is present
block:
- name: Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
- Check integrity of authselect current profile
ansible.builtin.command:
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
check_mode: false
failed_when: false
- name: Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
- Informative message based on the authselect integrity check result
ansible.builtin.assert:
that:
- ansible_check_mode or result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was
not selected or the selected profile is not intact.
- It is not recommended to manually edit the PAM files when authselect tool
is available.
- In cases where the default authselect profile does not cover a specific
demand, a custom authselect profile is recommended.
success_msg:
- authselect integrity check passed
- name: Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
- Get authselect current profile
ansible.builtin.shell:
cmd: authselect current -r | awk '{ print $1 }'
register: result_authselect_profile
changed_when: false
when:
- result_authselect_check_cmd is success
- name: Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
- Define the current authselect profile as a local fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: '{{ result_authselect_profile.stdout }}'
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is match("custom/")
- name: Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
- Define the new authselect custom profile as a local fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: custom/hardening
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is not match("custom/")
- name: Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
- Get authselect current features to also enable them in the custom profile
ansible.builtin.shell:
cmd: authselect current | tail -n+3 | awk '{ print $2 }'
register: result_authselect_features
changed_when: false
check_mode: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
- Check if any custom profile with the same name was already created
ansible.builtin.stat:
path: /etc/authselect/{{ authselect_custom_profile }}
register: result_authselect_custom_profile_present
changed_when: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
- Create an authselect custom profile based on the current profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b {{ authselect_current_profile
}}
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is not match("^(custom/|local)")
- not result_authselect_custom_profile_present.stat.exists
- name: Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
- Create an authselect custom profile based on sssd profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b sssd
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is match("local")
- not result_authselect_custom_profile_present.stat.exists
- name: Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
- Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
- Ensure the authselect custom profile is selected
ansible.builtin.command:
cmd: authselect select {{ authselect_custom_profile }}
register: result_pam_authselect_select_profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
- Restore the authselect features in the custom profile
ansible.builtin.command:
cmd: authselect enable-feature {{ item }}
loop: '{{ result_authselect_features.stdout_lines }}'
register: result_pam_authselect_restore_features
when:
- result_authselect_profile is not skipped
- result_authselect_features is not skipped
- result_pam_authselect_select_profile is not skipped
- name: Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
- Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- result_pam_authselect_restore_features is not skipped
- name: Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
- Change the PAM file to be edited according to the custom authselect profile
ansible.builtin.set_fact:
pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path
| basename }}
when:
- authselect_custom_profile is defined
when:
- result_authselect_present.stat.exists
- name: Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
- Define a fact for control already filtered in case filters are used
ansible.builtin.set_fact:
pam_module_control: ''
- name: Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
- Check if {{ pam_file_path }} file is present
ansible.builtin.stat:
path: '{{ pam_file_path }}'
register: result_pam_file_present
- name: Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
- Ensure the "lcredit" option from "pam_pwquality.so" is not present in {{
pam_file_path }}
ansible.builtin.replace:
dest: '{{ pam_file_path }}'
regexp: (.*password.*pam_pwquality.so.*)\blcredit\b=?[0-9a-zA-Z]*(.*)
replace: \1\2
register: result_pam_option_removal
when:
- result_pam_file_present.stat.exists
- name: Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
- Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_present.stat.exists
- result_pam_option_removal is changed
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"libpwquality" in ansible_facts.packages'
- result_pam_password_auth_file_present.stat.exists
tags:
- DISA-STIG-OL08-00-020120
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(4)
- NIST-800-53-IA-5(c)
- PCI-DSS-Req-8.2.3
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.6
- accounts_password_pam_lcredit
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
- Ensure PAM variable lcredit is set accordingly
ansible.builtin.lineinfile:
create: true
dest: /etc/security/pwquality.conf
regexp: ^#?\s*lcredit
line: lcredit = {{ var_password_pam_lcredit }}
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"libpwquality" in ansible_facts.packages'
tags:
- DISA-STIG-OL08-00-020120
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(4)
- NIST-800-53-IA-5(c)
- PCI-DSS-Req-8.2.3
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.6
- accounts_password_pam_lcredit
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating
Characters from Same Character Class - Find pwquality.conf.d files
ansible.builtin.find:
paths: /etc/security/pwquality.conf.d/
patterns: '*.conf'
register: pwquality_conf_d_files
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"libpwquality" in ansible_facts.packages'
tags:
- DISA-STIG-OL08-00-020140
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(4)
- NIST-800-53-IA-5(c)
- accounts_password_pam_maxclassrepeat
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating
Characters from Same Character Class - Ensure maxclassrepeat is not set in pwquality.conf.d
ansible.builtin.lineinfile:
path: '{{ item.path }}'
regexp: ^\s*\bmaxclassrepeat\b.*
state: absent
with_items: '{{ pwquality_conf_d_files.files }}'
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"libpwquality" in ansible_facts.packages'
tags:
- DISA-STIG-OL08-00-020140
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(4)
- NIST-800-53-IA-5(c)
- accounts_password_pam_maxclassrepeat
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating
Characters from Same Character Class - Check if /etc/pam.d/system-auth file
is present
ansible.builtin.stat:
path: /etc/pam.d/system-auth
register: result_pam_auth_file_present
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"libpwquality" in ansible_facts.packages'
tags:
- DISA-STIG-OL08-00-020140
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(4)
- NIST-800-53-IA-5(c)
- accounts_password_pam_maxclassrepeat
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating
Characters from Same Character Class - Check the proper remediation for the
system
block:
- name: Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating
Characters from Same Character Class - Define the PAM file to be edited as
a local fact
ansible.builtin.set_fact:
pam_file_path: /etc/pam.d/system-auth
- name: Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating
Characters from Same Character Class - Check if system relies on authselect
tool
ansible.builtin.stat:
path: /usr/bin/authselect
register: result_authselect_present
- name: Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating
Characters from Same Character Class - Ensure authselect custom profile is
used if authselect is present
block:
- name: Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating
Characters from Same Character Class - Check integrity of authselect current
profile
ansible.builtin.command:
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
check_mode: false
failed_when: false
- name: Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating
Characters from Same Character Class - Informative message based on the
authselect integrity check result
ansible.builtin.assert:
that:
- ansible_check_mode or result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was
not selected or the selected profile is not intact.
- It is not recommended to manually edit the PAM files when authselect tool
is available.
- In cases where the default authselect profile does not cover a specific
demand, a custom authselect profile is recommended.
success_msg:
- authselect integrity check passed
- name: Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating
Characters from Same Character Class - Get authselect current profile
ansible.builtin.shell:
cmd: authselect current -r | awk '{ print $1 }'
register: result_authselect_profile
changed_when: false
when:
- result_authselect_check_cmd is success
- name: Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating
Characters from Same Character Class - Define the current authselect profile
as a local fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: '{{ result_authselect_profile.stdout }}'
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is match("custom/")
- name: Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating
Characters from Same Character Class - Define the new authselect custom
profile as a local fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: custom/hardening
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is not match("custom/")
- name: Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating
Characters from Same Character Class - Get authselect current features to
also enable them in the custom profile
ansible.builtin.shell:
cmd: authselect current | tail -n+3 | awk '{ print $2 }'
register: result_authselect_features
changed_when: false
check_mode: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating
Characters from Same Character Class - Check if any custom profile with
the same name was already created
ansible.builtin.stat:
path: /etc/authselect/{{ authselect_custom_profile }}
register: result_authselect_custom_profile_present
changed_when: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating
Characters from Same Character Class - Create an authselect custom profile
based on the current profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b {{ authselect_current_profile
}}
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is not match("^(custom/|local)")
- not result_authselect_custom_profile_present.stat.exists
- name: Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating
Characters from Same Character Class - Create an authselect custom profile
based on sssd profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b sssd
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is match("local")
- not result_authselect_custom_profile_present.stat.exists
- name: Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating
Characters from Same Character Class - Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating
Characters from Same Character Class - Ensure the authselect custom profile
is selected
ansible.builtin.command:
cmd: authselect select {{ authselect_custom_profile }}
register: result_pam_authselect_select_profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating
Characters from Same Character Class - Restore the authselect features in
the custom profile
ansible.builtin.command:
cmd: authselect enable-feature {{ item }}
loop: '{{ result_authselect_features.stdout_lines }}'
register: result_pam_authselect_restore_features
when:
- result_authselect_profile is not skipped
- result_authselect_features is not skipped
- result_pam_authselect_select_profile is not skipped
- name: Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating
Characters from Same Character Class - Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- result_pam_authselect_restore_features is not skipped
- name: Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating
Characters from Same Character Class - Change the PAM file to be edited
according to the custom authselect profile
ansible.builtin.set_fact:
pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path
| basename }}
when:
- authselect_custom_profile is defined
when:
- result_authselect_present.stat.exists
- name: Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating
Characters from Same Character Class - Define a fact for control already filtered
in case filters are used
ansible.builtin.set_fact:
pam_module_control: ''
- name: Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating
Characters from Same Character Class - Check if {{ pam_file_path }} file is
present
ansible.builtin.stat:
path: '{{ pam_file_path }}'
register: result_pam_file_present
- name: Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating
Characters from Same Character Class - Ensure the "maxclassrepeat" option
from "pam_pwquality.so" is not present in {{ pam_file_path }}
ansible.builtin.replace:
dest: '{{ pam_file_path }}'
regexp: (.*password.*pam_pwquality.so.*)\bmaxclassrepeat\b=?[0-9a-zA-Z]*(.*)
replace: \1\2
register: result_pam_option_removal
when:
- result_pam_file_present.stat.exists
- name: Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating
Characters from Same Character Class - Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_present.stat.exists
- result_pam_option_removal is changed
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"libpwquality" in ansible_facts.packages'
- result_pam_auth_file_present.stat.exists
tags:
- DISA-STIG-OL08-00-020140
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(4)
- NIST-800-53-IA-5(c)
- accounts_password_pam_maxclassrepeat
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating
Characters from Same Character Class - Check if /etc/pam.d/password-auth file
is present
ansible.builtin.stat:
path: /etc/pam.d/password-auth
register: result_pam_password_auth_file_present
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"libpwquality" in ansible_facts.packages'
tags:
- DISA-STIG-OL08-00-020140
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(4)
- NIST-800-53-IA-5(c)
- accounts_password_pam_maxclassrepeat
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating
Characters from Same Character Class - Check the proper remediation for the
system
block:
- name: Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating
Characters from Same Character Class - Define the PAM file to be edited as
a local fact
ansible.builtin.set_fact:
pam_file_path: /etc/pam.d/password-auth
- name: Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating
Characters from Same Character Class - Check if system relies on authselect
tool
ansible.builtin.stat:
path: /usr/bin/authselect
register: result_authselect_present
- name: Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating
Characters from Same Character Class - Ensure authselect custom profile is
used if authselect is present
block:
- name: Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating
Characters from Same Character Class - Check integrity of authselect current
profile
ansible.builtin.command:
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
check_mode: false
failed_when: false
- name: Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating
Characters from Same Character Class - Informative message based on the
authselect integrity check result
ansible.builtin.assert:
that:
- ansible_check_mode or result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was
not selected or the selected profile is not intact.
- It is not recommended to manually edit the PAM files when authselect tool
is available.
- In cases where the default authselect profile does not cover a specific
demand, a custom authselect profile is recommended.
success_msg:
- authselect integrity check passed
- name: Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating
Characters from Same Character Class - Get authselect current profile
ansible.builtin.shell:
cmd: authselect current -r | awk '{ print $1 }'
register: result_authselect_profile
changed_when: false
when:
- result_authselect_check_cmd is success
- name: Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating
Characters from Same Character Class - Define the current authselect profile
as a local fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: '{{ result_authselect_profile.stdout }}'
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is match("custom/")
- name: Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating
Characters from Same Character Class - Define the new authselect custom
profile as a local fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: custom/hardening
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is not match("custom/")
- name: Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating
Characters from Same Character Class - Get authselect current features to
also enable them in the custom profile
ansible.builtin.shell:
cmd: authselect current | tail -n+3 | awk '{ print $2 }'
register: result_authselect_features
changed_when: false
check_mode: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating
Characters from Same Character Class - Check if any custom profile with
the same name was already created
ansible.builtin.stat:
path: /etc/authselect/{{ authselect_custom_profile }}
register: result_authselect_custom_profile_present
changed_when: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating
Characters from Same Character Class - Create an authselect custom profile
based on the current profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b {{ authselect_current_profile
}}
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is not match("^(custom/|local)")
- not result_authselect_custom_profile_present.stat.exists
- name: Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating
Characters from Same Character Class - Create an authselect custom profile
based on sssd profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b sssd
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is match("local")
- not result_authselect_custom_profile_present.stat.exists
- name: Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating
Characters from Same Character Class - Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating
Characters from Same Character Class - Ensure the authselect custom profile
is selected
ansible.builtin.command:
cmd: authselect select {{ authselect_custom_profile }}
register: result_pam_authselect_select_profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating
Characters from Same Character Class - Restore the authselect features in
the custom profile
ansible.builtin.command:
cmd: authselect enable-feature {{ item }}
loop: '{{ result_authselect_features.stdout_lines }}'
register: result_pam_authselect_restore_features
when:
- result_authselect_profile is not skipped
- result_authselect_features is not skipped
- result_pam_authselect_select_profile is not skipped
- name: Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating
Characters from Same Character Class - Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- result_pam_authselect_restore_features is not skipped
- name: Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating
Characters from Same Character Class - Change the PAM file to be edited
according to the custom authselect profile
ansible.builtin.set_fact:
pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path
| basename }}
when:
- authselect_custom_profile is defined
when:
- result_authselect_present.stat.exists
- name: Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating
Characters from Same Character Class - Define a fact for control already filtered
in case filters are used
ansible.builtin.set_fact:
pam_module_control: ''
- name: Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating
Characters from Same Character Class - Check if {{ pam_file_path }} file is
present
ansible.builtin.stat:
path: '{{ pam_file_path }}'
register: result_pam_file_present
- name: Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating
Characters from Same Character Class - Ensure the "maxclassrepeat" option
from "pam_pwquality.so" is not present in {{ pam_file_path }}
ansible.builtin.replace:
dest: '{{ pam_file_path }}'
regexp: (.*password.*pam_pwquality.so.*)\bmaxclassrepeat\b=?[0-9a-zA-Z]*(.*)
replace: \1\2
register: result_pam_option_removal
when:
- result_pam_file_present.stat.exists
- name: Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating
Characters from Same Character Class - Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_present.stat.exists
- result_pam_option_removal is changed
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"libpwquality" in ansible_facts.packages'
- result_pam_password_auth_file_present.stat.exists
tags:
- DISA-STIG-OL08-00-020140
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(4)
- NIST-800-53-IA-5(c)
- accounts_password_pam_maxclassrepeat
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating
Characters from Same Character Class - Ensure PAM variable maxclassrepeat is
set accordingly
ansible.builtin.lineinfile:
create: true
dest: /etc/security/pwquality.conf
regexp: ^#?\s*maxclassrepeat
line: maxclassrepeat = {{ var_password_pam_maxclassrepeat }}
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"libpwquality" in ansible_facts.packages'
tags:
- DISA-STIG-OL08-00-020140
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(4)
- NIST-800-53-IA-5(c)
- accounts_password_pam_maxclassrepeat
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set Password Maximum Consecutive Repeating Characters - Find pwquality.conf.d
files
ansible.builtin.find:
paths: /etc/security/pwquality.conf.d/
patterns: '*.conf'
register: pwquality_conf_d_files
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"libpwquality" in ansible_facts.packages'
tags:
- DISA-STIG-OL08-00-020150
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(4)
- NIST-800-53-IA-5(c)
- accounts_password_pam_maxrepeat
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set Password Maximum Consecutive Repeating Characters - Ensure maxrepeat
is not set in pwquality.conf.d
ansible.builtin.lineinfile:
path: '{{ item.path }}'
regexp: ^\s*\bmaxrepeat\b.*
state: absent
with_items: '{{ pwquality_conf_d_files.files }}'
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"libpwquality" in ansible_facts.packages'
tags:
- DISA-STIG-OL08-00-020150
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(4)
- NIST-800-53-IA-5(c)
- accounts_password_pam_maxrepeat
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set Password Maximum Consecutive Repeating Characters - Check if /etc/pam.d/system-auth
file is present
ansible.builtin.stat:
path: /etc/pam.d/system-auth
register: result_pam_auth_file_present
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"libpwquality" in ansible_facts.packages'
tags:
- DISA-STIG-OL08-00-020150
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(4)
- NIST-800-53-IA-5(c)
- accounts_password_pam_maxrepeat
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set Password Maximum Consecutive Repeating Characters - Check the proper
remediation for the system
block:
- name: Set Password Maximum Consecutive Repeating Characters - Define the PAM
file to be edited as a local fact
ansible.builtin.set_fact:
pam_file_path: /etc/pam.d/system-auth
- name: Set Password Maximum Consecutive Repeating Characters - Check if system
relies on authselect tool
ansible.builtin.stat:
path: /usr/bin/authselect
register: result_authselect_present
- name: Set Password Maximum Consecutive Repeating Characters - Ensure authselect
custom profile is used if authselect is present
block:
- name: Set Password Maximum Consecutive Repeating Characters - Check integrity
of authselect current profile
ansible.builtin.command:
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
check_mode: false
failed_when: false
- name: Set Password Maximum Consecutive Repeating Characters - Informative
message based on the authselect integrity check result
ansible.builtin.assert:
that:
- ansible_check_mode or result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was
not selected or the selected profile is not intact.
- It is not recommended to manually edit the PAM files when authselect tool
is available.
- In cases where the default authselect profile does not cover a specific
demand, a custom authselect profile is recommended.
success_msg:
- authselect integrity check passed
- name: Set Password Maximum Consecutive Repeating Characters - Get authselect
current profile
ansible.builtin.shell:
cmd: authselect current -r | awk '{ print $1 }'
register: result_authselect_profile
changed_when: false
when:
- result_authselect_check_cmd is success
- name: Set Password Maximum Consecutive Repeating Characters - Define the current
authselect profile as a local fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: '{{ result_authselect_profile.stdout }}'
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is match("custom/")
- name: Set Password Maximum Consecutive Repeating Characters - Define the new
authselect custom profile as a local fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: custom/hardening
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is not match("custom/")
- name: Set Password Maximum Consecutive Repeating Characters - Get authselect
current features to also enable them in the custom profile
ansible.builtin.shell:
cmd: authselect current | tail -n+3 | awk '{ print $2 }'
register: result_authselect_features
changed_when: false
check_mode: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Set Password Maximum Consecutive Repeating Characters - Check if any
custom profile with the same name was already created
ansible.builtin.stat:
path: /etc/authselect/{{ authselect_custom_profile }}
register: result_authselect_custom_profile_present
changed_when: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Set Password Maximum Consecutive Repeating Characters - Create an authselect
custom profile based on the current profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b {{ authselect_current_profile
}}
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is not match("^(custom/|local)")
- not result_authselect_custom_profile_present.stat.exists
- name: Set Password Maximum Consecutive Repeating Characters - Create an authselect
custom profile based on sssd profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b sssd
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is match("local")
- not result_authselect_custom_profile_present.stat.exists
- name: Set Password Maximum Consecutive Repeating Characters - Ensure authselect
changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Set Password Maximum Consecutive Repeating Characters - Ensure the authselect
custom profile is selected
ansible.builtin.command:
cmd: authselect select {{ authselect_custom_profile }}
register: result_pam_authselect_select_profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Set Password Maximum Consecutive Repeating Characters - Restore the
authselect features in the custom profile
ansible.builtin.command:
cmd: authselect enable-feature {{ item }}
loop: '{{ result_authselect_features.stdout_lines }}'
register: result_pam_authselect_restore_features
when:
- result_authselect_profile is not skipped
- result_authselect_features is not skipped
- result_pam_authselect_select_profile is not skipped
- name: Set Password Maximum Consecutive Repeating Characters - Ensure authselect
changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- result_pam_authselect_restore_features is not skipped
- name: Set Password Maximum Consecutive Repeating Characters - Change the PAM
file to be edited according to the custom authselect profile
ansible.builtin.set_fact:
pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path
| basename }}
when:
- authselect_custom_profile is defined
when:
- result_authselect_present.stat.exists
- name: Set Password Maximum Consecutive Repeating Characters - Define a fact
for control already filtered in case filters are used
ansible.builtin.set_fact:
pam_module_control: ''
- name: Set Password Maximum Consecutive Repeating Characters - Check if {{ pam_file_path
}} file is present
ansible.builtin.stat:
path: '{{ pam_file_path }}'
register: result_pam_file_present
- name: Set Password Maximum Consecutive Repeating Characters - Ensure the "maxrepeat"
option from "pam_pwquality.so" is not present in {{ pam_file_path }}
ansible.builtin.replace:
dest: '{{ pam_file_path }}'
regexp: (.*password.*pam_pwquality.so.*)\bmaxrepeat\b=?[0-9a-zA-Z]*(.*)
replace: \1\2
register: result_pam_option_removal
when:
- result_pam_file_present.stat.exists
- name: Set Password Maximum Consecutive Repeating Characters - Ensure authselect
changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_present.stat.exists
- result_pam_option_removal is changed
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"libpwquality" in ansible_facts.packages'
- result_pam_auth_file_present.stat.exists
tags:
- DISA-STIG-OL08-00-020150
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(4)
- NIST-800-53-IA-5(c)
- accounts_password_pam_maxrepeat
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set Password Maximum Consecutive Repeating Characters - Check if /etc/pam.d/password-auth
file is present
ansible.builtin.stat:
path: /etc/pam.d/password-auth
register: result_pam_password_auth_file_present
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"libpwquality" in ansible_facts.packages'
tags:
- DISA-STIG-OL08-00-020150
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(4)
- NIST-800-53-IA-5(c)
- accounts_password_pam_maxrepeat
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set Password Maximum Consecutive Repeating Characters - Check the proper
remediation for the system
block:
- name: Set Password Maximum Consecutive Repeating Characters - Define the PAM
file to be edited as a local fact
ansible.builtin.set_fact:
pam_file_path: /etc/pam.d/password-auth
- name: Set Password Maximum Consecutive Repeating Characters - Check if system
relies on authselect tool
ansible.builtin.stat:
path: /usr/bin/authselect
register: result_authselect_present
- name: Set Password Maximum Consecutive Repeating Characters - Ensure authselect
custom profile is used if authselect is present
block:
- name: Set Password Maximum Consecutive Repeating Characters - Check integrity
of authselect current profile
ansible.builtin.command:
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
check_mode: false
failed_when: false
- name: Set Password Maximum Consecutive Repeating Characters - Informative
message based on the authselect integrity check result
ansible.builtin.assert:
that:
- ansible_check_mode or result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was
not selected or the selected profile is not intact.
- It is not recommended to manually edit the PAM files when authselect tool
is available.
- In cases where the default authselect profile does not cover a specific
demand, a custom authselect profile is recommended.
success_msg:
- authselect integrity check passed
- name: Set Password Maximum Consecutive Repeating Characters - Get authselect
current profile
ansible.builtin.shell:
cmd: authselect current -r | awk '{ print $1 }'
register: result_authselect_profile
changed_when: false
when:
- result_authselect_check_cmd is success
- name: Set Password Maximum Consecutive Repeating Characters - Define the current
authselect profile as a local fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: '{{ result_authselect_profile.stdout }}'
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is match("custom/")
- name: Set Password Maximum Consecutive Repeating Characters - Define the new
authselect custom profile as a local fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: custom/hardening
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is not match("custom/")
- name: Set Password Maximum Consecutive Repeating Characters - Get authselect
current features to also enable them in the custom profile
ansible.builtin.shell:
cmd: authselect current | tail -n+3 | awk '{ print $2 }'
register: result_authselect_features
changed_when: false
check_mode: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Set Password Maximum Consecutive Repeating Characters - Check if any
custom profile with the same name was already created
ansible.builtin.stat:
path: /etc/authselect/{{ authselect_custom_profile }}
register: result_authselect_custom_profile_present
changed_when: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Set Password Maximum Consecutive Repeating Characters - Create an authselect
custom profile based on the current profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b {{ authselect_current_profile
}}
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is not match("^(custom/|local)")
- not result_authselect_custom_profile_present.stat.exists
- name: Set Password Maximum Consecutive Repeating Characters - Create an authselect
custom profile based on sssd profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b sssd
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is match("local")
- not result_authselect_custom_profile_present.stat.exists
- name: Set Password Maximum Consecutive Repeating Characters - Ensure authselect
changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Set Password Maximum Consecutive Repeating Characters - Ensure the authselect
custom profile is selected
ansible.builtin.command:
cmd: authselect select {{ authselect_custom_profile }}
register: result_pam_authselect_select_profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Set Password Maximum Consecutive Repeating Characters - Restore the
authselect features in the custom profile
ansible.builtin.command:
cmd: authselect enable-feature {{ item }}
loop: '{{ result_authselect_features.stdout_lines }}'
register: result_pam_authselect_restore_features
when:
- result_authselect_profile is not skipped
- result_authselect_features is not skipped
- result_pam_authselect_select_profile is not skipped
- name: Set Password Maximum Consecutive Repeating Characters - Ensure authselect
changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- result_pam_authselect_restore_features is not skipped
- name: Set Password Maximum Consecutive Repeating Characters - Change the PAM
file to be edited according to the custom authselect profile
ansible.builtin.set_fact:
pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path
| basename }}
when:
- authselect_custom_profile is defined
when:
- result_authselect_present.stat.exists
- name: Set Password Maximum Consecutive Repeating Characters - Define a fact
for control already filtered in case filters are used
ansible.builtin.set_fact:
pam_module_control: ''
- name: Set Password Maximum Consecutive Repeating Characters - Check if {{ pam_file_path
}} file is present
ansible.builtin.stat:
path: '{{ pam_file_path }}'
register: result_pam_file_present
- name: Set Password Maximum Consecutive Repeating Characters - Ensure the "maxrepeat"
option from "pam_pwquality.so" is not present in {{ pam_file_path }}
ansible.builtin.replace:
dest: '{{ pam_file_path }}'
regexp: (.*password.*pam_pwquality.so.*)\bmaxrepeat\b=?[0-9a-zA-Z]*(.*)
replace: \1\2
register: result_pam_option_removal
when:
- result_pam_file_present.stat.exists
- name: Set Password Maximum Consecutive Repeating Characters - Ensure authselect
changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_present.stat.exists
- result_pam_option_removal is changed
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"libpwquality" in ansible_facts.packages'
- result_pam_password_auth_file_present.stat.exists
tags:
- DISA-STIG-OL08-00-020150
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(4)
- NIST-800-53-IA-5(c)
- accounts_password_pam_maxrepeat
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set Password Maximum Consecutive Repeating Characters - Ensure PAM variable
maxrepeat is set accordingly
ansible.builtin.lineinfile:
create: true
dest: /etc/security/pwquality.conf
regexp: ^#?\s*maxrepeat
line: maxrepeat = {{ var_password_pam_maxrepeat }}
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"libpwquality" in ansible_facts.packages'
tags:
- DISA-STIG-OL08-00-020150
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(4)
- NIST-800-53-IA-5(c)
- accounts_password_pam_maxrepeat
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Find pwquality.conf.d
files
ansible.builtin.find:
paths: /etc/security/pwquality.conf.d/
patterns: '*.conf'
register: pwquality_conf_d_files
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"libpwquality" in ansible_facts.packages'
tags:
- CJIS-5.6.2.1.1
- DISA-STIG-OL08-00-020230
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(4)
- NIST-800-53-IA-5(c)
- PCI-DSS-Req-8.2.3
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.6
- accounts_password_pam_minlen
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Ensure minlen
is not set in pwquality.conf.d
ansible.builtin.lineinfile:
path: '{{ item.path }}'
regexp: ^\s*\bminlen\b.*
state: absent
with_items: '{{ pwquality_conf_d_files.files }}'
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"libpwquality" in ansible_facts.packages'
tags:
- CJIS-5.6.2.1.1
- DISA-STIG-OL08-00-020230
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(4)
- NIST-800-53-IA-5(c)
- PCI-DSS-Req-8.2.3
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.6
- accounts_password_pam_minlen
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Check if /etc/pam.d/system-auth
file is present
ansible.builtin.stat:
path: /etc/pam.d/system-auth
register: result_pam_auth_file_present
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"libpwquality" in ansible_facts.packages'
tags:
- CJIS-5.6.2.1.1
- DISA-STIG-OL08-00-020230
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(4)
- NIST-800-53-IA-5(c)
- PCI-DSS-Req-8.2.3
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.6
- accounts_password_pam_minlen
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Check the proper
remediation for the system
block:
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Define the
PAM file to be edited as a local fact
ansible.builtin.set_fact:
pam_file_path: /etc/pam.d/system-auth
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Check if
system relies on authselect tool
ansible.builtin.stat:
path: /usr/bin/authselect
register: result_authselect_present
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Ensure authselect
custom profile is used if authselect is present
block:
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Check integrity
of authselect current profile
ansible.builtin.command:
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
check_mode: false
failed_when: false
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Informative
message based on the authselect integrity check result
ansible.builtin.assert:
that:
- ansible_check_mode or result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was
not selected or the selected profile is not intact.
- It is not recommended to manually edit the PAM files when authselect tool
is available.
- In cases where the default authselect profile does not cover a specific
demand, a custom authselect profile is recommended.
success_msg:
- authselect integrity check passed
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Get authselect
current profile
ansible.builtin.shell:
cmd: authselect current -r | awk '{ print $1 }'
register: result_authselect_profile
changed_when: false
when:
- result_authselect_check_cmd is success
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Define
the current authselect profile as a local fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: '{{ result_authselect_profile.stdout }}'
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is match("custom/")
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Define
the new authselect custom profile as a local fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: custom/hardening
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is not match("custom/")
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Get authselect
current features to also enable them in the custom profile
ansible.builtin.shell:
cmd: authselect current | tail -n+3 | awk '{ print $2 }'
register: result_authselect_features
changed_when: false
check_mode: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Check if
any custom profile with the same name was already created
ansible.builtin.stat:
path: /etc/authselect/{{ authselect_custom_profile }}
register: result_authselect_custom_profile_present
changed_when: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Create
an authselect custom profile based on the current profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b {{ authselect_current_profile
}}
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is not match("^(custom/|local)")
- not result_authselect_custom_profile_present.stat.exists
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Create
an authselect custom profile based on sssd profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b sssd
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is match("local")
- not result_authselect_custom_profile_present.stat.exists
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Ensure
authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Ensure
the authselect custom profile is selected
ansible.builtin.command:
cmd: authselect select {{ authselect_custom_profile }}
register: result_pam_authselect_select_profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Restore
the authselect features in the custom profile
ansible.builtin.command:
cmd: authselect enable-feature {{ item }}
loop: '{{ result_authselect_features.stdout_lines }}'
register: result_pam_authselect_restore_features
when:
- result_authselect_profile is not skipped
- result_authselect_features is not skipped
- result_pam_authselect_select_profile is not skipped
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Ensure
authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- result_pam_authselect_restore_features is not skipped
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Change
the PAM file to be edited according to the custom authselect profile
ansible.builtin.set_fact:
pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path
| basename }}
when:
- authselect_custom_profile is defined
when:
- result_authselect_present.stat.exists
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Define a
fact for control already filtered in case filters are used
ansible.builtin.set_fact:
pam_module_control: ''
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Check if
{{ pam_file_path }} file is present
ansible.builtin.stat:
path: '{{ pam_file_path }}'
register: result_pam_file_present
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Ensure the
"minlen" option from "pam_pwquality.so" is not present in {{ pam_file_path
}}
ansible.builtin.replace:
dest: '{{ pam_file_path }}'
regexp: (.*password.*pam_pwquality.so.*)\bminlen\b=?[0-9a-zA-Z]*(.*)
replace: \1\2
register: result_pam_option_removal
when:
- result_pam_file_present.stat.exists
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Ensure authselect
changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_present.stat.exists
- result_pam_option_removal is changed
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"libpwquality" in ansible_facts.packages'
- result_pam_auth_file_present.stat.exists
tags:
- CJIS-5.6.2.1.1
- DISA-STIG-OL08-00-020230
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(4)
- NIST-800-53-IA-5(c)
- PCI-DSS-Req-8.2.3
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.6
- accounts_password_pam_minlen
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Check if /etc/pam.d/password-auth
file is present
ansible.builtin.stat:
path: /etc/pam.d/password-auth
register: result_pam_password_auth_file_present
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"libpwquality" in ansible_facts.packages'
tags:
- CJIS-5.6.2.1.1
- DISA-STIG-OL08-00-020230
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(4)
- NIST-800-53-IA-5(c)
- PCI-DSS-Req-8.2.3
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.6
- accounts_password_pam_minlen
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Check the proper
remediation for the system
block:
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Define the
PAM file to be edited as a local fact
ansible.builtin.set_fact:
pam_file_path: /etc/pam.d/password-auth
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Check if
system relies on authselect tool
ansible.builtin.stat:
path: /usr/bin/authselect
register: result_authselect_present
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Ensure authselect
custom profile is used if authselect is present
block:
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Check integrity
of authselect current profile
ansible.builtin.command:
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
check_mode: false
failed_when: false
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Informative
message based on the authselect integrity check result
ansible.builtin.assert:
that:
- ansible_check_mode or result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was
not selected or the selected profile is not intact.
- It is not recommended to manually edit the PAM files when authselect tool
is available.
- In cases where the default authselect profile does not cover a specific
demand, a custom authselect profile is recommended.
success_msg:
- authselect integrity check passed
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Get authselect
current profile
ansible.builtin.shell:
cmd: authselect current -r | awk '{ print $1 }'
register: result_authselect_profile
changed_when: false
when:
- result_authselect_check_cmd is success
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Define
the current authselect profile as a local fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: '{{ result_authselect_profile.stdout }}'
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is match("custom/")
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Define
the new authselect custom profile as a local fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: custom/hardening
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is not match("custom/")
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Get authselect
current features to also enable them in the custom profile
ansible.builtin.shell:
cmd: authselect current | tail -n+3 | awk '{ print $2 }'
register: result_authselect_features
changed_when: false
check_mode: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Check if
any custom profile with the same name was already created
ansible.builtin.stat:
path: /etc/authselect/{{ authselect_custom_profile }}
register: result_authselect_custom_profile_present
changed_when: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Create
an authselect custom profile based on the current profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b {{ authselect_current_profile
}}
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is not match("^(custom/|local)")
- not result_authselect_custom_profile_present.stat.exists
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Create
an authselect custom profile based on sssd profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b sssd
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is match("local")
- not result_authselect_custom_profile_present.stat.exists
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Ensure
authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Ensure
the authselect custom profile is selected
ansible.builtin.command:
cmd: authselect select {{ authselect_custom_profile }}
register: result_pam_authselect_select_profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Restore
the authselect features in the custom profile
ansible.builtin.command:
cmd: authselect enable-feature {{ item }}
loop: '{{ result_authselect_features.stdout_lines }}'
register: result_pam_authselect_restore_features
when:
- result_authselect_profile is not skipped
- result_authselect_features is not skipped
- result_pam_authselect_select_profile is not skipped
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Ensure
authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- result_pam_authselect_restore_features is not skipped
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Change
the PAM file to be edited according to the custom authselect profile
ansible.builtin.set_fact:
pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path
| basename }}
when:
- authselect_custom_profile is defined
when:
- result_authselect_present.stat.exists
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Define a
fact for control already filtered in case filters are used
ansible.builtin.set_fact:
pam_module_control: ''
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Check if
{{ pam_file_path }} file is present
ansible.builtin.stat:
path: '{{ pam_file_path }}'
register: result_pam_file_present
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Ensure the
"minlen" option from "pam_pwquality.so" is not present in {{ pam_file_path
}}
ansible.builtin.replace:
dest: '{{ pam_file_path }}'
regexp: (.*password.*pam_pwquality.so.*)\bminlen\b=?[0-9a-zA-Z]*(.*)
replace: \1\2
register: result_pam_option_removal
when:
- result_pam_file_present.stat.exists
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Ensure authselect
changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_present.stat.exists
- result_pam_option_removal is changed
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"libpwquality" in ansible_facts.packages'
- result_pam_password_auth_file_present.stat.exists
tags:
- CJIS-5.6.2.1.1
- DISA-STIG-OL08-00-020230
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(4)
- NIST-800-53-IA-5(c)
- PCI-DSS-Req-8.2.3
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.6
- accounts_password_pam_minlen
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure PAM Enforces Password Requirements - Minimum Length - Ensure PAM
variable minlen is set accordingly
ansible.builtin.lineinfile:
create: true
dest: /etc/security/pwquality.conf
regexp: ^#?\s*minlen
line: minlen = {{ var_password_pam_minlen }}
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"libpwquality" in ansible_facts.packages'
tags:
- CJIS-5.6.2.1.1
- DISA-STIG-OL08-00-020230
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(4)
- NIST-800-53-IA-5(c)
- PCI-DSS-Req-8.2.3
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.6
- accounts_password_pam_minlen
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure PAM Enforces Password Requirements - Minimum Special Characters -
Find pwquality.conf.d files
ansible.builtin.find:
paths: /etc/security/pwquality.conf.d/
patterns: '*.conf'
register: pwquality_conf_d_files
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"libpwquality" in ansible_facts.packages'
tags:
- DISA-STIG-OL08-00-020280
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(4)
- NIST-800-53-IA-5(c)
- accounts_password_pam_ocredit
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure PAM Enforces Password Requirements - Minimum Special Characters -
Ensure ocredit is not set in pwquality.conf.d
ansible.builtin.lineinfile:
path: '{{ item.path }}'
regexp: ^\s*\bocredit\b.*
state: absent
with_items: '{{ pwquality_conf_d_files.files }}'
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"libpwquality" in ansible_facts.packages'
tags:
- DISA-STIG-OL08-00-020280
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(4)
- NIST-800-53-IA-5(c)
- accounts_password_pam_ocredit
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure PAM Enforces Password Requirements - Minimum Special Characters -
Check if /etc/pam.d/system-auth file is present
ansible.builtin.stat:
path: /etc/pam.d/system-auth
register: result_pam_auth_file_present
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"libpwquality" in ansible_facts.packages'
tags:
- DISA-STIG-OL08-00-020280
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(4)
- NIST-800-53-IA-5(c)
- accounts_password_pam_ocredit
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure PAM Enforces Password Requirements - Minimum Special Characters -
Check the proper remediation for the system
block:
- name: Ensure PAM Enforces Password Requirements - Minimum Special Characters
- Define the PAM file to be edited as a local fact
ansible.builtin.set_fact:
pam_file_path: /etc/pam.d/system-auth
- name: Ensure PAM Enforces Password Requirements - Minimum Special Characters
- Check if system relies on authselect tool
ansible.builtin.stat:
path: /usr/bin/authselect
register: result_authselect_present
- name: Ensure PAM Enforces Password Requirements - Minimum Special Characters
- Ensure authselect custom profile is used if authselect is present
block:
- name: Ensure PAM Enforces Password Requirements - Minimum Special Characters
- Check integrity of authselect current profile
ansible.builtin.command:
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
check_mode: false
failed_when: false
- name: Ensure PAM Enforces Password Requirements - Minimum Special Characters
- Informative message based on the authselect integrity check result
ansible.builtin.assert:
that:
- ansible_check_mode or result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was
not selected or the selected profile is not intact.
- It is not recommended to manually edit the PAM files when authselect tool
is available.
- In cases where the default authselect profile does not cover a specific
demand, a custom authselect profile is recommended.
success_msg:
- authselect integrity check passed
- name: Ensure PAM Enforces Password Requirements - Minimum Special Characters
- Get authselect current profile
ansible.builtin.shell:
cmd: authselect current -r | awk '{ print $1 }'
register: result_authselect_profile
changed_when: false
when:
- result_authselect_check_cmd is success
- name: Ensure PAM Enforces Password Requirements - Minimum Special Characters
- Define the current authselect profile as a local fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: '{{ result_authselect_profile.stdout }}'
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is match("custom/")
- name: Ensure PAM Enforces Password Requirements - Minimum Special Characters
- Define the new authselect custom profile as a local fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: custom/hardening
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is not match("custom/")
- name: Ensure PAM Enforces Password Requirements - Minimum Special Characters
- Get authselect current features to also enable them in the custom profile
ansible.builtin.shell:
cmd: authselect current | tail -n+3 | awk '{ print $2 }'
register: result_authselect_features
changed_when: false
check_mode: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Ensure PAM Enforces Password Requirements - Minimum Special Characters
- Check if any custom profile with the same name was already created
ansible.builtin.stat:
path: /etc/authselect/{{ authselect_custom_profile }}
register: result_authselect_custom_profile_present
changed_when: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Ensure PAM Enforces Password Requirements - Minimum Special Characters
- Create an authselect custom profile based on the current profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b {{ authselect_current_profile
}}
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is not match("^(custom/|local)")
- not result_authselect_custom_profile_present.stat.exists
- name: Ensure PAM Enforces Password Requirements - Minimum Special Characters
- Create an authselect custom profile based on sssd profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b sssd
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is match("local")
- not result_authselect_custom_profile_present.stat.exists
- name: Ensure PAM Enforces Password Requirements - Minimum Special Characters
- Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Ensure PAM Enforces Password Requirements - Minimum Special Characters
- Ensure the authselect custom profile is selected
ansible.builtin.command:
cmd: authselect select {{ authselect_custom_profile }}
register: result_pam_authselect_select_profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Ensure PAM Enforces Password Requirements - Minimum Special Characters
- Restore the authselect features in the custom profile
ansible.builtin.command:
cmd: authselect enable-feature {{ item }}
loop: '{{ result_authselect_features.stdout_lines }}'
register: result_pam_authselect_restore_features
when:
- result_authselect_profile is not skipped
- result_authselect_features is not skipped
- result_pam_authselect_select_profile is not skipped
- name: Ensure PAM Enforces Password Requirements - Minimum Special Characters
- Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- result_pam_authselect_restore_features is not skipped
- name: Ensure PAM Enforces Password Requirements - Minimum Special Characters
- Change the PAM file to be edited according to the custom authselect profile
ansible.builtin.set_fact:
pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path
| basename }}
when:
- authselect_custom_profile is defined
when:
- result_authselect_present.stat.exists
- name: Ensure PAM Enforces Password Requirements - Minimum Special Characters
- Define a fact for control already filtered in case filters are used
ansible.builtin.set_fact:
pam_module_control: ''
- name: Ensure PAM Enforces Password Requirements - Minimum Special Characters
- Check if {{ pam_file_path }} file is present
ansible.builtin.stat:
path: '{{ pam_file_path }}'
register: result_pam_file_present
- name: Ensure PAM Enforces Password Requirements - Minimum Special Characters
- Ensure the "ocredit" option from "pam_pwquality.so" is not present in {{
pam_file_path }}
ansible.builtin.replace:
dest: '{{ pam_file_path }}'
regexp: (.*password.*pam_pwquality.so.*)\bocredit\b=?[0-9a-zA-Z]*(.*)
replace: \1\2
register: result_pam_option_removal
when:
- result_pam_file_present.stat.exists
- name: Ensure PAM Enforces Password Requirements - Minimum Special Characters
- Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_present.stat.exists
- result_pam_option_removal is changed
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"libpwquality" in ansible_facts.packages'
- result_pam_auth_file_present.stat.exists
tags:
- DISA-STIG-OL08-00-020280
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(4)
- NIST-800-53-IA-5(c)
- accounts_password_pam_ocredit
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure PAM Enforces Password Requirements - Minimum Special Characters -
Check if /etc/pam.d/password-auth file is present
ansible.builtin.stat:
path: /etc/pam.d/password-auth
register: result_pam_password_auth_file_present
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"libpwquality" in ansible_facts.packages'
tags:
- DISA-STIG-OL08-00-020280
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(4)
- NIST-800-53-IA-5(c)
- accounts_password_pam_ocredit
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure PAM Enforces Password Requirements - Minimum Special Characters -
Check the proper remediation for the system
block:
- name: Ensure PAM Enforces Password Requirements - Minimum Special Characters
- Define the PAM file to be edited as a local fact
ansible.builtin.set_fact:
pam_file_path: /etc/pam.d/password-auth
- name: Ensure PAM Enforces Password Requirements - Minimum Special Characters
- Check if system relies on authselect tool
ansible.builtin.stat:
path: /usr/bin/authselect
register: result_authselect_present
- name: Ensure PAM Enforces Password Requirements - Minimum Special Characters
- Ensure authselect custom profile is used if authselect is present
block:
- name: Ensure PAM Enforces Password Requirements - Minimum Special Characters
- Check integrity of authselect current profile
ansible.builtin.command:
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
check_mode: false
failed_when: false
- name: Ensure PAM Enforces Password Requirements - Minimum Special Characters
- Informative message based on the authselect integrity check result
ansible.builtin.assert:
that:
- ansible_check_mode or result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was
not selected or the selected profile is not intact.
- It is not recommended to manually edit the PAM files when authselect tool
is available.
- In cases where the default authselect profile does not cover a specific
demand, a custom authselect profile is recommended.
success_msg:
- authselect integrity check passed
- name: Ensure PAM Enforces Password Requirements - Minimum Special Characters
- Get authselect current profile
ansible.builtin.shell:
cmd: authselect current -r | awk '{ print $1 }'
register: result_authselect_profile
changed_when: false
when:
- result_authselect_check_cmd is success
- name: Ensure PAM Enforces Password Requirements - Minimum Special Characters
- Define the current authselect profile as a local fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: '{{ result_authselect_profile.stdout }}'
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is match("custom/")
- name: Ensure PAM Enforces Password Requirements - Minimum Special Characters
- Define the new authselect custom profile as a local fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: custom/hardening
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is not match("custom/")
- name: Ensure PAM Enforces Password Requirements - Minimum Special Characters
- Get authselect current features to also enable them in the custom profile
ansible.builtin.shell:
cmd: authselect current | tail -n+3 | awk '{ print $2 }'
register: result_authselect_features
changed_when: false
check_mode: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Ensure PAM Enforces Password Requirements - Minimum Special Characters
- Check if any custom profile with the same name was already created
ansible.builtin.stat:
path: /etc/authselect/{{ authselect_custom_profile }}
register: result_authselect_custom_profile_present
changed_when: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Ensure PAM Enforces Password Requirements - Minimum Special Characters
- Create an authselect custom profile based on the current profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b {{ authselect_current_profile
}}
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is not match("^(custom/|local)")
- not result_authselect_custom_profile_present.stat.exists
- name: Ensure PAM Enforces Password Requirements - Minimum Special Characters
- Create an authselect custom profile based on sssd profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b sssd
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is match("local")
- not result_authselect_custom_profile_present.stat.exists
- name: Ensure PAM Enforces Password Requirements - Minimum Special Characters
- Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Ensure PAM Enforces Password Requirements - Minimum Special Characters
- Ensure the authselect custom profile is selected
ansible.builtin.command:
cmd: authselect select {{ authselect_custom_profile }}
register: result_pam_authselect_select_profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Ensure PAM Enforces Password Requirements - Minimum Special Characters
- Restore the authselect features in the custom profile
ansible.builtin.command:
cmd: authselect enable-feature {{ item }}
loop: '{{ result_authselect_features.stdout_lines }}'
register: result_pam_authselect_restore_features
when:
- result_authselect_profile is not skipped
- result_authselect_features is not skipped
- result_pam_authselect_select_profile is not skipped
- name: Ensure PAM Enforces Password Requirements - Minimum Special Characters
- Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- result_pam_authselect_restore_features is not skipped
- name: Ensure PAM Enforces Password Requirements - Minimum Special Characters
- Change the PAM file to be edited according to the custom authselect profile
ansible.builtin.set_fact:
pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path
| basename }}
when:
- authselect_custom_profile is defined
when:
- result_authselect_present.stat.exists
- name: Ensure PAM Enforces Password Requirements - Minimum Special Characters
- Define a fact for control already filtered in case filters are used
ansible.builtin.set_fact:
pam_module_control: ''
- name: Ensure PAM Enforces Password Requirements - Minimum Special Characters
- Check if {{ pam_file_path }} file is present
ansible.builtin.stat:
path: '{{ pam_file_path }}'
register: result_pam_file_present
- name: Ensure PAM Enforces Password Requirements - Minimum Special Characters
- Ensure the "ocredit" option from "pam_pwquality.so" is not present in {{
pam_file_path }}
ansible.builtin.replace:
dest: '{{ pam_file_path }}'
regexp: (.*password.*pam_pwquality.so.*)\bocredit\b=?[0-9a-zA-Z]*(.*)
replace: \1\2
register: result_pam_option_removal
when:
- result_pam_file_present.stat.exists
- name: Ensure PAM Enforces Password Requirements - Minimum Special Characters
- Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_present.stat.exists
- result_pam_option_removal is changed
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"libpwquality" in ansible_facts.packages'
- result_pam_password_auth_file_present.stat.exists
tags:
- DISA-STIG-OL08-00-020280
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(4)
- NIST-800-53-IA-5(c)
- accounts_password_pam_ocredit
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure PAM Enforces Password Requirements - Minimum Special Characters -
Ensure PAM variable ocredit is set accordingly
ansible.builtin.lineinfile:
create: true
dest: /etc/security/pwquality.conf
regexp: ^#?\s*ocredit
line: ocredit = {{ var_password_pam_ocredit }}
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"libpwquality" in ansible_facts.packages'
tags:
- DISA-STIG-OL08-00-020280
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(4)
- NIST-800-53-IA-5(c)
- accounts_password_pam_ocredit
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
- Find pwquality.conf.d files
ansible.builtin.find:
paths: /etc/security/pwquality.conf.d/
patterns: '*.conf'
register: pwquality_conf_d_files
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"libpwquality" in ansible_facts.packages'
tags:
- DISA-STIG-OL08-00-020110
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(4)
- NIST-800-53-IA-5(c)
- PCI-DSS-Req-8.2.3
- accounts_password_pam_ucredit
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
- Ensure ucredit is not set in pwquality.conf.d
ansible.builtin.lineinfile:
path: '{{ item.path }}'
regexp: ^\s*\bucredit\b.*
state: absent
with_items: '{{ pwquality_conf_d_files.files }}'
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"libpwquality" in ansible_facts.packages'
tags:
- DISA-STIG-OL08-00-020110
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(4)
- NIST-800-53-IA-5(c)
- PCI-DSS-Req-8.2.3
- accounts_password_pam_ucredit
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
- Check if /etc/pam.d/system-auth file is present
ansible.builtin.stat:
path: /etc/pam.d/system-auth
register: result_pam_auth_file_present
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"libpwquality" in ansible_facts.packages'
tags:
- DISA-STIG-OL08-00-020110
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(4)
- NIST-800-53-IA-5(c)
- PCI-DSS-Req-8.2.3
- accounts_password_pam_ucredit
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
- Check the proper remediation for the system
block:
- name: Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
- Define the PAM file to be edited as a local fact
ansible.builtin.set_fact:
pam_file_path: /etc/pam.d/system-auth
- name: Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
- Check if system relies on authselect tool
ansible.builtin.stat:
path: /usr/bin/authselect
register: result_authselect_present
- name: Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
- Ensure authselect custom profile is used if authselect is present
block:
- name: Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
- Check integrity of authselect current profile
ansible.builtin.command:
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
check_mode: false
failed_when: false
- name: Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
- Informative message based on the authselect integrity check result
ansible.builtin.assert:
that:
- ansible_check_mode or result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was
not selected or the selected profile is not intact.
- It is not recommended to manually edit the PAM files when authselect tool
is available.
- In cases where the default authselect profile does not cover a specific
demand, a custom authselect profile is recommended.
success_msg:
- authselect integrity check passed
- name: Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
- Get authselect current profile
ansible.builtin.shell:
cmd: authselect current -r | awk '{ print $1 }'
register: result_authselect_profile
changed_when: false
when:
- result_authselect_check_cmd is success
- name: Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
- Define the current authselect profile as a local fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: '{{ result_authselect_profile.stdout }}'
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is match("custom/")
- name: Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
- Define the new authselect custom profile as a local fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: custom/hardening
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is not match("custom/")
- name: Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
- Get authselect current features to also enable them in the custom profile
ansible.builtin.shell:
cmd: authselect current | tail -n+3 | awk '{ print $2 }'
register: result_authselect_features
changed_when: false
check_mode: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
- Check if any custom profile with the same name was already created
ansible.builtin.stat:
path: /etc/authselect/{{ authselect_custom_profile }}
register: result_authselect_custom_profile_present
changed_when: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
- Create an authselect custom profile based on the current profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b {{ authselect_current_profile
}}
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is not match("^(custom/|local)")
- not result_authselect_custom_profile_present.stat.exists
- name: Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
- Create an authselect custom profile based on sssd profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b sssd
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is match("local")
- not result_authselect_custom_profile_present.stat.exists
- name: Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
- Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
- Ensure the authselect custom profile is selected
ansible.builtin.command:
cmd: authselect select {{ authselect_custom_profile }}
register: result_pam_authselect_select_profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
- Restore the authselect features in the custom profile
ansible.builtin.command:
cmd: authselect enable-feature {{ item }}
loop: '{{ result_authselect_features.stdout_lines }}'
register: result_pam_authselect_restore_features
when:
- result_authselect_profile is not skipped
- result_authselect_features is not skipped
- result_pam_authselect_select_profile is not skipped
- name: Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
- Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- result_pam_authselect_restore_features is not skipped
- name: Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
- Change the PAM file to be edited according to the custom authselect profile
ansible.builtin.set_fact:
pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path
| basename }}
when:
- authselect_custom_profile is defined
when:
- result_authselect_present.stat.exists
- name: Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
- Define a fact for control already filtered in case filters are used
ansible.builtin.set_fact:
pam_module_control: ''
- name: Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
- Check if {{ pam_file_path }} file is present
ansible.builtin.stat:
path: '{{ pam_file_path }}'
register: result_pam_file_present
- name: Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
- Ensure the "ucredit" option from "pam_pwquality.so" is not present in {{
pam_file_path }}
ansible.builtin.replace:
dest: '{{ pam_file_path }}'
regexp: (.*password.*pam_pwquality.so.*)\bucredit\b=?[0-9a-zA-Z]*(.*)
replace: \1\2
register: result_pam_option_removal
when:
- result_pam_file_present.stat.exists
- name: Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
- Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_present.stat.exists
- result_pam_option_removal is changed
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"libpwquality" in ansible_facts.packages'
- result_pam_auth_file_present.stat.exists
tags:
- DISA-STIG-OL08-00-020110
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(4)
- NIST-800-53-IA-5(c)
- PCI-DSS-Req-8.2.3
- accounts_password_pam_ucredit
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
- Check if /etc/pam.d/password-auth file is present
ansible.builtin.stat:
path: /etc/pam.d/password-auth
register: result_pam_password_auth_file_present
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"libpwquality" in ansible_facts.packages'
tags:
- DISA-STIG-OL08-00-020110
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(4)
- NIST-800-53-IA-5(c)
- PCI-DSS-Req-8.2.3
- accounts_password_pam_ucredit
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
- Check the proper remediation for the system
block:
- name: Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
- Define the PAM file to be edited as a local fact
ansible.builtin.set_fact:
pam_file_path: /etc/pam.d/password-auth
- name: Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
- Check if system relies on authselect tool
ansible.builtin.stat:
path: /usr/bin/authselect
register: result_authselect_present
- name: Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
- Ensure authselect custom profile is used if authselect is present
block:
- name: Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
- Check integrity of authselect current profile
ansible.builtin.command:
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
check_mode: false
failed_when: false
- name: Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
- Informative message based on the authselect integrity check result
ansible.builtin.assert:
that:
- ansible_check_mode or result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was
not selected or the selected profile is not intact.
- It is not recommended to manually edit the PAM files when authselect tool
is available.
- In cases where the default authselect profile does not cover a specific
demand, a custom authselect profile is recommended.
success_msg:
- authselect integrity check passed
- name: Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
- Get authselect current profile
ansible.builtin.shell:
cmd: authselect current -r | awk '{ print $1 }'
register: result_authselect_profile
changed_when: false
when:
- result_authselect_check_cmd is success
- name: Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
- Define the current authselect profile as a local fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: '{{ result_authselect_profile.stdout }}'
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is match("custom/")
- name: Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
- Define the new authselect custom profile as a local fact
ansible.builtin.set_fact:
authselect_current_profile: '{{ result_authselect_profile.stdout }}'
authselect_custom_profile: custom/hardening
when:
- result_authselect_profile is not skipped
- result_authselect_profile.stdout is not match("custom/")
- name: Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
- Get authselect current features to also enable them in the custom profile
ansible.builtin.shell:
cmd: authselect current | tail -n+3 | awk '{ print $2 }'
register: result_authselect_features
changed_when: false
check_mode: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
- Check if any custom profile with the same name was already created
ansible.builtin.stat:
path: /etc/authselect/{{ authselect_custom_profile }}
register: result_authselect_custom_profile_present
changed_when: false
when:
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- name: Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
- Create an authselect custom profile based on the current profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b {{ authselect_current_profile
}}
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is not match("^(custom/|local)")
- not result_authselect_custom_profile_present.stat.exists
- name: Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
- Create an authselect custom profile based on sssd profile
ansible.builtin.command:
cmd: authselect create-profile hardening -b sssd
when:
- result_authselect_profile is not skipped
- result_authselect_check_cmd is success
- authselect_current_profile is match("local")
- not result_authselect_custom_profile_present.stat.exists
- name: Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
- Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
- Ensure the authselect custom profile is selected
ansible.builtin.command:
cmd: authselect select {{ authselect_custom_profile }}
register: result_pam_authselect_select_profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- authselect_current_profile is not match("custom/")
- authselect_custom_profile is not match(authselect_current_profile)
- name: Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
- Restore the authselect features in the custom profile
ansible.builtin.command:
cmd: authselect enable-feature {{ item }}
loop: '{{ result_authselect_features.stdout_lines }}'
register: result_pam_authselect_restore_features
when:
- result_authselect_profile is not skipped
- result_authselect_features is not skipped
- result_pam_authselect_select_profile is not skipped
- name: Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
- Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
when:
- result_authselect_check_cmd is success
- result_authselect_profile is not skipped
- result_pam_authselect_restore_features is not skipped
- name: Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
- Change the PAM file to be edited according to the custom authselect profile
ansible.builtin.set_fact:
pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path
| basename }}
when:
- authselect_custom_profile is defined
when:
- result_authselect_present.stat.exists
- name: Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
- Define a fact for control already filtered in case filters are used
ansible.builtin.set_fact:
pam_module_control: ''
- name: Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
- Check if {{ pam_file_path }} file is present
ansible.builtin.stat:
path: '{{ pam_file_path }}'
register: result_pam_file_present
- name: Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
- Ensure the "ucredit" option from "pam_pwquality.so" is not present in {{
pam_file_path }}
ansible.builtin.replace:
dest: '{{ pam_file_path }}'
regexp: (.*password.*pam_pwquality.so.*)\bucredit\b=?[0-9a-zA-Z]*(.*)
replace: \1\2
register: result_pam_option_removal
when:
- result_pam_file_present.stat.exists
- name: Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
- Ensure authselect changes are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_present.stat.exists
- result_pam_option_removal is changed
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"libpwquality" in ansible_facts.packages'
- result_pam_password_auth_file_present.stat.exists
tags:
- DISA-STIG-OL08-00-020110
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(4)
- NIST-800-53-IA-5(c)
- PCI-DSS-Req-8.2.3
- accounts_password_pam_ucredit
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
- Ensure PAM variable ucredit is set accordingly
ansible.builtin.lineinfile:
create: true
dest: /etc/security/pwquality.conf
regexp: ^#?\s*ucredit
line: ucredit = {{ var_password_pam_ucredit }}
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"libpwquality" in ansible_facts.packages'
tags:
- DISA-STIG-OL08-00-020110
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(4)
- NIST-800-53-IA-5(c)
- PCI-DSS-Req-8.2.3
- accounts_password_pam_ucredit
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Disable Ctrl-Alt-Del Burst Action
ansible.builtin.lineinfile:
dest: /etc/systemd/system.conf
state: present
regexp: ^CtrlAltDelBurstAction
line: CtrlAltDelBurstAction=none
create: true
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"systemd" in ansible_facts.packages'
tags:
- DISA-STIG-OL08-00-040172
- NIST-800-171-3.4.5
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-6(a)
- disable_ctrlaltdel_burstaction
- disable_strategy
- high_severity
- low_complexity
- low_disruption
- no_reboot_needed
- name: Disable Ctrl-Alt-Del Reboot Activation
ansible.builtin.systemd:
name: ctrl-alt-del.target
force: true
masked: true
state: stopped
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-040170
- NIST-800-171-3.4.5
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- disable_ctrlaltdel_reboot
- disable_strategy
- high_severity
- low_complexity
- low_disruption
- no_reboot_needed
- name: Require Authentication for Single User Mode - find files which already override
Execstart of rescue.service
ansible.builtin.find:
paths: /etc/systemd/system/rescue.service.d
patterns: '*.conf'
contains: ^\s*ExecStart=.*$
register: rescue_service_overrides_found
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-010151
- NIST-800-171-3.1.1
- NIST-800-171-3.4.5
- NIST-800-53-AC-3
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-2
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- require_singleuser_auth
- restrict_strategy
- name: Require Authentication for Single User Mode - set files containing ExecStart
overrides as target
ansible.builtin.set_fact:
rescue_service_remediation_target_file: '{{ rescue_service_overrides_found.files
| map(attribute=''path'') | list }}'
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- rescue_service_overrides_found.matched is defined and rescue_service_overrides_found.matched
> 0
tags:
- DISA-STIG-OL08-00-010151
- NIST-800-171-3.1.1
- NIST-800-171-3.4.5
- NIST-800-53-AC-3
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-2
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- require_singleuser_auth
- restrict_strategy
- name: Require Authentication for Single User Mode - set default target for rescue.service
override
ansible.builtin.set_fact:
rescue_service_remediation_target_file:
- /etc/systemd/system/rescue.service.d/10-oscap.conf
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- rescue_service_overrides_found.matched is defined and rescue_service_overrides_found.matched
== 0
tags:
- DISA-STIG-OL08-00-010151
- NIST-800-171-3.1.1
- NIST-800-171-3.4.5
- NIST-800-53-AC-3
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-2
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- require_singleuser_auth
- restrict_strategy
- name: Require Authentication for Single User Mode - Require emergency user mode
password
community.general.ini_file:
path: '{{ item }}'
section: Service
option: ExecStart
values:
- ''
- -/usr/lib/systemd/systemd-sulogin-shell rescue
loop: '{{ rescue_service_remediation_target_file }}'
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-010151
- NIST-800-171-3.1.1
- NIST-800-171-3.4.5
- NIST-800-53-AC-3
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-2
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- require_singleuser_auth
- restrict_strategy
- name: 'Support session locking with tmux: Determine If the Tmux Launch Script
Is Present in /etc/bashrc'
ansible.builtin.find:
paths: /etc
patterns: bashrc
contains: .*case "$name" in sshd|login\) exec tmux ;; esac.*
register: tmux_in_bashrc
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"tmux" in ansible_facts.packages'
tags:
- configure_bashrc_exec_tmux
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: 'Support session locking with tmux: Determine If the Tmux Launch Script
Is Present in /etc/profile.d/*.sh'
ansible.builtin.find:
paths: /etc/profile.d
patterns: '*.sh'
contains: .*case "$name" in sshd|login\) exec tmux ;; esac.*
register: tmux_in_profile_d
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"tmux" in ansible_facts.packages'
tags:
- configure_bashrc_exec_tmux
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: 'Support session locking with tmux: Insert the Correct Script into /etc/profile.d/tmux.sh'
ansible.builtin.blockinfile:
path: /etc/profile.d/tmux.sh
block: |
if [ "$PS1" ]; then
parent=$(ps -o ppid= -p $$)
name=$(ps -o comm= -p $parent)
case "$name" in sshd|login) exec tmux ;; esac
fi
create: true
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"tmux" in ansible_facts.packages'
- tmux_in_bashrc is defined and tmux_in_bashrc.matched == 0
- tmux_in_profile_d is defined and tmux_in_profile_d.matched == 0
tags:
- configure_bashrc_exec_tmux
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Configure tmux to lock session after inactivity
block:
- name: Check for duplicate values
ansible.builtin.lineinfile:
path: /etc/tmux.conf
create: true
regexp: (?i)^\s*set -g lock-after-time\s+
mode: '0644'
state: absent
check_mode: true
changed_when: false
register: dupes
- name: Deduplicate values from /etc/tmux.conf
ansible.builtin.lineinfile:
path: /etc/tmux.conf
create: true
regexp: (?i)^\s*set -g lock-after-time\s+
mode: '0644'
state: absent
when: dupes.found is defined and dupes.found > 1
- name: Insert correct line to /etc/tmux.conf
ansible.builtin.lineinfile:
path: /etc/tmux.conf
create: true
regexp: (?i)^\s*set -g lock-after-time\s+
mode: '0644'
line: set -g lock-after-time 900
state: present
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"tmux" in ansible_facts.packages'
tags:
- configure_tmux_lock_after_time
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Configure the tmux Lock Command
block:
- name: Check for duplicate values
ansible.builtin.lineinfile:
path: /etc/tmux.conf
create: true
regexp: (?i)^\s*set -g lock-command\s+
mode: '0644'
state: absent
check_mode: true
changed_when: false
register: dupes
- name: Deduplicate values from /etc/tmux.conf
ansible.builtin.lineinfile:
path: /etc/tmux.conf
create: true
regexp: (?i)^\s*set -g lock-command\s+
mode: '0644'
state: absent
when: dupes.found is defined and dupes.found > 1
- name: Insert correct line to /etc/tmux.conf
ansible.builtin.lineinfile:
path: /etc/tmux.conf
create: true
regexp: (?i)^\s*set -g lock-command\s+
mode: '0644'
line: set -g lock-command vlock
state: present
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"tmux" in ansible_facts.packages'
tags:
- NIST-800-53-AC-11(a)
- NIST-800-53-AC-11(b)
- NIST-800-53-CM-6(a)
- configure_tmux_lock_command
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Prevent user from disabling the screen lock - Ensure tmux line not exists
ansible.builtin.lineinfile:
path: /etc/shells
regex: tmux\s*$
state: absent
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-53-CM-6
- low_complexity
- low_disruption
- low_severity
- no_reboot_needed
- no_tmux_in_shells
- restrict_strategy
- name: Prevent Login to Accounts With Empty Password - Check if system relies on
authselect
ansible.builtin.stat:
path: /usr/bin/authselect
register: result_authselect_present
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.5.2
- DISA-STIG-OL08-00-020331
- DISA-STIG-OL08-00-020332
- NIST-800-171-3.1.1
- NIST-800-171-3.1.5
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(c)
- PCI-DSS-Req-8.2.3
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.1
- configure_strategy
- high_severity
- low_complexity
- medium_disruption
- no_empty_passwords
- no_reboot_needed
- name: Prevent Login to Accounts With Empty Password - Remediate using authselect
block:
- name: Prevent Login to Accounts With Empty Password - Check integrity of authselect
current profile
ansible.builtin.command:
cmd: authselect check
register: result_authselect_check_cmd
changed_when: false
check_mode: false
failed_when: false
- name: Prevent Login to Accounts With Empty Password - Informative message based
on the authselect integrity check result
ansible.builtin.assert:
that:
- ansible_check_mode or result_authselect_check_cmd.rc == 0
fail_msg:
- authselect integrity check failed. Remediation aborted!
- This remediation could not be applied because an authselect profile was
not selected or the selected profile is not intact.
- It is not recommended to manually edit the PAM files when authselect tool
is available.
- In cases where the default authselect profile does not cover a specific
demand, a custom authselect profile is recommended.
success_msg:
- authselect integrity check passed
- name: Prevent Login to Accounts With Empty Password - Get authselect current
features
ansible.builtin.shell:
cmd: authselect current | tail -n+3 | awk '{ print $2 }'
register: result_authselect_features
changed_when: false
check_mode: false
when:
- result_authselect_check_cmd is success
- name: Prevent Login to Accounts With Empty Password - Ensure "without-nullok"
feature is enabled using authselect tool
ansible.builtin.command:
cmd: authselect enable-feature without-nullok
register: result_authselect_enable_feature_cmd
when:
- result_authselect_check_cmd is success
- result_authselect_features.stdout is not search("without-nullok")
- name: Prevent Login to Accounts With Empty Password - Ensure authselect changes
are applied
ansible.builtin.command:
cmd: authselect apply-changes -b
when:
- result_authselect_enable_feature_cmd is not skipped
- result_authselect_enable_feature_cmd is success
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- result_authselect_present.stat.exists
tags:
- CJIS-5.5.2
- DISA-STIG-OL08-00-020331
- DISA-STIG-OL08-00-020332
- NIST-800-171-3.1.1
- NIST-800-171-3.1.5
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(c)
- PCI-DSS-Req-8.2.3
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.1
- configure_strategy
- high_severity
- low_complexity
- medium_disruption
- no_empty_passwords
- no_reboot_needed
- name: Prevent Login to Accounts With Empty Password - Remediate directly editing
PAM files
ansible.builtin.replace:
dest: '{{ item }}'
regexp: nullok
loop:
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- not result_authselect_present.stat.exists
tags:
- CJIS-5.5.2
- DISA-STIG-OL08-00-020331
- DISA-STIG-OL08-00-020332
- NIST-800-171-3.1.1
- NIST-800-171-3.1.5
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(a)
- NIST-800-53-IA-5(c)
- PCI-DSS-Req-8.2.3
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.1
- configure_strategy
- high_severity
- low_complexity
- medium_disruption
- no_empty_passwords
- no_reboot_needed
- name: Restrict Virtual Console Root Logins
ansible.builtin.lineinfile:
dest: /etc/securetty
regexp: ^vc/[0-9]
state: absent
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-171-3.1.1
- NIST-800-171-3.1.5
- NIST-800-53-AC-6
- NIST-800-53-CM-6(a)
- PCI-DSSv4-8.6
- PCI-DSSv4-8.6.1
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- securetty_root_login_console_only
- name: Restrict usage of su command only to members of wheel group
ansible.builtin.replace:
path: /etc/pam.d/su
regexp: ^[\s]*#[\s]*auth[\s]+required[\s]+pam_wheel\.so[\s]+use_uid$
replace: auth required pam_wheel.so use_uid
when: '"pam" in ansible_facts.packages'
tags:
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- use_pam_wheel_for_su
- name: Find /etc/security/limits.d files containing maxlogins configuration
ansible.builtin.find:
paths: /etc/security/limits.d
contains: ^[\s]*\*[\s]+(?:(?:hard)|(?:-))[\s]+maxlogins
patterns: '*.conf'
register: maxlogins
when: ( "pam" in ansible_facts.packages and ("kernel" in ansible_facts.packages
or "kernel-uek" in ansible_facts.packages) )
tags:
- CJIS-5.5.2.2
- DISA-STIG-OL08-00-020024
- NIST-800-53-AC-10
- NIST-800-53-CM-6(a)
- accounts_max_concurrent_login_sessions
- low_complexity
- low_disruption
- low_severity
- no_reboot_needed
- restrict_strategy
- name: Limit the Number of Concurrent Login Sessions Allowed Per User in files
from limits.d
ansible.builtin.replace:
dest: '{{ item.path }}'
regexp: ^#?\*.*maxlogins.*
replace: '* hard maxlogins {{ var_accounts_max_concurrent_login_sessions
}}'
with_items:
- '{{ maxlogins.files }}'
when: ( "pam" in ansible_facts.packages and ("kernel" in ansible_facts.packages
or "kernel-uek" in ansible_facts.packages) )
tags:
- CJIS-5.5.2.2
- DISA-STIG-OL08-00-020024
- NIST-800-53-AC-10
- NIST-800-53-CM-6(a)
- accounts_max_concurrent_login_sessions
- low_complexity
- low_disruption
- low_severity
- no_reboot_needed
- restrict_strategy
- name: Limit the Number of Concurrent Login Sessions Allowed Per User
ansible.builtin.lineinfile:
state: present
dest: /etc/security/limits.conf
insertbefore: ^# End of file
regexp: ^#?\*.*maxlogins
line: '* hard maxlogins {{ var_accounts_max_concurrent_login_sessions
}}'
create: true
when:
- ( "pam" in ansible_facts.packages and ("kernel" in ansible_facts.packages or
"kernel-uek" in ansible_facts.packages) )
- maxlogins.matched == 0
tags:
- CJIS-5.5.2.2
- DISA-STIG-OL08-00-020024
- NIST-800-53-AC-10
- NIST-800-53-CM-6(a)
- accounts_max_concurrent_login_sessions
- low_complexity
- low_disruption
- low_severity
- no_reboot_needed
- restrict_strategy
- name: Check if umask in /etc/bashrc is already set
ansible.builtin.lineinfile:
path: /etc/bashrc
regexp: ^[^#]*\bumask\s+\d+$
state: absent
check_mode: true
changed_when: false
register: umask_replace
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"bash" in ansible_facts.packages'
tags:
- DISA-STIG-OL08-00-020353
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- accounts_umask_etc_bashrc
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Replace user umask in /etc/bashrc
ansible.builtin.replace:
path: /etc/bashrc
regexp: ^([^#]*\b)umask\s+\d+$
replace: \g<1>umask {{ var_accounts_user_umask }}
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"bash" in ansible_facts.packages'
- umask_replace.found > 0
tags:
- DISA-STIG-OL08-00-020353
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- accounts_umask_etc_bashrc
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure the Default umask is Appended Correctly
ansible.builtin.lineinfile:
create: true
path: /etc/bashrc
line: umask {{ var_accounts_user_umask }}
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"bash" in ansible_facts.packages'
- umask_replace.found == 0
tags:
- DISA-STIG-OL08-00-020353
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- accounts_umask_etc_bashrc
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Check if umask in /etc/csh.cshrc is already set
ansible.builtin.lineinfile:
path: /etc/csh.cshrc
regexp: ^(\s*)umask\s+.*
state: absent
check_mode: true
changed_when: false
register: umask_replace
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-020353
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- accounts_umask_etc_csh_cshrc
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Replace user umask in /etc/csh.cshrc
ansible.builtin.replace:
path: /etc/csh.cshrc
regexp: ^(\s*)umask(\s+).*
replace: \g<1>umask\g<2>{{ var_accounts_user_umask }}
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- umask_replace.found > 0
tags:
- DISA-STIG-OL08-00-020353
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- accounts_umask_etc_csh_cshrc
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure the Default umask is Appended Correctly
ansible.builtin.lineinfile:
create: true
path: /etc/csh.cshrc
line: umask {{ var_accounts_user_umask }}
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- umask_replace.found == 0
tags:
- DISA-STIG-OL08-00-020353
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- accounts_umask_etc_csh_cshrc
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure the Default Umask is Set Correctly in /etc/profile - Locate Profile
Configuration Files Where umask Is Defined
ansible.builtin.find:
paths:
- /etc/profile.d
patterns:
- sh.local
- '*.sh'
contains: ^[\s]*umask\s+\d+
register: result_profile_d_files
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-020353
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- accounts_umask_etc_profile
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure the Default Umask is Set Correctly in /etc/profile - Replace Existing
umask Value in Files From /etc/profile.d
ansible.builtin.replace:
path: '{{ item.path }}'
regexp: ^(\s*)umask\s+\d+
replace: \1umask {{ var_accounts_user_umask }}
loop: '{{ result_profile_d_files.files }}'
register: result_umask_replaced_profile_d
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- result_profile_d_files.matched
tags:
- DISA-STIG-OL08-00-020353
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- accounts_umask_etc_profile
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure the Default Umask is Set Correctly in /etc/profile - Ensure umask
Is Set in /etc/profile if Not Already Set Elsewhere
ansible.builtin.lineinfile:
create: true
mode: 420
path: /etc/profile
line: umask {{ var_accounts_user_umask }}
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- not result_profile_d_files.matched
tags:
- DISA-STIG-OL08-00-020353
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- accounts_umask_etc_profile
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure the Default Umask is Set Correctly in /etc/profile - Ensure umask
Value For All Existing umask Definition in /etc/profile
ansible.builtin.replace:
path: /etc/profile
regexp: ^(\s*)umask\s+\d+
replace: \1umask {{ var_accounts_user_umask }}
register: result_umask_replaced_profile
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-020353
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- accounts_umask_etc_profile
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Disable Recovery Booting - Verify GRUB_DISABLE_RECOVERY=true
ansible.builtin.lineinfile:
path: /etc/default/grub
regexp: ^GRUB_DISABLE_RECOVERY=.*
line: GRUB_DISABLE_RECOVERY=true
state: present
register: grub_config_changed
when: ( "grub2-common" in ansible_facts.packages and ("kernel" in ansible_facts.packages
or "kernel-uek" in ansible_facts.packages) )
tags:
- grub2_disable_recovery
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Disable Recovery Booting - Update grub defaults and the bootloader menu
ansible.builtin.command: /sbin/grubby --update-kernel=ALL
when:
- ( "grub2-common" in ansible_facts.packages and ("kernel" in ansible_facts.packages
or "kernel-uek" in ansible_facts.packages) )
- grub_config_changed is changed
tags:
- grub2_disable_recovery
- low_complexity
- low_disruption
- medium_severity
- reboot_required
- restrict_strategy
- name: Check if random.trust_cpu argument is already present in /etc/default/grub
ansible.builtin.slurp:
src: /etc/default/grub
register: etc_default_grub
when: ( "grub2-common" in ansible_facts.packages and ("kernel" in ansible_facts.packages
or "kernel-uek" in ansible_facts.packages) )
tags:
- grub2_kernel_trust_cpu_rng
- low_disruption
- medium_complexity
- medium_severity
- reboot_required
- restrict_strategy
- name: Check if random.trust_cpu argument is already present
ansible.builtin.command: /sbin/grubby --info=ALL
register: grubby_info
check_mode: false
changed_when: false
failed_when: false
when: ( "grub2-common" in ansible_facts.packages and ("kernel" in ansible_facts.packages
or "kernel-uek" in ansible_facts.packages) )
tags:
- grub2_kernel_trust_cpu_rng
- low_disruption
- medium_complexity
- medium_severity
- reboot_required
- restrict_strategy
- name: Update grub defaults and the bootloader menu
ansible.builtin.command: /sbin/grubby --update-kernel=ALL --args="random.trust_cpu=on"
when:
- ( "grub2-common" in ansible_facts.packages and ("kernel" in ansible_facts.packages
or "kernel-uek" in ansible_facts.packages) )
- (grubby_info.stdout is not search('random.trust_cpu=on')) or ((etc_default_grub['content']
| b64decode) is not search('random.trust_cpu=on'))
tags:
- grub2_kernel_trust_cpu_rng
- low_disruption
- medium_complexity
- medium_severity
- reboot_required
- restrict_strategy
- name: Check if pti argument is already present in /etc/default/grub
ansible.builtin.slurp:
src: /etc/default/grub
register: etc_default_grub
when: ( "grub2-common" in ansible_facts.packages and ("kernel" in ansible_facts.packages
or "kernel-uek" in ansible_facts.packages) )
tags:
- DISA-STIG-OL08-00-040004
- NIST-800-53-SI-16
- grub2_pti_argument
- low_disruption
- low_severity
- medium_complexity
- reboot_required
- restrict_strategy
- name: Check if pti argument is already present
ansible.builtin.command: /sbin/grubby --info=ALL
register: grubby_info
check_mode: false
changed_when: false
failed_when: false
when: ( "grub2-common" in ansible_facts.packages and ("kernel" in ansible_facts.packages
or "kernel-uek" in ansible_facts.packages) )
tags:
- DISA-STIG-OL08-00-040004
- NIST-800-53-SI-16
- grub2_pti_argument
- low_disruption
- low_severity
- medium_complexity
- reboot_required
- restrict_strategy
- name: Update grub defaults and the bootloader menu
ansible.builtin.command: /sbin/grubby --update-kernel=ALL --args="pti=on"
when:
- ( "grub2-common" in ansible_facts.packages and ("kernel" in ansible_facts.packages
or "kernel-uek" in ansible_facts.packages) )
- (grubby_info.stdout is not search('pti=on')) or ((etc_default_grub['content']
| b64decode) is not search('pti=on'))
tags:
- DISA-STIG-OL08-00-040004
- NIST-800-53-SI-16
- grub2_pti_argument
- low_disruption
- low_severity
- medium_complexity
- reboot_required
- restrict_strategy
- name: Check if vsyscall argument is already present in /etc/default/grub
ansible.builtin.slurp:
src: /etc/default/grub
register: etc_default_grub
when:
- ( "grub2-common" in ansible_facts.packages and ("kernel" in ansible_facts.packages
or "kernel-uek" in ansible_facts.packages) )
- ansible_architecture == "x86_64"
tags:
- DISA-STIG-OL08-00-010422
- NIST-800-53-CM-7(a)
- grub2_vsyscall_argument
- low_disruption
- medium_complexity
- medium_severity
- reboot_required
- restrict_strategy
- name: Check if vsyscall argument is already present
ansible.builtin.command: /sbin/grubby --info=ALL
register: grubby_info
check_mode: false
changed_when: false
failed_when: false
when:
- ( "grub2-common" in ansible_facts.packages and ("kernel" in ansible_facts.packages
or "kernel-uek" in ansible_facts.packages) )
- ansible_architecture == "x86_64"
tags:
- DISA-STIG-OL08-00-010422
- NIST-800-53-CM-7(a)
- grub2_vsyscall_argument
- low_disruption
- medium_complexity
- medium_severity
- reboot_required
- restrict_strategy
- name: Update grub defaults and the bootloader menu
ansible.builtin.command: /sbin/grubby --update-kernel=ALL --args="vsyscall=none"
when:
- ( "grub2-common" in ansible_facts.packages and ("kernel" in ansible_facts.packages
or "kernel-uek" in ansible_facts.packages) )
- ansible_architecture == "x86_64"
- (grubby_info.stdout is not search('vsyscall=none')) or ((etc_default_grub['content']
| b64decode) is not search('vsyscall=none'))
tags:
- DISA-STIG-OL08-00-010422
- NIST-800-53-CM-7(a)
- grub2_vsyscall_argument
- low_disruption
- medium_complexity
- medium_severity
- reboot_required
- restrict_strategy
- name: Configure Accepting Router Advertisements on All IPv6 Interfaces - Set fact
for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /etc/sysctl.d/
- /run/sysctl.d/
- /usr/local/lib/sysctl.d/
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-040261
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_all_accept_ra
- name: Configure Accepting Router Advertisements on All IPv6 Interfaces - Find
all files that contain net.ipv6.conf.all.accept_ra
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv6.conf.all.accept_ra\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-040261
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_all_accept_ra
- name: Configure Accepting Router Advertisements on All IPv6 Interfaces - Find
all files that set net.ipv6.conf.all.accept_ra to correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv6.conf.all.accept_ra\s*=\s*{{ sysctl_net_ipv6_conf_all_accept_ra_value
}}$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-040261
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_all_accept_ra
- name: Configure Accepting Router Advertisements on All IPv6 Interfaces - Comment
out any occurrences of net.ipv6.conf.all.accept_ra from config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*net.ipv6.conf.all.accept_ra
replace: '#net.ipv6.conf.all.accept_ra'
loop: '{{ find_all_values.stdout_lines }}'
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines
| length > find_correct_value.stdout_lines | length
tags:
- DISA-STIG-OL08-00-040261
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_all_accept_ra
- name: Configure Accepting Router Advertisements on All IPv6 Interfaces - Comment
out any occurrences of net.ipv6.conf.all.accept_ra from /etc/sysctl.conf
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^[\s]*net.ipv6.conf.all.accept_ra
replace: '#net.ipv6.conf.all.accept_ra'
with_fileglob:
- /etc/sysctl.conf
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-040261
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_all_accept_ra
- name: Configure Accepting Router Advertisements on All IPv6 Interfaces - Ensure
sysctl net.ipv6.conf.all.accept_ra is set
ansible.posix.sysctl:
name: net.ipv6.conf.all.accept_ra
value: '{{ sysctl_net_ipv6_conf_all_accept_ra_value }}'
sysctl_file: /etc/sysctl.d/net_ipv6_conf_all_accept_ra.conf
state: present
reload: true
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-040261
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_all_accept_ra
- name: Disable Accepting ICMP Redirects for All IPv6 Interfaces - Set fact for
sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /etc/sysctl.d/
- /run/sysctl.d/
- /usr/local/lib/sysctl.d/
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-040280
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-6(b)
- NIST-800-53-CM-6.1(iv)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_all_accept_redirects
- name: Disable Accepting ICMP Redirects for All IPv6 Interfaces - Find all files
that contain net.ipv6.conf.all.accept_redirects
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv6.conf.all.accept_redirects\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-040280
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-6(b)
- NIST-800-53-CM-6.1(iv)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_all_accept_redirects
- name: Disable Accepting ICMP Redirects for All IPv6 Interfaces - Find all files
that set net.ipv6.conf.all.accept_redirects to correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv6.conf.all.accept_redirects\s*=\s*{{ sysctl_net_ipv6_conf_all_accept_redirects_value
}}$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-040280
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-6(b)
- NIST-800-53-CM-6.1(iv)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_all_accept_redirects
- name: Disable Accepting ICMP Redirects for All IPv6 Interfaces - Comment out any
occurrences of net.ipv6.conf.all.accept_redirects from config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*net.ipv6.conf.all.accept_redirects
replace: '#net.ipv6.conf.all.accept_redirects'
loop: '{{ find_all_values.stdout_lines }}'
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines
| length > find_correct_value.stdout_lines | length
tags:
- DISA-STIG-OL08-00-040280
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-6(b)
- NIST-800-53-CM-6.1(iv)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_all_accept_redirects
- name: Disable Accepting ICMP Redirects for All IPv6 Interfaces - Comment out any
occurrences of net.ipv6.conf.all.accept_redirects from /etc/sysctl.conf
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^[\s]*net.ipv6.conf.all.accept_redirects
replace: '#net.ipv6.conf.all.accept_redirects'
with_fileglob:
- /etc/sysctl.conf
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-040280
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-6(b)
- NIST-800-53-CM-6.1(iv)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_all_accept_redirects
- name: Disable Accepting ICMP Redirects for All IPv6 Interfaces - Ensure sysctl
net.ipv6.conf.all.accept_redirects is set
ansible.posix.sysctl:
name: net.ipv6.conf.all.accept_redirects
value: '{{ sysctl_net_ipv6_conf_all_accept_redirects_value }}'
sysctl_file: /etc/sysctl.d/net_ipv6_conf_all_accept_redirects.conf
state: present
reload: true
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-040280
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-6(b)
- NIST-800-53-CM-6.1(iv)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_all_accept_redirects
- name: Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6
Interfaces - Set fact for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /etc/sysctl.d/
- /run/sysctl.d/
- /usr/local/lib/sysctl.d/
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-040240
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_all_accept_source_route
- name: Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6
Interfaces - Find all files that contain net.ipv6.conf.all.accept_source_route
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv6.conf.all.accept_source_route\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-040240
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_all_accept_source_route
- name: Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6
Interfaces - Find all files that set net.ipv6.conf.all.accept_source_route to
correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv6.conf.all.accept_source_route\s*=\s*{{ sysctl_net_ipv6_conf_all_accept_source_route_value
}}$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-040240
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_all_accept_source_route
- name: Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6
Interfaces - Comment out any occurrences of net.ipv6.conf.all.accept_source_route
from config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*net.ipv6.conf.all.accept_source_route
replace: '#net.ipv6.conf.all.accept_source_route'
loop: '{{ find_all_values.stdout_lines }}'
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines
| length > find_correct_value.stdout_lines | length
tags:
- DISA-STIG-OL08-00-040240
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_all_accept_source_route
- name: Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6
Interfaces - Comment out any occurrences of net.ipv6.conf.all.accept_source_route
from /etc/sysctl.conf
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^[\s]*net.ipv6.conf.all.accept_source_route
replace: '#net.ipv6.conf.all.accept_source_route'
with_fileglob:
- /etc/sysctl.conf
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-040240
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_all_accept_source_route
- name: Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6
Interfaces - Ensure sysctl net.ipv6.conf.all.accept_source_route is set
ansible.posix.sysctl:
name: net.ipv6.conf.all.accept_source_route
value: '{{ sysctl_net_ipv6_conf_all_accept_source_route_value }}'
sysctl_file: /etc/sysctl.d/net_ipv6_conf_all_accept_source_route.conf
state: present
reload: true
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-040240
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_all_accept_source_route
- name: Disable Accepting Router Advertisements on all IPv6 Interfaces by Default
- Set fact for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /etc/sysctl.d/
- /run/sysctl.d/
- /usr/local/lib/sysctl.d/
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-040262
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_default_accept_ra
- name: Disable Accepting Router Advertisements on all IPv6 Interfaces by Default
- Find all files that contain net.ipv6.conf.default.accept_ra
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv6.conf.default.accept_ra\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-040262
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_default_accept_ra
- name: Disable Accepting Router Advertisements on all IPv6 Interfaces by Default
- Find all files that set net.ipv6.conf.default.accept_ra to correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv6.conf.default.accept_ra\s*=\s*{{ sysctl_net_ipv6_conf_default_accept_ra_value
}}$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-040262
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_default_accept_ra
- name: Disable Accepting Router Advertisements on all IPv6 Interfaces by Default
- Comment out any occurrences of net.ipv6.conf.default.accept_ra from config
files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*net.ipv6.conf.default.accept_ra
replace: '#net.ipv6.conf.default.accept_ra'
loop: '{{ find_all_values.stdout_lines }}'
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines
| length > find_correct_value.stdout_lines | length
tags:
- DISA-STIG-OL08-00-040262
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_default_accept_ra
- name: Disable Accepting Router Advertisements on all IPv6 Interfaces by Default
- Comment out any occurrences of net.ipv6.conf.default.accept_ra from /etc/sysctl.conf
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^[\s]*net.ipv6.conf.default.accept_ra
replace: '#net.ipv6.conf.default.accept_ra'
with_fileglob:
- /etc/sysctl.conf
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-040262
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_default_accept_ra
- name: Disable Accepting Router Advertisements on all IPv6 Interfaces by Default
- Ensure sysctl net.ipv6.conf.default.accept_ra is set
ansible.posix.sysctl:
name: net.ipv6.conf.default.accept_ra
value: '{{ sysctl_net_ipv6_conf_default_accept_ra_value }}'
sysctl_file: /etc/sysctl.d/net_ipv6_conf_default_accept_ra.conf
state: present
reload: true
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-040262
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_default_accept_ra
- name: Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6
Interfaces - Set fact for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /etc/sysctl.d/
- /run/sysctl.d/
- /usr/local/lib/sysctl.d/
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-040210
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_default_accept_redirects
- name: Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6
Interfaces - Find all files that contain net.ipv6.conf.default.accept_redirects
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv6.conf.default.accept_redirects\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-040210
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_default_accept_redirects
- name: Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6
Interfaces - Find all files that set net.ipv6.conf.default.accept_redirects
to correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv6.conf.default.accept_redirects\s*=\s*{{ sysctl_net_ipv6_conf_default_accept_redirects_value
}}$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-040210
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_default_accept_redirects
- name: Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6
Interfaces - Comment out any occurrences of net.ipv6.conf.default.accept_redirects
from config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*net.ipv6.conf.default.accept_redirects
replace: '#net.ipv6.conf.default.accept_redirects'
loop: '{{ find_all_values.stdout_lines }}'
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines
| length > find_correct_value.stdout_lines | length
tags:
- DISA-STIG-OL08-00-040210
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_default_accept_redirects
- name: Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6
Interfaces - Comment out any occurrences of net.ipv6.conf.default.accept_redirects
from /etc/sysctl.conf
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^[\s]*net.ipv6.conf.default.accept_redirects
replace: '#net.ipv6.conf.default.accept_redirects'
with_fileglob:
- /etc/sysctl.conf
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-040210
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_default_accept_redirects
- name: Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6
Interfaces - Ensure sysctl net.ipv6.conf.default.accept_redirects is set
ansible.posix.sysctl:
name: net.ipv6.conf.default.accept_redirects
value: '{{ sysctl_net_ipv6_conf_default_accept_redirects_value }}'
sysctl_file: /etc/sysctl.d/net_ipv6_conf_default_accept_redirects.conf
state: present
reload: true
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-040210
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_default_accept_redirects
- name: Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces
by Default - Set fact for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /etc/sysctl.d/
- /run/sysctl.d/
- /usr/local/lib/sysctl.d/
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-040250
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-6(b)
- NIST-800-53-CM-6.1(iv)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.2
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_default_accept_source_route
- name: Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces
by Default - Find all files that contain net.ipv6.conf.default.accept_source_route
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv6.conf.default.accept_source_route\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-040250
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-6(b)
- NIST-800-53-CM-6.1(iv)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.2
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_default_accept_source_route
- name: Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces
by Default - Find all files that set net.ipv6.conf.default.accept_source_route
to correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv6.conf.default.accept_source_route\s*=\s*{{ sysctl_net_ipv6_conf_default_accept_source_route_value
}}$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-040250
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-6(b)
- NIST-800-53-CM-6.1(iv)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.2
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_default_accept_source_route
- name: Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces
by Default - Comment out any occurrences of net.ipv6.conf.default.accept_source_route
from config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*net.ipv6.conf.default.accept_source_route
replace: '#net.ipv6.conf.default.accept_source_route'
loop: '{{ find_all_values.stdout_lines }}'
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines
| length > find_correct_value.stdout_lines | length
tags:
- DISA-STIG-OL08-00-040250
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-6(b)
- NIST-800-53-CM-6.1(iv)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.2
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_default_accept_source_route
- name: Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces
by Default - Comment out any occurrences of net.ipv6.conf.default.accept_source_route
from /etc/sysctl.conf
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^[\s]*net.ipv6.conf.default.accept_source_route
replace: '#net.ipv6.conf.default.accept_source_route'
with_fileglob:
- /etc/sysctl.conf
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-040250
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-6(b)
- NIST-800-53-CM-6.1(iv)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.2
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_default_accept_source_route
- name: Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces
by Default - Ensure sysctl net.ipv6.conf.default.accept_source_route is set
ansible.posix.sysctl:
name: net.ipv6.conf.default.accept_source_route
value: '{{ sysctl_net_ipv6_conf_default_accept_source_route_value }}'
sysctl_file: /etc/sysctl.d/net_ipv6_conf_default_accept_source_route.conf
state: present
reload: true
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-040250
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-6(b)
- NIST-800-53-CM-6.1(iv)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.2
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_default_accept_source_route
- name: Disable Accepting ICMP Redirects for All IPv4 Interfaces - Set fact for
sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /etc/sysctl.d/
- /run/sysctl.d/
- /usr/local/lib/sysctl.d/
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.10.1.1
- DISA-STIG-OL08-00-040279
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-7(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_accept_redirects
- name: Disable Accepting ICMP Redirects for All IPv4 Interfaces - Find all files
that contain net.ipv4.conf.all.accept_redirects
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv4.conf.all.accept_redirects\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.10.1.1
- DISA-STIG-OL08-00-040279
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-7(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_accept_redirects
- name: Disable Accepting ICMP Redirects for All IPv4 Interfaces - Find all files
that set net.ipv4.conf.all.accept_redirects to correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv4.conf.all.accept_redirects\s*=\s*{{ sysctl_net_ipv4_conf_all_accept_redirects_value
}}$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.10.1.1
- DISA-STIG-OL08-00-040279
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-7(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_accept_redirects
- name: Disable Accepting ICMP Redirects for All IPv4 Interfaces - Comment out any
occurrences of net.ipv4.conf.all.accept_redirects from config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*net.ipv4.conf.all.accept_redirects
replace: '#net.ipv4.conf.all.accept_redirects'
loop: '{{ find_all_values.stdout_lines }}'
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines
| length > find_correct_value.stdout_lines | length
tags:
- CJIS-5.10.1.1
- DISA-STIG-OL08-00-040279
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-7(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_accept_redirects
- name: Disable Accepting ICMP Redirects for All IPv4 Interfaces - Comment out any
occurrences of net.ipv4.conf.all.accept_redirects from /etc/sysctl.conf
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^[\s]*net.ipv4.conf.all.accept_redirects
replace: '#net.ipv4.conf.all.accept_redirects'
with_fileglob:
- /etc/sysctl.conf
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.10.1.1
- DISA-STIG-OL08-00-040279
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-7(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_accept_redirects
- name: Disable Accepting ICMP Redirects for All IPv4 Interfaces - Ensure sysctl
net.ipv4.conf.all.accept_redirects is set
ansible.posix.sysctl:
name: net.ipv4.conf.all.accept_redirects
value: '{{ sysctl_net_ipv4_conf_all_accept_redirects_value }}'
sysctl_file: /etc/sysctl.d/net_ipv4_conf_all_accept_redirects.conf
state: present
reload: true
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.10.1.1
- DISA-STIG-OL08-00-040279
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-7(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_accept_redirects
- name: Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4
Interfaces - Set fact for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /etc/sysctl.d/
- /run/sysctl.d/
- /usr/local/lib/sysctl.d/
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-040239
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_accept_source_route
- name: Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4
Interfaces - Find all files that contain net.ipv4.conf.all.accept_source_route
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv4.conf.all.accept_source_route\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-040239
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_accept_source_route
- name: Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4
Interfaces - Find all files that set net.ipv4.conf.all.accept_source_route to
correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv4.conf.all.accept_source_route\s*=\s*{{ sysctl_net_ipv4_conf_all_accept_source_route_value
}}$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-040239
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_accept_source_route
- name: Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4
Interfaces - Comment out any occurrences of net.ipv4.conf.all.accept_source_route
from config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*net.ipv4.conf.all.accept_source_route
replace: '#net.ipv4.conf.all.accept_source_route'
loop: '{{ find_all_values.stdout_lines }}'
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines
| length > find_correct_value.stdout_lines | length
tags:
- DISA-STIG-OL08-00-040239
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_accept_source_route
- name: Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4
Interfaces - Comment out any occurrences of net.ipv4.conf.all.accept_source_route
from /etc/sysctl.conf
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^[\s]*net.ipv4.conf.all.accept_source_route
replace: '#net.ipv4.conf.all.accept_source_route'
with_fileglob:
- /etc/sysctl.conf
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-040239
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_accept_source_route
- name: Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4
Interfaces - Ensure sysctl net.ipv4.conf.all.accept_source_route is set
ansible.posix.sysctl:
name: net.ipv4.conf.all.accept_source_route
value: '{{ sysctl_net_ipv4_conf_all_accept_source_route_value }}'
sysctl_file: /etc/sysctl.d/net_ipv4_conf_all_accept_source_route.conf
state: present
reload: true
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-040239
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_accept_source_route
- name: Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces -
Set fact for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /etc/sysctl.d/
- /run/sysctl.d/
- /usr/local/lib/sysctl.d/
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-171-3.1.20
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5(3)(a)
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv4_conf_all_log_martians
- unknown_severity
- name: Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces -
Find all files that contain net.ipv4.conf.all.log_martians
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv4.conf.all.log_martians\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-171-3.1.20
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5(3)(a)
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv4_conf_all_log_martians
- unknown_severity
- name: Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces -
Find all files that set net.ipv4.conf.all.log_martians to correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv4.conf.all.log_martians\s*=\s*{{ sysctl_net_ipv4_conf_all_log_martians_value
}}$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-171-3.1.20
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5(3)(a)
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv4_conf_all_log_martians
- unknown_severity
- name: Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces -
Comment out any occurrences of net.ipv4.conf.all.log_martians from config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*net.ipv4.conf.all.log_martians
replace: '#net.ipv4.conf.all.log_martians'
loop: '{{ find_all_values.stdout_lines }}'
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines
| length > find_correct_value.stdout_lines | length
tags:
- NIST-800-171-3.1.20
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5(3)(a)
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv4_conf_all_log_martians
- unknown_severity
- name: Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces -
Comment out any occurrences of net.ipv4.conf.all.log_martians from /etc/sysctl.conf
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^[\s]*net.ipv4.conf.all.log_martians
replace: '#net.ipv4.conf.all.log_martians'
with_fileglob:
- /etc/sysctl.conf
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-171-3.1.20
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5(3)(a)
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv4_conf_all_log_martians
- unknown_severity
- name: Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces -
Ensure sysctl net.ipv4.conf.all.log_martians is set
ansible.posix.sysctl:
name: net.ipv4.conf.all.log_martians
value: '{{ sysctl_net_ipv4_conf_all_log_martians_value }}'
sysctl_file: /etc/sysctl.d/net_ipv4_conf_all_log_martians.conf
state: present
reload: true
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-171-3.1.20
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5(3)(a)
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv4_conf_all_log_martians
- unknown_severity
- name: Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces
- Set fact for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /etc/sysctl.d/
- /run/sysctl.d/
- /usr/local/lib/sysctl.d/
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-040285
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-7(a)
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_rp_filter
- name: Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces
- Find all files that contain net.ipv4.conf.all.rp_filter
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv4.conf.all.rp_filter\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-040285
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-7(a)
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_rp_filter
- name: Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces
- Find all files that set net.ipv4.conf.all.rp_filter to correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv4.conf.all.rp_filter\s*=\s*{{ sysctl_net_ipv4_conf_all_rp_filter_value
}}$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-040285
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-7(a)
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_rp_filter
- name: Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces
- Comment out any occurrences of net.ipv4.conf.all.rp_filter from config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*net.ipv4.conf.all.rp_filter
replace: '#net.ipv4.conf.all.rp_filter'
loop: '{{ find_all_values.stdout_lines }}'
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines
| length > find_correct_value.stdout_lines | length
tags:
- DISA-STIG-OL08-00-040285
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-7(a)
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_rp_filter
- name: Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces
- Comment out any occurrences of net.ipv4.conf.all.rp_filter from /etc/sysctl.conf
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^[\s]*net.ipv4.conf.all.rp_filter
replace: '#net.ipv4.conf.all.rp_filter'
with_fileglob:
- /etc/sysctl.conf
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-040285
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-7(a)
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_rp_filter
- name: Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces
- Ensure sysctl net.ipv4.conf.all.rp_filter is set
ansible.posix.sysctl:
name: net.ipv4.conf.all.rp_filter
value: '{{ sysctl_net_ipv4_conf_all_rp_filter_value }}'
sysctl_file: /etc/sysctl.d/net_ipv4_conf_all_rp_filter.conf
state: present
reload: true
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-040285
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-7(a)
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_rp_filter
- name: Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4
Interfaces - Set fact for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /etc/sysctl.d/
- /run/sysctl.d/
- /usr/local/lib/sysctl.d/
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-7(a)
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_secure_redirects
- name: Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4
Interfaces - Find all files that contain net.ipv4.conf.all.secure_redirects
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv4.conf.all.secure_redirects\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-7(a)
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_secure_redirects
- name: Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4
Interfaces - Find all files that set net.ipv4.conf.all.secure_redirects to correct
value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv4.conf.all.secure_redirects\s*=\s*{{ sysctl_net_ipv4_conf_all_secure_redirects_value
}}$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-7(a)
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_secure_redirects
- name: Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4
Interfaces - Comment out any occurrences of net.ipv4.conf.all.secure_redirects
from config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*net.ipv4.conf.all.secure_redirects
replace: '#net.ipv4.conf.all.secure_redirects'
loop: '{{ find_all_values.stdout_lines }}'
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines
| length > find_correct_value.stdout_lines | length
tags:
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-7(a)
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_secure_redirects
- name: Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4
Interfaces - Comment out any occurrences of net.ipv4.conf.all.secure_redirects
from /etc/sysctl.conf
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^[\s]*net.ipv4.conf.all.secure_redirects
replace: '#net.ipv4.conf.all.secure_redirects'
with_fileglob:
- /etc/sysctl.conf
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-7(a)
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_secure_redirects
- name: Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4
Interfaces - Ensure sysctl net.ipv4.conf.all.secure_redirects is set
ansible.posix.sysctl:
name: net.ipv4.conf.all.secure_redirects
value: '{{ sysctl_net_ipv4_conf_all_secure_redirects_value }}'
sysctl_file: /etc/sysctl.d/net_ipv4_conf_all_secure_redirects.conf
state: present
reload: true
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-7(a)
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_secure_redirects
- name: Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4
Interfaces - Set fact for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /etc/sysctl.d/
- /run/sysctl.d/
- /usr/local/lib/sysctl.d/
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.10.1.1
- DISA-STIG-OL08-00-040209
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-7(a)
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_accept_redirects
- name: Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4
Interfaces - Find all files that contain net.ipv4.conf.default.accept_redirects
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv4.conf.default.accept_redirects\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.10.1.1
- DISA-STIG-OL08-00-040209
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-7(a)
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_accept_redirects
- name: Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4
Interfaces - Find all files that set net.ipv4.conf.default.accept_redirects
to correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv4.conf.default.accept_redirects\s*=\s*{{ sysctl_net_ipv4_conf_default_accept_redirects_value
}}$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.10.1.1
- DISA-STIG-OL08-00-040209
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-7(a)
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_accept_redirects
- name: Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4
Interfaces - Comment out any occurrences of net.ipv4.conf.default.accept_redirects
from config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*net.ipv4.conf.default.accept_redirects
replace: '#net.ipv4.conf.default.accept_redirects'
loop: '{{ find_all_values.stdout_lines }}'
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines
| length > find_correct_value.stdout_lines | length
tags:
- CJIS-5.10.1.1
- DISA-STIG-OL08-00-040209
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-7(a)
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_accept_redirects
- name: Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4
Interfaces - Comment out any occurrences of net.ipv4.conf.default.accept_redirects
from /etc/sysctl.conf
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^[\s]*net.ipv4.conf.default.accept_redirects
replace: '#net.ipv4.conf.default.accept_redirects'
with_fileglob:
- /etc/sysctl.conf
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.10.1.1
- DISA-STIG-OL08-00-040209
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-7(a)
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_accept_redirects
- name: Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4
Interfaces - Ensure sysctl net.ipv4.conf.default.accept_redirects is set
ansible.posix.sysctl:
name: net.ipv4.conf.default.accept_redirects
value: '{{ sysctl_net_ipv4_conf_default_accept_redirects_value }}'
sysctl_file: /etc/sysctl.d/net_ipv4_conf_default_accept_redirects.conf
state: present
reload: true
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.10.1.1
- DISA-STIG-OL08-00-040209
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-7(a)
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_accept_redirects
- name: Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces
by Default - Set fact for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /etc/sysctl.d/
- /run/sysctl.d/
- /usr/local/lib/sysctl.d/
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.10.1.1
- DISA-STIG-OL08-00-040249
- NIST-800-171-3.1.20
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_accept_source_route
- name: Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces
by Default - Find all files that contain net.ipv4.conf.default.accept_source_route
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv4.conf.default.accept_source_route\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.10.1.1
- DISA-STIG-OL08-00-040249
- NIST-800-171-3.1.20
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_accept_source_route
- name: Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces
by Default - Find all files that set net.ipv4.conf.default.accept_source_route
to correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv4.conf.default.accept_source_route\s*=\s*{{ sysctl_net_ipv4_conf_default_accept_source_route_value
}}$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.10.1.1
- DISA-STIG-OL08-00-040249
- NIST-800-171-3.1.20
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_accept_source_route
- name: Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces
by Default - Comment out any occurrences of net.ipv4.conf.default.accept_source_route
from config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*net.ipv4.conf.default.accept_source_route
replace: '#net.ipv4.conf.default.accept_source_route'
loop: '{{ find_all_values.stdout_lines }}'
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines
| length > find_correct_value.stdout_lines | length
tags:
- CJIS-5.10.1.1
- DISA-STIG-OL08-00-040249
- NIST-800-171-3.1.20
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_accept_source_route
- name: Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces
by Default - Comment out any occurrences of net.ipv4.conf.default.accept_source_route
from /etc/sysctl.conf
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^[\s]*net.ipv4.conf.default.accept_source_route
replace: '#net.ipv4.conf.default.accept_source_route'
with_fileglob:
- /etc/sysctl.conf
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.10.1.1
- DISA-STIG-OL08-00-040249
- NIST-800-171-3.1.20
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_accept_source_route
- name: Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces
by Default - Ensure sysctl net.ipv4.conf.default.accept_source_route is set
ansible.posix.sysctl:
name: net.ipv4.conf.default.accept_source_route
value: '{{ sysctl_net_ipv4_conf_default_accept_source_route_value }}'
sysctl_file: /etc/sysctl.d/net_ipv4_conf_default_accept_source_route.conf
state: present
reload: true
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.10.1.1
- DISA-STIG-OL08-00-040249
- NIST-800-171-3.1.20
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_accept_source_route
- name: Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces by
Default - Set fact for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /etc/sysctl.d/
- /run/sysctl.d/
- /usr/local/lib/sysctl.d/
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-171-3.1.20
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5(3)(a)
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv4_conf_default_log_martians
- unknown_severity
- name: Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces by
Default - Find all files that contain net.ipv4.conf.default.log_martians
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv4.conf.default.log_martians\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-171-3.1.20
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5(3)(a)
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv4_conf_default_log_martians
- unknown_severity
- name: Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces by
Default - Find all files that set net.ipv4.conf.default.log_martians to correct
value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv4.conf.default.log_martians\s*=\s*{{ sysctl_net_ipv4_conf_default_log_martians_value
}}$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-171-3.1.20
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5(3)(a)
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv4_conf_default_log_martians
- unknown_severity
- name: Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces by
Default - Comment out any occurrences of net.ipv4.conf.default.log_martians
from config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*net.ipv4.conf.default.log_martians
replace: '#net.ipv4.conf.default.log_martians'
loop: '{{ find_all_values.stdout_lines }}'
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines
| length > find_correct_value.stdout_lines | length
tags:
- NIST-800-171-3.1.20
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5(3)(a)
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv4_conf_default_log_martians
- unknown_severity
- name: Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces by
Default - Comment out any occurrences of net.ipv4.conf.default.log_martians
from /etc/sysctl.conf
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^[\s]*net.ipv4.conf.default.log_martians
replace: '#net.ipv4.conf.default.log_martians'
with_fileglob:
- /etc/sysctl.conf
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-171-3.1.20
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5(3)(a)
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv4_conf_default_log_martians
- unknown_severity
- name: Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces by
Default - Ensure sysctl net.ipv4.conf.default.log_martians is set
ansible.posix.sysctl:
name: net.ipv4.conf.default.log_martians
value: '{{ sysctl_net_ipv4_conf_default_log_martians_value }}'
sysctl_file: /etc/sysctl.d/net_ipv4_conf_default_log_martians.conf
state: present
reload: true
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-171-3.1.20
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5(3)(a)
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv4_conf_default_log_martians
- unknown_severity
- name: Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces
by Default - Set fact for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /etc/sysctl.d/
- /run/sysctl.d/
- /usr/local/lib/sysctl.d/
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-7(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_rp_filter
- name: Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces
by Default - Find all files that contain net.ipv4.conf.default.rp_filter
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv4.conf.default.rp_filter\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-7(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_rp_filter
- name: Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces
by Default - Find all files that set net.ipv4.conf.default.rp_filter to correct
value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv4.conf.default.rp_filter\s*=\s*{{ sysctl_net_ipv4_conf_default_rp_filter_value
}}$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-7(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_rp_filter
- name: Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces
by Default - Comment out any occurrences of net.ipv4.conf.default.rp_filter
from config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*net.ipv4.conf.default.rp_filter
replace: '#net.ipv4.conf.default.rp_filter'
loop: '{{ find_all_values.stdout_lines }}'
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines
| length > find_correct_value.stdout_lines | length
tags:
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-7(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_rp_filter
- name: Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces
by Default - Comment out any occurrences of net.ipv4.conf.default.rp_filter
from /etc/sysctl.conf
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^[\s]*net.ipv4.conf.default.rp_filter
replace: '#net.ipv4.conf.default.rp_filter'
with_fileglob:
- /etc/sysctl.conf
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-7(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_rp_filter
- name: Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces
by Default - Ensure sysctl net.ipv4.conf.default.rp_filter is set
ansible.posix.sysctl:
name: net.ipv4.conf.default.rp_filter
value: '{{ sysctl_net_ipv4_conf_default_rp_filter_value }}'
sysctl_file: /etc/sysctl.d/net_ipv4_conf_default_rp_filter.conf
state: present
reload: true
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-7(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_rp_filter
- name: Configure Kernel Parameter for Accepting Secure Redirects By Default - Set
fact for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /etc/sysctl.d/
- /run/sysctl.d/
- /usr/local/lib/sysctl.d/
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-171-3.1.20
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_secure_redirects
- name: Configure Kernel Parameter for Accepting Secure Redirects By Default - Find
all files that contain net.ipv4.conf.default.secure_redirects
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv4.conf.default.secure_redirects\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-171-3.1.20
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_secure_redirects
- name: Configure Kernel Parameter for Accepting Secure Redirects By Default - Find
all files that set net.ipv4.conf.default.secure_redirects to correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv4.conf.default.secure_redirects\s*=\s*{{ sysctl_net_ipv4_conf_default_secure_redirects_value
}}$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-171-3.1.20
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_secure_redirects
- name: Configure Kernel Parameter for Accepting Secure Redirects By Default - Comment
out any occurrences of net.ipv4.conf.default.secure_redirects from config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*net.ipv4.conf.default.secure_redirects
replace: '#net.ipv4.conf.default.secure_redirects'
loop: '{{ find_all_values.stdout_lines }}'
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines
| length > find_correct_value.stdout_lines | length
tags:
- NIST-800-171-3.1.20
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_secure_redirects
- name: Configure Kernel Parameter for Accepting Secure Redirects By Default - Comment
out any occurrences of net.ipv4.conf.default.secure_redirects from /etc/sysctl.conf
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^[\s]*net.ipv4.conf.default.secure_redirects
replace: '#net.ipv4.conf.default.secure_redirects'
with_fileglob:
- /etc/sysctl.conf
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-171-3.1.20
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_secure_redirects
- name: Configure Kernel Parameter for Accepting Secure Redirects By Default - Ensure
sysctl net.ipv4.conf.default.secure_redirects is set
ansible.posix.sysctl:
name: net.ipv4.conf.default.secure_redirects
value: '{{ sysctl_net_ipv4_conf_default_secure_redirects_value }}'
sysctl_file: /etc/sysctl.d/net_ipv4_conf_default_secure_redirects.conf
state: present
reload: true
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-171-3.1.20
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_secure_redirects
- name: Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces
- Set fact for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /etc/sysctl.d/
- /run/sysctl.d/
- /usr/local/lib/sysctl.d/
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.10.1.1
- DISA-STIG-OL08-00-040230
- NIST-800-171-3.1.20
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.2
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_icmp_echo_ignore_broadcasts
- name: Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces
- Find all files that contain net.ipv4.icmp_echo_ignore_broadcasts
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.10.1.1
- DISA-STIG-OL08-00-040230
- NIST-800-171-3.1.20
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.2
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_icmp_echo_ignore_broadcasts
- name: Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces
- Find all files that set net.ipv4.icmp_echo_ignore_broadcasts to correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*{{ sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value
}}$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.10.1.1
- DISA-STIG-OL08-00-040230
- NIST-800-171-3.1.20
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.2
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_icmp_echo_ignore_broadcasts
- name: Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces
- Comment out any occurrences of net.ipv4.icmp_echo_ignore_broadcasts from config
files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*net.ipv4.icmp_echo_ignore_broadcasts
replace: '#net.ipv4.icmp_echo_ignore_broadcasts'
loop: '{{ find_all_values.stdout_lines }}'
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines
| length > find_correct_value.stdout_lines | length
tags:
- CJIS-5.10.1.1
- DISA-STIG-OL08-00-040230
- NIST-800-171-3.1.20
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.2
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_icmp_echo_ignore_broadcasts
- name: Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces
- Comment out any occurrences of net.ipv4.icmp_echo_ignore_broadcasts from /etc/sysctl.conf
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^[\s]*net.ipv4.icmp_echo_ignore_broadcasts
replace: '#net.ipv4.icmp_echo_ignore_broadcasts'
with_fileglob:
- /etc/sysctl.conf
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.10.1.1
- DISA-STIG-OL08-00-040230
- NIST-800-171-3.1.20
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.2
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_icmp_echo_ignore_broadcasts
- name: Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces
- Ensure sysctl net.ipv4.icmp_echo_ignore_broadcasts is set
ansible.posix.sysctl:
name: net.ipv4.icmp_echo_ignore_broadcasts
value: '{{ sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value }}'
sysctl_file: /etc/sysctl.d/net_ipv4_icmp_echo_ignore_broadcasts.conf
state: present
reload: true
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.10.1.1
- DISA-STIG-OL08-00-040230
- NIST-800-171-3.1.20
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.2
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_icmp_echo_ignore_broadcasts
- name: Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces
- Set fact for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /etc/sysctl.d/
- /run/sysctl.d/
- /usr/local/lib/sysctl.d/
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-171-3.1.20
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.2
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv4_icmp_ignore_bogus_error_responses
- unknown_severity
- name: Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces
- Find all files that contain net.ipv4.icmp_ignore_bogus_error_responses
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-171-3.1.20
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.2
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv4_icmp_ignore_bogus_error_responses
- unknown_severity
- name: Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces
- Find all files that set net.ipv4.icmp_ignore_bogus_error_responses to correct
value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*{{ sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value
}}$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-171-3.1.20
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.2
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv4_icmp_ignore_bogus_error_responses
- unknown_severity
- name: Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces
- Comment out any occurrences of net.ipv4.icmp_ignore_bogus_error_responses
from config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*net.ipv4.icmp_ignore_bogus_error_responses
replace: '#net.ipv4.icmp_ignore_bogus_error_responses'
loop: '{{ find_all_values.stdout_lines }}'
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines
| length > find_correct_value.stdout_lines | length
tags:
- NIST-800-171-3.1.20
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.2
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv4_icmp_ignore_bogus_error_responses
- unknown_severity
- name: Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces
- Comment out any occurrences of net.ipv4.icmp_ignore_bogus_error_responses
from /etc/sysctl.conf
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^[\s]*net.ipv4.icmp_ignore_bogus_error_responses
replace: '#net.ipv4.icmp_ignore_bogus_error_responses'
with_fileglob:
- /etc/sysctl.conf
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-171-3.1.20
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.2
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv4_icmp_ignore_bogus_error_responses
- unknown_severity
- name: Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces
- Ensure sysctl net.ipv4.icmp_ignore_bogus_error_responses is set
ansible.posix.sysctl:
name: net.ipv4.icmp_ignore_bogus_error_responses
value: '{{ sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value }}'
sysctl_file: /etc/sysctl.d/net_ipv4_icmp_ignore_bogus_error_responses.conf
state: present
reload: true
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-171-3.1.20
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- PCI-DSS-Req-1.4.3
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.2
- disable_strategy
- low_complexity
- medium_disruption
- reboot_required
- sysctl_net_ipv4_icmp_ignore_bogus_error_responses
- unknown_severity
- name: Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces - Set
fact for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /etc/sysctl.d/
- /run/sysctl.d/
- /usr/local/lib/sysctl.d/
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.10.1.1
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5(1)
- NIST-800-53-SC-5(2)
- NIST-800-53-SC-5(3)(a)
- PCI-DSS-Req-1.4.1
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_tcp_syncookies
- name: Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces - Find
all files that contain net.ipv4.tcp_syncookies
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv4.tcp_syncookies\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.10.1.1
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5(1)
- NIST-800-53-SC-5(2)
- NIST-800-53-SC-5(3)(a)
- PCI-DSS-Req-1.4.1
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_tcp_syncookies
- name: Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces - Find
all files that set net.ipv4.tcp_syncookies to correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv4.tcp_syncookies\s*=\s*{{ sysctl_net_ipv4_tcp_syncookies_value
}}$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.10.1.1
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5(1)
- NIST-800-53-SC-5(2)
- NIST-800-53-SC-5(3)(a)
- PCI-DSS-Req-1.4.1
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_tcp_syncookies
- name: Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces - Comment
out any occurrences of net.ipv4.tcp_syncookies from config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*net.ipv4.tcp_syncookies
replace: '#net.ipv4.tcp_syncookies'
loop: '{{ find_all_values.stdout_lines }}'
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines
| length > find_correct_value.stdout_lines | length
tags:
- CJIS-5.10.1.1
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5(1)
- NIST-800-53-SC-5(2)
- NIST-800-53-SC-5(3)(a)
- PCI-DSS-Req-1.4.1
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_tcp_syncookies
- name: Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces - Comment
out any occurrences of net.ipv4.tcp_syncookies from /etc/sysctl.conf
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^[\s]*net.ipv4.tcp_syncookies
replace: '#net.ipv4.tcp_syncookies'
with_fileglob:
- /etc/sysctl.conf
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.10.1.1
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5(1)
- NIST-800-53-SC-5(2)
- NIST-800-53-SC-5(3)(a)
- PCI-DSS-Req-1.4.1
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_tcp_syncookies
- name: Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces - Ensure
sysctl net.ipv4.tcp_syncookies is set
ansible.posix.sysctl:
name: net.ipv4.tcp_syncookies
value: '{{ sysctl_net_ipv4_tcp_syncookies_value }}'
sysctl_file: /etc/sysctl.d/net_ipv4_tcp_syncookies.conf
state: present
reload: true
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.10.1.1
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5(1)
- NIST-800-53-SC-5(2)
- NIST-800-53-SC-5(3)(a)
- PCI-DSS-Req-1.4.1
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_tcp_syncookies
- name: Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces
- Set fact for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /etc/sysctl.d/
- /run/sysctl.d/
- /usr/local/lib/sysctl.d/
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.10.1.1
- DISA-STIG-OL08-00-040220
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.5
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_send_redirects
- name: Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces
- Find all files that contain net.ipv4.conf.all.send_redirects
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv4.conf.all.send_redirects\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.10.1.1
- DISA-STIG-OL08-00-040220
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.5
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_send_redirects
- name: Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces
- Find all files that set net.ipv4.conf.all.send_redirects to correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv4.conf.all.send_redirects\s*=\s*0$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.10.1.1
- DISA-STIG-OL08-00-040220
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.5
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_send_redirects
- name: Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces
- Comment out any occurrences of net.ipv4.conf.all.send_redirects from config
files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*net.ipv4.conf.all.send_redirects
replace: '#net.ipv4.conf.all.send_redirects'
loop: '{{ find_all_values.stdout_lines }}'
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines
| length > find_correct_value.stdout_lines | length
tags:
- CJIS-5.10.1.1
- DISA-STIG-OL08-00-040220
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.5
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_send_redirects
- name: Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces
- Comment out any occurrences of net.ipv4.conf.all.send_redirects from /etc/sysctl.conf
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^[\s]*net.ipv4.conf.all.send_redirects
replace: '#net.ipv4.conf.all.send_redirects'
with_fileglob:
- /etc/sysctl.conf
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.10.1.1
- DISA-STIG-OL08-00-040220
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.5
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_send_redirects
- name: Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces
- Ensure sysctl net.ipv4.conf.all.send_redirects is set to 0
ansible.posix.sysctl:
name: net.ipv4.conf.all.send_redirects
value: '0'
sysctl_file: /etc/sysctl.d/net_ipv4_conf_all_send_redirects.conf
state: present
reload: true
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.10.1.1
- DISA-STIG-OL08-00-040220
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.5
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_all_send_redirects
- name: Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces
by Default - Set fact for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /etc/sysctl.d/
- /run/sysctl.d/
- /usr/local/lib/sysctl.d/
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.10.1.1
- DISA-STIG-OL08-00-040270
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.5
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_send_redirects
- name: Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces
by Default - Find all files that contain net.ipv4.conf.default.send_redirects
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv4.conf.default.send_redirects\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.10.1.1
- DISA-STIG-OL08-00-040270
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.5
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_send_redirects
- name: Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces
by Default - Find all files that set net.ipv4.conf.default.send_redirects to
correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv4.conf.default.send_redirects\s*=\s*0$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.10.1.1
- DISA-STIG-OL08-00-040270
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.5
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_send_redirects
- name: Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces
by Default - Comment out any occurrences of net.ipv4.conf.default.send_redirects
from config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*net.ipv4.conf.default.send_redirects
replace: '#net.ipv4.conf.default.send_redirects'
loop: '{{ find_all_values.stdout_lines }}'
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines
| length > find_correct_value.stdout_lines | length
tags:
- CJIS-5.10.1.1
- DISA-STIG-OL08-00-040270
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.5
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_send_redirects
- name: Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces
by Default - Comment out any occurrences of net.ipv4.conf.default.send_redirects
from /etc/sysctl.conf
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^[\s]*net.ipv4.conf.default.send_redirects
replace: '#net.ipv4.conf.default.send_redirects'
with_fileglob:
- /etc/sysctl.conf
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.10.1.1
- DISA-STIG-OL08-00-040270
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.5
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_send_redirects
- name: Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces
by Default - Ensure sysctl net.ipv4.conf.default.send_redirects is set to 0
ansible.posix.sysctl:
name: net.ipv4.conf.default.send_redirects
value: '0'
sysctl_file: /etc/sysctl.d/net_ipv4_conf_default_send_redirects.conf
state: present
reload: true
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.10.1.1
- DISA-STIG-OL08-00-040270
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.5
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_conf_default_send_redirects
- name: Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces - Set fact
for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /etc/sysctl.d/
- /run/sysctl.d/
- /usr/local/lib/sysctl.d/
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- PCI-DSS-Req-1.3.1
- PCI-DSS-Req-1.3.2
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_ip_forward
- name: Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces - Find all
files that contain net.ipv4.ip_forward
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv4.ip_forward\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- PCI-DSS-Req-1.3.1
- PCI-DSS-Req-1.3.2
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_ip_forward
- name: Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces - Find all
files that set net.ipv4.ip_forward to correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.ipv4.ip_forward\s*=\s*0$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- PCI-DSS-Req-1.3.1
- PCI-DSS-Req-1.3.2
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_ip_forward
- name: Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces - Comment
out any occurrences of net.ipv4.ip_forward from config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*net.ipv4.ip_forward
replace: '#net.ipv4.ip_forward'
loop: '{{ find_all_values.stdout_lines }}'
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines
| length > find_correct_value.stdout_lines | length
tags:
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- PCI-DSS-Req-1.3.1
- PCI-DSS-Req-1.3.2
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_ip_forward
- name: Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces - Comment
out any occurrences of net.ipv4.ip_forward from /etc/sysctl.conf
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^[\s]*net.ipv4.ip_forward
replace: '#net.ipv4.ip_forward'
with_fileglob:
- /etc/sysctl.conf
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- PCI-DSS-Req-1.3.1
- PCI-DSS-Req-1.3.2
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_ip_forward
- name: Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces - Ensure sysctl
net.ipv4.ip_forward is set to 0
ansible.posix.sysctl:
name: net.ipv4.ip_forward
value: '0'
sysctl_file: /etc/sysctl.d/net_ipv4_ip_forward.conf
state: present
reload: true
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-171-3.1.20
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-SC-5
- NIST-800-53-SC-7(a)
- PCI-DSS-Req-1.3.1
- PCI-DSS-Req-1.3.2
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.3
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv4_ip_forward
- name: Ensure kernel module 'atm' is disabled
ansible.builtin.lineinfile:
create: true
dest: /etc/modprobe.d/atm.conf
regexp: install\s+atm
line: install atm /bin/false
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-040021
- NIST-800-53-AC-18
- disable_strategy
- kernel_module_atm_disabled
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- name: Ensure kernel module 'atm' is blacklisted
ansible.builtin.lineinfile:
create: true
dest: /etc/modprobe.d/atm.conf
regexp: ^blacklist atm$
line: blacklist atm
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-040021
- NIST-800-53-AC-18
- disable_strategy
- kernel_module_atm_disabled
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- name: Ensure kernel module 'can' is disabled
ansible.builtin.lineinfile:
create: true
dest: /etc/modprobe.d/can.conf
regexp: install\s+can
line: install can /bin/false
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-040022
- NIST-800-53-AC-18
- disable_strategy
- kernel_module_can_disabled
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- name: Ensure kernel module 'can' is blacklisted
ansible.builtin.lineinfile:
create: true
dest: /etc/modprobe.d/can.conf
regexp: ^blacklist can$
line: blacklist can
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-040022
- NIST-800-53-AC-18
- disable_strategy
- kernel_module_can_disabled
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- name: Ensure kernel module 'firewire-core' is disabled
ansible.builtin.lineinfile:
create: true
dest: /etc/modprobe.d/firewire-core.conf
regexp: install\s+firewire-core
line: install firewire-core /bin/false
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-040026
- NIST-800-53-AC-18
- disable_strategy
- kernel_module_firewire-core_disabled
- low_complexity
- low_severity
- medium_disruption
- reboot_required
- name: Ensure kernel module 'firewire-core' is blacklisted
ansible.builtin.lineinfile:
create: true
dest: /etc/modprobe.d/firewire-core.conf
regexp: ^blacklist firewire-core$
line: blacklist firewire-core
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-040026
- NIST-800-53-AC-18
- disable_strategy
- kernel_module_firewire-core_disabled
- low_complexity
- low_severity
- medium_disruption
- reboot_required
- name: Ensure kernel module 'sctp' is disabled
ansible.builtin.lineinfile:
create: true
dest: /etc/modprobe.d/sctp.conf
regexp: install\s+sctp
line: install sctp /bin/false
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.10.1
- DISA-STIG-OL08-00-040023
- NIST-800-171-3.4.6
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSS-Req-1.4.2
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.2
- disable_strategy
- kernel_module_sctp_disabled
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- name: Ensure kernel module 'sctp' is blacklisted
ansible.builtin.lineinfile:
create: true
dest: /etc/modprobe.d/sctp.conf
regexp: ^blacklist sctp$
line: blacklist sctp
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.10.1
- DISA-STIG-OL08-00-040023
- NIST-800-171-3.4.6
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSS-Req-1.4.2
- PCI-DSSv4-1.4
- PCI-DSSv4-1.4.2
- disable_strategy
- kernel_module_sctp_disabled
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- name: Ensure kernel module 'tipc' is disabled
ansible.builtin.lineinfile:
create: true
dest: /etc/modprobe.d/tipc.conf
regexp: install\s+tipc
line: install tipc /bin/false
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-040024
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- kernel_module_tipc_disabled
- low_complexity
- low_severity
- medium_disruption
- reboot_required
- name: Ensure kernel module 'tipc' is blacklisted
ansible.builtin.lineinfile:
create: true
dest: /etc/modprobe.d/tipc.conf
regexp: ^blacklist tipc$
line: blacklist tipc
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-040024
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- kernel_module_tipc_disabled
- low_complexity
- low_severity
- medium_disruption
- reboot_required
- name: Ensure kernel module 'bluetooth' is disabled
ansible.builtin.lineinfile:
create: true
dest: /etc/modprobe.d/bluetooth.conf
regexp: install\s+bluetooth
line: install bluetooth /bin/false
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.13.1.3
- DISA-STIG-OL08-00-040111
- NIST-800-171-3.1.16
- NIST-800-53-AC-18(3)
- NIST-800-53-AC-18(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- disable_strategy
- kernel_module_bluetooth_disabled
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- name: Ensure kernel module 'bluetooth' is blacklisted
ansible.builtin.lineinfile:
create: true
dest: /etc/modprobe.d/bluetooth.conf
regexp: ^blacklist bluetooth$
line: blacklist bluetooth
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.13.1.3
- DISA-STIG-OL08-00-040111
- NIST-800-171-3.1.16
- NIST-800-53-AC-18(3)
- NIST-800-53-AC-18(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- disable_strategy
- kernel_module_bluetooth_disabled
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- name: Enable Kernel Parameter to Enforce DAC on Hardlinks - Set fact for sysctl
paths
ansible.builtin.set_fact:
sysctl_paths:
- /etc/sysctl.d/
- /run/sysctl.d/
- /usr/local/lib/sysctl.d/
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-010374
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_fs_protected_hardlinks
- name: Enable Kernel Parameter to Enforce DAC on Hardlinks - Find all files that
contain fs.protected_hardlinks
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*fs.protected_hardlinks\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-010374
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_fs_protected_hardlinks
- name: Enable Kernel Parameter to Enforce DAC on Hardlinks - Find all files that
set fs.protected_hardlinks to correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*fs.protected_hardlinks\s*=\s*1$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-010374
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_fs_protected_hardlinks
- name: Enable Kernel Parameter to Enforce DAC on Hardlinks - Comment out any occurrences
of fs.protected_hardlinks from config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*fs.protected_hardlinks
replace: '#fs.protected_hardlinks'
loop: '{{ find_all_values.stdout_lines }}'
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines
| length > find_correct_value.stdout_lines | length
tags:
- DISA-STIG-OL08-00-010374
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_fs_protected_hardlinks
- name: Enable Kernel Parameter to Enforce DAC on Hardlinks - Comment out any occurrences
of fs.protected_hardlinks from /etc/sysctl.conf
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^[\s]*fs.protected_hardlinks
replace: '#fs.protected_hardlinks'
with_fileglob:
- /etc/sysctl.conf
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-010374
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_fs_protected_hardlinks
- name: Enable Kernel Parameter to Enforce DAC on Hardlinks - Ensure sysctl fs.protected_hardlinks
is set to 1
ansible.posix.sysctl:
name: fs.protected_hardlinks
value: '1'
sysctl_file: /etc/sysctl.d/fs_protected_hardlinks.conf
state: present
reload: true
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-010374
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_fs_protected_hardlinks
- name: Enable Kernel Parameter to Enforce DAC on Symlinks - Set fact for sysctl
paths
ansible.builtin.set_fact:
sysctl_paths:
- /etc/sysctl.d/
- /run/sysctl.d/
- /usr/local/lib/sysctl.d/
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-010373
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_fs_protected_symlinks
- name: Enable Kernel Parameter to Enforce DAC on Symlinks - Find all files that
contain fs.protected_symlinks
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*fs.protected_symlinks\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-010373
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_fs_protected_symlinks
- name: Enable Kernel Parameter to Enforce DAC on Symlinks - Find all files that
set fs.protected_symlinks to correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*fs.protected_symlinks\s*=\s*1$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-010373
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_fs_protected_symlinks
- name: Enable Kernel Parameter to Enforce DAC on Symlinks - Comment out any occurrences
of fs.protected_symlinks from config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*fs.protected_symlinks
replace: '#fs.protected_symlinks'
loop: '{{ find_all_values.stdout_lines }}'
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines
| length > find_correct_value.stdout_lines | length
tags:
- DISA-STIG-OL08-00-010373
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_fs_protected_symlinks
- name: Enable Kernel Parameter to Enforce DAC on Symlinks - Comment out any occurrences
of fs.protected_symlinks from /etc/sysctl.conf
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^[\s]*fs.protected_symlinks
replace: '#fs.protected_symlinks'
with_fileglob:
- /etc/sysctl.conf
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-010373
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_fs_protected_symlinks
- name: Enable Kernel Parameter to Enforce DAC on Symlinks - Ensure sysctl fs.protected_symlinks
is set to 1
ansible.posix.sysctl:
name: fs.protected_symlinks
value: '1'
sysctl_file: /etc/sysctl.d/fs_protected_symlinks.conf
state: present
reload: true
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-010373
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_fs_protected_symlinks
- name: Ensure kernel module 'cramfs' is disabled
ansible.builtin.lineinfile:
create: true
dest: /etc/modprobe.d/cramfs.conf
regexp: install\s+cramfs
line: install cramfs /bin/false
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-040025
- NIST-800-171-3.4.6
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- kernel_module_cramfs_disabled
- low_complexity
- low_severity
- medium_disruption
- reboot_required
- name: Ensure kernel module 'cramfs' is blacklisted
ansible.builtin.lineinfile:
create: true
dest: /etc/modprobe.d/cramfs.conf
regexp: ^blacklist cramfs$
line: blacklist cramfs
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-040025
- NIST-800-171-3.4.6
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable_strategy
- kernel_module_cramfs_disabled
- low_complexity
- low_severity
- medium_disruption
- reboot_required
- name: 'Add nodev Option to /boot: Check information associated to mountpoint'
ansible.builtin.command: findmnt --fstab '/boot'
register: device_name
failed_when: device_name.rc > 1
changed_when: false
check_mode: false
when: ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
tags:
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_boot_nodev
- no_reboot_needed
- name: 'Add nodev Option to /boot: Create mount_info dictionary variable'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- '{{ device_name.stdout_lines[0].split() | map(''lower'') | list }}'
- '{{ device_name.stdout_lines[1].split() | list }}'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length > 0)
tags:
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_boot_nodev
- no_reboot_needed
- name: 'Add nodev Option to /boot: If /boot not mounted, craft mount_info manually'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- - target
- source
- fstype
- options
- - /boot
- ''
- ''
- defaults
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- ("--fstab" | length == 0)
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length == 0)
tags:
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_boot_nodev
- no_reboot_needed
- name: 'Add nodev Option to /boot: Make sure nodev option is part of the to /boot
options'
set_fact:
mount_info: '{{ mount_info | combine( {''options'':''''~(mount_info.options
| default(''''))~('','' if (mount_info.options | default('''')) else '''')~''nodev''
}) }}'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- mount_info is defined and "nodev" not in (mount_info.options | default(''))
tags:
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_boot_nodev
- no_reboot_needed
- name: 'Add nodev Option to /boot: Ensure /boot is mounted with nodev option'
ansible.posix.mount:
path: /boot
src: '{{ mount_info.source | default('''') }}'
opts: '{{ mount_info.options | default('''') }}'
state: mounted
fstype: '{{ mount_info.fstype | default('''') }}'
register: mount_result
failed_when:
- mount_result is failed
- '''target is busy'' not in (mount_result.msg | default(''''))'
- '''already mounted'' not in (mount_result.msg | default(''''))'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- mount_info is defined
- (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
| length == 0)
tags:
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_boot_nodev
- no_reboot_needed
- name: 'Add nosuid Option to /boot: Check information associated to mountpoint'
ansible.builtin.command: findmnt --fstab '/boot'
register: device_name
failed_when: device_name.rc > 1
changed_when: false
check_mode: false
when: ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
tags:
- DISA-STIG-OL08-00-010571
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_boot_nosuid
- no_reboot_needed
- name: 'Add nosuid Option to /boot: Create mount_info dictionary variable'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- '{{ device_name.stdout_lines[0].split() | map(''lower'') | list }}'
- '{{ device_name.stdout_lines[1].split() | list }}'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length > 0)
tags:
- DISA-STIG-OL08-00-010571
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_boot_nosuid
- no_reboot_needed
- name: 'Add nosuid Option to /boot: If /boot not mounted, craft mount_info manually'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- - target
- source
- fstype
- options
- - /boot
- ''
- ''
- defaults
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- ("--fstab" | length == 0)
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length == 0)
tags:
- DISA-STIG-OL08-00-010571
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_boot_nosuid
- no_reboot_needed
- name: 'Add nosuid Option to /boot: Make sure nosuid option is part of the to /boot
options'
set_fact:
mount_info: '{{ mount_info | combine( {''options'':''''~(mount_info.options
| default(''''))~('','' if (mount_info.options | default('''')) else '''')~''nosuid''
}) }}'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- mount_info is defined and "nosuid" not in (mount_info.options | default(''))
tags:
- DISA-STIG-OL08-00-010571
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_boot_nosuid
- no_reboot_needed
- name: 'Add nosuid Option to /boot: Ensure /boot is mounted with nosuid option'
ansible.posix.mount:
path: /boot
src: '{{ mount_info.source | default('''') }}'
opts: '{{ mount_info.options | default('''') }}'
state: mounted
fstype: '{{ mount_info.fstype | default('''') }}'
register: mount_result
failed_when:
- mount_result is failed
- '''target is busy'' not in (mount_result.msg | default(''''))'
- '''already mounted'' not in (mount_result.msg | default(''''))'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- mount_info is defined
- (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
| length == 0)
tags:
- DISA-STIG-OL08-00-010571
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_boot_nosuid
- no_reboot_needed
- name: 'Add nodev Option to /dev/shm: Check information associated to mountpoint'
ansible.builtin.command: findmnt '/dev/shm'
register: device_name
failed_when: device_name.rc > 1
changed_when: false
check_mode: false
when: ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
tags:
- DISA-STIG-OL08-00-040120
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_dev_shm_nodev
- no_reboot_needed
- name: 'Add nodev Option to /dev/shm: Create mount_info dictionary variable'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- '{{ device_name.stdout_lines[0].split() | map(''lower'') | list }}'
- '{{ device_name.stdout_lines[1].split() | list }}'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length > 0)
tags:
- DISA-STIG-OL08-00-040120
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_dev_shm_nodev
- no_reboot_needed
- name: 'Add nodev Option to /dev/shm: If /dev/shm not mounted, craft mount_info
manually'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- - target
- source
- fstype
- options
- - /dev/shm
- tmpfs
- tmpfs
- defaults
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- ("" | length == 0)
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length == 0)
tags:
- DISA-STIG-OL08-00-040120
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_dev_shm_nodev
- no_reboot_needed
- name: 'Add nodev Option to /dev/shm: Make sure nodev option is part of the to
/dev/shm options'
set_fact:
mount_info: '{{ mount_info | combine( {''options'':''''~(mount_info.options
| default(''''))~('','' if (mount_info.options | default('''')) else '''')~''nodev''
}) }}'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- mount_info is defined and "nodev" not in (mount_info.options | default(''))
tags:
- DISA-STIG-OL08-00-040120
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_dev_shm_nodev
- no_reboot_needed
- name: 'Add nodev Option to /dev/shm: Ensure /dev/shm is mounted with nodev option'
ansible.posix.mount:
path: /dev/shm
src: '{{ mount_info.source | default('''') }}'
opts: '{{ mount_info.options | default('''') }}'
state: mounted
fstype: '{{ mount_info.fstype | default('''') }}'
register: mount_result
failed_when:
- mount_result is failed
- '''target is busy'' not in (mount_result.msg | default(''''))'
- '''already mounted'' not in (mount_result.msg | default(''''))'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- mount_info is defined
- (device_name.stdout is defined and (device_name.stdout | length > 0)) or (""
| length == 0)
tags:
- DISA-STIG-OL08-00-040120
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_dev_shm_nodev
- no_reboot_needed
- name: 'Add noexec Option to /dev/shm: Check information associated to mountpoint'
ansible.builtin.command: findmnt '/dev/shm'
register: device_name
failed_when: device_name.rc > 1
changed_when: false
check_mode: false
when: ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
tags:
- DISA-STIG-OL08-00-040122
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_dev_shm_noexec
- no_reboot_needed
- name: 'Add noexec Option to /dev/shm: Create mount_info dictionary variable'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- '{{ device_name.stdout_lines[0].split() | map(''lower'') | list }}'
- '{{ device_name.stdout_lines[1].split() | list }}'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length > 0)
tags:
- DISA-STIG-OL08-00-040122
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_dev_shm_noexec
- no_reboot_needed
- name: 'Add noexec Option to /dev/shm: If /dev/shm not mounted, craft mount_info
manually'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- - target
- source
- fstype
- options
- - /dev/shm
- tmpfs
- tmpfs
- defaults
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- ("" | length == 0)
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length == 0)
tags:
- DISA-STIG-OL08-00-040122
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_dev_shm_noexec
- no_reboot_needed
- name: 'Add noexec Option to /dev/shm: Make sure noexec option is part of the to
/dev/shm options'
set_fact:
mount_info: '{{ mount_info | combine( {''options'':''''~(mount_info.options
| default(''''))~('','' if (mount_info.options | default('''')) else '''')~''noexec''
}) }}'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- mount_info is defined and "noexec" not in (mount_info.options | default(''))
tags:
- DISA-STIG-OL08-00-040122
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_dev_shm_noexec
- no_reboot_needed
- name: 'Add noexec Option to /dev/shm: Ensure /dev/shm is mounted with noexec option'
ansible.posix.mount:
path: /dev/shm
src: '{{ mount_info.source | default('''') }}'
opts: '{{ mount_info.options | default('''') }}'
state: mounted
fstype: '{{ mount_info.fstype | default('''') }}'
register: mount_result
failed_when:
- mount_result is failed
- '''target is busy'' not in (mount_result.msg | default(''''))'
- '''already mounted'' not in (mount_result.msg | default(''''))'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- mount_info is defined
- (device_name.stdout is defined and (device_name.stdout | length > 0)) or (""
| length == 0)
tags:
- DISA-STIG-OL08-00-040122
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_dev_shm_noexec
- no_reboot_needed
- name: 'Add nosuid Option to /dev/shm: Check information associated to mountpoint'
ansible.builtin.command: findmnt '/dev/shm'
register: device_name
failed_when: device_name.rc > 1
changed_when: false
check_mode: false
when: ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
tags:
- DISA-STIG-OL08-00-040121
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_dev_shm_nosuid
- no_reboot_needed
- name: 'Add nosuid Option to /dev/shm: Create mount_info dictionary variable'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- '{{ device_name.stdout_lines[0].split() | map(''lower'') | list }}'
- '{{ device_name.stdout_lines[1].split() | list }}'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length > 0)
tags:
- DISA-STIG-OL08-00-040121
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_dev_shm_nosuid
- no_reboot_needed
- name: 'Add nosuid Option to /dev/shm: If /dev/shm not mounted, craft mount_info
manually'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- - target
- source
- fstype
- options
- - /dev/shm
- tmpfs
- tmpfs
- defaults
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- ("" | length == 0)
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length == 0)
tags:
- DISA-STIG-OL08-00-040121
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_dev_shm_nosuid
- no_reboot_needed
- name: 'Add nosuid Option to /dev/shm: Make sure nosuid option is part of the to
/dev/shm options'
set_fact:
mount_info: '{{ mount_info | combine( {''options'':''''~(mount_info.options
| default(''''))~('','' if (mount_info.options | default('''')) else '''')~''nosuid''
}) }}'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- mount_info is defined and "nosuid" not in (mount_info.options | default(''))
tags:
- DISA-STIG-OL08-00-040121
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_dev_shm_nosuid
- no_reboot_needed
- name: 'Add nosuid Option to /dev/shm: Ensure /dev/shm is mounted with nosuid option'
ansible.posix.mount:
path: /dev/shm
src: '{{ mount_info.source | default('''') }}'
opts: '{{ mount_info.options | default('''') }}'
state: mounted
fstype: '{{ mount_info.fstype | default('''') }}'
register: mount_result
failed_when:
- mount_result is failed
- '''target is busy'' not in (mount_result.msg | default(''''))'
- '''already mounted'' not in (mount_result.msg | default(''''))'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- mount_info is defined
- (device_name.stdout is defined and (device_name.stdout | length > 0)) or (""
| length == 0)
tags:
- DISA-STIG-OL08-00-040121
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_dev_shm_nosuid
- no_reboot_needed
- name: Add nodev Option to /home - Initialize variables
ansible.builtin.set_fact:
non_allowed_partitions:
- /
- /lib
- /opt
- /usr
- /bin
- /sbin
- /boot
- /dev
- /proc
home_directories: []
allowed_mount_point: []
fstab_mount_point_info: []
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/home" in ansible_mounts | map(attribute="mount") | list'
tags:
- configure_strategy
- high_disruption
- low_complexity
- mount_option_home_nodev
- no_reboot_needed
- unknown_severity
- name: Add nodev Option to /home - Get home directories from passwd
ansible.builtin.getent:
database: passwd
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/home" in ansible_mounts | map(attribute="mount") | list'
tags:
- configure_strategy
- high_disruption
- low_complexity
- mount_option_home_nodev
- no_reboot_needed
- unknown_severity
- name: Add nodev Option to /home - Filter home directories based on UID range
ansible.builtin.set_fact:
home_directories: '{{ home_directories + [item.data[4]] }}'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/home" in ansible_mounts | map(attribute="mount") | list'
- item.data[4] is defined
- item.data[2]|int >= 1000
- item.data[2]|int != 65534
- item.data[4] not in non_allowed_partitions
with_items: '{{ ansible_facts.getent_passwd | dict2items(key_name=''user'', value_name=''data'')}}'
tags:
- configure_strategy
- high_disruption
- low_complexity
- mount_option_home_nodev
- no_reboot_needed
- unknown_severity
- name: Add nodev Option to /home - Gather mount points
ansible.builtin.setup:
filter: ansible_mounts
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/home" in ansible_mounts | map(attribute="mount") | list'
tags:
- configure_strategy
- high_disruption
- low_complexity
- mount_option_home_nodev
- no_reboot_needed
- unknown_severity
- name: Add nodev Option to /home - Ensure mount options for home directories
block:
- name: ' Add nodev Option to /home - Obtain mount point using df and shell'
ansible.builtin.shell: |
df {{ item }} | awk '/^\/dev/ {print $6}'
register: df_output
with_items: '{{ home_directories }}'
- name: Add nodev Option to /home - Set mount point for each home directory
ansible.builtin.set_fact:
allowed_mount_point: '{{ allowed_mount_point + [item.stdout_lines[0]] }}'
with_items: '{{ df_output.results }}'
when:
- item.stdout_lines is defined
- item.stdout_lines | length > 0
- item.stdout_lines[0] != ""
- name: Add nodev Option to /home - Obtain full mount information for allowed
mount point
ansible.builtin.set_fact:
fstab_mount_point_info: '{{ fstab_mount_point_info + [ ansible_mounts | selectattr(''mount'',
''equalto'', item) | first ]}}'
with_items: '{{ allowed_mount_point }}'
when: allowed_mount_point is defined
- name: Add nodev Option to /home - Ensure mount option nodev is in fstab for
allowed mount point
ansible.posix.mount:
path: '{{ item.mount }}'
src: '{{ item.device }}'
opts: '{{ item.options }},nodev'
state: mounted
fstype: '{{ item.fstype }}'
with_items: '{{ fstab_mount_point_info }}'
when:
- allowed_mount_point is defined
- item.mount not in non_allowed_partitions
- '''nodev'' not in item.options'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/home" in ansible_mounts | map(attribute="mount") | list'
tags:
- configure_strategy
- high_disruption
- low_complexity
- mount_option_home_nodev
- no_reboot_needed
- unknown_severity
- name: Add nosuid Option to /home - Initialize variables
ansible.builtin.set_fact:
non_allowed_partitions:
- /
- /lib
- /opt
- /usr
- /bin
- /sbin
- /boot
- /dev
- /proc
home_directories: []
allowed_mount_point: []
fstab_mount_point_info: []
when: ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
tags:
- DISA-STIG-OL08-00-010570
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_home_nosuid
- no_reboot_needed
- name: Add nosuid Option to /home - Get home directories from passwd
ansible.builtin.getent:
database: passwd
when: ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
tags:
- DISA-STIG-OL08-00-010570
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_home_nosuid
- no_reboot_needed
- name: Add nosuid Option to /home - Filter home directories based on UID range
ansible.builtin.set_fact:
home_directories: '{{ home_directories + [item.data[4]] }}'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- item.data[4] is defined
- item.data[2]|int >= 1000
- item.data[2]|int != 65534
- item.data[4] not in non_allowed_partitions
with_items: '{{ ansible_facts.getent_passwd | dict2items(key_name=''user'', value_name=''data'')}}'
tags:
- DISA-STIG-OL08-00-010570
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_home_nosuid
- no_reboot_needed
- name: Add nosuid Option to /home - Gather mount points
ansible.builtin.setup:
filter: ansible_mounts
when: ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
tags:
- DISA-STIG-OL08-00-010570
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_home_nosuid
- no_reboot_needed
- name: Add nosuid Option to /home - Ensure mount options for home directories
block:
- name: ' Add nosuid Option to /home - Obtain mount point using df and shell'
ansible.builtin.shell: |
df {{ item }} | awk '/^\/dev/ {print $6}'
register: df_output
with_items: '{{ home_directories }}'
- name: Add nosuid Option to /home - Set mount point for each home directory
ansible.builtin.set_fact:
allowed_mount_point: '{{ allowed_mount_point + [item.stdout_lines[0]] }}'
with_items: '{{ df_output.results }}'
when:
- item.stdout_lines is defined
- item.stdout_lines | length > 0
- item.stdout_lines[0] != ""
- name: Add nosuid Option to /home - Obtain full mount information for allowed
mount point
ansible.builtin.set_fact:
fstab_mount_point_info: '{{ fstab_mount_point_info + [ ansible_mounts | selectattr(''mount'',
''equalto'', item) | first ]}}'
with_items: '{{ allowed_mount_point }}'
when: allowed_mount_point is defined
- name: Add nosuid Option to /home - Ensure mount option nosuid is in fstab for
allowed mount point
ansible.posix.mount:
path: '{{ item.mount }}'
src: '{{ item.device }}'
opts: '{{ item.options }},nosuid'
state: mounted
fstype: '{{ item.fstype }}'
with_items: '{{ fstab_mount_point_info }}'
when:
- allowed_mount_point is defined
- item.mount not in non_allowed_partitions
- '''nosuid'' not in item.options'
when: ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
tags:
- DISA-STIG-OL08-00-010570
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_home_nosuid
- no_reboot_needed
- name: 'Add nodev Option to Non-Root Local Partitions: Refresh facts'
ansible.builtin.setup:
gather_subset: mounts
when: ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
tags:
- DISA-STIG-OL08-00-010580
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_nodev_nonroot_local_partitions
- no_reboot_needed
- name: 'Add nodev Option to Non-Root Local Partitions: Define excluded (non-local)
file systems'
ansible.builtin.set_fact:
excluded_fstypes:
- afs
- autofs
- ceph
- cifs
- smb3
- smbfs
- sshfs
- ncpfs
- ncp
- nfs
- nfs4
- gfs
- gfs2
- glusterfs
- gpfs
- pvfs2
- ocfs2
- lustre
- davfs
- fuse.sshfs
- vfat
when: ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
tags:
- DISA-STIG-OL08-00-010580
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_nodev_nonroot_local_partitions
- no_reboot_needed
- name: 'Add nodev Option to Non-Root Local Partitions: Ensure non-root local partitions
are mounted with nodev option'
ansible.posix.mount:
path: '{{ item.mount }}'
src: '{{ item.device }}'
opts: '{{ item.options }},nodev'
state: mounted
fstype: '{{ item.fstype }}'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- item.mount is match('/\w')
- item.mount is not match('/(boot|efi)')
- item.options is not search('nodev')
- item.fstype not in excluded_fstypes
- (not accounts_polyinstantiated_var_tmp | default(false)) or item.mount != '/var/tmp/tmp-inst'
- (not accounts_polyinstantiated_tmp | default(false)) or item.mount != '/tmp/tmp-inst'
with_items:
- '{{ ansible_facts.mounts }}'
tags:
- DISA-STIG-OL08-00-010580
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_nodev_nonroot_local_partitions
- no_reboot_needed
- name: 'Add nodev Option to Non-Root Local Partitions: Ensure non-root local partitions
are present with nodev option in /etc/fstab'
ansible.builtin.replace:
path: /etc/fstab
regexp: ^\s*(?!#)(/dev/\S+|UUID=\S+)\s+(/(?!boot|efi)\w\S*)\s+(?!vfat\s)(\S+)\s+(?!.*\bnodev\b)(\S+)(.*)$
replace: \1 \2 \3 \4,nodev \5
when: ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
tags:
- DISA-STIG-OL08-00-010580
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_nodev_nonroot_local_partitions
- no_reboot_needed
- name: 'Add nodev Option to /tmp: Check information associated to mountpoint'
ansible.builtin.command: findmnt --fstab '/tmp'
register: device_name
failed_when: device_name.rc > 1
changed_when: false
check_mode: false
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/tmp" in ansible_mounts | map(attribute="mount") | list'
tags:
- DISA-STIG-OL08-00-040123
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_tmp_nodev
- no_reboot_needed
- name: 'Add nodev Option to /tmp: Create mount_info dictionary variable'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- '{{ device_name.stdout_lines[0].split() | map(''lower'') | list }}'
- '{{ device_name.stdout_lines[1].split() | list }}'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/tmp" in ansible_mounts | map(attribute="mount") | list'
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length > 0)
tags:
- DISA-STIG-OL08-00-040123
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_tmp_nodev
- no_reboot_needed
- name: 'Add nodev Option to /tmp: If /tmp not mounted, craft mount_info manually'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- - target
- source
- fstype
- options
- - /tmp
- ''
- ''
- defaults
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/tmp" in ansible_mounts | map(attribute="mount") | list'
- ("--fstab" | length == 0)
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length == 0)
tags:
- DISA-STIG-OL08-00-040123
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_tmp_nodev
- no_reboot_needed
- name: 'Add nodev Option to /tmp: Make sure nodev option is part of the to /tmp
options'
set_fact:
mount_info: '{{ mount_info | combine( {''options'':''''~(mount_info.options
| default(''''))~('','' if (mount_info.options | default('''')) else '''')~''nodev''
}) }}'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/tmp" in ansible_mounts | map(attribute="mount") | list'
- mount_info is defined and "nodev" not in (mount_info.options | default(''))
tags:
- DISA-STIG-OL08-00-040123
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_tmp_nodev
- no_reboot_needed
- name: 'Add nodev Option to /tmp: Ensure /tmp is mounted with nodev option'
ansible.posix.mount:
path: /tmp
src: '{{ mount_info.source | default('''') }}'
opts: '{{ mount_info.options | default('''') }}'
state: mounted
fstype: '{{ mount_info.fstype | default('''') }}'
register: mount_result
failed_when:
- mount_result is failed
- '''target is busy'' not in (mount_result.msg | default(''''))'
- '''already mounted'' not in (mount_result.msg | default(''''))'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/tmp" in ansible_mounts | map(attribute="mount") | list'
- mount_info is defined
- (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
| length == 0)
tags:
- DISA-STIG-OL08-00-040123
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_tmp_nodev
- no_reboot_needed
- name: 'Add noexec Option to /tmp: Check information associated to mountpoint'
ansible.builtin.command: findmnt --fstab '/tmp'
register: device_name
failed_when: device_name.rc > 1
changed_when: false
check_mode: false
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/tmp" in ansible_mounts | map(attribute="mount") | list'
tags:
- DISA-STIG-OL08-00-040125
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_tmp_noexec
- no_reboot_needed
- name: 'Add noexec Option to /tmp: Create mount_info dictionary variable'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- '{{ device_name.stdout_lines[0].split() | map(''lower'') | list }}'
- '{{ device_name.stdout_lines[1].split() | list }}'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/tmp" in ansible_mounts | map(attribute="mount") | list'
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length > 0)
tags:
- DISA-STIG-OL08-00-040125
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_tmp_noexec
- no_reboot_needed
- name: 'Add noexec Option to /tmp: If /tmp not mounted, craft mount_info manually'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- - target
- source
- fstype
- options
- - /tmp
- ''
- ''
- defaults
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/tmp" in ansible_mounts | map(attribute="mount") | list'
- ("--fstab" | length == 0)
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length == 0)
tags:
- DISA-STIG-OL08-00-040125
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_tmp_noexec
- no_reboot_needed
- name: 'Add noexec Option to /tmp: Make sure noexec option is part of the to /tmp
options'
set_fact:
mount_info: '{{ mount_info | combine( {''options'':''''~(mount_info.options
| default(''''))~('','' if (mount_info.options | default('''')) else '''')~''noexec''
}) }}'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/tmp" in ansible_mounts | map(attribute="mount") | list'
- mount_info is defined and "noexec" not in (mount_info.options | default(''))
tags:
- DISA-STIG-OL08-00-040125
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_tmp_noexec
- no_reboot_needed
- name: 'Add noexec Option to /tmp: Ensure /tmp is mounted with noexec option'
ansible.posix.mount:
path: /tmp
src: '{{ mount_info.source | default('''') }}'
opts: '{{ mount_info.options | default('''') }}'
state: mounted
fstype: '{{ mount_info.fstype | default('''') }}'
register: mount_result
failed_when:
- mount_result is failed
- '''target is busy'' not in (mount_result.msg | default(''''))'
- '''already mounted'' not in (mount_result.msg | default(''''))'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/tmp" in ansible_mounts | map(attribute="mount") | list'
- mount_info is defined
- (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
| length == 0)
tags:
- DISA-STIG-OL08-00-040125
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_tmp_noexec
- no_reboot_needed
- name: 'Add nosuid Option to /tmp: Check information associated to mountpoint'
ansible.builtin.command: findmnt --fstab '/tmp'
register: device_name
failed_when: device_name.rc > 1
changed_when: false
check_mode: false
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/tmp" in ansible_mounts | map(attribute="mount") | list'
tags:
- DISA-STIG-OL08-00-040124
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_tmp_nosuid
- no_reboot_needed
- name: 'Add nosuid Option to /tmp: Create mount_info dictionary variable'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- '{{ device_name.stdout_lines[0].split() | map(''lower'') | list }}'
- '{{ device_name.stdout_lines[1].split() | list }}'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/tmp" in ansible_mounts | map(attribute="mount") | list'
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length > 0)
tags:
- DISA-STIG-OL08-00-040124
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_tmp_nosuid
- no_reboot_needed
- name: 'Add nosuid Option to /tmp: If /tmp not mounted, craft mount_info manually'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- - target
- source
- fstype
- options
- - /tmp
- ''
- ''
- defaults
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/tmp" in ansible_mounts | map(attribute="mount") | list'
- ("--fstab" | length == 0)
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length == 0)
tags:
- DISA-STIG-OL08-00-040124
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_tmp_nosuid
- no_reboot_needed
- name: 'Add nosuid Option to /tmp: Make sure nosuid option is part of the to /tmp
options'
set_fact:
mount_info: '{{ mount_info | combine( {''options'':''''~(mount_info.options
| default(''''))~('','' if (mount_info.options | default('''')) else '''')~''nosuid''
}) }}'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/tmp" in ansible_mounts | map(attribute="mount") | list'
- mount_info is defined and "nosuid" not in (mount_info.options | default(''))
tags:
- DISA-STIG-OL08-00-040124
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_tmp_nosuid
- no_reboot_needed
- name: 'Add nosuid Option to /tmp: Ensure /tmp is mounted with nosuid option'
ansible.posix.mount:
path: /tmp
src: '{{ mount_info.source | default('''') }}'
opts: '{{ mount_info.options | default('''') }}'
state: mounted
fstype: '{{ mount_info.fstype | default('''') }}'
register: mount_result
failed_when:
- mount_result is failed
- '''target is busy'' not in (mount_result.msg | default(''''))'
- '''already mounted'' not in (mount_result.msg | default(''''))'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/tmp" in ansible_mounts | map(attribute="mount") | list'
- mount_info is defined
- (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
| length == 0)
tags:
- DISA-STIG-OL08-00-040124
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_tmp_nosuid
- no_reboot_needed
- name: 'Add nodev Option to /var/log/audit: Check information associated to mountpoint'
ansible.builtin.command: findmnt --fstab '/var/log/audit'
register: device_name
failed_when: device_name.rc > 1
changed_when: false
check_mode: false
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/log/audit" in ansible_mounts | map(attribute="mount") | list'
tags:
- DISA-STIG-OL08-00-040129
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_log_audit_nodev
- no_reboot_needed
- name: 'Add nodev Option to /var/log/audit: Create mount_info dictionary variable'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- '{{ device_name.stdout_lines[0].split() | map(''lower'') | list }}'
- '{{ device_name.stdout_lines[1].split() | list }}'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/log/audit" in ansible_mounts | map(attribute="mount") | list'
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length > 0)
tags:
- DISA-STIG-OL08-00-040129
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_log_audit_nodev
- no_reboot_needed
- name: 'Add nodev Option to /var/log/audit: If /var/log/audit not mounted, craft
mount_info manually'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- - target
- source
- fstype
- options
- - /var/log/audit
- ''
- ''
- defaults
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/log/audit" in ansible_mounts | map(attribute="mount") | list'
- ("--fstab" | length == 0)
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length == 0)
tags:
- DISA-STIG-OL08-00-040129
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_log_audit_nodev
- no_reboot_needed
- name: 'Add nodev Option to /var/log/audit: Make sure nodev option is part of the
to /var/log/audit options'
set_fact:
mount_info: '{{ mount_info | combine( {''options'':''''~(mount_info.options
| default(''''))~('','' if (mount_info.options | default('''')) else '''')~''nodev''
}) }}'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/log/audit" in ansible_mounts | map(attribute="mount") | list'
- mount_info is defined and "nodev" not in (mount_info.options | default(''))
tags:
- DISA-STIG-OL08-00-040129
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_log_audit_nodev
- no_reboot_needed
- name: 'Add nodev Option to /var/log/audit: Ensure /var/log/audit is mounted with
nodev option'
ansible.posix.mount:
path: /var/log/audit
src: '{{ mount_info.source | default('''') }}'
opts: '{{ mount_info.options | default('''') }}'
state: mounted
fstype: '{{ mount_info.fstype | default('''') }}'
register: mount_result
failed_when:
- mount_result is failed
- '''target is busy'' not in (mount_result.msg | default(''''))'
- '''already mounted'' not in (mount_result.msg | default(''''))'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/log/audit" in ansible_mounts | map(attribute="mount") | list'
- mount_info is defined
- (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
| length == 0)
tags:
- DISA-STIG-OL08-00-040129
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_log_audit_nodev
- no_reboot_needed
- name: 'Add noexec Option to /var/log/audit: Check information associated to mountpoint'
ansible.builtin.command: findmnt --fstab '/var/log/audit'
register: device_name
failed_when: device_name.rc > 1
changed_when: false
check_mode: false
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/log/audit" in ansible_mounts | map(attribute="mount") | list'
tags:
- DISA-STIG-OL08-00-040131
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_log_audit_noexec
- no_reboot_needed
- name: 'Add noexec Option to /var/log/audit: Create mount_info dictionary variable'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- '{{ device_name.stdout_lines[0].split() | map(''lower'') | list }}'
- '{{ device_name.stdout_lines[1].split() | list }}'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/log/audit" in ansible_mounts | map(attribute="mount") | list'
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length > 0)
tags:
- DISA-STIG-OL08-00-040131
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_log_audit_noexec
- no_reboot_needed
- name: 'Add noexec Option to /var/log/audit: If /var/log/audit not mounted, craft
mount_info manually'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- - target
- source
- fstype
- options
- - /var/log/audit
- ''
- ''
- defaults
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/log/audit" in ansible_mounts | map(attribute="mount") | list'
- ("--fstab" | length == 0)
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length == 0)
tags:
- DISA-STIG-OL08-00-040131
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_log_audit_noexec
- no_reboot_needed
- name: 'Add noexec Option to /var/log/audit: Make sure noexec option is part of
the to /var/log/audit options'
set_fact:
mount_info: '{{ mount_info | combine( {''options'':''''~(mount_info.options
| default(''''))~('','' if (mount_info.options | default('''')) else '''')~''noexec''
}) }}'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/log/audit" in ansible_mounts | map(attribute="mount") | list'
- mount_info is defined and "noexec" not in (mount_info.options | default(''))
tags:
- DISA-STIG-OL08-00-040131
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_log_audit_noexec
- no_reboot_needed
- name: 'Add noexec Option to /var/log/audit: Ensure /var/log/audit is mounted with
noexec option'
ansible.posix.mount:
path: /var/log/audit
src: '{{ mount_info.source | default('''') }}'
opts: '{{ mount_info.options | default('''') }}'
state: mounted
fstype: '{{ mount_info.fstype | default('''') }}'
register: mount_result
failed_when:
- mount_result is failed
- '''target is busy'' not in (mount_result.msg | default(''''))'
- '''already mounted'' not in (mount_result.msg | default(''''))'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/log/audit" in ansible_mounts | map(attribute="mount") | list'
- mount_info is defined
- (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
| length == 0)
tags:
- DISA-STIG-OL08-00-040131
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_log_audit_noexec
- no_reboot_needed
- name: 'Add nosuid Option to /var/log/audit: Check information associated to mountpoint'
ansible.builtin.command: findmnt --fstab '/var/log/audit'
register: device_name
failed_when: device_name.rc > 1
changed_when: false
check_mode: false
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/log/audit" in ansible_mounts | map(attribute="mount") | list'
tags:
- DISA-STIG-OL08-00-040130
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_log_audit_nosuid
- no_reboot_needed
- name: 'Add nosuid Option to /var/log/audit: Create mount_info dictionary variable'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- '{{ device_name.stdout_lines[0].split() | map(''lower'') | list }}'
- '{{ device_name.stdout_lines[1].split() | list }}'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/log/audit" in ansible_mounts | map(attribute="mount") | list'
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length > 0)
tags:
- DISA-STIG-OL08-00-040130
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_log_audit_nosuid
- no_reboot_needed
- name: 'Add nosuid Option to /var/log/audit: If /var/log/audit not mounted, craft
mount_info manually'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- - target
- source
- fstype
- options
- - /var/log/audit
- ''
- ''
- defaults
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/log/audit" in ansible_mounts | map(attribute="mount") | list'
- ("--fstab" | length == 0)
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length == 0)
tags:
- DISA-STIG-OL08-00-040130
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_log_audit_nosuid
- no_reboot_needed
- name: 'Add nosuid Option to /var/log/audit: Make sure nosuid option is part of
the to /var/log/audit options'
set_fact:
mount_info: '{{ mount_info | combine( {''options'':''''~(mount_info.options
| default(''''))~('','' if (mount_info.options | default('''')) else '''')~''nosuid''
}) }}'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/log/audit" in ansible_mounts | map(attribute="mount") | list'
- mount_info is defined and "nosuid" not in (mount_info.options | default(''))
tags:
- DISA-STIG-OL08-00-040130
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_log_audit_nosuid
- no_reboot_needed
- name: 'Add nosuid Option to /var/log/audit: Ensure /var/log/audit is mounted with
nosuid option'
ansible.posix.mount:
path: /var/log/audit
src: '{{ mount_info.source | default('''') }}'
opts: '{{ mount_info.options | default('''') }}'
state: mounted
fstype: '{{ mount_info.fstype | default('''') }}'
register: mount_result
failed_when:
- mount_result is failed
- '''target is busy'' not in (mount_result.msg | default(''''))'
- '''already mounted'' not in (mount_result.msg | default(''''))'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/log/audit" in ansible_mounts | map(attribute="mount") | list'
- mount_info is defined
- (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
| length == 0)
tags:
- DISA-STIG-OL08-00-040130
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_log_audit_nosuid
- no_reboot_needed
- name: 'Add nodev Option to /var/log: Check information associated to mountpoint'
ansible.builtin.command: findmnt --fstab '/var/log'
register: device_name
failed_when: device_name.rc > 1
changed_when: false
check_mode: false
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/log" in ansible_mounts | map(attribute="mount") | list'
tags:
- DISA-STIG-OL08-00-040126
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_log_nodev
- no_reboot_needed
- name: 'Add nodev Option to /var/log: Create mount_info dictionary variable'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- '{{ device_name.stdout_lines[0].split() | map(''lower'') | list }}'
- '{{ device_name.stdout_lines[1].split() | list }}'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/log" in ansible_mounts | map(attribute="mount") | list'
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length > 0)
tags:
- DISA-STIG-OL08-00-040126
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_log_nodev
- no_reboot_needed
- name: 'Add nodev Option to /var/log: If /var/log not mounted, craft mount_info
manually'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- - target
- source
- fstype
- options
- - /var/log
- ''
- ''
- defaults
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/log" in ansible_mounts | map(attribute="mount") | list'
- ("--fstab" | length == 0)
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length == 0)
tags:
- DISA-STIG-OL08-00-040126
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_log_nodev
- no_reboot_needed
- name: 'Add nodev Option to /var/log: Make sure nodev option is part of the to
/var/log options'
set_fact:
mount_info: '{{ mount_info | combine( {''options'':''''~(mount_info.options
| default(''''))~('','' if (mount_info.options | default('''')) else '''')~''nodev''
}) }}'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/log" in ansible_mounts | map(attribute="mount") | list'
- mount_info is defined and "nodev" not in (mount_info.options | default(''))
tags:
- DISA-STIG-OL08-00-040126
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_log_nodev
- no_reboot_needed
- name: 'Add nodev Option to /var/log: Ensure /var/log is mounted with nodev option'
ansible.posix.mount:
path: /var/log
src: '{{ mount_info.source | default('''') }}'
opts: '{{ mount_info.options | default('''') }}'
state: mounted
fstype: '{{ mount_info.fstype | default('''') }}'
register: mount_result
failed_when:
- mount_result is failed
- '''target is busy'' not in (mount_result.msg | default(''''))'
- '''already mounted'' not in (mount_result.msg | default(''''))'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/log" in ansible_mounts | map(attribute="mount") | list'
- mount_info is defined
- (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
| length == 0)
tags:
- DISA-STIG-OL08-00-040126
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_log_nodev
- no_reboot_needed
- name: 'Add noexec Option to /var/log: Check information associated to mountpoint'
ansible.builtin.command: findmnt --fstab '/var/log'
register: device_name
failed_when: device_name.rc > 1
changed_when: false
check_mode: false
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/log" in ansible_mounts | map(attribute="mount") | list'
tags:
- DISA-STIG-OL08-00-040128
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_log_noexec
- no_reboot_needed
- name: 'Add noexec Option to /var/log: Create mount_info dictionary variable'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- '{{ device_name.stdout_lines[0].split() | map(''lower'') | list }}'
- '{{ device_name.stdout_lines[1].split() | list }}'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/log" in ansible_mounts | map(attribute="mount") | list'
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length > 0)
tags:
- DISA-STIG-OL08-00-040128
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_log_noexec
- no_reboot_needed
- name: 'Add noexec Option to /var/log: If /var/log not mounted, craft mount_info
manually'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- - target
- source
- fstype
- options
- - /var/log
- ''
- ''
- defaults
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/log" in ansible_mounts | map(attribute="mount") | list'
- ("--fstab" | length == 0)
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length == 0)
tags:
- DISA-STIG-OL08-00-040128
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_log_noexec
- no_reboot_needed
- name: 'Add noexec Option to /var/log: Make sure noexec option is part of the to
/var/log options'
set_fact:
mount_info: '{{ mount_info | combine( {''options'':''''~(mount_info.options
| default(''''))~('','' if (mount_info.options | default('''')) else '''')~''noexec''
}) }}'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/log" in ansible_mounts | map(attribute="mount") | list'
- mount_info is defined and "noexec" not in (mount_info.options | default(''))
tags:
- DISA-STIG-OL08-00-040128
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_log_noexec
- no_reboot_needed
- name: 'Add noexec Option to /var/log: Ensure /var/log is mounted with noexec option'
ansible.posix.mount:
path: /var/log
src: '{{ mount_info.source | default('''') }}'
opts: '{{ mount_info.options | default('''') }}'
state: mounted
fstype: '{{ mount_info.fstype | default('''') }}'
register: mount_result
failed_when:
- mount_result is failed
- '''target is busy'' not in (mount_result.msg | default(''''))'
- '''already mounted'' not in (mount_result.msg | default(''''))'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/log" in ansible_mounts | map(attribute="mount") | list'
- mount_info is defined
- (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
| length == 0)
tags:
- DISA-STIG-OL08-00-040128
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_log_noexec
- no_reboot_needed
- name: 'Add nosuid Option to /var/log: Check information associated to mountpoint'
ansible.builtin.command: findmnt --fstab '/var/log'
register: device_name
failed_when: device_name.rc > 1
changed_when: false
check_mode: false
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/log" in ansible_mounts | map(attribute="mount") | list'
tags:
- DISA-STIG-OL08-00-040127
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_log_nosuid
- no_reboot_needed
- name: 'Add nosuid Option to /var/log: Create mount_info dictionary variable'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- '{{ device_name.stdout_lines[0].split() | map(''lower'') | list }}'
- '{{ device_name.stdout_lines[1].split() | list }}'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/log" in ansible_mounts | map(attribute="mount") | list'
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length > 0)
tags:
- DISA-STIG-OL08-00-040127
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_log_nosuid
- no_reboot_needed
- name: 'Add nosuid Option to /var/log: If /var/log not mounted, craft mount_info
manually'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- - target
- source
- fstype
- options
- - /var/log
- ''
- ''
- defaults
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/log" in ansible_mounts | map(attribute="mount") | list'
- ("--fstab" | length == 0)
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length == 0)
tags:
- DISA-STIG-OL08-00-040127
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_log_nosuid
- no_reboot_needed
- name: 'Add nosuid Option to /var/log: Make sure nosuid option is part of the to
/var/log options'
set_fact:
mount_info: '{{ mount_info | combine( {''options'':''''~(mount_info.options
| default(''''))~('','' if (mount_info.options | default('''')) else '''')~''nosuid''
}) }}'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/log" in ansible_mounts | map(attribute="mount") | list'
- mount_info is defined and "nosuid" not in (mount_info.options | default(''))
tags:
- DISA-STIG-OL08-00-040127
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_log_nosuid
- no_reboot_needed
- name: 'Add nosuid Option to /var/log: Ensure /var/log is mounted with nosuid option'
ansible.posix.mount:
path: /var/log
src: '{{ mount_info.source | default('''') }}'
opts: '{{ mount_info.options | default('''') }}'
state: mounted
fstype: '{{ mount_info.fstype | default('''') }}'
register: mount_result
failed_when:
- mount_result is failed
- '''target is busy'' not in (mount_result.msg | default(''''))'
- '''already mounted'' not in (mount_result.msg | default(''''))'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/log" in ansible_mounts | map(attribute="mount") | list'
- mount_info is defined
- (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
| length == 0)
tags:
- DISA-STIG-OL08-00-040127
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_log_nosuid
- no_reboot_needed
- name: 'Add nodev Option to /var: Check information associated to mountpoint'
ansible.builtin.command: findmnt --fstab '/var'
register: device_name
failed_when: device_name.rc > 1
changed_when: false
check_mode: false
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var" in ansible_mounts | map(attribute="mount") | list'
tags:
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_nodev
- no_reboot_needed
- name: 'Add nodev Option to /var: Create mount_info dictionary variable'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- '{{ device_name.stdout_lines[0].split() | map(''lower'') | list }}'
- '{{ device_name.stdout_lines[1].split() | list }}'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var" in ansible_mounts | map(attribute="mount") | list'
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length > 0)
tags:
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_nodev
- no_reboot_needed
- name: 'Add nodev Option to /var: If /var not mounted, craft mount_info manually'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- - target
- source
- fstype
- options
- - /var
- ''
- ''
- defaults
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var" in ansible_mounts | map(attribute="mount") | list'
- ("--fstab" | length == 0)
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length == 0)
tags:
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_nodev
- no_reboot_needed
- name: 'Add nodev Option to /var: Make sure nodev option is part of the to /var
options'
set_fact:
mount_info: '{{ mount_info | combine( {''options'':''''~(mount_info.options
| default(''''))~('','' if (mount_info.options | default('''')) else '''')~''nodev''
}) }}'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var" in ansible_mounts | map(attribute="mount") | list'
- mount_info is defined and "nodev" not in (mount_info.options | default(''))
tags:
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_nodev
- no_reboot_needed
- name: 'Add nodev Option to /var: Ensure /var is mounted with nodev option'
ansible.posix.mount:
path: /var
src: '{{ mount_info.source | default('''') }}'
opts: '{{ mount_info.options | default('''') }}'
state: mounted
fstype: '{{ mount_info.fstype | default('''') }}'
register: mount_result
failed_when:
- mount_result is failed
- '''target is busy'' not in (mount_result.msg | default(''''))'
- '''already mounted'' not in (mount_result.msg | default(''''))'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var" in ansible_mounts | map(attribute="mount") | list'
- mount_info is defined
- (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
| length == 0)
tags:
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_nodev
- no_reboot_needed
- name: 'Add nodev Option to /var/tmp: Check information associated to mountpoint'
ansible.builtin.command: findmnt --fstab '/var/tmp'
register: device_name
failed_when: device_name.rc > 1
changed_when: false
check_mode: false
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/tmp" in ansible_mounts | map(attribute="mount") | list'
tags:
- DISA-STIG-OL08-00-040132
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_tmp_nodev
- no_reboot_needed
- name: 'Add nodev Option to /var/tmp: Create mount_info dictionary variable'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- '{{ device_name.stdout_lines[0].split() | map(''lower'') | list }}'
- '{{ device_name.stdout_lines[1].split() | list }}'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/tmp" in ansible_mounts | map(attribute="mount") | list'
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length > 0)
tags:
- DISA-STIG-OL08-00-040132
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_tmp_nodev
- no_reboot_needed
- name: 'Add nodev Option to /var/tmp: If /var/tmp not mounted, craft mount_info
manually'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- - target
- source
- fstype
- options
- - /var/tmp
- ''
- ''
- defaults
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/tmp" in ansible_mounts | map(attribute="mount") | list'
- ("--fstab" | length == 0)
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length == 0)
tags:
- DISA-STIG-OL08-00-040132
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_tmp_nodev
- no_reboot_needed
- name: 'Add nodev Option to /var/tmp: Make sure nodev option is part of the to
/var/tmp options'
set_fact:
mount_info: '{{ mount_info | combine( {''options'':''''~(mount_info.options
| default(''''))~('','' if (mount_info.options | default('''')) else '''')~''nodev''
}) }}'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/tmp" in ansible_mounts | map(attribute="mount") | list'
- mount_info is defined and "nodev" not in (mount_info.options | default(''))
tags:
- DISA-STIG-OL08-00-040132
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_tmp_nodev
- no_reboot_needed
- name: 'Add nodev Option to /var/tmp: Ensure /var/tmp is mounted with nodev option'
ansible.posix.mount:
path: /var/tmp
src: '{{ mount_info.source | default('''') }}'
opts: '{{ mount_info.options | default('''') }}'
state: mounted
fstype: '{{ mount_info.fstype | default('''') }}'
register: mount_result
failed_when:
- mount_result is failed
- '''target is busy'' not in (mount_result.msg | default(''''))'
- '''already mounted'' not in (mount_result.msg | default(''''))'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/tmp" in ansible_mounts | map(attribute="mount") | list'
- mount_info is defined
- (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
| length == 0)
tags:
- DISA-STIG-OL08-00-040132
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_tmp_nodev
- no_reboot_needed
- name: 'Add noexec Option to /var/tmp: Check information associated to mountpoint'
ansible.builtin.command: findmnt --fstab '/var/tmp'
register: device_name
failed_when: device_name.rc > 1
changed_when: false
check_mode: false
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/tmp" in ansible_mounts | map(attribute="mount") | list'
tags:
- DISA-STIG-OL08-00-040134
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_tmp_noexec
- no_reboot_needed
- name: 'Add noexec Option to /var/tmp: Create mount_info dictionary variable'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- '{{ device_name.stdout_lines[0].split() | map(''lower'') | list }}'
- '{{ device_name.stdout_lines[1].split() | list }}'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/tmp" in ansible_mounts | map(attribute="mount") | list'
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length > 0)
tags:
- DISA-STIG-OL08-00-040134
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_tmp_noexec
- no_reboot_needed
- name: 'Add noexec Option to /var/tmp: If /var/tmp not mounted, craft mount_info
manually'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- - target
- source
- fstype
- options
- - /var/tmp
- ''
- ''
- defaults
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/tmp" in ansible_mounts | map(attribute="mount") | list'
- ("--fstab" | length == 0)
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length == 0)
tags:
- DISA-STIG-OL08-00-040134
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_tmp_noexec
- no_reboot_needed
- name: 'Add noexec Option to /var/tmp: Make sure noexec option is part of the to
/var/tmp options'
set_fact:
mount_info: '{{ mount_info | combine( {''options'':''''~(mount_info.options
| default(''''))~('','' if (mount_info.options | default('''')) else '''')~''noexec''
}) }}'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/tmp" in ansible_mounts | map(attribute="mount") | list'
- mount_info is defined and "noexec" not in (mount_info.options | default(''))
tags:
- DISA-STIG-OL08-00-040134
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_tmp_noexec
- no_reboot_needed
- name: 'Add noexec Option to /var/tmp: Ensure /var/tmp is mounted with noexec option'
ansible.posix.mount:
path: /var/tmp
src: '{{ mount_info.source | default('''') }}'
opts: '{{ mount_info.options | default('''') }}'
state: mounted
fstype: '{{ mount_info.fstype | default('''') }}'
register: mount_result
failed_when:
- mount_result is failed
- '''target is busy'' not in (mount_result.msg | default(''''))'
- '''already mounted'' not in (mount_result.msg | default(''''))'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/tmp" in ansible_mounts | map(attribute="mount") | list'
- mount_info is defined
- (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
| length == 0)
tags:
- DISA-STIG-OL08-00-040134
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_tmp_noexec
- no_reboot_needed
- name: 'Add nosuid Option to /var/tmp: Check information associated to mountpoint'
ansible.builtin.command: findmnt --fstab '/var/tmp'
register: device_name
failed_when: device_name.rc > 1
changed_when: false
check_mode: false
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/tmp" in ansible_mounts | map(attribute="mount") | list'
tags:
- DISA-STIG-OL08-00-040133
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_tmp_nosuid
- no_reboot_needed
- name: 'Add nosuid Option to /var/tmp: Create mount_info dictionary variable'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- '{{ device_name.stdout_lines[0].split() | map(''lower'') | list }}'
- '{{ device_name.stdout_lines[1].split() | list }}'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/tmp" in ansible_mounts | map(attribute="mount") | list'
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length > 0)
tags:
- DISA-STIG-OL08-00-040133
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_tmp_nosuid
- no_reboot_needed
- name: 'Add nosuid Option to /var/tmp: If /var/tmp not mounted, craft mount_info
manually'
set_fact:
mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
with_together:
- - target
- source
- fstype
- options
- - /var/tmp
- ''
- ''
- defaults
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/tmp" in ansible_mounts | map(attribute="mount") | list'
- ("--fstab" | length == 0)
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length == 0)
tags:
- DISA-STIG-OL08-00-040133
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_tmp_nosuid
- no_reboot_needed
- name: 'Add nosuid Option to /var/tmp: Make sure nosuid option is part of the to
/var/tmp options'
set_fact:
mount_info: '{{ mount_info | combine( {''options'':''''~(mount_info.options
| default(''''))~('','' if (mount_info.options | default('''')) else '''')~''nosuid''
}) }}'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/tmp" in ansible_mounts | map(attribute="mount") | list'
- mount_info is defined and "nosuid" not in (mount_info.options | default(''))
tags:
- DISA-STIG-OL08-00-040133
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_tmp_nosuid
- no_reboot_needed
- name: 'Add nosuid Option to /var/tmp: Ensure /var/tmp is mounted with nosuid option'
ansible.posix.mount:
path: /var/tmp
src: '{{ mount_info.source | default('''') }}'
opts: '{{ mount_info.options | default('''') }}'
state: mounted
fstype: '{{ mount_info.fstype | default('''') }}'
register: mount_result
failed_when:
- mount_result is failed
- '''target is busy'' not in (mount_result.msg | default(''''))'
- '''already mounted'' not in (mount_result.msg | default(''''))'
when:
- ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type
in ["docker", "lxc", "openvz", "podman", "container"] ) )
- '"/var/tmp" in ansible_mounts | map(attribute="mount") | list'
- mount_info is defined
- (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
| length == 0)
tags:
- DISA-STIG-OL08-00-040133
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_var_tmp_nosuid
- no_reboot_needed
- name: Disable storing core dumps - Set fact for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /etc/sysctl.d/
- /run/sysctl.d/
- /usr/local/lib/sysctl.d/
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-010671
- NIST-800-53-SC-7(10)
- PCI-DSSv4-3.3
- PCI-DSSv4-3.3.1
- PCI-DSSv4-3.3.1.1
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_core_pattern
- name: Disable storing core dumps - Find all files that contain kernel.core_pattern
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*kernel.core_pattern\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-010671
- NIST-800-53-SC-7(10)
- PCI-DSSv4-3.3
- PCI-DSSv4-3.3.1
- PCI-DSSv4-3.3.1.1
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_core_pattern
- name: Disable storing core dumps - Find all files that set kernel.core_pattern
to correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*kernel.core_pattern\s*=\s*\|/bin/false$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-010671
- NIST-800-53-SC-7(10)
- PCI-DSSv4-3.3
- PCI-DSSv4-3.3.1
- PCI-DSSv4-3.3.1.1
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_core_pattern
- name: Disable storing core dumps - Comment out any occurrences of kernel.core_pattern
from config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*kernel.core_pattern
replace: '#kernel.core_pattern'
loop: '{{ find_all_values.stdout_lines }}'
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines
| length > find_correct_value.stdout_lines | length
tags:
- DISA-STIG-OL08-00-010671
- NIST-800-53-SC-7(10)
- PCI-DSSv4-3.3
- PCI-DSSv4-3.3.1
- PCI-DSSv4-3.3.1.1
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_core_pattern
- name: Disable storing core dumps - Comment out any occurrences of kernel.core_pattern
from /etc/sysctl.conf
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^[\s]*kernel.core_pattern
replace: '#kernel.core_pattern'
with_fileglob:
- /etc/sysctl.conf
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-010671
- NIST-800-53-SC-7(10)
- PCI-DSSv4-3.3
- PCI-DSSv4-3.3.1
- PCI-DSSv4-3.3.1.1
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_core_pattern
- name: Disable storing core dumps - Ensure sysctl kernel.core_pattern is set to
|/bin/false
ansible.posix.sysctl:
name: kernel.core_pattern
value: '|/bin/false'
sysctl_file: /etc/sysctl.d/kernel_core_pattern.conf
state: present
reload: true
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-010671
- NIST-800-53-SC-7(10)
- PCI-DSSv4-3.3
- PCI-DSSv4-3.3.1
- PCI-DSSv4-3.3.1.1
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_core_pattern
- name: Restrict Access to Kernel Message Buffer - Set fact for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /etc/sysctl.d/
- /run/sysctl.d/
- /usr/local/lib/sysctl.d/
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-010375
- NIST-800-171-3.1.5
- NIST-800-53-SI-11(a)
- NIST-800-53-SI-11(b)
- disable_strategy
- low_complexity
- low_severity
- medium_disruption
- reboot_required
- sysctl_kernel_dmesg_restrict
- name: Restrict Access to Kernel Message Buffer - Find all files that contain kernel.dmesg_restrict
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*kernel.dmesg_restrict\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-010375
- NIST-800-171-3.1.5
- NIST-800-53-SI-11(a)
- NIST-800-53-SI-11(b)
- disable_strategy
- low_complexity
- low_severity
- medium_disruption
- reboot_required
- sysctl_kernel_dmesg_restrict
- name: Restrict Access to Kernel Message Buffer - Find all files that set kernel.dmesg_restrict
to correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*kernel.dmesg_restrict\s*=\s*1$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-010375
- NIST-800-171-3.1.5
- NIST-800-53-SI-11(a)
- NIST-800-53-SI-11(b)
- disable_strategy
- low_complexity
- low_severity
- medium_disruption
- reboot_required
- sysctl_kernel_dmesg_restrict
- name: Restrict Access to Kernel Message Buffer - Comment out any occurrences of
kernel.dmesg_restrict from config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*kernel.dmesg_restrict
replace: '#kernel.dmesg_restrict'
loop: '{{ find_all_values.stdout_lines }}'
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines
| length > find_correct_value.stdout_lines | length
tags:
- DISA-STIG-OL08-00-010375
- NIST-800-171-3.1.5
- NIST-800-53-SI-11(a)
- NIST-800-53-SI-11(b)
- disable_strategy
- low_complexity
- low_severity
- medium_disruption
- reboot_required
- sysctl_kernel_dmesg_restrict
- name: Restrict Access to Kernel Message Buffer - Comment out any occurrences of
kernel.dmesg_restrict from /etc/sysctl.conf
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^[\s]*kernel.dmesg_restrict
replace: '#kernel.dmesg_restrict'
with_fileglob:
- /etc/sysctl.conf
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-010375
- NIST-800-171-3.1.5
- NIST-800-53-SI-11(a)
- NIST-800-53-SI-11(b)
- disable_strategy
- low_complexity
- low_severity
- medium_disruption
- reboot_required
- sysctl_kernel_dmesg_restrict
- name: Restrict Access to Kernel Message Buffer - Ensure sysctl kernel.dmesg_restrict
is set to 1
ansible.posix.sysctl:
name: kernel.dmesg_restrict
value: '1'
sysctl_file: /etc/sysctl.d/kernel_dmesg_restrict.conf
state: present
reload: true
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-010375
- NIST-800-171-3.1.5
- NIST-800-53-SI-11(a)
- NIST-800-53-SI-11(b)
- disable_strategy
- low_complexity
- low_severity
- medium_disruption
- reboot_required
- sysctl_kernel_dmesg_restrict
- name: Disable Kernel Image Loading - Set fact for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /etc/sysctl.d/
- /run/sysctl.d/
- /usr/local/lib/sysctl.d/
when: ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman",
"container"] and ( not ( "uek" in ansible_kernel ) ) )
tags:
- DISA-STIG-OL08-00-010372
- NIST-800-53-CM-6
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_kexec_load_disabled
- name: Disable Kernel Image Loading - Find all files that contain kernel.kexec_load_disabled
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*kernel.kexec_load_disabled\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when: ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman",
"container"] and ( not ( "uek" in ansible_kernel ) ) )
tags:
- DISA-STIG-OL08-00-010372
- NIST-800-53-CM-6
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_kexec_load_disabled
- name: Disable Kernel Image Loading - Find all files that set kernel.kexec_load_disabled
to correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*kernel.kexec_load_disabled\s*=\s*1$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when: ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman",
"container"] and ( not ( "uek" in ansible_kernel ) ) )
tags:
- DISA-STIG-OL08-00-010372
- NIST-800-53-CM-6
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_kexec_load_disabled
- name: Disable Kernel Image Loading - Comment out any occurrences of kernel.kexec_load_disabled
from config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*kernel.kexec_load_disabled
replace: '#kernel.kexec_load_disabled'
loop: '{{ find_all_values.stdout_lines }}'
when:
- ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
and ( not ( "uek" in ansible_kernel ) ) )
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines
| length > find_correct_value.stdout_lines | length
tags:
- DISA-STIG-OL08-00-010372
- NIST-800-53-CM-6
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_kexec_load_disabled
- name: Disable Kernel Image Loading - Comment out any occurrences of kernel.kexec_load_disabled
from /etc/sysctl.conf
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^[\s]*kernel.kexec_load_disabled
replace: '#kernel.kexec_load_disabled'
with_fileglob:
- /etc/sysctl.conf
when: ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman",
"container"] and ( not ( "uek" in ansible_kernel ) ) )
tags:
- DISA-STIG-OL08-00-010372
- NIST-800-53-CM-6
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_kexec_load_disabled
- name: Disable Kernel Image Loading - Ensure sysctl kernel.kexec_load_disabled
is set to 1
ansible.posix.sysctl:
name: kernel.kexec_load_disabled
value: '1'
sysctl_file: /etc/sysctl.d/kernel_kexec_load_disabled.conf
state: present
reload: true
when: ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman",
"container"] and ( not ( "uek" in ansible_kernel ) ) )
tags:
- DISA-STIG-OL08-00-010372
- NIST-800-53-CM-6
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_kexec_load_disabled
- name: Disallow kernel profiling by unprivileged users - Set fact for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /etc/sysctl.d/
- /run/sysctl.d/
- /usr/local/lib/sysctl.d/
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-010376
- NIST-800-53-AC-6
- disable_strategy
- low_complexity
- low_severity
- medium_disruption
- reboot_required
- sysctl_kernel_perf_event_paranoid
- name: Disallow kernel profiling by unprivileged users - Find all files that contain
kernel.perf_event_paranoid
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*kernel.perf_event_paranoid\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-010376
- NIST-800-53-AC-6
- disable_strategy
- low_complexity
- low_severity
- medium_disruption
- reboot_required
- sysctl_kernel_perf_event_paranoid
- name: Disallow kernel profiling by unprivileged users - Find all files that set
kernel.perf_event_paranoid to correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*kernel.perf_event_paranoid\s*=\s*2$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-010376
- NIST-800-53-AC-6
- disable_strategy
- low_complexity
- low_severity
- medium_disruption
- reboot_required
- sysctl_kernel_perf_event_paranoid
- name: Disallow kernel profiling by unprivileged users - Comment out any occurrences
of kernel.perf_event_paranoid from config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*kernel.perf_event_paranoid
replace: '#kernel.perf_event_paranoid'
loop: '{{ find_all_values.stdout_lines }}'
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines
| length > find_correct_value.stdout_lines | length
tags:
- DISA-STIG-OL08-00-010376
- NIST-800-53-AC-6
- disable_strategy
- low_complexity
- low_severity
- medium_disruption
- reboot_required
- sysctl_kernel_perf_event_paranoid
- name: Disallow kernel profiling by unprivileged users - Comment out any occurrences
of kernel.perf_event_paranoid from /etc/sysctl.conf
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^[\s]*kernel.perf_event_paranoid
replace: '#kernel.perf_event_paranoid'
with_fileglob:
- /etc/sysctl.conf
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-010376
- NIST-800-53-AC-6
- disable_strategy
- low_complexity
- low_severity
- medium_disruption
- reboot_required
- sysctl_kernel_perf_event_paranoid
- name: Disallow kernel profiling by unprivileged users - Ensure sysctl kernel.perf_event_paranoid
is set to 2
ansible.posix.sysctl:
name: kernel.perf_event_paranoid
value: '2'
sysctl_file: /etc/sysctl.d/kernel_perf_event_paranoid.conf
state: present
reload: true
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-010376
- NIST-800-53-AC-6
- disable_strategy
- low_complexity
- low_severity
- medium_disruption
- reboot_required
- sysctl_kernel_perf_event_paranoid
- name: Disable Access to Network bpf() Syscall From Unprivileged Processes - Set
fact for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /etc/sysctl.d/
- /run/sysctl.d/
- /usr/local/lib/sysctl.d/
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-040281
- NIST-800-53-AC-6
- NIST-800-53-SC-7(10)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_unprivileged_bpf_disabled
- name: Disable Access to Network bpf() Syscall From Unprivileged Processes - Find
all files that contain kernel.unprivileged_bpf_disabled
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*kernel.unprivileged_bpf_disabled\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-040281
- NIST-800-53-AC-6
- NIST-800-53-SC-7(10)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_unprivileged_bpf_disabled
- name: Disable Access to Network bpf() Syscall From Unprivileged Processes - Find
all files that set kernel.unprivileged_bpf_disabled to correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*kernel.unprivileged_bpf_disabled\s*=\s*1$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-040281
- NIST-800-53-AC-6
- NIST-800-53-SC-7(10)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_unprivileged_bpf_disabled
- name: Disable Access to Network bpf() Syscall From Unprivileged Processes - Comment
out any occurrences of kernel.unprivileged_bpf_disabled from config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*kernel.unprivileged_bpf_disabled
replace: '#kernel.unprivileged_bpf_disabled'
loop: '{{ find_all_values.stdout_lines }}'
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines
| length > find_correct_value.stdout_lines | length
tags:
- DISA-STIG-OL08-00-040281
- NIST-800-53-AC-6
- NIST-800-53-SC-7(10)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_unprivileged_bpf_disabled
- name: Disable Access to Network bpf() Syscall From Unprivileged Processes - Comment
out any occurrences of kernel.unprivileged_bpf_disabled from /etc/sysctl.conf
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^[\s]*kernel.unprivileged_bpf_disabled
replace: '#kernel.unprivileged_bpf_disabled'
with_fileglob:
- /etc/sysctl.conf
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-040281
- NIST-800-53-AC-6
- NIST-800-53-SC-7(10)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_unprivileged_bpf_disabled
- name: Disable Access to Network bpf() Syscall From Unprivileged Processes - Ensure
sysctl kernel.unprivileged_bpf_disabled is set to 1
ansible.posix.sysctl:
name: kernel.unprivileged_bpf_disabled
value: '1'
sysctl_file: /etc/sysctl.d/kernel_unprivileged_bpf_disabled.conf
state: present
reload: true
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-040281
- NIST-800-53-AC-6
- NIST-800-53-SC-7(10)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_unprivileged_bpf_disabled
- name: Restrict usage of ptrace to descendant processes - Set fact for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /etc/sysctl.d/
- /run/sysctl.d/
- /usr/local/lib/sysctl.d/
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-040282
- NIST-800-53-SC-7(10)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_yama_ptrace_scope
- name: Restrict usage of ptrace to descendant processes - Find all files that contain
kernel.yama.ptrace_scope
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*kernel.yama.ptrace_scope\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-040282
- NIST-800-53-SC-7(10)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_yama_ptrace_scope
- name: Restrict usage of ptrace to descendant processes - Find all files that set
kernel.yama.ptrace_scope to correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*kernel.yama.ptrace_scope\s*=\s*1$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-040282
- NIST-800-53-SC-7(10)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_yama_ptrace_scope
- name: Restrict usage of ptrace to descendant processes - Comment out any occurrences
of kernel.yama.ptrace_scope from config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*kernel.yama.ptrace_scope
replace: '#kernel.yama.ptrace_scope'
loop: '{{ find_all_values.stdout_lines }}'
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines
| length > find_correct_value.stdout_lines | length
tags:
- DISA-STIG-OL08-00-040282
- NIST-800-53-SC-7(10)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_yama_ptrace_scope
- name: Restrict usage of ptrace to descendant processes - Comment out any occurrences
of kernel.yama.ptrace_scope from /etc/sysctl.conf
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^[\s]*kernel.yama.ptrace_scope
replace: '#kernel.yama.ptrace_scope'
with_fileglob:
- /etc/sysctl.conf
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-040282
- NIST-800-53-SC-7(10)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_yama_ptrace_scope
- name: Restrict usage of ptrace to descendant processes - Ensure sysctl kernel.yama.ptrace_scope
is set to 1
ansible.posix.sysctl:
name: kernel.yama.ptrace_scope
value: '1'
sysctl_file: /etc/sysctl.d/kernel_yama_ptrace_scope.conf
state: present
reload: true
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-040282
- NIST-800-53-SC-7(10)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_yama_ptrace_scope
- name: Harden the operation of the BPF just-in-time compiler - Set fact for sysctl
paths
ansible.builtin.set_fact:
sysctl_paths:
- /etc/sysctl.d/
- /run/sysctl.d/
- /usr/local/lib/sysctl.d/
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-040286
- NIST-800-53-CM-6
- NIST-800-53-SC-7(10)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_core_bpf_jit_harden
- name: Harden the operation of the BPF just-in-time compiler - Find all files that
contain net.core.bpf_jit_harden
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.core.bpf_jit_harden\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-040286
- NIST-800-53-CM-6
- NIST-800-53-SC-7(10)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_core_bpf_jit_harden
- name: Harden the operation of the BPF just-in-time compiler - Find all files that
set net.core.bpf_jit_harden to correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*net.core.bpf_jit_harden\s*=\s*2$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-040286
- NIST-800-53-CM-6
- NIST-800-53-SC-7(10)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_core_bpf_jit_harden
- name: Harden the operation of the BPF just-in-time compiler - Comment out any
occurrences of net.core.bpf_jit_harden from config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*net.core.bpf_jit_harden
replace: '#net.core.bpf_jit_harden'
loop: '{{ find_all_values.stdout_lines }}'
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines
| length > find_correct_value.stdout_lines | length
tags:
- DISA-STIG-OL08-00-040286
- NIST-800-53-CM-6
- NIST-800-53-SC-7(10)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_core_bpf_jit_harden
- name: Harden the operation of the BPF just-in-time compiler - Comment out any
occurrences of net.core.bpf_jit_harden from /etc/sysctl.conf
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^[\s]*net.core.bpf_jit_harden
replace: '#net.core.bpf_jit_harden'
with_fileglob:
- /etc/sysctl.conf
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-040286
- NIST-800-53-CM-6
- NIST-800-53-SC-7(10)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_core_bpf_jit_harden
- name: Harden the operation of the BPF just-in-time compiler - Ensure sysctl net.core.bpf_jit_harden
is set to 2
ansible.posix.sysctl:
name: net.core.bpf_jit_harden
value: '2'
sysctl_file: /etc/sysctl.d/net_core_bpf_jit_harden.conf
state: present
reload: true
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-040286
- NIST-800-53-CM-6
- NIST-800-53-SC-7(10)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_core_bpf_jit_harden
- name: Disable the use of user namespaces - Set fact for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /etc/sysctl.d/
- /run/sysctl.d/
- /usr/local/lib/sysctl.d/
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-040284
- NIST-800-53-CM-6(a)
- NIST-800-53-SC-39
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_user_max_user_namespaces
- name: Disable the use of user namespaces - Find all files that contain user.max_user_namespaces
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*user.max_user_namespaces\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-040284
- NIST-800-53-CM-6(a)
- NIST-800-53-SC-39
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_user_max_user_namespaces
- name: Disable the use of user namespaces - Find all files that set user.max_user_namespaces
to correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*user.max_user_namespaces\s*=\s*0$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-040284
- NIST-800-53-CM-6(a)
- NIST-800-53-SC-39
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_user_max_user_namespaces
- name: Disable the use of user namespaces - Comment out any occurrences of user.max_user_namespaces
from config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*user.max_user_namespaces
replace: '#user.max_user_namespaces'
loop: '{{ find_all_values.stdout_lines }}'
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines
| length > find_correct_value.stdout_lines | length
tags:
- DISA-STIG-OL08-00-040284
- NIST-800-53-CM-6(a)
- NIST-800-53-SC-39
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_user_max_user_namespaces
- name: Disable the use of user namespaces - Comment out any occurrences of user.max_user_namespaces
from /etc/sysctl.conf
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^[\s]*user.max_user_namespaces
replace: '#user.max_user_namespaces'
with_fileglob:
- /etc/sysctl.conf
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-040284
- NIST-800-53-CM-6(a)
- NIST-800-53-SC-39
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_user_max_user_namespaces
- name: Disable the use of user namespaces - Ensure sysctl user.max_user_namespaces
is set to 0
ansible.posix.sysctl:
name: user.max_user_namespaces
value: '0'
sysctl_file: /etc/sysctl.d/user_max_user_namespaces.conf
state: present
reload: true
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-040284
- NIST-800-53-CM-6(a)
- NIST-800-53-SC-39
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_user_max_user_namespaces
- name: Disable acquiring, saving, and processing core dumps - Collect systemd Socket
Units Present in the System
ansible.builtin.command:
cmd: systemctl -q list-unit-files --type socket
register: result_systemd_unit_files
changed_when: false
check_mode: false
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-010672
- NIST-800-53-SC-7(10)
- disable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- service_systemd-coredump_disabled
- name: Disable acquiring, saving, and processing core dumps - Ensure systemd-coredump.socket
is Masked
ansible.builtin.systemd:
name: systemd-coredump.socket
state: stopped
enabled: false
masked: true
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- result_systemd_unit_files.stdout_lines is search("systemd-coredump.socket")
tags:
- DISA-STIG-OL08-00-010672
- NIST-800-53-SC-7(10)
- disable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- service_systemd-coredump_disabled
- name: Disable core dump backtraces - Search for a section in files
ansible.builtin.find:
paths: '{{item.path}}'
patterns: '{{item.pattern}}'
contains: ^\s*\[Coredump\]
read_whole_file: true
use_regex: true
register: systemd_dropin_files_with_section
loop:
- path: '{{ ''/etc/systemd/coredump.conf'' | dirname }}'
pattern: '{{ ''/etc/systemd/coredump.conf'' | basename | regex_escape }}'
- path: /etc/systemd/coredump.conf.d
pattern: .*\.conf
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"systemd" in ansible_facts.packages'
tags:
- DISA-STIG-OL08-00-010675
- NIST-800-53-CM-6
- PCI-DSS-Req-3.2
- PCI-DSSv4-3.3
- PCI-DSSv4-3.3.1
- PCI-DSSv4-3.3.1.1
- coredump_disable_backtraces
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Disable core dump backtraces - Count number of files which contain the correct
section
ansible.builtin.set_fact:
count_of_systemd_dropin_files_with_section: '{{systemd_dropin_files_with_section.results
| map(attribute=''matched'') | list | map(''int'') | sum}}'
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"systemd" in ansible_facts.packages'
tags:
- DISA-STIG-OL08-00-010675
- NIST-800-53-CM-6
- PCI-DSS-Req-3.2
- PCI-DSSv4-3.3
- PCI-DSSv4-3.3.1
- PCI-DSSv4-3.3.1.1
- coredump_disable_backtraces
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Disable core dump backtraces - Add missing configuration to correct section
community.general.ini_file:
path: '{{item}}'
section: Coredump
option: ProcessSizeMax
value: '0'
state: present
no_extra_spaces: true
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"systemd" in ansible_facts.packages'
- count_of_systemd_dropin_files_with_section | int > 0
loop: '{{systemd_dropin_files_with_section.results | sum(attribute=''files'',
start=[]) | map(attribute=''path'') | list }}'
tags:
- DISA-STIG-OL08-00-010675
- NIST-800-53-CM-6
- PCI-DSS-Req-3.2
- PCI-DSSv4-3.3
- PCI-DSSv4-3.3.1
- PCI-DSSv4-3.3.1.1
- coredump_disable_backtraces
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Disable core dump backtraces - Add configuration to new remediation file
community.general.ini_file:
path: /etc/systemd/coredump.conf.d/complianceascode_hardening.conf
section: Coredump
option: ProcessSizeMax
value: '0'
state: present
no_extra_spaces: true
create: true
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"systemd" in ansible_facts.packages'
- count_of_systemd_dropin_files_with_section | int == 0
tags:
- DISA-STIG-OL08-00-010675
- NIST-800-53-CM-6
- PCI-DSS-Req-3.2
- PCI-DSSv4-3.3
- PCI-DSSv4-3.3.1
- PCI-DSSv4-3.3.1.1
- coredump_disable_backtraces
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Disable storing core dump - Search for a section in files
ansible.builtin.find:
paths: '{{item.path}}'
patterns: '{{item.pattern}}'
contains: ^\s*\[Coredump\]
read_whole_file: true
use_regex: true
register: systemd_dropin_files_with_section
loop:
- path: '{{ ''/etc/systemd/coredump.conf'' | dirname }}'
pattern: '{{ ''/etc/systemd/coredump.conf'' | basename | regex_escape }}'
- path: /etc/systemd/coredump.conf.d
pattern: .*\.conf
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"systemd" in ansible_facts.packages'
tags:
- DISA-STIG-OL08-00-010674
- NIST-800-53-CM-6
- PCI-DSS-Req-3.2
- PCI-DSSv4-3.3
- PCI-DSSv4-3.3.1
- PCI-DSSv4-3.3.1.1
- coredump_disable_storage
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Disable storing core dump - Count number of files which contain the correct
section
ansible.builtin.set_fact:
count_of_systemd_dropin_files_with_section: '{{systemd_dropin_files_with_section.results
| map(attribute=''matched'') | list | map(''int'') | sum}}'
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"systemd" in ansible_facts.packages'
tags:
- DISA-STIG-OL08-00-010674
- NIST-800-53-CM-6
- PCI-DSS-Req-3.2
- PCI-DSSv4-3.3
- PCI-DSSv4-3.3.1
- PCI-DSSv4-3.3.1.1
- coredump_disable_storage
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Disable storing core dump - Add missing configuration to correct section
community.general.ini_file:
path: '{{item}}'
section: Coredump
option: Storage
value: none
state: present
no_extra_spaces: true
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"systemd" in ansible_facts.packages'
- count_of_systemd_dropin_files_with_section | int > 0
loop: '{{systemd_dropin_files_with_section.results | sum(attribute=''files'',
start=[]) | map(attribute=''path'') | list }}'
tags:
- DISA-STIG-OL08-00-010674
- NIST-800-53-CM-6
- PCI-DSS-Req-3.2
- PCI-DSSv4-3.3
- PCI-DSSv4-3.3.1
- PCI-DSSv4-3.3.1.1
- coredump_disable_storage
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Disable storing core dump - Add configuration to new remediation file
community.general.ini_file:
path: /etc/systemd/coredump.conf.d/complianceascode_hardening.conf
section: Coredump
option: Storage
value: none
state: present
no_extra_spaces: true
create: true
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"systemd" in ansible_facts.packages'
- count_of_systemd_dropin_files_with_section | int == 0
tags:
- DISA-STIG-OL08-00-010674
- NIST-800-53-CM-6
- PCI-DSS-Req-3.2
- PCI-DSSv4-3.3
- PCI-DSSv4-3.3.1
- PCI-DSSv4-3.3.1.1
- coredump_disable_storage
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Disable Core Dumps for All Users - Set dirs, files and regex variables
ansible.builtin.set_fact:
limits_dropin_dir: /etc/security/limits.d
limits_dropin_file: /etc/security/limits.d/10-ssg-hardening.conf
limits_main_file: /etc/security/limits.conf
limits_correct_regex: ^\s*\*\s+hard\s+core\s+0\s*$
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"pam" in ansible_facts.packages'
tags:
- DISA-STIG-OL08-00-010673
- NIST-800-53-CM-6
- NIST-800-53-SC-7(10)
- PCI-DSSv4-3.3
- PCI-DSSv4-3.3.1
- PCI-DSSv4-3.3.1.1
- disable_users_coredumps
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Disable Core Dumps for All Users - Find valid drop-ins for core limit
ansible.builtin.find:
paths: '{{ limits_dropin_dir }}'
patterns: '*.conf'
contains: '{{ limits_correct_regex }}'
file_type: file
register: valid_dropins
failed_when: false
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"pam" in ansible_facts.packages'
tags:
- DISA-STIG-OL08-00-010673
- NIST-800-53-CM-6
- NIST-800-53-SC-7(10)
- PCI-DSSv4-3.3
- PCI-DSSv4-3.3.1
- PCI-DSSv4-3.3.1.1
- disable_users_coredumps
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Disable Core Dumps for All Users - Find all drop-ins with any core limit
ansible.builtin.find:
paths: '{{ limits_dropin_dir }}'
patterns: '*.conf'
contains: ^\s*\*\s+hard\s+core\s+
file_type: file
register: all_dropins
failed_when: false
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"pam" in ansible_facts.packages'
tags:
- DISA-STIG-OL08-00-010673
- NIST-800-53-CM-6
- NIST-800-53-SC-7(10)
- PCI-DSSv4-3.3
- PCI-DSSv4-3.3.1
- PCI-DSSv4-3.3.1.1
- disable_users_coredumps
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Disable Core Dumps for All Users - Get invalid drop-ins
ansible.builtin.set_fact:
invalid_dropins: '{{ all_dropins.files | rejectattr(''path'', ''in'', valid_dropins.files
| map(attribute=''path'') | list) | map(attribute=''path'') | list }}'
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"pam" in ansible_facts.packages'
tags:
- DISA-STIG-OL08-00-010673
- NIST-800-53-CM-6
- NIST-800-53-SC-7(10)
- PCI-DSSv4-3.3
- PCI-DSSv4-3.3.1
- PCI-DSSv4-3.3.1.1
- disable_users_coredumps
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Disable Core Dumps for All Users - Comment invalid * hard core lines in
drop-ins
ansible.builtin.replace:
path: '{{ item }}'
regexp: (^\s*\*\s+hard\s+core\s+.*$)
replace: '#\1'
loop: '{{ invalid_dropins }}'
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"pam" in ansible_facts.packages'
- invalid_dropins | length > 0
tags:
- DISA-STIG-OL08-00-010673
- NIST-800-53-CM-6
- NIST-800-53-SC-7(10)
- PCI-DSSv4-3.3
- PCI-DSSv4-3.3.1
- PCI-DSSv4-3.3.1.1
- disable_users_coredumps
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Disable Core Dumps for All Users - Check if main limits.conf contains correct
core limit
ansible.builtin.find:
paths: /etc/security
patterns: limits.conf
contains: '{{ limits_correct_regex }}'
file_type: file
register: main_valid
failed_when: false
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"pam" in ansible_facts.packages'
- not (valid_dropins.matched | default(0) > 0)
tags:
- DISA-STIG-OL08-00-010673
- NIST-800-53-CM-6
- NIST-800-53-SC-7(10)
- PCI-DSSv4-3.3
- PCI-DSSv4-3.3.1
- PCI-DSSv4-3.3.1.1
- disable_users_coredumps
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Disable Core Dumps for All Users - Set fact if configuration is valid
ansible.builtin.set_fact:
core_limit_valid: '{{ (valid_dropins.matched | default(0)) > 0 or (main_valid.matched
| default(0)) > 0 }}'
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"pam" in ansible_facts.packages'
tags:
- DISA-STIG-OL08-00-010673
- NIST-800-53-CM-6
- NIST-800-53-SC-7(10)
- PCI-DSSv4-3.3
- PCI-DSSv4-3.3.1
- PCI-DSSv4-3.3.1.1
- disable_users_coredumps
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Disable Core Dumps for All Users - Ensure drop-in directory exists
ansible.builtin.file:
path: '{{ limits_dropin_dir }}'
state: directory
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"pam" in ansible_facts.packages'
- not core_limit_valid
tags:
- DISA-STIG-OL08-00-010673
- NIST-800-53-CM-6
- NIST-800-53-SC-7(10)
- PCI-DSSv4-3.3
- PCI-DSSv4-3.3.1
- PCI-DSSv4-3.3.1.1
- disable_users_coredumps
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Disable Core Dumps for All Users - Deploy 10-ssg-hardening.conf drop-in
with correct core limit
ansible.builtin.copy:
dest: '{{ limits_dropin_file }}'
content: |
* hard core 0
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"pam" in ansible_facts.packages'
- not core_limit_valid
tags:
- DISA-STIG-OL08-00-010673
- NIST-800-53-CM-6
- NIST-800-53-SC-7(10)
- PCI-DSSv4-3.3
- PCI-DSSv4-3.3.1
- PCI-DSSv4-3.3.1.1
- disable_users_coredumps
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Restrict Exposed Kernel Pointer Addresses Access - Set fact for sysctl paths
ansible.builtin.set_fact:
sysctl_paths:
- /etc/sysctl.d/
- /run/sysctl.d/
- /usr/local/lib/sysctl.d/
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-040283
- NIST-800-53-CM-6(a)
- NIST-800-53-SC-30
- NIST-800-53-SC-30(2)
- NIST-800-53-SC-30(5)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_kptr_restrict
- name: Restrict Exposed Kernel Pointer Addresses Access - Find all files that contain
kernel.kptr_restrict
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*kernel.kptr_restrict\s*=\s*.*$'
register: find_all_values
check_mode: false
changed_when: false
failed_when: false
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-040283
- NIST-800-53-CM-6(a)
- NIST-800-53-SC-30
- NIST-800-53-SC-30(2)
- NIST-800-53-SC-30(5)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_kptr_restrict
- name: Restrict Exposed Kernel Pointer Addresses Access - Find all files that set
kernel.kptr_restrict to correct value
ansible.builtin.shell:
cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-HP '^\s*kernel.kptr_restrict\s*=\s*{{ sysctl_kernel_kptr_restrict_value }}$'
register: find_correct_value
check_mode: false
changed_when: false
failed_when: false
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-040283
- NIST-800-53-CM-6(a)
- NIST-800-53-SC-30
- NIST-800-53-SC-30(2)
- NIST-800-53-SC-30(5)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_kptr_restrict
- name: Restrict Exposed Kernel Pointer Addresses Access - Comment out any occurrences
of kernel.kptr_restrict from config files
ansible.builtin.replace:
path: '{{ item | split(":") | first }}'
regexp: ^[\s]*kernel.kptr_restrict
replace: '#kernel.kptr_restrict'
loop: '{{ find_all_values.stdout_lines }}'
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines
| length > find_correct_value.stdout_lines | length
tags:
- DISA-STIG-OL08-00-040283
- NIST-800-53-CM-6(a)
- NIST-800-53-SC-30
- NIST-800-53-SC-30(2)
- NIST-800-53-SC-30(5)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_kptr_restrict
- name: Restrict Exposed Kernel Pointer Addresses Access - Comment out any occurrences
of kernel.kptr_restrict from /etc/sysctl.conf
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^[\s]*kernel.kptr_restrict
replace: '#kernel.kptr_restrict'
with_fileglob:
- /etc/sysctl.conf
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-040283
- NIST-800-53-CM-6(a)
- NIST-800-53-SC-30
- NIST-800-53-SC-30(2)
- NIST-800-53-SC-30(5)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_kptr_restrict
- name: Restrict Exposed Kernel Pointer Addresses Access - Ensure sysctl kernel.kptr_restrict
is set
ansible.posix.sysctl:
name: kernel.kptr_restrict
value: '{{ sysctl_kernel_kptr_restrict_value }}'
sysctl_file: /etc/sysctl.d/kernel_kptr_restrict.conf
state: present
reload: true
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-040283
- NIST-800-53-CM-6(a)
- NIST-800-53-SC-30
- NIST-800-53-SC-30(2)
- NIST-800-53-SC-30(5)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_kernel_kptr_restrict
- name: Check if page_poison argument is already present in /etc/default/grub
ansible.builtin.slurp:
src: /etc/default/grub
register: etc_default_grub
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"grub2-common" in ansible_facts.packages'
tags:
- DISA-STIG-OL08-00-010421
- NIST-800-53-CM-6(a)
- grub2_page_poison_argument
- low_disruption
- medium_complexity
- medium_severity
- reboot_required
- restrict_strategy
- name: Check if page_poison argument is already present
ansible.builtin.command: /sbin/grubby --info=ALL
register: grubby_info
check_mode: false
changed_when: false
failed_when: false
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"grub2-common" in ansible_facts.packages'
tags:
- DISA-STIG-OL08-00-010421
- NIST-800-53-CM-6(a)
- grub2_page_poison_argument
- low_disruption
- medium_complexity
- medium_severity
- reboot_required
- restrict_strategy
- name: Update grub defaults and the bootloader menu
ansible.builtin.command: /sbin/grubby --update-kernel=ALL --args="page_poison=1"
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"grub2-common" in ansible_facts.packages'
- (grubby_info.stdout is not search('page_poison=1')) or ((etc_default_grub['content']
| b64decode) is not search('page_poison=1'))
tags:
- DISA-STIG-OL08-00-010421
- NIST-800-53-CM-6(a)
- grub2_page_poison_argument
- low_disruption
- medium_complexity
- medium_severity
- reboot_required
- restrict_strategy
- name: Check if slub_debug argument is already present in /etc/default/grub
ansible.builtin.slurp:
src: /etc/default/grub
register: etc_default_grub
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"grub2-common" in ansible_facts.packages'
tags:
- DISA-STIG-OL08-00-010423
- NIST-800-53-CM-6(a)
- grub2_slub_debug_argument
- low_disruption
- medium_complexity
- medium_severity
- reboot_required
- restrict_strategy
- name: Check if slub_debug argument is already present
ansible.builtin.command: /sbin/grubby --info=ALL
register: grubby_info
check_mode: false
changed_when: false
failed_when: false
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"grub2-common" in ansible_facts.packages'
tags:
- DISA-STIG-OL08-00-010423
- NIST-800-53-CM-6(a)
- grub2_slub_debug_argument
- low_disruption
- medium_complexity
- medium_severity
- reboot_required
- restrict_strategy
- name: Update grub defaults and the bootloader menu
ansible.builtin.command: /sbin/grubby --update-kernel=ALL --args="slub_debug={{
var_slub_debug_options }}"
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"grub2-common" in ansible_facts.packages'
- (grubby_info.stdout is not search('slub_debug=' ~ var_slub_debug_options)) or
((etc_default_grub['content'] | b64decode) is not search('slub_debug=' ~ var_slub_debug_options))
tags:
- DISA-STIG-OL08-00-010423
- NIST-800-53-CM-6(a)
- grub2_slub_debug_argument
- low_disruption
- medium_complexity
- medium_severity
- reboot_required
- restrict_strategy
- name: Configure SELinux Policy
block:
- name: Check for duplicate values
ansible.builtin.lineinfile:
path: /etc/selinux/config
create: true
regexp: (?i)^SELINUXTYPE=
state: absent
check_mode: true
changed_when: false
register: dupes
- name: Deduplicate values from /etc/selinux/config
ansible.builtin.lineinfile:
path: /etc/selinux/config
create: true
regexp: (?i)^SELINUXTYPE=
state: absent
when: dupes.found is defined and dupes.found > 1
- name: Insert correct line to /etc/selinux/config
ansible.builtin.lineinfile:
path: /etc/selinux/config
create: true
regexp: (?i)^SELINUXTYPE=
line: SELINUXTYPE={{ var_selinux_policy_name }}
state: present
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-010450
- NIST-800-171-3.1.2
- NIST-800-171-3.7.2
- NIST-800-53-AC-3
- NIST-800-53-AC-3(3)(a)
- NIST-800-53-AU-9
- NIST-800-53-SC-7(21)
- PCI-DSSv4-1.2
- PCI-DSSv4-1.2.6
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- selinux_policytype
- name: Ensure SELinux State is Enforcing - Check current SELinux state
ansible.builtin.command:
cmd: getenforce
register: current_selinux_state
check_mode: false
changed_when: false
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-010170
- NIST-800-171-3.1.2
- NIST-800-171-3.7.2
- NIST-800-53-AC-3
- NIST-800-53-AC-3(3)(a)
- NIST-800-53-AU-9
- NIST-800-53-SC-7(21)
- PCI-DSSv4-1.2
- PCI-DSSv4-1.2.6
- high_severity
- low_complexity
- low_disruption
- no_reboot_needed
- restrict_strategy
- selinux_state
- name: Ensure SELinux State is Enforcing
block:
- name: Check for duplicate values
ansible.builtin.lineinfile:
path: /etc/selinux/config
create: true
regexp: (?i)^SELINUX=
state: absent
check_mode: true
changed_when: false
register: dupes
- name: Deduplicate values from /etc/selinux/config
ansible.builtin.lineinfile:
path: /etc/selinux/config
create: true
regexp: (?i)^SELINUX=
state: absent
when: dupes.found is defined and dupes.found > 1
- name: Insert correct line to /etc/selinux/config
ansible.builtin.lineinfile:
path: /etc/selinux/config
create: true
regexp: (?i)^SELINUX=
line: SELINUX={{ var_selinux_state }}
state: present
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-010170
- NIST-800-171-3.1.2
- NIST-800-171-3.7.2
- NIST-800-53-AC-3
- NIST-800-53-AC-3(3)(a)
- NIST-800-53-AU-9
- NIST-800-53-SC-7(21)
- PCI-DSSv4-1.2
- PCI-DSSv4-1.2.6
- high_severity
- low_complexity
- low_disruption
- no_reboot_needed
- restrict_strategy
- selinux_state
- name: Ensure SELinux State is Enforcing - Mark system to relabel SELinux on next
boot
ansible.builtin.file:
path: /.autorelabel
state: touch
access_time: preserve
modification_time: preserve
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- current_selinux_state.stdout | lower != var_selinux_state
tags:
- DISA-STIG-OL08-00-010170
- NIST-800-171-3.1.2
- NIST-800-171-3.7.2
- NIST-800-53-AC-3
- NIST-800-53-AC-3(3)(a)
- NIST-800-53-AU-9
- NIST-800-53-SC-7(21)
- PCI-DSSv4-1.2
- PCI-DSSv4-1.2.6
- high_severity
- low_complexity
- low_disruption
- no_reboot_needed
- restrict_strategy
- selinux_state
- name: Find keytab files
ansible.builtin.find:
paths: /etc/
patterns: '*.keytab'
register: keytab_files
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-010161
- disable_strategy
- kerberos_disable_no_keytab
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Remove keytab files
ansible.builtin.file:
path: '{{ item.path }}'
state: absent
with_items: '{{ keytab_files.files }}'
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-010161
- disable_strategy
- kerberos_disable_no_keytab
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Disable chrony daemon from acting as server
block:
- name: Check for duplicate values
ansible.builtin.lineinfile:
path: /etc/chrony.conf
create: true
regexp: (?i)^\s*port\s+
state: absent
check_mode: true
changed_when: false
register: dupes
- name: Deduplicate values from /etc/chrony.conf
ansible.builtin.lineinfile:
path: /etc/chrony.conf
create: true
regexp: (?i)^\s*port\s+
state: absent
when: dupes.found is defined and dupes.found > 1
- name: Insert correct line to /etc/chrony.conf
ansible.builtin.lineinfile:
path: /etc/chrony.conf
create: true
regexp: (?i)^\s*port\s+
line: port 0
state: present
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"chrony" in ansible_facts.packages'
tags:
- DISA-STIG-OL08-00-030741
- NIST-800-53-AU-12(1)
- NIST-800-53-AU-8(1)
- chronyd_client_only
- low_complexity
- low_disruption
- low_severity
- no_reboot_needed
- restrict_strategy
- name: Disable network management of chrony daemon
block:
- name: Check for duplicate values
ansible.builtin.lineinfile:
path: /etc/chrony.conf
create: true
regexp: (?i)^\s*cmdport\s+
state: absent
check_mode: true
changed_when: false
register: dupes
- name: Deduplicate values from /etc/chrony.conf
ansible.builtin.lineinfile:
path: /etc/chrony.conf
create: true
regexp: (?i)^\s*cmdport\s+
state: absent
when: dupes.found is defined and dupes.found > 1
- name: Insert correct line to /etc/chrony.conf
ansible.builtin.lineinfile:
path: /etc/chrony.conf
create: true
regexp: (?i)^\s*cmdport\s+
line: cmdport 0
state: present
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"chrony" in ansible_facts.packages'
tags:
- DISA-STIG-OL08-00-030742
- NIST-800-53-CM-7(1)
- chronyd_no_chronyc_network
- low_complexity
- low_disruption
- low_severity
- no_reboot_needed
- restrict_strategy
- name: Ensure RekeyLimit is not configured in /etc/ssh/ssh_config
ansible.builtin.lineinfile:
path: /etc/ssh/ssh_config
create: false
regexp: ^\s*RekeyLimit.*$
state: absent
tags:
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- ssh_client_rekey_limit
- name: Collect all include config files for ssh client which configure RekeyLimit
ansible.builtin.find:
paths: /etc/ssh/ssh_config.d/
contains: ^[\s]*RekeyLimit.*$
patterns: '*.config'
register: ssh_config_include_files
tags:
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- ssh_client_rekey_limit
- name: Remove all occurrences of RekeyLimit configuration from include config files
of ssh client
ansible.builtin.lineinfile:
path: '{{ item }}'
regexp: ^[\s]*RekeyLimit.*$
state: absent
loop: '{{ ssh_config_include_files.files }}'
tags:
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- ssh_client_rekey_limit
- name: Ensure that rekey limit is set to {{ var_ssh_client_rekey_limit_size }}
{{ var_ssh_client_rekey_limit_time }} in /etc/ssh/ssh_config.d/02-rekey-limit.conf
ansible.builtin.lineinfile:
path: /etc/ssh/ssh_config.d/02-rekey-limit.conf
create: true
regexp: ^\s*RekeyLimit.*$
line: RekeyLimit {{ var_ssh_client_rekey_limit_size }} {{ var_ssh_client_rekey_limit_time
}}
state: present
tags:
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- ssh_client_rekey_limit
- name: Ensure that correct variable is exported in /etc/profile.d/cc-ssh-strong-rng.csh
ansible.builtin.lineinfile:
path: /etc/profile.d/cc-ssh-strong-rng.csh
regexp: ^[\s]*setenv[\s]+SSH_USE_STRONG_RNG.*$
line: setenv SSH_USE_STRONG_RNG 32
state: present
create: true
tags:
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- ssh_client_use_strong_rng_csh
- name: Ensure that the configuration is not overridden in /etc/profile
ansible.builtin.lineinfile:
path: /etc/profile
regexp: ^[\s]*setenv[\s]+SSH_USE_STRONG_RNG.*$
state: absent
tags:
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- ssh_client_use_strong_rng_csh
- name: Ensure that correct variable is exported in /etc/profile.d/cc-ssh-strong-rng.sh
ansible.builtin.lineinfile:
path: /etc/profile.d/cc-ssh-strong-rng.sh
regexp: ^[\s]*export[\s]+SSH_USE_STRONG_RNG=.*$
line: export SSH_USE_STRONG_RNG=32
state: present
create: true
tags:
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- ssh_client_use_strong_rng_sh
- name: Ensure that the configuration is not overridden in /etc/profile
ansible.builtin.lineinfile:
path: /etc/profile
regexp: ^[\s]*export[\s]+SSH_USE_STRONG_RNG=.*$
state: absent
tags:
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- ssh_client_use_strong_rng_sh
- name: Find sshd_config included files
ansible.builtin.shell: |-
included_files=$(grep -oP "^\s*(?i)include.*" /etc/ssh/sshd_config | sed -e 's/\s*Include\s*//i' | sed -e 's|^[^/]|/etc/ssh/&|')
[[ -n $included_files ]] && ls $included_files || true
register: sshd_config_included_files
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.5.6
- NIST-800-171-3.1.11
- NIST-800-53-AC-12
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-2(5)
- NIST-800-53-CM-6(a)
- NIST-800-53-SC-10
- PCI-DSS-Req-8.1.8
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_set_keepalive_0
- name: Comment conf from included files
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^(\s*ClientAliveCountMax.*)$
replace: '# \1'
loop: '{{ sshd_config_included_files.stdout_lines }}'
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.5.6
- NIST-800-171-3.1.11
- NIST-800-53-AC-12
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-2(5)
- NIST-800-53-CM-6(a)
- NIST-800-53-SC-10
- PCI-DSS-Req-8.1.8
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_set_keepalive_0
- name: Set SSH Client Alive Count Max to zero
block:
- name: Check for duplicate values
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
create: true
regexp: (?i)(?i)^\s*ClientAliveCountMax\s+
state: absent
check_mode: true
changed_when: false
register: dupes
- name: Deduplicate values from /etc/ssh/sshd_config
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
create: true
regexp: (?i)(?i)^\s*ClientAliveCountMax\s+
state: absent
when: dupes.found is defined and dupes.found > 1
- name: Insert correct line to /etc/ssh/sshd_config
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
create: true
regexp: (?i)(?i)^\s*ClientAliveCountMax\s+
line: ClientAliveCountMax 0
state: present
insertbefore: BOF
validate: /usr/sbin/sshd -t -f %s
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.5.6
- NIST-800-171-3.1.11
- NIST-800-53-AC-12
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-2(5)
- NIST-800-53-CM-6(a)
- NIST-800-53-SC-10
- PCI-DSS-Req-8.1.8
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_set_keepalive_0
- name: Find sshd_config included files
ansible.builtin.shell: |-
included_files=$(grep -oP "^\s*(?i)include.*" /etc/ssh/sshd_config | sed -e 's/\s*Include\s*//i' | sed -e 's|^[^/]|/etc/ssh/&|')
[[ -n $included_files ]] && ls $included_files || true
register: sshd_config_included_files
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.5.6
- DISA-STIG-OL08-00-010201
- NIST-800-171-3.1.11
- NIST-800-53-AC-12
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-2(5)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-SC-10
- PCI-DSS-Req-8.1.8
- PCI-DSSv4-8.2
- PCI-DSSv4-8.2.8
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_set_idle_timeout
- name: Comment conf from included files
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^(\s*ClientAliveInterval.*)$
replace: '# \1'
loop: '{{ sshd_config_included_files.stdout_lines }}'
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.5.6
- DISA-STIG-OL08-00-010201
- NIST-800-171-3.1.11
- NIST-800-53-AC-12
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-2(5)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-SC-10
- PCI-DSS-Req-8.1.8
- PCI-DSSv4-8.2
- PCI-DSSv4-8.2.8
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_set_idle_timeout
- name: Set SSH Client Alive Interval
block:
- name: Check for duplicate values
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
create: true
regexp: (?i)(?i)^\s*ClientAliveInterval\s+
state: absent
check_mode: true
changed_when: false
register: dupes
- name: Deduplicate values from /etc/ssh/sshd_config
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
create: true
regexp: (?i)(?i)^\s*ClientAliveInterval\s+
state: absent
when: dupes.found is defined and dupes.found > 1
- name: Insert correct line to /etc/ssh/sshd_config
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
create: true
regexp: (?i)(?i)^\s*ClientAliveInterval\s+
line: ClientAliveInterval {{ sshd_idle_timeout_value }}
state: present
insertbefore: BOF
validate: /usr/sbin/sshd -t -f %s
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.5.6
- DISA-STIG-OL08-00-010201
- NIST-800-171-3.1.11
- NIST-800-53-AC-12
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-2(5)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-SC-10
- PCI-DSS-Req-8.1.8
- PCI-DSSv4-8.2
- PCI-DSSv4-8.2.8
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_set_idle_timeout
- name: Find sshd_config included files
ansible.builtin.shell: |-
included_files=$(grep -oP "^\s*(?i)include.*" /etc/ssh/sshd_config | sed -e 's/\s*Include\s*//i' | sed -e 's|^[^/]|/etc/ssh/&|')
[[ -n $included_files ]] && ls $included_files || true
register: sshd_config_included_files
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.5.6
- NIST-800-171-3.1.12
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-3
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.1
- disable_host_auth
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Comment conf from included files
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^(\s*HostbasedAuthentication.*)$
replace: '# \1'
loop: '{{ sshd_config_included_files.stdout_lines }}'
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.5.6
- NIST-800-171-3.1.12
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-3
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.1
- disable_host_auth
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Disable Host-Based Authentication
block:
- name: Check for duplicate values
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
create: true
regexp: (?i)(?i)^\s*HostbasedAuthentication\s+
state: absent
check_mode: true
changed_when: false
register: dupes
- name: Deduplicate values from /etc/ssh/sshd_config
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
create: true
regexp: (?i)(?i)^\s*HostbasedAuthentication\s+
state: absent
when: dupes.found is defined and dupes.found > 1
- name: Insert correct line to /etc/ssh/sshd_config
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
create: true
regexp: (?i)(?i)^\s*HostbasedAuthentication\s+
line: HostbasedAuthentication no
state: present
insertbefore: BOF
validate: /usr/sbin/sshd -t -f %s
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.5.6
- NIST-800-171-3.1.12
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-3
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSSv4-8.3
- PCI-DSSv4-8.3.1
- disable_host_auth
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Find sshd_config included files
ansible.builtin.shell: |-
included_files=$(grep -oP "^\s*(?i)include.*" /etc/ssh/sshd_config | sed -e 's/\s*Include\s*//i' | sed -e 's|^[^/]|/etc/ssh/&|')
[[ -n $included_files ]] && ls $included_files || true
register: sshd_config_included_files
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.5.6
- DISA-STIG-OL08-00-020330
- NIST-800-171-3.1.1
- NIST-800-171-3.1.5
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSS-Req-2.2.4
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- high_severity
- low_complexity
- low_disruption
- no_reboot_needed
- restrict_strategy
- sshd_disable_empty_passwords
- name: Comment conf from included files
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^(\s*PermitEmptyPasswords.*)$
replace: '# \1'
loop: '{{ sshd_config_included_files.stdout_lines }}'
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.5.6
- DISA-STIG-OL08-00-020330
- NIST-800-171-3.1.1
- NIST-800-171-3.1.5
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSS-Req-2.2.4
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- high_severity
- low_complexity
- low_disruption
- no_reboot_needed
- restrict_strategy
- sshd_disable_empty_passwords
- name: Disable SSH Access via Empty Passwords
block:
- name: Check for duplicate values
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
create: true
regexp: (?i)(?i)^\s*PermitEmptyPasswords\s+
state: absent
check_mode: true
changed_when: false
register: dupes
- name: Deduplicate values from /etc/ssh/sshd_config
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
create: true
regexp: (?i)(?i)^\s*PermitEmptyPasswords\s+
state: absent
when: dupes.found is defined and dupes.found > 1
- name: Insert correct line to /etc/ssh/sshd_config
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
create: true
regexp: (?i)(?i)^\s*PermitEmptyPasswords\s+
line: PermitEmptyPasswords no
state: present
insertbefore: BOF
validate: /usr/sbin/sshd -t -f %s
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.5.6
- DISA-STIG-OL08-00-020330
- NIST-800-171-3.1.1
- NIST-800-171-3.1.5
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSS-Req-2.2.4
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- high_severity
- low_complexity
- low_disruption
- no_reboot_needed
- restrict_strategy
- sshd_disable_empty_passwords
- name: Find sshd_config included files
ansible.builtin.shell: |-
included_files=$(grep -oP "^\s*(?i)include.*" /etc/ssh/sshd_config | sed -e 's/\s*Include\s*//i' | sed -e 's|^[^/]|/etc/ssh/&|')
[[ -n $included_files ]] && ls $included_files || true
register: sshd_config_included_files
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-010522
- NIST-800-171-3.1.12
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_disable_gssapi_auth
- name: Comment conf from included files
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^(\s*GSSAPIAuthentication.*)$
replace: '# \1'
loop: '{{ sshd_config_included_files.stdout_lines }}'
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-010522
- NIST-800-171-3.1.12
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_disable_gssapi_auth
- name: Disable GSSAPI Authentication
block:
- name: Check for duplicate values
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
create: true
regexp: (?i)(?i)^\s*GSSAPIAuthentication\s+
state: absent
check_mode: true
changed_when: false
register: dupes
- name: Deduplicate values from /etc/ssh/sshd_config
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
create: true
regexp: (?i)(?i)^\s*GSSAPIAuthentication\s+
state: absent
when: dupes.found is defined and dupes.found > 1
- name: Insert correct line to /etc/ssh/sshd_config
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
create: true
regexp: (?i)(?i)^\s*GSSAPIAuthentication\s+
line: GSSAPIAuthentication no
state: present
insertbefore: BOF
validate: /usr/sbin/sshd -t -f %s
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-010522
- NIST-800-171-3.1.12
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_disable_gssapi_auth
- name: Find sshd_config included files
ansible.builtin.shell: |-
included_files=$(grep -oP "^\s*(?i)include.*" /etc/ssh/sshd_config | sed -e 's/\s*Include\s*//i' | sed -e 's|^[^/]|/etc/ssh/&|')
[[ -n $included_files ]] && ls $included_files || true
register: sshd_config_included_files
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-010521
- NIST-800-171-3.1.12
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_disable_kerb_auth
- name: Comment conf from included files
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^(\s*KerberosAuthentication.*)$
replace: '# \1'
loop: '{{ sshd_config_included_files.stdout_lines }}'
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-010521
- NIST-800-171-3.1.12
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_disable_kerb_auth
- name: Disable Kerberos Authentication
block:
- name: Check for duplicate values
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
create: true
regexp: (?i)(?i)^\s*KerberosAuthentication\s+
state: absent
check_mode: true
changed_when: false
register: dupes
- name: Deduplicate values from /etc/ssh/sshd_config
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
create: true
regexp: (?i)(?i)^\s*KerberosAuthentication\s+
state: absent
when: dupes.found is defined and dupes.found > 1
- name: Insert correct line to /etc/ssh/sshd_config
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
create: true
regexp: (?i)(?i)^\s*KerberosAuthentication\s+
line: KerberosAuthentication no
state: present
insertbefore: BOF
validate: /usr/sbin/sshd -t -f %s
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-010521
- NIST-800-171-3.1.12
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_disable_kerb_auth
- name: Find sshd_config included files
ansible.builtin.shell: |-
included_files=$(grep -oP "^\s*(?i)include.*" /etc/ssh/sshd_config | sed -e 's/\s*Include\s*//i' | sed -e 's|^[^/]|/etc/ssh/&|')
[[ -n $included_files ]] && ls $included_files || true
register: sshd_config_included_files
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.5.6
- DISA-STIG-OL08-00-010550
- NIST-800-171-3.1.1
- NIST-800-171-3.1.5
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-6(2)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-IA-2
- NIST-800-53-IA-2(5)
- PCI-DSS-Req-2.2.4
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_disable_root_login
- name: Comment conf from included files
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^(\s*PermitRootLogin.*)$
replace: '# \1'
loop: '{{ sshd_config_included_files.stdout_lines }}'
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.5.6
- DISA-STIG-OL08-00-010550
- NIST-800-171-3.1.1
- NIST-800-171-3.1.5
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-6(2)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-IA-2
- NIST-800-53-IA-2(5)
- PCI-DSS-Req-2.2.4
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_disable_root_login
- name: Disable SSH Root Login
block:
- name: Check for duplicate values
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
create: true
regexp: (?i)(?i)^\s*PermitRootLogin\s+
state: absent
check_mode: true
changed_when: false
register: dupes
- name: Deduplicate values from /etc/ssh/sshd_config
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
create: true
regexp: (?i)(?i)^\s*PermitRootLogin\s+
state: absent
when: dupes.found is defined and dupes.found > 1
- name: Insert correct line to /etc/ssh/sshd_config
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
create: true
regexp: (?i)(?i)^\s*PermitRootLogin\s+
line: PermitRootLogin no
state: present
insertbefore: BOF
validate: /usr/sbin/sshd -t -f %s
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.5.6
- DISA-STIG-OL08-00-010550
- NIST-800-171-3.1.1
- NIST-800-171-3.1.5
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-6(2)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-IA-2
- NIST-800-53-IA-2(5)
- PCI-DSS-Req-2.2.4
- PCI-DSSv4-2.2
- PCI-DSSv4-2.2.6
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_disable_root_login
- name: Find sshd_config included files
ansible.builtin.shell: |-
included_files=$(grep -oP "^\s*(?i)include.*" /etc/ssh/sshd_config | sed -e 's/\s*Include\s*//i' | sed -e 's|^[^/]|/etc/ssh/&|')
[[ -n $included_files ]] && ls $included_files || true
register: sshd_config_included_files
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-010500
- NIST-800-171-3.1.12
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-6
- NIST-800-53-CM-6(a)
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_enable_strictmodes
- name: Comment conf from included files
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^(\s*StrictModes.*)$
replace: '# \1'
loop: '{{ sshd_config_included_files.stdout_lines }}'
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-010500
- NIST-800-171-3.1.12
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-6
- NIST-800-53-CM-6(a)
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_enable_strictmodes
- name: Enable Use of Strict Mode Checking
block:
- name: Check for duplicate values
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
create: true
regexp: (?i)(?i)^\s*StrictModes\s+
state: absent
check_mode: true
changed_when: false
register: dupes
- name: Deduplicate values from /etc/ssh/sshd_config
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
create: true
regexp: (?i)(?i)^\s*StrictModes\s+
state: absent
when: dupes.found is defined and dupes.found > 1
- name: Insert correct line to /etc/ssh/sshd_config
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
create: true
regexp: (?i)(?i)^\s*StrictModes\s+
line: StrictModes yes
state: present
insertbefore: BOF
validate: /usr/sbin/sshd -t -f %s
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-010500
- NIST-800-171-3.1.12
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-6
- NIST-800-53-CM-6(a)
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_enable_strictmodes
- name: Find sshd_config included files
ansible.builtin.shell: |-
included_files=$(grep -oP "^\s*(?i)include.*" /etc/ssh/sshd_config | sed -e 's/\s*Include\s*//i' | sed -e 's|^[^/]|/etc/ssh/&|')
[[ -n $included_files ]] && ls $included_files || true
register: sshd_config_included_files
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.5.6
- DISA-STIG-OL08-00-010040
- NIST-800-171-3.1.9
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-8(a)
- NIST-800-53-AC-8(c)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-2.2.4
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_enable_warning_banner
- name: Comment conf from included files
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^(\s*Banner.*)$
replace: '# \1'
loop: '{{ sshd_config_included_files.stdout_lines }}'
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.5.6
- DISA-STIG-OL08-00-010040
- NIST-800-171-3.1.9
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-8(a)
- NIST-800-53-AC-8(c)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-2.2.4
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_enable_warning_banner
- name: Enable SSH Warning Banner
block:
- name: Check for duplicate values
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
create: true
regexp: (?i)(?i)^\s*Banner\s+
state: absent
check_mode: true
changed_when: false
register: dupes
- name: Deduplicate values from /etc/ssh/sshd_config
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
create: true
regexp: (?i)(?i)^\s*Banner\s+
state: absent
when: dupes.found is defined and dupes.found > 1
- name: Insert correct line to /etc/ssh/sshd_config
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
create: true
regexp: (?i)(?i)^\s*Banner\s+
line: Banner /etc/issue
state: present
insertbefore: BOF
validate: /usr/sbin/sshd -t -f %s
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- CJIS-5.5.6
- DISA-STIG-OL08-00-010040
- NIST-800-171-3.1.9
- NIST-800-53-AC-17(a)
- NIST-800-53-AC-8(a)
- NIST-800-53-AC-8(c)
- NIST-800-53-CM-6(a)
- PCI-DSS-Req-2.2.4
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- sshd_enable_warning_banner
- name: Find sshd_config included files
ansible.builtin.shell: |-
included_files=$(grep -oP "^\s*(?i)include.*" /etc/ssh/sshd_config | sed -e 's/\s*Include\s*//i' | sed -e 's|^[^/]|/etc/ssh/&|')
[[ -n $included_files ]] && ls $included_files || true
register: sshd_config_included_files
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-040161
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- sshd_rekey_limit
- name: Comment conf from included files
ansible.builtin.replace:
path: '{{ item }}'
regexp: ^(\s*RekeyLimit.*)$
replace: '# \1'
loop: '{{ sshd_config_included_files.stdout_lines }}'
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-040161
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- sshd_rekey_limit
- name: Force frequent session key renegotiation
block:
- name: Check for duplicate values
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
create: true
regexp: (?i)(?i)^\s*RekeyLimit\s+
state: absent
check_mode: true
changed_when: false
register: dupes
- name: Deduplicate values from /etc/ssh/sshd_config
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
create: true
regexp: (?i)(?i)^\s*RekeyLimit\s+
state: absent
when: dupes.found is defined and dupes.found > 1
- name: Insert correct line to /etc/ssh/sshd_config
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
create: true
regexp: (?i)(?i)^\s*RekeyLimit\s+
line: RekeyLimit {{ var_rekey_limit_size }} {{ var_rekey_limit_time }}
state: present
insertbefore: BOF
validate: /usr/sbin/sshd -t -f %s
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-040161
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- sshd_rekey_limit
- name: Setting unquoted shell-style assignment of 'SSH_USE_STRONG_RNG' to '32'
in '/etc/sysconfig/sshd'
block:
- name: Check for duplicate values
ansible.builtin.lineinfile:
path: /etc/sysconfig/sshd
create: true
regexp: (?i)^\s*SSH_USE_STRONG_RNG=
state: absent
check_mode: true
changed_when: false
register: dupes
- name: Deduplicate values from /etc/sysconfig/sshd
ansible.builtin.lineinfile:
path: /etc/sysconfig/sshd
create: true
regexp: (?i)^\s*SSH_USE_STRONG_RNG=
state: absent
when: dupes.found is defined and dupes.found > 1
- name: Insert correct line to /etc/sysconfig/sshd
ansible.builtin.lineinfile:
path: /etc/sysconfig/sshd
create: true
regexp: (?i)^\s*SSH_USE_STRONG_RNG=
line: SSH_USE_STRONG_RNG=32
state: present
insertbefore: ^# SSH_USE_STRONG_RNG
validate: /usr/bin/bash -n %s
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-010292
- low_complexity
- low_disruption
- low_severity
- no_reboot_needed
- restrict_strategy
- sshd_use_strong_rng
- name: Log USBGuard daemon audit events using Linux Audit
block:
- name: Check for duplicate values
ansible.builtin.lineinfile:
path: /etc/usbguard/usbguard-daemon.conf
create: true
regexp: (?i)^[ \\t]*AuditBackend=
state: absent
check_mode: true
changed_when: false
register: dupes
- name: Deduplicate values from /etc/usbguard/usbguard-daemon.conf
ansible.builtin.lineinfile:
path: /etc/usbguard/usbguard-daemon.conf
create: true
regexp: (?i)^[ \\t]*AuditBackend=
state: absent
when: dupes.found is defined and dupes.found > 1
- name: Insert correct line to /etc/usbguard/usbguard-daemon.conf
ansible.builtin.lineinfile:
path: /etc/usbguard/usbguard-daemon.conf
create: true
regexp: (?i)^[ \\t]*AuditBackend=
line: AuditBackend=LinuxAudit
state: present
when:
- ( ansible_architecture != "s390x" and ("kernel" in ansible_facts.packages or
"kernel-uek" in ansible_facts.packages) )
- '"usbguard" in ansible_facts.packages'
tags:
- DISA-STIG-OL08-00-030603
- NIST-800-53-AU-2
- NIST-800-53-CM-8(3)
- NIST-800-53-IA-3
- configure_strategy
- configure_usbguard_auditbackend
- low_complexity
- low_disruption
- low_severity
- no_reboot_needed
- name: Allow HID devices and hubs
ansible.builtin.lineinfile:
path: /etc/usbguard/rules.conf
create: true
regexp: ''
line: allow with-interface match-all { 03:*:* 09:00:* }
state: present
when: ( ansible_architecture != "s390x" and ("kernel" in ansible_facts.packages
or "kernel-uek" in ansible_facts.packages) )
tags:
- NIST-800-53-CM-8(3)
- NIST-800-53-IA-3
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- usbguard_allow_hid_and_hub
- name: Check if audit argument is already present in /etc/default/grub
ansible.builtin.slurp:
src: /etc/default/grub
register: etc_default_grub
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"grub2-common" in ansible_facts.packages'
tags:
- CJIS-5.4.1.1
- DISA-STIG-OL08-00-030601
- NIST-800-171-3.3.1
- NIST-800-53-AC-17(1)
- NIST-800-53-AU-10
- NIST-800-53-AU-14(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-IR-5(1)
- PCI-DSS-Req-10.3
- PCI-DSSv4-10.7
- PCI-DSSv4-10.7.2
- grub2_audit_argument
- low_disruption
- low_severity
- medium_complexity
- reboot_required
- restrict_strategy
- name: Check if audit argument is already present
ansible.builtin.command: /sbin/grubby --info=ALL
register: grubby_info
check_mode: false
changed_when: false
failed_when: false
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"grub2-common" in ansible_facts.packages'
tags:
- CJIS-5.4.1.1
- DISA-STIG-OL08-00-030601
- NIST-800-171-3.3.1
- NIST-800-53-AC-17(1)
- NIST-800-53-AU-10
- NIST-800-53-AU-14(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-IR-5(1)
- PCI-DSS-Req-10.3
- PCI-DSSv4-10.7
- PCI-DSSv4-10.7.2
- grub2_audit_argument
- low_disruption
- low_severity
- medium_complexity
- reboot_required
- restrict_strategy
- name: Update grub defaults and the bootloader menu
ansible.builtin.command: /sbin/grubby --update-kernel=ALL --args="audit=1"
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"grub2-common" in ansible_facts.packages'
- (grubby_info.stdout is not search('audit=1')) or ((etc_default_grub['content']
| b64decode) is not search('audit=1'))
tags:
- CJIS-5.4.1.1
- DISA-STIG-OL08-00-030601
- NIST-800-171-3.3.1
- NIST-800-53-AC-17(1)
- NIST-800-53-AU-10
- NIST-800-53-AU-14(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-IR-5(1)
- PCI-DSS-Req-10.3
- PCI-DSSv4-10.7
- PCI-DSSv4-10.7.2
- grub2_audit_argument
- low_disruption
- low_severity
- medium_complexity
- reboot_required
- restrict_strategy
- name: Check if audit_backlog_limit argument is already present in /etc/default/grub
ansible.builtin.slurp:
src: /etc/default/grub
register: etc_default_grub
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"grub2-common" in ansible_facts.packages'
tags:
- DISA-STIG-OL08-00-030602
- NIST-800-53-CM-6(a)
- PCI-DSSv4-10.7
- PCI-DSSv4-10.7.2
- grub2_audit_backlog_limit_argument
- low_disruption
- low_severity
- medium_complexity
- reboot_required
- restrict_strategy
- name: Check if audit_backlog_limit argument is already present
ansible.builtin.command: /sbin/grubby --info=ALL
register: grubby_info
check_mode: false
changed_when: false
failed_when: false
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"grub2-common" in ansible_facts.packages'
tags:
- DISA-STIG-OL08-00-030602
- NIST-800-53-CM-6(a)
- PCI-DSSv4-10.7
- PCI-DSSv4-10.7.2
- grub2_audit_backlog_limit_argument
- low_disruption
- low_severity
- medium_complexity
- reboot_required
- restrict_strategy
- name: Update grub defaults and the bootloader menu
ansible.builtin.command: /sbin/grubby --update-kernel=ALL --args="audit_backlog_limit={{
var_audit_backlog_limit }}"
when:
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
- '"grub2-common" in ansible_facts.packages'
- (grubby_info.stdout is not search('audit_backlog_limit=' ~ var_audit_backlog_limit))
or ((etc_default_grub['content'] | b64decode) is not search('audit_backlog_limit='
~ var_audit_backlog_limit))
tags:
- DISA-STIG-OL08-00-030602
- NIST-800-53-CM-6(a)
- PCI-DSSv4-10.7
- PCI-DSSv4-10.7.2
- grub2_audit_backlog_limit_argument
- low_disruption
- low_severity
- medium_complexity
- reboot_required
- restrict_strategy
- name: Configure auditd Flush Priority
ansible.builtin.lineinfile:
dest: /etc/audit/auditd.conf
regexp: ^\s*flush\s*=\s*.*$
line: flush = {{ var_auditd_flush }}
state: present
create: true
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-171-3.3.1
- NIST-800-53-AU-11
- NIST-800-53-CM-6(a)
- auditd_data_retention_flush
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set number of records to cause an explicit flush to audit logs
block:
- name: Check for duplicate values
ansible.builtin.lineinfile:
path: /etc/audit/auditd.conf
create: true
regexp: (?i)(?i)^\s*freq\s*=\s*
state: absent
check_mode: true
changed_when: false
register: dupes
- name: Deduplicate values from /etc/audit/auditd.conf
ansible.builtin.lineinfile:
path: /etc/audit/auditd.conf
create: true
regexp: (?i)(?i)^\s*freq\s*=\s*
state: absent
when: dupes.found is defined and dupes.found > 1
- name: Insert correct line to /etc/audit/auditd.conf
ansible.builtin.lineinfile:
path: /etc/audit/auditd.conf
create: true
regexp: (?i)(?i)^\s*freq\s*=\s*
line: freq = {{ var_auditd_freq }}
state: present
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-53-CM-6
- auditd_freq
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Include Local Events in Audit Logs
block:
- name: Check for duplicate values
ansible.builtin.lineinfile:
path: /etc/audit/auditd.conf
create: true
regexp: (?i)(?i)^\s*local_events\s*=\s*
state: absent
check_mode: true
changed_when: false
register: dupes
- name: Deduplicate values from /etc/audit/auditd.conf
ansible.builtin.lineinfile:
path: /etc/audit/auditd.conf
create: true
regexp: (?i)(?i)^\s*local_events\s*=\s*
state: absent
when: dupes.found is defined and dupes.found > 1
- name: Insert correct line to /etc/audit/auditd.conf
ansible.builtin.lineinfile:
path: /etc/audit/auditd.conf
create: true
regexp: (?i)(?i)^\s*local_events\s*=\s*
line: local_events = yes
state: present
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-030061
- NIST-800-53-CM-6
- auditd_local_events
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Resolve information before writing to audit logs
block:
- name: Check for duplicate values
ansible.builtin.lineinfile:
path: /etc/audit/auditd.conf
create: true
regexp: (?i)(?i)^\s*log_format\s*=\s*
state: absent
check_mode: true
changed_when: false
register: dupes
- name: Deduplicate values from /etc/audit/auditd.conf
ansible.builtin.lineinfile:
path: /etc/audit/auditd.conf
create: true
regexp: (?i)(?i)^\s*log_format\s*=\s*
state: absent
when: dupes.found is defined and dupes.found > 1
- name: Insert correct line to /etc/audit/auditd.conf
ansible.builtin.lineinfile:
path: /etc/audit/auditd.conf
create: true
regexp: (?i)(?i)^\s*log_format\s*=\s*
line: log_format = ENRICHED
state: present
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-030063
- NIST-800-53-AU-3
- NIST-800-53-CM-6
- auditd_log_format
- low_complexity
- low_disruption
- low_severity
- no_reboot_needed
- restrict_strategy
- name: Set type of computer node name logging in audit logs - Define Value to Be
Used in the Remediation
ansible.builtin.set_fact: auditd_name_format_split="{{ var_auditd_name_format.split('|')[0]
}}"
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-030062
- NIST-800-53-AU-3
- NIST-800-53-CM-6
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.2
- auditd_name_format
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Set type of computer node name logging in audit logs
block:
- name: Check for duplicate values
ansible.builtin.lineinfile:
path: /etc/audit/auditd.conf
create: true
regexp: (?i)(?i)^\s*name_format\s*=\s*
state: absent
check_mode: true
changed_when: false
register: dupes
- name: Deduplicate values from /etc/audit/auditd.conf
ansible.builtin.lineinfile:
path: /etc/audit/auditd.conf
create: true
regexp: (?i)(?i)^\s*name_format\s*=\s*
state: absent
when: dupes.found is defined and dupes.found > 1
- name: Insert correct line to /etc/audit/auditd.conf
ansible.builtin.lineinfile:
path: /etc/audit/auditd.conf
create: true
regexp: (?i)(?i)^\s*name_format\s*=\s*
line: name_format = {{ auditd_name_format_split }}
state: present
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- DISA-STIG-OL08-00-030062
- NIST-800-53-AU-3
- NIST-800-53-CM-6
- PCI-DSSv4-10.2
- PCI-DSSv4-10.2.2
- auditd_name_format
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Write Audit Logs to the Disk
block:
- name: Check for duplicate values
ansible.builtin.lineinfile:
path: /etc/audit/auditd.conf
create: true
regexp: (?i)(?i)^\s*write_logs\s*=\s*
state: absent
check_mode: true
changed_when: false
register: dupes
- name: Deduplicate values from /etc/audit/auditd.conf
ansible.builtin.lineinfile:
path: /etc/audit/auditd.conf
create: true
regexp: (?i)(?i)^\s*write_logs\s*=\s*
state: absent
when: dupes.found is defined and dupes.found > 1
- name: Insert correct line to /etc/audit/auditd.conf
ansible.builtin.lineinfile:
path: /etc/audit/auditd.conf
create: true
regexp: (?i)(?i)^\s*write_logs\s*=\s*
line: write_logs = yes
state: present
when:
- '"audit" in ansible_facts.packages'
- ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-53-CM-6
- auditd_write_logs
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Put contents into /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules according
to policy
ansible.builtin.copy:
dest: /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules
content: |
## Unsuccessful file access (any other opens) This has to go last.
-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
force: true
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-53-AU-2(a)
- audit_access_failed
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Configure auditing of unsuccessful file accesses - Remove any permissions
from group and other
ansible.builtin.file:
path: /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules
mode: g-rwx,o-rwx
state: touch
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-53-AU-2(a)
- audit_access_failed
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Put contents into /etc/audit/rules.d/30-ospp-v42-3-access-success.rules
according to policy
ansible.builtin.copy:
dest: /etc/audit/rules.d/30-ospp-v42-3-access-success.rules
content: |
## Successful file access (any other opens) This has to go last.
## These next two are likely to result in a whole lot of events
-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
force: true
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-53-AU-2(a)
- audit_access_success
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Configure auditing of successful file accesses - Remove any permissions
from group and other
ansible.builtin.file:
path: /etc/audit/rules.d/30-ospp-v42-3-access-success.rules
mode: g-rwx,o-rwx
state: touch
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-53-AU-2(a)
- audit_access_success
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Put contents into /etc/audit/rules.d/10-base-config.rules according to policy
ansible.builtin.copy:
dest: /etc/audit/rules.d/10-base-config.rules
content: |+
## First rule - delete all
-D
## Increase the buffers to survive stress events.
## Make this bigger for busy systems
-b 8192
## This determine how long to wait in burst of events
--backlog_wait_time 60000
## Set failure mode to syslog
-f 1
force: true
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-53-AU-2(a)
- audit_basic_configuration
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Configure basic parameters of Audit system - Remove any permissions from
group and other
ansible.builtin.file:
path: /etc/audit/rules.d/10-base-config.rules
mode: g-rwx,o-rwx
state: touch
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-53-AU-2(a)
- audit_basic_configuration
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Put contents into /etc/audit/rules.d/30-ospp-v42-1-create-failed.rules according
to policy
ansible.builtin.copy:
dest: /etc/audit/rules.d/30-ospp-v42-1-create-failed.rules
content: |
## Unsuccessful file creation (open with O_CREAT)
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
force: true
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-53-AU-2(a)
- audit_create_failed
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Configure auditing of unsuccessful file creations - Remove any permissions
from group and other
ansible.builtin.file:
path: /etc/audit/rules.d/30-ospp-v42-1-create-failed.rules
mode: g-rwx,o-rwx
state: touch
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-53-AU-2(a)
- audit_create_failed
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Put contents into /etc/audit/rules.d/30-ospp-v42-1-create-success.rules
according to policy
ansible.builtin.copy:
dest: /etc/audit/rules.d/30-ospp-v42-1-create-success.rules
content: |
## Successful file creation (open with O_CREAT)
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
-a always,exit -F arch=b32 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
-a always,exit -F arch=b64 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
-a always,exit -F arch=b32 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
-a always,exit -F arch=b64 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
force: true
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-53-AU-2(a)
- audit_create_success
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Configure auditing of successful file creations - Remove any permissions
from group and other
ansible.builtin.file:
path: /etc/audit/rules.d/30-ospp-v42-1-create-success.rules
mode: g-rwx,o-rwx
state: touch
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-53-AU-2(a)
- audit_create_success
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Put contents into /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules according
to policy
ansible.builtin.copy:
dest: /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules
content: |
## Unsuccessful file delete
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
force: true
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-53-AU-2(a)
- audit_delete_failed
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Configure auditing of unsuccessful file deletions - Remove any permissions
from group and other
ansible.builtin.file:
path: /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules
mode: g-rwx,o-rwx
state: touch
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-53-AU-2(a)
- audit_delete_failed
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Put contents into /etc/audit/rules.d/30-ospp-v42-4-delete-success.rules
according to policy
ansible.builtin.copy:
dest: /etc/audit/rules.d/30-ospp-v42-4-delete-success.rules
content: |
## Successful file delete
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete
force: true
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-53-AU-2(a)
- audit_delete_success
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Configure auditing of successful file deletions - Remove any permissions
from group and other
ansible.builtin.file:
path: /etc/audit/rules.d/30-ospp-v42-4-delete-success.rules
mode: g-rwx,o-rwx
state: touch
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-53-AU-2(a)
- audit_delete_success
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Put contents into /etc/audit/rules.d/11-loginuid.rules according to policy
ansible.builtin.copy:
dest: /etc/audit/rules.d/11-loginuid.rules
content: |+
## Make the loginuid immutable. This prevents tampering with the auid.
--loginuid-immutable
force: true
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-53-AU-2(a)
- audit_immutable_login_uids
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Configure immutable Audit login UIDs - Remove any permissions from group
and other
ansible.builtin.file:
path: /etc/audit/rules.d/11-loginuid.rules
mode: g-rwx,o-rwx
state: touch
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-53-AU-2(a)
- audit_immutable_login_uids
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Put contents into /etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules according
to policy
ansible.builtin.copy:
dest: /etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules
content: |
## Unsuccessful file modifications (open for write or truncate)
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
force: true
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-53-AU-2(a)
- audit_modify_failed
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Configure auditing of unsuccessful file modifications - Remove any permissions
from group and other
ansible.builtin.file:
path: /etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules
mode: g-rwx,o-rwx
state: touch
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-53-AU-2(a)
- audit_modify_failed
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Put contents into /etc/audit/rules.d/30-ospp-v42-2-modify-success.rules
according to policy
ansible.builtin.copy:
dest: /etc/audit/rules.d/30-ospp-v42-2-modify-success.rules
content: |
## Successful file modifications (open for write or truncate)
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
-a always,exit -F arch=b32 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
-a always,exit -F arch=b64 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
-a always,exit -F arch=b32 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
-a always,exit -F arch=b64 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
force: true
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-53-AU-2(a)
- audit_modify_success
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Configure auditing of successful file modifications - Remove any permissions
from group and other
ansible.builtin.file:
path: /etc/audit/rules.d/30-ospp-v42-2-modify-success.rules
mode: g-rwx,o-rwx
state: touch
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-53-AU-2(a)
- audit_modify_success
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Put contents into /etc/audit/rules.d/43-module-load.rules according to policy
ansible.builtin.copy:
dest: /etc/audit/rules.d/43-module-load.rules
content: |
## These rules watch for kernel module insertion. By monitoring
## the syscall, we do not need any watches on programs.
-a always,exit -F arch=b32 -S init_module,finit_module -F key=module-load
-a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load
-a always,exit -F arch=b32 -S delete_module -F key=module-unload
-a always,exit -F arch=b64 -S delete_module -F key=module-unload
force: true
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-53-AU-2(a)
- audit_module_load
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Configure auditing of loading and unloading of kernel modules - Remove any
permissions from group and other
ansible.builtin.file:
path: /etc/audit/rules.d/43-module-load.rules
mode: g-rwx,o-rwx
state: touch
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-53-AU-2(a)
- audit_module_load
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Put contents into /etc/audit/rules.d/30-ospp-v42.rules according to policy
ansible.builtin.copy:
dest: /etc/audit/rules.d/30-ospp-v42.rules
content: |+
## The purpose of these rules is to meet the requirements for Operating
## System Protection Profile (OSPP)v4.2. These rules depends on having
## the following rule files copied to /etc/audit/rules.d:
##
## 10-base-config.rules, 11-loginuid.rules,
## 30-ospp-v42-1-create-failed.rules, 30-ospp-v42-1-create-success.rules,
## 30-ospp-v42-2-modify-failed.rules, 30-ospp-v42-2-modify-success.rules,
## 30-ospp-v42-3-access-failed.rules, 30-ospp-v42-3-access-success.rules,
## 30-ospp-v42-4-delete-failed.rules, 30-ospp-v42-4-delete-success.rules,
## 30-ospp-v42-5-perm-change-failed.rules,
## 30-ospp-v42-5-perm-change-success.rules,
## 30-ospp-v42-6-owner-change-failed.rules,
## 30-ospp-v42-6-owner-change-success.rules
##
## original copies may be found in /usr/share/audit/sample-rules/
## User add delete modify. This is covered by pam. However, someone could
## open a file and directly create or modify a user, so we'll watch passwd and
## shadow for writes
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
## User enable and disable. This is entirely handled by pam.
## Group add delete modify. This is covered by pam. However, someone could
## open a file and directly create or modify a user, so we'll watch group and
## gshadow for writes
-a always,exit -F arch=b32 -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b64 -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b32 -F path=/etc/shadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b64 -F path=/etc/shadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b32 -F path=/etc/group -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
-a always,exit -F arch=b64 -F path=/etc/group -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
-a always,exit -F arch=b32 -F path=/etc/gshadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
-a always,exit -F arch=b64 -F path=/etc/gshadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
## Use of special rights for config changes. This would be use of setuid
## programs that relate to user accts. This is not all setuid apps because
## requirements are only for ones that affect system configuration.
-a always,exit -F arch=b32 -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/sbin/grub2-set-bootflag -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/sbin/grub2-set-bootflag -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
## Privilege escalation via su or sudo. This is entirely handled by pam.
## Special case for systemd-run. It is not audit aware, specifically watch it
-a always,exit -F arch=b32 -F path=/usr/bin/systemd-run -F perm=x -F auid!=unset -F key=maybe-escalation
-a always,exit -F arch=b64 -F path=/usr/bin/systemd-run -F perm=x -F auid!=unset -F key=maybe-escalation
## Special case for pkexec. It is not audit aware, specifically watch it
-a always,exit -F arch=b32 -F path=/usr/bin/pkexec -F perm=x -F key=maybe-escalation
-a always,exit -F arch=b64 -F path=/usr/bin/pkexec -F perm=x -F key=maybe-escalation
## Watch for configuration changes to privilege escalation.
-a always,exit -F arch=b32 -F path=/etc/sudoers -F perm=wa -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/etc/sudoers -F perm=wa -F key=special-config-changes
-a always,exit -F arch=b32 -F dir=/etc/sudoers.d/ -F perm=wa -F key=special-config-changes
-a always,exit -F arch=b64 -F dir=/etc/sudoers.d/ -F perm=wa -F key=special-config-changes
## Audit log access
-a always,exit -F arch=b32 -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail
-a always,exit -F arch=b64 -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail
## Attempts to Alter Process and Session Initiation Information
-a always,exit -F arch=b32 -F path=/var/run/utmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
-a always,exit -F arch=b64 -F path=/var/run/utmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
-a always,exit -F arch=b32 -F path=/var/log/btmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
-a always,exit -F arch=b64 -F path=/var/log/btmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
-a always,exit -F arch=b32 -F path=/var/log/wtmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
-a always,exit -F arch=b64 -F path=/var/log/wtmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
## Attempts to modify MAC controls
-a always,exit -F arch=b32 -F dir=/etc/selinux/ -F perm=wa -F auid>=1000 -F auid!=unset -F key=MAC-policy
-a always,exit -F arch=b64 -F dir=/etc/selinux/ -F perm=wa -F auid>=1000 -F auid!=unset -F key=MAC-policy
## Software updates. This is entirely handled by rpm.
## System start and shutdown. This is entirely handled by systemd
## Kernel Module loading. This is handled in 43-module-load.rules
## Application invocation. The requirements list an optional requirement
## FPT_SRP_EXT.1 Software Restriction Policies. This event is intended to
## state results from that policy. This would be handled entirely by
## that daemon.
force: true
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-53-AU-2(a)
- audit_ospp_general
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Perform general configuration of Audit for OSPP - Remove any permissions
from group and other
ansible.builtin.file:
path: /etc/audit/rules.d/30-ospp-v42.rules
mode: g-rwx,o-rwx
state: touch
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-53-AU-2(a)
- audit_ospp_general
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Put contents into /etc/audit/rules.d/30-ospp-v42-6-owner-change-failed.rules
according to policy
ansible.builtin.copy:
dest: /etc/audit/rules.d/30-ospp-v42-6-owner-change-failed.rules
content: |
## Unsuccessful ownership change
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
force: true
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-53-AU-2(a)
- audit_owner_change_failed
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Configure auditing of unsuccessful ownership changes - Remove any permissions
from group and other
ansible.builtin.file:
path: /etc/audit/rules.d/30-ospp-v42-6-owner-change-failed.rules
mode: g-rwx,o-rwx
state: touch
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-53-AU-2(a)
- audit_owner_change_failed
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Put contents into /etc/audit/rules.d/30-ospp-v42-6-owner-change-success.rules
according to policy
ansible.builtin.copy:
dest: /etc/audit/rules.d/30-ospp-v42-6-owner-change-success.rules
content: |
## Successful ownership change
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change
-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change
force: true
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-53-AU-2(a)
- audit_owner_change_success
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Configure auditing of successful ownership changes - Remove any permissions
from group and other
ansible.builtin.file:
path: /etc/audit/rules.d/30-ospp-v42-6-owner-change-success.rules
mode: g-rwx,o-rwx
state: touch
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-53-AU-2(a)
- audit_owner_change_success
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Put contents into /etc/audit/rules.d/30-ospp-v42-5-perm-change-failed.rules
according to policy
ansible.builtin.copy:
dest: /etc/audit/rules.d/30-ospp-v42-5-perm-change-failed.rules
content: |
## Unsuccessful permission change
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
force: true
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-53-AU-2(a)
- audit_perm_change_failed
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Configure auditing of unsuccessful permission changes - Remove any permissions
from group and other
ansible.builtin.file:
path: /etc/audit/rules.d/30-ospp-v42-5-perm-change-failed.rules
mode: g-rwx,o-rwx
state: touch
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-53-AU-2(a)
- audit_perm_change_failed
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Put contents into /etc/audit/rules.d/30-ospp-v42-5-perm-change-success.rules
according to policy
ansible.builtin.copy:
dest: /etc/audit/rules.d/30-ospp-v42-5-perm-change-success.rules
content: |
## Successful permission change
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
force: true
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-53-AU-2(a)
- audit_perm_change_success
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy
- name: Configure auditing of successful permission changes - Remove any permissions
from group and other
ansible.builtin.file:
path: /etc/audit/rules.d/30-ospp-v42-5-perm-change-success.rules
mode: g-rwx,o-rwx
state: touch
when: ("kernel" in ansible_facts.packages or "kernel-uek" in ansible_facts.packages)
tags:
- NIST-800-53-AU-2(a)
- audit_perm_change_success
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- restrict_strategy